[Snort-sigs] sig 528 false positive

Matthew Watchinski mwatchinski at ...435...
Wed Jul 14 20:46:58 EDT 2004


Not really a false positive. Loopback traffic on the wire isn't a good thing.

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address.  A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700 <http://www.faqs.org/rfcs/rfc1700.html>, page 5].


cheers,
-matt

Dan Heideman wrote:

> Just sending false positive info on sig 528.
> Sorry if it's redundant.
>
> - Dan
>
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
> Rule:  bad-traffic loopback traffic
> -- 
> Sid:
> 528
> -- 
> Summary:
>
> -- 
> Impact:
>
> -- 
> Detailed Information:
>
> -- 
> Affected Systems:
>
> -- 
> Attack Scenarios:
>
> -- 
> Ease of Attack:
>
> -- 
> False Positives:
> When ices and icecast reside on the same server, this sig will be 
> triggered.
> -- 
> False Negatives:
>
> -- 
> Corrective Action:
>
> -- 
> Contributors:
>
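
The distinction drawn in the reply above (127.0.0.0/8 addresses inside a host versus on the wire), as an added example that is not part of the original thread or of Snort's code. The function names, the `on_loopback_iface` flag and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# The block quoted in the reply: reserved for host loopback.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def build_ipv4_header(src, dst, proto=6):
    """Constructed sample input: a minimal 20-byte IPv4 header (checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


def loopback_fields(packet):
    """Return which of 'src'/'dst' carry an address inside 127.0.0.0/8."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    # Source and destination sit at fixed offsets, before any IP options.
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return [n for n, a in (("src", src), ("dst", dst)) if a in LOOPBACK_NET]


def triage(packet, on_loopback_iface):
    """Classify a packet the way an analyst would when reviewing this alert.

    on_loopback_iface is a hypothetical flag supplied by the capture setup:
    True when the packet was read from the host's own loopback interface.
    """
    fields = loopback_fields(packet)
    if not fields:
        return "no-match"
    # Two local services talking over 127.0.0.1 never leave the host.
    if on_loopback_iface:
        return "local-loopback"
    # Anything in 127.0.0.0/8 seen on a real network segment is anomalous.
    return "loopback-on-wire"
```
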




