RE: BAD-TRAFFIC loopback

[SRH-Lists <giermo () 333tech com>]

traffic Alert is NOW TFTP
        GET passwd
Date: Tue, 23 Dec 2003 15:01:25 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

> Recently I havee been getting some packets like this:
> =20
> #(7 - 317178) [2003-12-18 21:26:49] =A0url[snort/528] =A0
> BAD-TRAFFIC loopback=20
> traffic
> IPv4: 127.0.0.1 -> my.ip.address
> =A0 =A0 =A0 hlen=3D5 TOS=3D0 dlen=3D40 ID=3D64383 flags=3D0 =
offset=3D0 TTL=3D126=20
> chksum=3D51443
> TCP: =A0port=3D80 -> dport: 1853 =A0flags=3D***A*R** seq=3D0
> =A0 =A0 =A0 ack=3D1642659841 off=3D5 res=3D0 win=3D0 urp=3D0 =
chksum=3D52732
> Payload: none
> =20
> I pretty much determined that they are due to the MS Blaster=20
> worm.  However=20
> these packets were setting off the BAD-TRAFFIC loopback=20
> traffic Alert as would make sense. But now all of the sudden=20
> they show up in=20
> the TFTPGET passwd alert instead. =20
> =20
> Can anybody help with the explanantion for this?
> =20

Something caused your rule order to change.  Snort doesn't process past
the first rule hit.

Before the BAD-TRAFFIC rule was first, now the TFTP rule is.

Note that this has nothing (well, not entirely nothing, but close) to =
do
with the order the rules are read in.

-steve


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users