Snort mailing list archives

Re: Bad Loop Back Traffic


From: Mark.Schutzmann () Omron com
Date: Fri, 27 Feb 2004 11:48:28 -0600


I have also suddenly noticed that I am receiving the Bad Loop Back Traffic
alerts. This started after I updated my sigs from the Snort site on
Wednesday. Here's what I get when I issue the test command. Eth0 is a Gig
Fiber card on a c4006 in monitor mode and eth1 is a 100MB card on the same
switch. Any ideas? (aside from updating Snort...that's another story!)

[root@RHLXSnort snort]# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -T
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = OEI-RHLXSnort
database:   sensor name = 209.44.1.42
database:     sensor id = 1
database: inconsistent cid information for sid=1
          Recovering by rolling forward the cid=23189
database: schema version = 106
database: using the "log" facility
THRESHOLD: gen_id=1, sig_id=10000504, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=10000505, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=10000506, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=100000507, type=0, tracking=0, count=1000, seconds=300
THRESHOLD: gen_id=1, sig_id=1000508, type=1, tracking=1, count=10, seconds=240
THRESHOLD: gen_id=1, sig_id=1000509, type=1, tracking=1, count=10, seconds=240
1308 Snort rules read...
1308 Option Chains linked into 209 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
Snort exiting


From: "Scott Elgram" <SElgram () verifpoint com>
Sent by: snort-users-admin () lists sourceforge net
Date: 02/25/2004 05:03 PM
Please respond to "Scott Elgram"
To: "SN ORT" <snort_on_acid () yahoo com>
cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bad Loop Back Traffic




Actually my set-up goes like this:
    Internet connects to router, connects to hub, hub connects to firewall.
Also connected to the hub is eth0 on the SNORT machine with no IP. A second
card (eth1) on the SNORT machine connects to the internal network so that I
can monitor with ACID. This setup works well; the SNORT sensor sees all
traffic coming in from the router and going out to the router. So far the
only problem it seems to have is the Bad Loop Back Traffic.

-Scott Elgram

----- Original Message -----
From: "SN ORT" <snort_on_acid () yahoo com>
To: <SElgram () verifpoint com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 25, 2004 2:01 PM
Subject: Re: [Snort-users] Bad Loop Back Traffic


So you have this hub, connected to both the firewall
and the router. Do you also have another connection,
connecting the router to the firewall? Now the
firewall and the router have two connections to each
other? If you have a switch in between as well, this
would cause a spanning tree problem. Or is this hub
the only connection between the two? If not, then I
would suggest a different way to monitor the
connections, such as a switch between the router/fw
and if you have that already, the switch should then
mirror the router port only.

If the hub is the only connection, then is your sensor
acting as a router? And is the IP of your non-sniffing
interface an internal IP connected internally?

Cheese!

Marc

Reply-To: "Scott Elgram" <SElgram () verifpoint com>
From: "Scott Elgram" <SElgram () verifpoint com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bad Loop Back Traffic
Date: Tue, 24 Feb 2004 09:52:35 -0800
Organization: VerifPoint/CreDENTALs

Hummm, interesting,
   I have my SNORT installed on RH9 with 2 interfaces. The interface with
the sensor is connected to a hub between my router and firewall. The
interface has no IP address and catches only out-bound and in-bound traffic
from the internet. For a while I was under the impression that this "Bad
Loop Back Traffic" was the result of having an interface up with no IP or
configuration. Could this be the reason, do you think?
-Scott Elgram

----- Original Message -----
From: <bclark () bwkip com>
To: <snort-users () lists sourceforge net>
Cc: <SElgram () verifpoint com>
Sent: Tuesday, February 24, 2004 9:01 AM
Subject: Re: [Snort-users] Bad Loop Back Traffic


I have also seen this type of traffic, about 200,000
alerts last night. I am not sure but I think it is a client's Windows
machine.


Hello,
    I have an abundance of alerts telling me
BAD-TRAFFIC loopback traffic on 127.0.0.1:80
According to snort this is due to improperly configured interfaces.
Which part is improperly configured and how can I fix this? Or have I
been hacked?

-Scott Elgram
IT/Systems Support
VerifPoint/CreDENTALs
(949)770-5290 ext. 26
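A defender-side triage script for the alert flood discussed in this thread, added here as an example and not part of any of the original messages. It parses Snort alert-fast lines (the line layout is an assumption, and the sample alerts, including their gid:sid:rev values and addresses, are constructed) and counts BAD-TRAFFIC loopback traffic alerts per non-loopback peer, so the host actually putting 127.0.0.0/8 traffic onto the monitored segment stands out.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

# Snort "alert fast" line layout; the regex is an assumption about that format.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real sensor output); gid:sid:rev and addresses are made up.
SAMPLE_ALERTS = """\
02/24-21:03:11.123456  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.23:1357 -> 127.0.0.1:80
02/24-21:03:12.223456  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.23:1358 -> 127.0.0.1:80
02/24-21:03:13.323456  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.5.5.5:53 -> 127.0.0.1:1024
02/24-21:03:14.423456  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 127.0.0.1 -> 10.5.5.9
02/24-21:03:15.523456  [**] [1:1000001:1] SAMPLE other alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.23:2000 -> 10.5.5.9:22
""".splitlines()

def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def loopback_side(src, dst):
    """Report which endpoint is in 127.0.0.0/8: 'src', 'dst', 'both' or None."""
    s, d = ip_address(src) in LOOPBACK, ip_address(dst) in LOOPBACK
    return "both" if s and d else "src" if s else "dst" if d else None

def triage(lines):
    """Count loopback alerts per non-loopback peer so the emitting host stands out.
    A host sending to 127.x (side 'dst') is the suspect; a 127.x source is a leaked or
    spoofed address, so the target it was aimed at is recorded instead."""
    peers = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None or "loopback traffic" not in a["msg"]:
            continue
        side = loopback_side(a["src"], a["dst"])
        if side == "dst":
            peers[a["src"]] += 1
        elif side == "src":
            peers[a["dst"]] += 1
        elif side == "both":
            peers["127/8<->127/8"] += 1
    return peers
```

Running `triage(SAMPLE_ALERTS).most_common()` on real alert-fast output points at the one or two hosts that deserve an interface check, which is cheaper than reading 200,000 alerts by hand.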









-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users








