[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Lutz Schildt ls at ...2172...
Mon Aug 7 11:51:49 EDT 2006


Hi everyone,

I just had Snort alerting me about this:


> #(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150]  (snort decoder) Bad Traffic Loopback IP
> IPv4: 72.30.*.* -> 195.90.*.*
> TCP:  port=* -> dport: * chksum=0
> Payload:  length = 195
> 
> 000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20   GET /robots.txt
> 010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20   HTTP/1.0..Host:

It's valid HTTP traffic, why would snort tell me it's Bad Loopback
Traffic? It's the first time in about 4 years of snort that this
happened. Is it maybe because chksum=0?

Kind regards

Lutz Schildt




