Snort mailing list archives

Re: MISC loopback traffic


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Nov 2001 15:30:03 -0500

This means that Snort detected a packet on the Ethernet wire which is from a loopback address. Loopback addresses are intended to be used to allow a process to connect to a port on the local machine without going out over any kind of network wire. The appearance of such an address on any network wire is invalid as per RFC 1700's "special addresses" section:

--------
 (g)   {127, <any>}

         Internal host loopback address.  Should never appear outside
         a host.
----------

See http://www.ietf.org/rfc/rfc1700.txt for the rest of that document, but the rest is mostly irrelevant here.


As best I know there are two cases that are likely to cause what you are seeing:

1) Crafted packets with spoofed addresses trying to sneak past a machine's IPfilter rules (only works if they are poorly written and lack spoof protection rules).

2) Some bozo thought the 127.*.*.* block was prime real estate for private addresses, ignoring or not knowing the fact that doing so is invalid. The IP addresses 10.*.*.*, 192.168.*.* and one other block of IPs (which I forget the address of offhand) are reserved for private network applications, and should be used instead.

Given the large number of addresses, and the fact that none are 127.0.0.1 (the "normal" loopback, and the best candidate for spoofing), I suspect case number 2 is in effect, but you should take a closer look at the packets to see where they are going to see if they have malicious intent, or are merely a foolish mistake.


At 02:24 PM 11/16/2001, you wrote:
I am seeing entries from Snort as shown below.  Any ideas/thoughts as to
what causes this?  I have looked in the FW logs and can't see anything that
corresponds to these snort events.

```````````````````````````````````````````````````````````````````

#1-208658| [2001-11-15 16:32:24] 127.184.201.85 [ext fw ip]   MISC loopback traffic


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
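
The triage suggested in the reply above (how many distinct 127.x sources there are, whether 127.0.0.1 is among them, and where the packets are going), as an added example that is not part of the original message. The alert lines are constructed in the layout quoted in the thread, and the function name, the documentation address 192.0.2.10 and the "more than one source" threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in the layout quoted in this thread; 192.0.2.10 is
# a documentation address standing in for the redacted "[ext fw ip]" field.
SAMPLE_ALERTS = """\
#1-208658| [2001-11-15 16:32:24] 127.184.201.85 192.0.2.10   MISC loopback traffic
#1-208659| [2001-11-15 16:32:31] 127.12.7.200 192.0.2.10   MISC loopback traffic
#1-208660| [2001-11-15 16:33:02] 127.184.201.85 192.0.2.10   MISC loopback traffic
#1-208661| [2001-11-15 16:33:40] 10.1.2.3 192.0.2.10   ICMP PING
"""

ALERT_RE = re.compile(
    r"^#\S+\|\s+\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<msg>.+)$"
)
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def triage_loopback_alerts(text):
    """Summarise alerts whose source address lies in 127.0.0.0/8."""
    sources, dests = Counter(), Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # redacted or malformed source field
        if src.version == 4 and src in LOOPBACK_NET:
            sources[str(src)] += 1
            dests[m.group("dst")] += 1
    has_canonical = "127.0.0.1" in sources
    # Heuristic taken from the reply: several distinct sources and no 127.0.0.1
    # suggests 127/8 misused as private space; anything else is treated as
    # possible spoofing. The ">1 source" threshold is an assumption of this example.
    if not sources:
        hint = "no loopback-sourced alerts"
    elif len(sources) > 1 and not has_canonical:
        hint = "likely 127/8 misused as private addressing"
    else:
        hint = "possible spoofing; check filter rules"
    return {"sources": dict(sources), "destinations": dict(dests),
            "has_127_0_0_1": has_canonical, "hint": hint}


if __name__ == "__main__":
    print(triage_loopback_alerts(SAMPLE_ALERTS))
```

The hint is only a starting point for the closer look at the packets that the reply recommends.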

