Snort mailing list archives

Re: Snort UDP traffic in loopback interface


From: rmkml <rmkml () yahoo fr>
Date: Wed, 11 Dec 2013 22:01:31 +0100 (CET)

Hi Evalues,

Snort on localhost fires for me.

OK, please look at my example:
 dig @127.0.0.1 version.bind chaos txt

tcpdump recorded on "-i lo":
21:53:27.575913 IP (tos 0x0, ttl 64, id 62830, offset 0, flags [none], proto UDP (17), length 69)
    127.0.0.1.56870 > 127.0.0.1.53: [bad udp cksum 0xfe44 -> 0xda9e!] 64696+ [1au] TXT CHAOS? version.bind. ar: . OPT UDPsize=4096 (41)

snort output v2.9.5.6:
12/11-21:53:27.575913  [**] [116:151:1] (snort decoder) WARNING: Bad Traffic Same Src/Dst IP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53
12/11-21:53:27.575913  [**] [116:150:1] (snort decoder) WARNING: Bad Traffic Loopback IP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53
12/11-21:53:27.575913  [**] [1:1616:9] DNS named version UDP attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53
12/11-21:53:27.575913  [**] [1:2101616:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53

For my example, I must disable cksum verif (-k none).

Could you check if you need "-k none" please?

Regards
@Rmkml


On Wed, 11 Dec 2013, evalues evalues wrote:


Hi, when I set Snort to listen on the loopback interface it doesn't trigger alerts for UDP rules. The same rules on the eth0 interface work perfectly. Besides, TCP and ICMP alerts also work on the loopback interface.

If I run Snort in sniffer mode I can view the datagram, but the alerts are not triggered. This is an example of an SNMP datagram that should raise an alert:

(snort decoder) WARNING: Bad Traffic Same Src/Dst IP
(snort decoder) WARNING: Bad Traffic Loopback IP
12/11-07:37:30.785801 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x59
127.0.0.1:59796 -> 127.0.0.1:162 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:75 DF
Len: 47
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
0x0010: 00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00  .K..@.@.<.......
0x0020: 00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04  .......7.J0-....
0x0030: 09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06  .Visitante....+.
0x0040: 01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01  ....&@..........
0x0050: 01 43 04 04 9E 5A F2 30 00                       .C...Z.0.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Can someone help me?

Thank you very much.
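To see why rmkml's "-k none" matters, here is an added Python example (not code from either poster or from the Snort project) that parses the sniffer hex dump evalues posted, embedded below as a constructed constant, and recomputes the IPv4 and UDP checksums. The stored UDP checksum 0xFE4A is exactly the one's-complement sum of the pseudo-header alone, the partial value a sending stack leaves in the field when checksum offload is in use (rmkml's tcpdump line shows the same pattern with 0xfe44), so Snort's decoder treats the datagram as having a bad checksum and skips rule matching unless verification is disabled with -k none (or config checksum_mode in snort.conf).

```python
import re
import struct

# Constructed copy of the Snort hex dump quoted in the thread (SNMP trap to 127.0.0.1:162).
SNORT_DUMP = """\
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
0x0010: 00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00  .K..@.@.<.......
0x0020: 00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04  .......7.J0-....
0x0030: 09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06  .Visitante....+.
0x0040: 01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01  ....&@..........
0x0050: 01 43 04 04 9E 5A F2 30 00                       .C...Z.0.
"""

def parse_snort_hexdump(text):
    """Collect the hex column of each '0xNNNN:' line; stop at the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"0x[0-9A-Fa-f]{4}:(.*)", line.strip())
        if not m:
            continue
        for tok in m.group(1).split()[:16]:  # Snort prints at most 16 bytes per line
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # first non-hex token is the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def ones_complement_sum(data):
    """RFC 1071 sum of 16-bit big-endian words with carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum_ok(frame):
    """A valid IPv4 header (after 14 bytes of Ethernet) sums to 0xFFFF."""
    ihl = (frame[14] & 0x0F) * 4
    return ones_complement_sum(frame[14:14 + ihl]) == 0xFFFF

def udp_checksum(frame):
    """Return (stored, expected, pseudo_header_sum) for the UDP datagram in the frame."""
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    udp_len = struct.unpack("!H", frame[14 + ihl + 4:14 + ihl + 6])[0]
    udp = frame[14 + ihl:14 + ihl + udp_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)  # src, dst, zero, proto 17, length
    expected = 0xFFFF ^ ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return stored, expected, ones_complement_sum(pseudo)
```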


Snort-users mailing list
Snort-users () lists sourceforge net