Snort mailing list archives
BAD-TRAFFIC loopback traffic Alert is NOW TFTPGET passwd
From: "Matthew L. McCarty" <matthew () rareearthstrategies com>
Date: Tue, 23 Dec 2003 14:37:50 -0600

Recently I have been getting some packets like this:

#(7 - 317178) [2003-12-18 21:26:49] url[snort/528] BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> my.ip.address
  hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP: port=80 -> dport: 1853 flags=***A*R** seq=0
  ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none

I pretty much determined that they are due to the MS Blaster worm. However, these packets were setting off the BAD-TRAFFIC loopback traffic Alert, as would make sense. But now all of a sudden they show up in the TFTPGET passwd alert instead. Can anybody help with the explanation for this?

--
Matthew L. McCarty