Snort mailing list archives

RE: a lot of Loopback traffic being logged.


From: rod <rod () thenewdawn tv>
Date: Thu, 27 May 2004 16:02:36 +0100

We had this for a short while, finally tracked it down to a wormed box
on the other side of the router.  The router was letting src traffic
from 127.0.0.1 through to our public addresses; this has now been
corrected and the traffic has been stopped.

best regards

Rod
________________________________________________________________________

On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a
while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

I'm assuming I'm doing this right. I'm trying to log only packets from
127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and write
to a file called dump.

Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes
that is sending out the 127.0.0.1, or did I simply pick up two packets sent
out from hal2 to these other machines?

I looked at snort and the exact same IPs, with the exact same ports, were
logged coming from 127.0.0.1.

To say the least, I'm confused even more!!




Hi,
I see it on my external interface too. I used tcpdump with the -e parameter
to display the MAC address of the sender.

tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch.

So all packets come from the external network (I think). I am connected over
a wi-fi AP and when I sniffed, I saw that these packets are coming to
most people connected to this AP.

I don't know what it can be.

Regards,
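
The check used in this thread (look at the Ethernet source address of frames that claim a 127.0.0.1 source to see which device put them on the wire), as an added example that is not part of the original posts: it reads a classic pcap file such as one written by tcpdump -w and counts 127.0.0.0/8-sourced frames per sender MAC and destination. The function names, MAC addresses and sample capture are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, ip_network
LOOPBACK = ip_network("127.0.0.0/8")

def loopback_senders(pcap: bytes) -> Counter:
    """Count frames with a 127/8 IPv4 source, keyed by (source MAC, dst IP)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off = Counter(), 24                      # 24-byte global header
    while off + 16 <= len(pcap):                   # 16-byte record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q tag
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue                               # not IPv4, or truncated
        src = IPv4Address(frame[l3 + 12:l3 + 16])
        dst = IPv4Address(frame[l3 + 16:l3 + 20])
        if src in LOOPBACK:  # a loopback source should never be on the wire
            hits[(frame[6:12].hex(":"), str(dst))] += 1
    return hits

def build_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    eth = bytes.fromhex("02000000aa01") + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + bytes(20)  # zeroed TCP header, checksums not computed

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: two spoofed frames relayed by one MAC, one normal frame.
SAMPLE = build_pcap([build_frame("02000000bb01", "127.0.0.1", "192.168.42.50"),
                     build_frame("02000000bb01", "127.0.0.1", "192.168.42.52"),
                     build_frame("02000000cc02", "192.168.42.7", "192.168.42.50")])

if __name__ == "__main__":
    print(loopback_senders(SAMPLE))
```

A single MAC accounting for every hit points at the forwarding device (a router or switch) rather than at the host that originated the packets, which matches what both posters found.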



