Snort mailing list archives

Re: BAD TRAFFIC loopback traffic


From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 25 Aug 2003 20:04:12 -0400 (EDT)

Date: Fri, 22 Aug 2003 13:06:38 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: IntegPatchMgr <IntegPatchMgr () infosys com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] BAD TRAFFIC loopback traffic

On Fri, 22 Aug 2003, IntegPatchMgr wrote:

I am getting the message below. Can anyone let me know what this means?

EVENT # : 65
EVENTLOG : Application
EVENT TYPE : INFORMATION (4)
SOURCE : snort
EVENT ID : 1
TIME :  8/22/2003 3:55:06 PM
MESSAGE :  [1:528:3] BAD TRAFFIC loopback traffic [Classification:
Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 ->
172.25.15.21:1284

You had traffic from the loopback address 127.0.0.1 on the wire
(ethernet).  That should never happen.  Most likely the 127.0.0.1 address
was spoofed.

FYIW, I had a similar issue.  I started getting a TON of this message in
syslog:

Aug 13 12:34:31 xxxxxxx snort: [1:528:3] BAD TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: <eth0> {TCP}
192.168.xxx.143:32831 -> 127.0.0.1:25

The source (.143) was a brand new from-scratch install of RHEL Taroon (i.e.
Red Hat Enterprise Linux 3.0 Beta 1).  There was a sendmail process and
another sendmail-related process that I forget the name of.  When I stopped
both of those processes, the messages went away.

That sounds like some part of sendmail is severely broken in Taroon, but I
have not seen anything on that list, so it could just be me.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
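
The two alerts quoted in this thread differ in which side is the loopback address: 127.0.0.1 as the source in the first, as the destination in the second. The following is an added example, not part of the original message or of Snort itself, that sorts SID 528 alert lines by that direction and names the non-loopback host to look at. The sample lines and their addresses are constructed, and the label names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Matches Snort "fast"/syslog style alerts for SID 528; ports are optional (ICMP has none).
ALERT = re.compile(
    r"\[1:528:\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?"
)

# Constructed sample lines modelled on the alert format quoted in the thread.
SAMPLE = [
    "[1:528:3] BAD TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] "
    "[Priority: 2]: {TCP} 127.0.0.1:80 -> 198.51.100.21:1284",
    "Aug 13 12:34:31 sensor snort: [1:528:3] BAD TRAFFIC loopback traffic [Classification: "
    "Potentially Bad Traffic] [Priority: 2]: <eth0> {TCP} 192.0.2.143:32831 -> 127.0.0.1:25",
    "Aug 13 12:34:32 sensor snort: [1:528:3] BAD TRAFFIC loopback traffic [Classification: "
    "Potentially Bad Traffic] [Priority: 2]: <eth0> {TCP} 192.0.2.143:32832 -> 127.0.0.1:25",
    "Aug 13 12:34:33 sensor sshd[411]: Accepted publickey for admin from 192.0.2.7",
]

def classify(line):
    """Return (kind, host_to_check, proto, loopback_side_port), or None if not a SID 528 alert."""
    m = ALERT.search(line)
    if not m:
        return None
    try:
        src_lo = ip_address(m["src"]).is_loopback   # True for all of 127.0.0.0/8
        dst_lo = ip_address(m["dst"]).is_loopback
    except ValueError:                              # e.g. an octet above 255 in a mangled line
        return None
    if src_lo and dst_lo:
        return ("both-loopback", None, m["proto"], m["dport"])
    if src_lo:   # source address says nothing about the sender; the receiver is what is known
        return ("loopback-source", m["dst"], m["proto"], m["sport"])
    if dst_lo:   # the source host is putting loopback-addressed packets on the wire
        return ("loopback-destination", m["src"], m["proto"], m["dport"])
    return None

def triage(lines):
    """Count alerts per (kind, host, proto, port) so the noisiest host stands out."""
    return Counter(c for c in map(classify, lines) if c)

if __name__ == "__main__":
    for (kind, host, proto, port), n in triage(SAMPLE).most_common():
        print(f"{n:4d}  {kind:22s} host={host} {proto} loopback-side port={port}")
```
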


