[Snort-sigs] SID 528
warchild at ...288...
Fri Feb 15 17:41:25 EST 2002
alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; sid:528; rev:2;)
Loopback (aka, "localhost") traffic was detected on your listening
Possible ACL bypass, DOS attempt, system recon.
Traffic destined-to/coming-from the loopback interface (127.0.0.1/8)
As part of a possibly more intense attack, an attacker may attempt to
deny a legitimate system of service by spoofing loopback traffic.
This may give an attacker more information about system
(mis)configurations. This loopback traffic may appear as semi-legit
traffic, whereas other cases may bring fragmented, out-of-band, and
In the best case, this may simply be a system misconfiguration as
opposed to a potential hostile attack.
Ease of Attack:
Fairly trivial if elevated system privileges are obtained. Packets
can easily be crafted to have a source/destination IP resembling the
loopback. The difficulty is finding situations where loopback traffic
is not properly filtered.
None, so long as you are not running snort on the loopback interface.
Apply proper ingress/egress filtering at all areas of your network.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
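
The condition the rule above tests, as an added example that is not part of the original message or of Snort itself: a check that flags any IPv4 packet with a source or destination in 127.0.0.0/8 seen on a non-loopback interface, and skips the loopback interface as the message's remark about running snort there suggests. The interface names, function names and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")  # network from the rule
LOOPBACK_IFACES = {"lo", "lo0"}  # assumption: local loopback interface names


def build_ipv4_header(src, dst, proto=1):
    """Constructed sample data: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_addrs(packet):
    """Return (src, dst) from a raw IPv4 packet, or None if it does not parse."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]))


def check_loopback(iface, packet):
    """Return an alert string if either endpoint is in 127.0.0.0/8, else None."""
    if iface in LOOPBACK_IFACES:  # sensor on loopback: such traffic is expected
        return None
    addrs = parse_ipv4_addrs(packet)
    if addrs is None:
        return None
    src, dst = addrs
    hits = [side for side, ip in (("src", src), ("dst", dst))
            if ip in LOOPBACK_NET]
    if not hits:
        return None
    return f"loopback address on {iface}: {src} -> {dst} ({'/'.join(hits)})"


if __name__ == "__main__":
    # Constructed samples: (capture interface, raw packet bytes).
    samples = [
        ("eth0", build_ipv4_header("127.0.0.1", "192.0.2.10")),
        ("eth0", build_ipv4_header("198.51.100.7", "127.255.255.254")),
        ("eth0", build_ipv4_header("198.51.100.7", "192.0.2.10")),
        ("lo", build_ipv4_header("127.0.0.1", "127.0.0.1")),
    ]
    for iface, pkt in samples:
        print(iface, check_loopback(iface, pkt) or "ok")
```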