[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Todd Wease twease at ...435...
Mon Aug 7 15:19:23 EDT 2006


On Mon, 2006-08-07 at 17:51 +0200, Lutz Schildt wrote:
> Hi everyone,
> 
> I just had Snort alerting me about this:
> 
> 
> > #(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150]  (snort decoder) Bad Traffic Loopback IP
> > IPv4: 72.30.*.* -> 195.90.*.*
> > TCP:  port=* -> dport: * chksum=0
> > Payload:  length = 195
> > 
> > 000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20   GET /robots.txt
> > 010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20   HTTP/1.0..Host:
> 
> It's valid HTTP traffic, why would snort tell me it's Bad Loopback
> Traffic? It's the first time in about 4 years of snort that this
> happened. Is it maybe because chksum=0?
> 
> Kind regards
> 
> Lutz Schildt

This alert only occurs if either the source or destination IP starts
with 127.  It's a decoder alert and isn't fired by any of the rules but
only if you have specified that decoding issues should be alerted upon.
Decoding alerts can be turned off by adding the line

config disable_decode_alerts

to your snort.conf file.


Todd
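
The condition described in the reply above (source or destination address starting with 127), as an added example that is not part of the original message and is not Snort's own decoder code. The function names, result codes and sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; LB_SRC and LB_DST combine into LB_BOTH. */
enum lb_result { LB_MALFORMED = -1, LB_NONE = 0, LB_SRC = 1, LB_DST = 2, LB_BOTH = 3 };

/* Inspect a raw IPv4 header and report which address, if any, lies in
 * 127.0.0.0/8. Such addresses should never appear on the wire. */
enum lb_result check_loopback(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return LB_MALFORMED;            /* truncated or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len)
        return LB_MALFORMED;            /* header length field is inconsistent */
    int r = LB_NONE;
    if (pkt[12] == 127) r |= LB_SRC;    /* source address, bytes 12..15 */
    if (pkt[16] == 127) r |= LB_DST;    /* destination address, bytes 16..19 */
    return (enum lb_result)r;
}

/* Build a minimal 20-byte IPv4/TCP header (constructed sample, checksum left 0). */
void build_hdr(uint8_t h[20], const uint8_t src[4], const uint8_t dst[4])
{
    memset(h, 0, 20);
    h[0] = 0x45;                        /* version 4, IHL 5 words */
    h[3] = 20;                          /* total length */
    h[8] = 64;                          /* TTL */
    h[9] = 6;                           /* protocol: TCP */
    memcpy(h + 12, src, 4);
    memcpy(h + 16, dst, 4);
}

int main(void)
{
    /* Constructed sample addresses (documentation ranges plus loopback). */
    const uint8_t ext1[4] = {192, 0, 2, 10}, ext2[4] = {198, 51, 100, 7};
    const uint8_t lo[4] = {127, 0, 0, 1};
    uint8_t h[20];

    build_hdr(h, ext1, ext2);
    printf("external -> external: %d\n", check_loopback(h, sizeof h));
    build_hdr(h, lo, ext2);
    printf("loopback -> external: %d\n", check_loopback(h, sizeof h));
    return 0;
}
```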




