Snort mailing list archives

Re: RE: BAD-TRAFFIC Loopback traffic


From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 20 Dec 2003 14:56:57 -0500 (EST)

As a follow-up to the discussions on the list [0, 1] about Snort seeing
127.0.0.1 traffic, I thought this was interesting.  I was just playing with
NMap's new service detection feature [2] and did a scan as follows:
        From host A, run nmap -A -T4 -F 192.168.1.0/24
        Snort is on "snorter" at 192.168.1.22

I got this syslog alert; note that it is ICMP, not TCP/80 or TCP/25 as previously
discussed.

Dec 20 13:53:08 snorter snort: [1:528:3] BAD TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: <eth0> {ICMP}
127.0.0.1 -> 192.168.99.0

I isolated the packet, as follows:

/tmp# snort -Xqvder snort.log.2003-12-20.pcap src 127.0.0.1
12/20-13:53:08.203033 0:6:29:A2:AB:3F -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1 -> 192.168.1.0 ICMP TTL:39 TOS:0x0 ID:36980 IpLen:20 DgmLen:28
Type:8  Code:0  ID:58555   Seq:35350  ECHO
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


The only thing not clear is IF this packet actually made it onto the wire, or
if Snort only saw it because it was loopback on the Snort host itself.
Unfortunately I will not have time to pursue this any more at the moment.

Later,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=106745650608485&w=2
[1] RHEL 3 (Taroon Beta) sendmail put 127.0.0.1 packets out on the wire with a
src or dst (I forget which) port 25. When I killed sendmail and some other
related service they went away. Presumably that was a bug and is fixed in the
released RHEL 3, but I have not tested that.
[2] http://www.insecure.org/nmap/versionscan.html
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
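The hex dump in the post contains everything needed to confirm what the alert says without re-running Snort. The following Python script is an added example (not part of the post and not Snort's code): it parses the `-X` style hex dump quoted above, decodes the Ethernet, IPv4 and ICMP headers, verifies both Internet checksums, and applies the same condition the loopback rule is built on, namely either endpoint falling in 127.0.0.0/8. Decoding the bytes gives a destination of 192.168.99.0, which matches the syslog line, and an Ethernet destination of ff:ff:ff:ff:ff:ff, i.e. the frame as captured on eth0 carried a full link-layer header. The function names and the dictionary layout are this example's own choices.

```python
import ipaddress
import struct

# Hex dump copied from the post (Snort -X output). The parser strips the
# "0xNNNN:" offsets and the ASCII column on the right.
SNORT_HEXDUMP = """\
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hexdump(text):
    """Turn Snort's '0xNNNN: XX XX ...  ascii' lines back into raw frame bytes."""
    raw = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, rest = line.split(":", 1)
        # The hex column is separated from the ASCII column by two spaces.
        hex_part = rest.strip().split("  ", 1)[0]
        raw.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; over a header that includes its own
    checksum field the result is 0 when the checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(addr):
    return ":".join("%02x" % b for b in addr)


def decode_frame(raw):
    """Decode Ethernet II + IPv4 (+ ICMP) headers into a dict of fields."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "eth_dst": mac(eth_dst),
        "eth_src": mac(eth_src),
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "ttl": ttl,
        "tos": tos,
        "id": ident,
        "proto": proto,
        "ip_len": total_len,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if proto == 1:
        # Only DgmLen bytes belong to the datagram; the trailing zeros in the
        # dump are Ethernet padding up to the 60-byte minimum frame size.
        icmp = ip[ihl:total_len]
        itype, icode, _icsum, iid, seq = struct.unpack("!BBHHH", icmp[:8])
        pkt.update({
            "icmp_type": itype,
            "icmp_code": icode,
            "icmp_id": iid,
            "icmp_seq": seq,
            "icmp_checksum_ok": inet_checksum(icmp) == 0,
        })
    return pkt


def is_loopback_traffic(pkt):
    """The condition behind 'BAD TRAFFIC loopback traffic': a 127.0.0.0/8
    address as source or destination on a packet seen on a real interface."""
    return pkt["src"] in LOOPBACK or pkt["dst"] in LOOPBACK


if __name__ == "__main__":
    frame = decode_frame(parse_hexdump(SNORT_HEXDUMP))
    for key, value in frame.items():
        print("%-17s %s" % (key, value))
    print("loopback traffic:", is_loopback_traffic(frame))
```

Run it as-is and compare the printed fields with the decode line in the post: TTL 39, ID 36980, DgmLen 28, ICMP type 8 with ID 58555 and sequence 35350 all agree, and both checksums verify, so the dumped bytes are a well-formed echo request rather than a capture artifact. To check a different alert, replace `SNORT_HEXDUMP` with the hex dump from your own `snort -X` output.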


