[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Lutz Schildt ls at ...2172...
Mon Aug 7 18:56:59 EDT 2006


Hi again,

On Monday, 07.08.2006, at 18:19 +0200, rmkml wrote:
> Hi Lutz,
> one or two ip ending with .0 ? (72.30.x.0)
> Regards
> Rmkml

Both don't end with 0.

On Monday, 07.08.2006, at 18:19 +0200, Todd Wease wrote:
> This alert only occurs if either the source or destination ip starts
> with 127.  It's a decoder alert and isn't fired by any of the rules
> but only if you have specified that decoding issues should be alerted
> upon.
> Decoding alerts can be turned off by adding the line
> 
> config disable_decode_alerts

I don't want to deactivate those alerts, I know what Loopback traffic is.
And that is exactly why this bothers me. It shouldn't be alerted by
snort because it is not Loopback traffic.

But I see I'm not the only one that is seeing alerts that shouldn't be
there. Frank, I do have other (real) loopback traffic here, that doesn't
have chksum=0. Either chksum=0 is causing the alert, but more likely is
that snort somehow displays the chksum wrong as a "side effect". As this
is normal and valid traffic I pretty much doubt the chksum of the packet
itself was wrong or even 0.


Best regards,

Lutz Schildt
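
Added example, not part of the original message and not Snort's own code: an independent Python check of a captured IPv4 header against the two conditions discussed in this thread, namely whether either address lies in 127.0.0.0/8 and whether the stored header checksum verifies. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect_ipv4(packet: bytes) -> dict:
    """Report loopback addressing and checksum state of one IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    return {
        "src": str(src),
        "dst": str(dst),
        # The condition quoted above: source or destination starts with 127.
        "loopback": src in LOOPBACK or dst in LOOPBACK,
        "stored_checksum": struct.unpack("!H", header[10:12])[0],
        # Summing a header that includes a correct checksum yields 0.
        "checksum_valid": ipv4_checksum(header) == 0,
    }

def build_header(src: str, dst: str, checksum=None) -> bytes:
    """Constructed 20-byte test header (TCP, TTL 64, no payload)."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    if checksum is None:
        checksum = ipv4_checksum(raw)       # checksum field is zero here
    return raw[:10] + struct.pack("!H", checksum) + raw[12:]

if __name__ == "__main__":
    samples = [
        build_header("192.0.2.10", "198.51.100.7"),              # normal
        build_header("127.0.0.1", "192.0.2.10"),                 # loopback source
        build_header("192.0.2.10", "198.51.100.7", checksum=0),  # chksum=0
    ]
    for pkt in samples:
        print(inspect_ipv4(pkt))
```

Running this over the raw header bytes of an alerted packet shows whether the addresses and checksum on the wire match what the alert output displays.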




