[Snort-sigs] update docs for sid 528

Jon Hart warchild at ...288...
Thu Sep 11 00:58:04 EDT 2003


Hi,

I think it would be good for sid 528, which is used to detect loopback
traffic on your network, to be updated to reflect a stupid bug that
affects what looks to be most versions of SunOS and Solaris (2.6, 7, 8
and 9 at least).

The bug is described starting here:

http://www.netsys.com/focus-sun/2002/07/msg00026.html

and continues more here:

http://www.netsys.com/focus-sun/2002/08/msg00000.html

The bug still exists.  There are two very common occasions where I see
loopback traffic on a network, or hear of people seeing loopback traffic
on a network.  First is when a worm/virus/attacker uses a loopback
address as the source of his attacks as an attempt to hide himself.
Second is when a Sun box, for whatever reason, decides to contact a host
that resolves to an IP in 127.0.0.0/8.  This happens quite often,
especially when people try to mitigate spam by setting their MX to a
loopback address.  It will also work for any type of IP traffic.  Just
try it.  Fire up good 'ole CDE and try to telnet to 127.0.0.5 port 25.
Watch on your sensor as the loopback traffic is spewed out onto the net.

This is a fairly common false positive, and it's not a misconfiguration
issue as this is the way Sun ships its OS by default, so I think a quick
update to the false positive section for this sig is in order.

-jon
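The two loopback cases the post distinguishes (a loopback address used as a spoofed source, versus a real host talking to a name that resolved into 127.0.0.0/8, as the Sun/Solaris behaviour does) look different on the wire, and an analyst can separate them before deciding whether a sid 528 hit is the false positive described above. The following triage helper is an added example, not code from the post or from the Snort project: it parses Snort "fast" alert lines and reports which side of each flow is in 127.0.0.0/8. The alert lines, addresses and the rule message text in `SAMPLE_ALERTS` are constructed samples; the sid filter defaults to 528 because that is the signature the post is about.

```python
"""Triage helper for loopback-traffic alerts (Snort sid 528).

Added example, not part of the original post. Parses Snort 'fast' alert
lines and reports which side of the flow is in 127.0.0.0/8:
  * loopback SOURCE, real destination  -> spoofed source, investigate
  * real source, loopback DESTINATION  -> matches the Sun/Solaris
    behaviour described in the post (host reached a name in 127/8)
"""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Matches "[gid:sid:rev] msg [**] ... {PROTO} SRC[:PORT] -> DST[:PORT]".
# Ports are optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if the
    line is not in that format."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    return fields


def classify(alert):
    """Label a parsed alert by which endpoint(s) sit in 127.0.0.0/8."""
    src_lo = alert["src"] in LOOPBACK
    dst_lo = alert["dst"] in LOOPBACK
    if src_lo and dst_lo:
        return "both-loopback"
    if src_lo:
        return "spoofed-loopback-source"
    if dst_lo:
        # Real host talking to a loopback destination: the pattern the
        # post attributes to Sun/Solaris resolving a name into 127/8.
        return "loopback-destination"
    return "not-loopback"


def triage(lines, sid="528"):
    """Classify every alert carrying the given sid.

    Returns a list of (src, dst, verdict) tuples; other sids and
    unparseable lines are skipped."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] != sid:
            continue
        results.append((str(alert["src"]), str(alert["dst"]), classify(alert)))
    return results


# Constructed sample alerts (timestamps, hosts and msg text are made up).
SAMPLE_ALERTS = [
    "09/11-00:58:04.000001  [**] [1:528:5] BAD-TRAFFIC loopback traffic [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 10.1.2.3:43210 -> 127.0.0.5:25",
    "09/11-00:58:05.000002  [**] [1:528:5] BAD-TRAFFIC loopback traffic [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 127.0.0.1:1234 -> 10.1.2.9:80",
    "09/11-00:58:06.000003  [**] [1:528:5] BAD-TRAFFIC loopback traffic [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{ICMP} 127.0.0.1 -> 127.0.0.1",
    "09/11-00:58:07.000004  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 3] {UDP} 10.1.2.3:5353 -> 10.1.2.255:5353",
]

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_ALERTS):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The first sample (a 10/8 host connecting to 127.0.0.5:25, the telnet-to-port-25 experiment from the post) comes out as `loopback-destination`; whether it is the Sun false positive still depends on checking that the source really is a Sun box and what name it resolved, so the verdict is a sorting aid rather than an automatic dismissal. A loopback source with a real destination is the spoofing case and should keep its priority.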