[Snort-sigs] SID 528

Warchild warchild at ...288...
Fri Feb 15 17:41:25 EST 2002


Rule:
alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; sid:528; rev:2;)
--
Sid:
528

--
Summary:
Loopback (aka, "localhost") traffic was detected on your listening
interface.

--
Impact:
Possible ACL bypass, DOS attempt, system recon.

--
Detailed Information:
Traffic destined-to/coming-from the loopback interface (127.0.0.1/8)
was detected.  

--
Attack Scenarios:
As part of a possibly more intense attack, an attacker may attempt to
deny a legitimate system of service by spoofing loopback traffic.
This may give an attacker more information about system
(mis)configurations.  This loopback traffic may appear as semi-legit
traffic, whereas other cases may bring fragmented, out-of-band, and
malformed traffic. 

In the best case, this may simply be a system misconfiguration as
opposed to a potential hostile attack. 

--
Ease of Attack:
Fairly trivial if elevated system privileges are obtained.  Packets
can easily be crafted to have a source/destination IP resembling the
loopback.  The difficulty is finding situations where loopback traffic
is not properly filtered.

--
False Positives:
None, so long as you are not running snort on the loopback interface.

--
False Negatives:
None.

--
Corrective Action:
Apply proper ingress/egress filtering at all areas of your network.

--
Contributors:
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

-- 
Additional References:
http://rr.sans.org/firewall/egress.php
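
Added example (not part of the original post or of Snort): a triage check that applies the rule's bidirectional 127.0.0.0/8 match to raw IPv4 headers and sets aside the false-positive case of a sensor listening on loopback. The interface names, helper names and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # network used by SID 528


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) for sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_addrs(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if it is not valid."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def matches_sid_528(packet: bytes, iface: str,
                    loopback_ifaces=("lo", "lo0")) -> bool:
    """True when either address is in 127.0.0.0/8 (the rule's '<>' operator)
    and the capture interface is not loopback (assumed names lo/lo0)."""
    if iface in loopback_ifaces:
        return False  # expected traffic: the documented false-positive case
    addrs = parse_ipv4_addrs(packet)
    if addrs is None:
        return False
    src, dst = addrs
    return src in LOOPBACK or dst in LOOPBACK


# Constructed samples: (capture interface, raw header)
SAMPLES = [
    ("eth0", build_ipv4_header("127.0.0.1", "192.0.2.10")),     # loopback source
    ("eth0", build_ipv4_header("198.51.100.7", "127.10.20.30")),  # loopback dest
    ("eth0", build_ipv4_header("198.51.100.7", "192.0.2.10")),  # normal traffic
    ("lo", build_ipv4_header("127.0.0.1", "127.0.0.1")),        # sensor on loopback
]

if __name__ == "__main__":
    for iface, pkt in SAMPLES:
        print(iface, parse_ipv4_addrs(pkt), matches_sid_528(pkt, iface))
```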



