Snort mailing list archives
RE: [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad Traffic alert generating from 127.0.0.1:80 to the firewall's external ip
From: "Corey Rock" <snort_sigs () hotmail com>
Date: Sat, 01 May 2004 17:58:50 +0000
Is it possible someone is using a Cisco VPN client? I often see loopback alerts with the 3000 clients in our environment...the loopback error will show FW as source, and loopback as destination.
Inspecting the GUI for the VPN client shows all traffic to the Loopback device, so I suspect it's normal behavior (the loopback alerts, in my case, can be ignored). Alerts disappear when the VPN session is terminated. (Am checking with Cisco on actual workings of client.)
Not sure if this is your cause, but it's mine.
Regards,
Corey

From: Calyth <calyth () shaw ca>
To: snort-users () lists sourceforge net
Subject: [Snort-users] [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad Traffic alert generating from 127.0.0.1:80 to the firewall's external ip
Date: Sat, 01 May 2004 01:31:05 -0700

The platform is OpenBSD 3.4 running snort 2.0.0 build 72. I got this strange alert from snort that repeats itself. It complains of Bad Traffic loopback traffic (potential) with priority 2, and it's always from 127.0.0.1:80 to some port on the external IP that is greater than 1024. Has anyone seen this? I'm running snort with -D -i ep0 -c {path to snort.conf}

Benton Lam
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users