[Snort-sigs] SID 528

Warchild warchild at ...288...
Fri Feb 15 17:41:25 EST 2002

alert ip any any <> any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; sid:528; rev:2;)

Loopback (aka, "localhost") traffic was detected on your listening

Possible ACL bypass, DOS attempt, system recon.

Detailed Information:
Traffic destined-to/coming-from the loopback interface (
was detected.  

Attack Scenarios:
As part of a possibly more intense attack, an attacker may attempt to
deny a legitimate system of service by spoofing loopback traffic.
This may give an attacker more information about system
(mis)configurations.  This loopback traffic may appear as semi-legit
traffic, whereas other cases may bring fragmented, out-of-band, and
malformed traffic. 

In the best case, this may simply be a system misconfiguration as
opposed to a potential hostile attack. 

Ease of Attack:
Fairly trivial if elevated system privileges are obtained.  Packets
can easily be crafted to have a source/destination IP resembling the
loopback.  The difficulty is finding situations where loopback traffic
is not properly filtered.

False Positives:
None, so long as you are not running snort on the loopback interface.

False Negatives:

Corrective Action:
Apply proper ingress/egress filtering at all areas of your network.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:
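
The check this signature describes, as an added example that is not part of the original post or of Snort itself: it parses raw IPv4 headers, flags a loopback address in either direction (the rule's `<>`), and skips captures taken on the loopback interface, which is the false-positive case noted above. The 127.0.0.0/8 block, the interface names, and the sample packets are assumptions constructed for the example; the archived rule text elides its address.

```python
import ipaddress
import struct

# Assumption: the standard IPv4 loopback block; the archived rule elides its address.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_ipv4_addrs(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if it cannot be parsed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def loopback_alert(iface: str, packet: bytes, loopback_ifaces=("lo", "lo0")):
    """Mirror the bidirectional (<>) match: alert when either address is loopback."""
    if iface in loopback_ifaces:
        return None  # sensor is on the loopback interface: this traffic is expected
    addrs = parse_ipv4_addrs(packet)
    if addrs is None:
        return None
    src, dst = addrs
    hits = [name for name, a in (("src", src), ("dst", dst)) if a in LOOPBACK_NET]
    if not hits:
        return None
    return f"BAD TRAFFIC loopback traffic on {iface}: {src} -> {dst} ({'+'.join(hits)})"


def build_header(src: str, dst: str) -> bytes:
    """Constructed sample input: a minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


SAMPLES = [  # constructed records: (capture interface, raw header)
    ("eth0", build_header("127.0.0.1", "192.0.2.10")),
    ("eth0", build_header("198.51.100.7", "127.255.255.254")),
    ("eth0", build_header("198.51.100.7", "192.0.2.10")),
    ("lo", build_header("127.0.0.1", "127.0.0.1")),
]

if __name__ == "__main__":
    for iface, pkt in SAMPLES:
        print(iface, loopback_alert(iface, pkt))
```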
