[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Frank Knobbe frank at ...1978...
Mon Aug 7 13:53:11 EDT 2006


On Mon, 2006-08-07 at 17:51 +0200, Lutz Schildt wrote:
> Hi everyone,
> 
> I just had Snort alerting me about this:
> 
> 
> > #(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150]  (snort
> > decoder) Bad Traffic Loopback IP
> > IPv4: 72.30.*.* -> 195.90.*.*
> > TCP:  port=* -> dport: * chksum=0
> > Payload:  length = 195
> > 
> > 000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20
> > GET /robots.txt
> > 010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20
> > HTTP/1.0..Host:
> 
> It's valid HTTP traffic, why would snort tell me it's Bad Loopback
> Traffic? It's the first time in about 4 years of snort that this
> happened. Is it maybe because chksum=0?

AHA!! 

I had a rash of weird preprocessor alerts myself recently. "(snort
decoder) Bad Traffic Same Src/Dst IP" when in fact the IP addresses
were not the same. It reached levels that were driving me nuts so I
suppressed that preproc alert completely. The actual rules for
Same-Src/Dst traffic never fired.

Looking at these packets, all of them have an IP header and TCP header
checksum of 0.

The question is if that is the cause for the alert, or if the
preprocessor just doesn't report the checksum correctly.

Anyone else seeing this?

Regards,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
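
Added example, not part of the original message and not Snort's own code: one way to check a captured IPv4 header by hand, to see whether the addresses really are loopback or identical and whether the stored header checksum is zero or invalid. The function names and the sample headers (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def triage_ipv4_header(packet: bytes) -> dict:
    """Report address and checksum facts for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = packet[:ihl]
    src = ipaddress.IPv4Address(header[12:16])
    dst = ipaddress.IPv4Address(header[16:20])
    return {
        "src": str(src),
        "dst": str(dst),
        "stored_checksum": struct.unpack("!H", header[10:12])[0],
        # A correct header sums to 0xFFFF with the checksum field included.
        "checksum_valid": ones_complement_sum(header) == 0xFFFF,
        "loopback": src.is_loopback or dst.is_loopback,
        "same_src_dst": src == dst,
    }


def build_header(src: str, dst: str, fill_checksum: bool) -> bytes:
    """Constructed 20-byte TCP/IPv4 header for the demo (not captured data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    if fill_checksum:
        csum = ~ones_complement_sum(hdr) & 0xFFFF
        hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr


if __name__ == "__main__":
    # Same addresses, once with the checksum left at 0 and once filled in.
    for filled in (False, True):
        print(triage_ipv4_header(
            build_header("192.0.2.10", "198.51.100.20", filled)))
```

Feeding it the raw IP header bytes of an alerting packet shows the address conditions and the checksum condition separately.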
