Snort mailing list archives

BAD-TRAFFIC loopback traffic Alert is NOW TFTPGET passwd


From: "Matthew L. McCarty" <matthew () rareearthstrategies com>
Date: Tue, 23 Dec 2003 14:37:50 -0600

Recently I have been getting some packets like this:

#(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]  BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> my.ip.address
      hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP:  port=80 -> dport: 1853  flags=***A*R** seq=0
      ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none

I pretty much determined that they are due to the MS Blaster worm.  However,
these packets were setting off the BAD-TRAFFIC loopback traffic Alert, as
would make sense. But now, all of a sudden, they show up in the TFTPGET
passwd alert instead.

Can anybody help with the explanation for this?


-- 
Matthew L. McCarty


