[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Michael Scheidell scheidell at ...249...
Tue Aug 8 08:00:01 EDT 2006


> -----Original Message-----
> From: snort-sigs-bounces at lists.sourceforge.net 
> [mailto:snort-sigs-bounces at lists.sourceforge.net] On Behalf 
> Of Lutz Schildt
> Sent: Monday, August 07, 2006 11:52 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Loopback Traffic from and to non Loopback-IP
> 
> 
> Hi everyone,
> 
> I just had Snort alerting me about this:
> 
> 
> > #(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150]  (snort decoder) Bad Traffic Loopback IP
> > IPv4: 72.30.*.* -> 195.90.*.*
> > TCP:  port=* -> dport: * chksum=0
> > Payload:  length = 195
> > 
> > 000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20   GET /robots.txt
> > 010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20   HTTP/1.0..Host:
> 
> It's valid HTTP traffic, why would snort tell me it's Bad 
> Loopback Traffic? It's the first time in about 4 years of 
> snort that this happened. Is it maybe because chksum=0?
> 
Since 127.0.0.1 isn't involved in this packet, I would suggest MAYBE
that snort has lost some packets.

Run SIGUSR1 on snort, look at logs for statistics and see if you can see
snort missing traffic.

If it does, try to upgrade/update, modify, change.
(google for help, many many reasons, depending on os, config, etc)
-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
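
The check suggested in the reply above, as an added example that is not part of the original post: after Snort receives SIGUSR1, parse its packet counters and flag any drops. The summary-line format ("Snort received N packets", "Dropped: N(P%)") is an assumption based on Snort 2.x output, the function names are hypothetical, and the sample statistics are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check Snort statistics for drops.
# ASSUMPTION: Snort 2.x-style summary lines such as "Dropped: N(P%)";
# other versions word the summary differently.

# Constructed sample of a statistics dump, for offline use.
SAMPLE_STATS='Snort received 184220 packets
    Analyzed: 181034(98.271%)
    Dropped: 3186(1.729%)'

# Hypothetical helper: ask a running Snort (PID in $1) to dump statistics.
request_snort_stats() {
    kill -USR1 "$1"
}

# Read a statistics dump on stdin, print "received analyzed dropped".
# Tolerates a syslog prefix in front of each line. Exits 2 if incomplete.
parse_snort_stats() {
    awk '
        # First integer that follows key in line s, or "" if key is absent.
        function num_after(s, key,    i, rest) {
            i = index(s, key)
            if (i == 0) return ""
            rest = substr(s, i + length(key))
            if (match(rest, /[0-9]+/)) return substr(rest, RSTART, RLENGTH)
            return ""
        }
        {
            if ((v = num_after($0, "Snort received")) != "") recv = v
            if ((v = num_after($0, "Analyzed:")) != "") ana = v
            if ((v = num_after($0, "Dropped:")) != "") drop = v
        }
        END {
            if (recv == "" || ana == "" || drop == "") exit 2
            print recv, ana, drop
        }'
}

# Exit 0 when nothing was dropped, 1 when packets were dropped,
# 2 when no complete statistics block was found on stdin.
check_snort_drops() {
    stats=$(parse_snort_stats) || return 2
    set -- $stats
    if [ "$3" -gt 0 ]; then
        echo "snort dropped $3 of $1 packets"
        return 1
    fi
    echo "no drops in $1 packets"
}
```

Pipe the lines Snort logs after the signal into `check_snort_drops`; an exit status of 1 means the sensor was missing traffic when the statistics were taken.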