Snort mailing list archives
Re: Snort UDP traffic in loopback interface
From: "Lowe, Richard B" <Richard.B.Lowe () CenturyLink com>
Date: Thu, 12 Dec 2013 07:50:50 +0000
Try adding your loopback IP to the $HOME_NET variable in the config and see if that fixes your issue.

From: evalues evalues [mailto:evalues.es () gmail com]
Sent: Wednesday, December 11, 2013 10:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort UDP traffic in loopback interface

Hi,

when I set Snort to listen in Loopback interface it doesn't trigger alerts for UDP rules. The same rules in eth0 interface work perfectly. Besides, TCP and ICMP alerts also work in Loopback interface.

If I run Snort in sniffer mode I can view the datagram, but the alerts are not triggered.

This is an example of an SNMP datagram that should raise an alert:

(snort decoder) WARNING: Bad Traffic Same Src/Dst IP
(snort decoder) WARNING: Bad Traffic Loopback IP
12/11-07:37:30.785801 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x59
127.0.0.1:59796 -> 127.0.0.1:162 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:75 DF
Len: 47
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
0x0010: 00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00  .K..@.@.<.......
0x0020: 00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04  .......7.J0-....
0x0030: 09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06  .Visitante....+.
0x0040: 01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01  ....&@..........
0x0050: 01 43 04 04 9E 5A F2 30 00                       .C...Z.0.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Can someone help me?

Thank you very much.
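An added check, not part of the original thread: the script below rebuilds the frame from the hex dump quoted in this message and verifies its IPv4 header and UDP checksums, which is worth doing because Snort's checksum_mode setting (or the -k command-line option) decides whether packets with bad checksums are inspected. The function names are illustrative; the bytes are copied from the dump above.

```python
import struct

# Bytes copied from the hex dump quoted above (offset and ASCII columns dropped).
DUMP = """
00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00
00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04
09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06
01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01
01 43 04 04 9E 5A F2 30 00
"""

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_frame(frame: bytes) -> dict:
    """Verify the IPv4 header and UDP checksums of an Ethernet/IPv4/UDP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet frame carrying IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    udp_len, stored = struct.unpack("!HH", udp[4:8])
    # Pseudo-header: source IP, destination IP, zero, protocol, UDP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    expected = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF or 0xFFFF
    return {
        "ip_header_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "udp_stored": stored,
        "udp_expected": expected,
        # A stored value of 0 means "no checksum" for UDP over IPv4.
        "udp_ok": stored in (0, expected),
        # True when the field holds only the pseudo-header sum (payload not summed).
        "udp_is_pseudo_header_sum": stored == ones_complement_sum(pseudo),
    }

if __name__ == "__main__":
    for key, value in check_frame(bytes.fromhex("".join(DUMP.split()))).items():
        print(f"{key}: {value:#06x}" if type(value) is int else f"{key}: {value}")
```

For this dump the IPv4 header checksum verifies, but the stored UDP checksum is 0xFE4A while the computed value is 0x96A2; the stored value equals the bare pseudo-header sum.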
Current thread:
- Snort UDP traffic in loopback interface evalues evalues (Dec 11)
- Re: Snort UDP traffic in loopback interface rmkml (Dec 11)
- Re: Snort UDP traffic in loopback interface evalues evalues (Dec 12)
- Re: Snort UDP traffic in loopback interface Максим Завилов (Dec 13)
- Re: Snort UDP traffic in loopback interface Joel Esler (jesler) (Dec 13)
- Re: Snort UDP traffic in loopback interface evalues evalues (Dec 12)
- Re: Snort UDP traffic in loopback interface rmkml (Dec 11)
- Re: Snort UDP traffic in loopback interface Lowe, Richard B (Dec 12)