Snort mailing list archives

RE: a lot of Loopback traffic being logged.


From: Mark.Schutzmann () Omron com
Date: Fri, 23 Apr 2004 10:33:36 -0500


One more point... if you have a Cisco router, you can create some ACLs and
use CEF to detect the packet stream and find the MAC address. That's how I
ended up finding it beyond my local router without having to send a
protocol analyzer to the remote site. Good Luck!

Mark
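The thread below turns on one diagnostic step: read the Ethernet source address of the spoofed 127.0.0.1 packets and decide whether it belongs to an end host or to a router that is merely forwarding them. The following is an added example, not code from this thread or from the Snort project. It assumes the two-line record that Snort 2 prints when run in the foreground with `-v -e` (timestamp and Ethernet header on one line, the IP/transport line beneath it); the captured lines embedded in it are constructed, and every MAC and IP value in them is made up. The grouping also bears on the "two IPs mapped to the same MAC" question further down: on the far side of a router every forwarded packet arrives with the router's MAC as its link-layer source, so a MAC that carries several unrelated source IPs is a hop to trace past, not the offender.

```python
"""Correlate spoofed-source packets with the link-layer address that delivered them.

Added example (not from the Snort-users thread or the Snort project). Parses the
two-line record Snort 2 prints in the foreground with `-v -e` (format approximated
from memory: timestamp + Ethernet header, then the IP/transport line), groups
source IPs by source MAC, and classifies each MAC:
  - several source IPs behind one MAC  -> a router/uplink; keep tracing upstream
  - only loopback-sourced traffic      -> candidate end host on this segment
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `snort -v -e` console output. Snort prints MAC octets as
# unpadded hex (e.g. 0:D:28:...), which the parser normalizes. All values made up.
SAMPLE = """\
04/22-08:38:12.104211 0:0:C:7:AC:1 -> 0:D:28:1A:2B:3C type:0x800 len:0x3C
127.0.0.1:4444 -> 192.168.10.25:135 TCP TTL:126 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x4000  TcpLen: 28

04/22-08:38:12.204211 0:0:C:7:AC:1 -> 0:D:28:1A:2B:3C type:0x800 len:0x3C
10.20.5.7:1052 -> 192.168.10.25:25 TCP TTL:126 TOS:0x0 ID:2 IpLen:20 DgmLen:48 DF

04/22-08:38:13.004211 0:E:A6:11:22:33 -> 0:D:28:1A:2B:3C type:0x800 len:0x3C
127.0.0.1:4445 -> 192.168.10.30:135 TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:48 DF
"""

# One to two hex digits per octet, so both padded and Snort's unpadded form match.
MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
ETH_RE = re.compile(rf"^(\S+)\s+({MAC})\s+->\s+({MAC})\s+type:0x([0-9A-Fa-f]+)")
# Port is optional so ICMP lines ("a.b.c.d -> e.f.g.h ICMP ...") also parse.
IP_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}):?(\d*)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):?(\d*)\s+(\w+)"
)


def normalize_mac(mac):
    """Zero-pad and lower-case a MAC so 0:D:28:1A:2B:3C == 00:0d:28:1a:2b:3c."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_records(text):
    """Yield one dict per Ethernet-line/IP-line pair; other lines are ignored."""
    eth = None
    for line in text.splitlines():
        m = ETH_RE.match(line)
        if m:
            eth = (m.group(1), normalize_mac(m.group(2)), normalize_mac(m.group(3)))
            continue
        m = IP_RE.match(line)
        if m and eth:
            yield {"ts": eth[0], "src_mac": eth[1], "dst_mac": eth[2],
                   "src_ip": m.group(1), "dst_ip": m.group(3), "proto": m.group(5)}
            eth = None  # each Ethernet line pairs with exactly one IP line


def is_loopback(ip):
    """True for anything in 127.0.0.0/8, which must never arrive on the wire."""
    return ip.startswith("127.")


def mac_report(text):
    """Map each source MAC to the source IPs it delivered and classify the MAC."""
    ips_by_mac = defaultdict(set)
    for rec in parse_records(text):
        ips_by_mac[rec["src_mac"]].add(rec["src_ip"])
    report = {}
    for mac, ips in ips_by_mac.items():
        spoofed = {ip for ip in ips if is_loopback(ip)}
        if not spoofed:
            verdict = "no loopback traffic"
        elif len(ips) > 1:
            # Many source IPs share this MAC: it rewrote the frames, i.e. a router.
            verdict = "forwarding hop (router/uplink): continue upstream"
        else:
            verdict = "candidate end host on this segment"
        report[mac] = {"src_ips": sorted(ips), "verdict": verdict}
    return report


if __name__ == "__main__":
    # Optional argument: a file holding saved `snort -v -e` output; else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for mac, info in sorted(mac_report(text).items()):
        print(f"{mac}  {', '.join(info['src_ips']):<24} {info['verdict']}")
```

Run against saved foreground output from the sensor at the distribution point; a MAC reported as a forwarding hop means the next capture has to be taken on the far side of that device, which is the hop-by-hop procedure described below. Only when the 127.0.0.1 frames arrive with a MAC that carries no other source addresses is the offending host on the segment being watched.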


"Fred Portnoy" <fportnoy () mail plymouth.edu>
04/23/2004 10:07 AM
Please respond to fportnoy

To:       "'Chuck Holley'" <cholley () fitnessquest com>, <Mark.Schutzmann () omron com>
cc:       <snort-users () lists sourceforge net>, <snort-users-admin () lists sourceforge net>
Subject:  RE: [Snort-users] a lot of Loopback traffic being logged.

You need to sniff on one interface at a time at your network distribution
point, and as you find the offending packets, go upstream to the next
aggregation point and so forth, until you get by the last router and you are
on the offender's home LAN; only then will you have captured their actual
MAC address. Good Luck!

-fp

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chuck Holley
Sent: Friday, April 23, 2004 10:25 AM
To: Mark.Schutzmann () Omron com
Cc: snort-users () lists sourceforge net;
snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] a lot of Loopback traffic being logged.


OK, I looked through the archives and found that it is probably the Blaster
worm, and that to find the src address you need to follow back to the MAC
address.  My problem is that I have firestarter firewall on my mailserver
and it is also logging the loopback address issue as a "Martian source
attack," and I have two different IP addresses mapped to the same MAC
address??????  What is up with that?  How do I trace that?

Also I can't seem to find where the MAC address is in ACID.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Mark.Schutzmann () Omron com
Sent: Thursday, April 22, 2004 6:09 PM
To: Chuck Holley
Cc: snort-users () lists sourceforge net;
snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] a lot of Loopback traffic being logged.


I reported this same problem earlier. I had a lot of great feedback, if you
want to search the mailing list. Recently, I had this come up again. I used
Snort in non-daemon mode to find the MAC address that was associated with
the 127.0.0.1 address, which led me to a router (ugh!). I then had to trace
that through my WAN to another network, where we found the local MAC and
traced that to a couple of Japanese engineers who were visiting our company
and had plugged their computers into our network. Unfortunately, because we
did not have a translator and could not readily sift through their Japanese
OS computers, I still cannot say what the source program was that caused
this. I simply had to quarantine their computer away from the corporate
network. If I find a translator and the program, I will forward this info
on. Let me know what you find! I suspect some virus or trojan. This is a
fairly amateur attack to actually be running manually. Good Luck!

Best Regards,
Mark




"Chuck Holley" <cholley () fitnessquest com>
Sent by: snort-users-admin () lists sourceforge.net
04/22/2004 08:38 AM

To:       <snort-users () lists sourceforge net>
cc:
Subject:  [Snort-users] a lot of Loopback traffic being logged.


"BAD-TRAFFIC loopback traffic"  I am getting a lot of this one alert on
127.0.0.1.  I'm really not sure what is causing this, whether it is faulty
networking or maybe a spoofer.  Now that I know I'm getting this, thanks to
SNORT, what the heck do I do about it?  Anyone ever remedy this problem?

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley () fitnessquest com

-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a
limited time only, get FREE Ground shipping on all orders of $35 or more.
Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users