[Snort-sigs] update docs for sid 528
warchild at ...288...
Thu Sep 11 00:58:04 EDT 2003
I think it would be good for sid 528, which is used to detect loopback
traffic on your network, to be updated to reflect a stupid bug that
affects what looks to be most versions of SunOS and Solaris (2.6, 7, 8
and 9 at least).
The bug is described starting here:
and continues more here:
The bug still exists. There are two very common occasions where I see
loopback traffic on a network, or hear of people seeing loopback traffic
on a network. First is when a worm/virus/attacker uses a loopback
address as the source of his attacks as an attempt to hide himself.
Second is when a Sun box, for whatever reason, decides to contact a host
that resolves to an IP in 127.0.0.0/8. This happens quite often,
especially when people try to mitigate spam by setting their MX to a
loopback address. It will also work for any type of IP traffic. Just
try it. Fire up good ol' CDE and try to telnet to 127.0.0.5 port 25.
Watch on your sensor as the loopback traffic is spewed out onto the net.
This is a fairly common false positive, and it's not a misconfiguration
issue as this is the way Sun ships its OS by default, so I think a quick
update to the false positive section for this sig is in order.
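An added example, not part of the original post or of the Snort rule set: a small triage helper that separates the two cases described above, packets with a loopback source address (the spoofing case) from packets sent by a host on the wire to 127.0.0.0/8 (the Sun behaviour), and counts which hosts produce the latter. The packet records are constructed, not captured.

```python
import ipaddress
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample of what a sensor might see: (src, dst, dst_port).
SAMPLE = [
    ("127.0.0.1", "192.0.2.10", 80),      # spoofed loopback source
    ("192.0.2.7", "127.0.0.5", 25),       # a host connecting to a loopback MX
    ("192.0.2.7", "127.0.0.5", 25),
    ("198.51.100.4", "192.0.2.10", 443),  # ordinary traffic, no hit
]


def classify(src, dst):
    """Label why a packet would trip a loopback-traffic rule, or None if it would not."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LOOPBACK and d in LOOPBACK:
        return "both-loopback"
    if s in LOOPBACK:
        # A 127/8 source on the wire cannot be answered; treat as spoofed.
        return "loopback-source"
    if d in LOOPBACK:
        # A real host leaking connections to 127/8, the case the post describes.
        return "loopback-destination"
    return None


def summarize(packets):
    """Count hits per label, and per source host for the loopback-destination
    case, so a single misbehaving host stands out from scattered spoofed sources."""
    labels = Counter()
    talkers = Counter()
    for src, dst, _port in packets:
        label = classify(src, dst)
        if label is None:
            continue
        labels[label] += 1
        if label == "loopback-destination":
            talkers[src] += 1
    return labels, talkers


if __name__ == "__main__":
    labels, talkers = summarize(SAMPLE)
    print(dict(labels))
    print(dict(talkers))
```

A host that dominates the loopback-destination count is a candidate for the false positive described above rather than for a spoofing alert.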