Snort mailing list archives

Re: BAD TRAFFIC loopback traffic


From: JP Vossen <vossenjp () netaxs com>
Date: Wed, 27 Aug 2003 23:27:59 -0400 (EDT)

On Wed, 27 Aug 2003, Edin Dizdarevic wrote:

JP Vossen wrote:
[...]
You had traffic from the loopback address 127.0.0.1 on the wire
(ethernet).  That should never happen.  Most likely the 127.0.0.1 address
was spoofed.


FYIW, I had a similar issue.  I started getting a TON of this message in
syslog:

[...]

Could it be that you're running Snort with the "-i any" parameter?

Not I.  And Snort is on a totally different box in a hub environment, so the
traffic IS on the wire, and I have the pcap to prove it:

/tmp# snort -vdqr xxx/2003-08-13/snort.log.1060747269
No run mode specified, defaulting to verbose mode
08/13-00:34:30.453335 192.168.xxx.143:32820 -> 127.0.0.1:25
TCP TTL:64 TOS:0x0 ID:31412 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1FF8C28A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 18004030 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/13-00:34:33.445568 192.168.xxx.143:32820 -> 127.0.0.1:25
TCP TTL:64 TOS:0x0 ID:31413 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1FF8C28A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 18004330 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
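
Added example, not part of the original message: a small Python filter that reads `snort -vdqr` style output like the dump above and reports packets whose source or destination falls in 127.0.0.0/8, the condition the thread says should never appear on the wire. The function names and the sample dump are assumptions constructed for illustration; the sample is modelled on the output quoted in the message, including its redacted address.

```python
import ipaddress
import re

# Header line of Snort's verbose dump: "MM/DD-HH:MM:SS.usec SRC[:PORT] -> DST[:PORT]"
HEADER = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\w.]+)(?::(?P<dport>\d+))?\s*$"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample input (not a real capture).
SAMPLE = """\
08/13-00:34:30.453335 192.168.xxx.143:32820 -> 127.0.0.1:25
TCP TTL:64 TOS:0x0 ID:31412 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1FF8C28A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/13-00:34:31.000000 192.168.0.10:40000 -> 192.168.0.20:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:60 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/13-00:34:32.000000 127.0.0.1:80 -> 192.168.0.20:1025
TCP TTL:64 TOS:0x0 ID:101 IpLen:20 DgmLen:40
"""

def is_loopback(addr):
    """True if addr is in 127.0.0.0/8; redacted or malformed addresses are not."""
    try:
        return ipaddress.ip_address(addr) in LOOPBACK
    except ValueError:
        return False

def loopback_on_wire(dump):
    """Return one dict per packet header whose src or dst is a loopback address."""
    hits = []
    for line in dump.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # protocol detail, payload and separator lines
        sides = [s for s in ("src", "dst") if is_loopback(m[s])]
        if sides:
            hits.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]) if m["dport"] else None,
                "loopback_side": sides,
            })
    return hits

if __name__ == "__main__":
    for hit in loopback_on_wire(SAMPLE):
        print(hit)
```

Knowing which side carries the loopback address separates the two cases raised in the thread: a loopback source matches the spoofing explanation in the quoted text, while a loopback destination from a real internal source is what the pcap in this message shows.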


