Snort mailing list archives
RE: BAD-TRAFFIC loopback traffic Alert is NOW TFTP GET passwd
From: SRH-Lists <giermo () 333tech com>
Date: Tue, 23 Dec 2003 13:01:33 -0800
Recently I have been getting some packets like this:

#(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]  BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> my.ip.address  hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP: port=80 -> dport: 1853  flags=***A*R** seq=0  ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none

I pretty much determined that they are due to the MS Blaster worm. However these packets were setting off the BAD-TRAFFIC loopback traffic Alert as would make sense. But now all of the sudden they show up in the TFTP GET passwd alert instead.

Can anybody help with the explanation for this?
Something caused your rule order to change. Snort doesn't process past the first rule hit. Before the BAD-TRAFFIC rule was first, now the TFTP rule is. Note that this has nothing (well, not entirely nothing, but close) to do with the order the rules are read in.

-steve
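The reply above explains why the rule name changed while the packets did not. As an added example (not code from the thread's authors or from the Snort project), here is a small Python parser for the alert-summary layout quoted in the original message; it flags every record whose source address lies in 127.0.0.0/8 from the packet fields themselves, so loopback-sourced traffic stays visible whichever first-match rule Snort happened to report. The sample records, the 192.0.2.10 address and the sid 1443 used for the TFTP rule are constructed assumptions, not values taken from the page.

```python
import ipaddress
import re

# Constructed sample records in the alert-summary layout quoted in the thread
# (quoted-printable debris stripped). The 192.0.2.10 address and sid 1443 for
# the TFTP rule are assumptions for this example, not values from the page.
SAMPLE_ALERTS = """\
#(7 - 317178) [2003-12-18 21:26:49] url[snort/528] BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 192.0.2.10 hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP: port=80 -> dport: 1853 flags=***A*R** seq=0 ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none
#(7 - 317179) [2003-12-18 21:27:02] url[snort/1443] TFTP GET passwd
IPv4: 127.0.0.1 -> 192.0.2.10 hlen=5 TOS=0 dlen=40 ID=64384 flags=0 offset=0 TTL=126 chksum=51442
TCP: port=80 -> dport: 1854 flags=***A*R** seq=0 ack=1642659842 off=5 res=0 win=0 urp=0 chksum=52731
Payload: none
"""

HEADER_RE = re.compile(r"^#\((\d+) - (\d+)\)\s+\[([^\]]+)\]\s+url\[snort/(\d+)\]\s+(.+)$")
IP_RE = re.compile(r"^IPv4:\s+(\S+)\s+->\s+(\S+)")
TCP_RE = re.compile(r"^TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_alerts(text):
    """Split the summary into one dict per '#(' record with the fields we need."""
    alerts = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            alerts.append({"id": int(m.group(2)), "time": m.group(3),
                           "sid": int(m.group(4)), "msg": m.group(5).strip()})
        elif not alerts:
            continue  # text before the first record header
        elif m := IP_RE.match(line):
            alerts[-1]["src"], alerts[-1]["dst"] = m.group(1), m.group(2)
        elif m := TCP_RE.match(line):
            alerts[-1].update(sport=int(m.group(1)), dport=int(m.group(2)), flags=m.group(3))
    return alerts


def loopback_source(alert):
    """True when the packet's own source is in 127/8, whatever msg Snort attached."""
    try:
        return ipaddress.ip_address(alert.get("src", "")) in LOOPBACK
    except ValueError:  # missing or symbolic address such as 'my.ip.address'
        return False


def triage(text):
    """(sid, msg, loopback_source) per record; the third field does not trust msg."""
    return [(a["sid"], a["msg"], loopback_source(a)) for a in parse_alerts(text)]
```

Both constructed records come back flagged even though Snort labelled the second one as the TFTP rule, which is the point: alert on what the packet is, not only on the first rule name the engine reported.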