[Snort-sigs] Loopback Traffic from and to non Loopback-IP

Frank Knobbe frank at ...1978...
Mon Aug 7 19:12:07 EDT 2006


On Tue, 2006-08-08 at 00:56 +0200, Lutz Schildt wrote:
> But I see I'm not the only one that is seeing alerts that shouldn't be
> there. Frank, I do have other (real) loopback traffic here, that doesn't
> have chksum=0. Either chksum=0 is causing the alert, but more likely is
> that snort somehow displays the chksum wrong as a "side effect". As this
> is normal and valid traffic I pretty much doubt the chksum of the packet
> itself was wrong or even 0.

Lutz,

I do see valid Loop-traffic on occasion where the preprocessor and the
signature alerts. However, on the latest events, the alerts were not
valid. The source and destination addresses were different, yet the
preprocessor alerted that they were the same. Sorry, if that wasn't
clear.

Cheers,
Frank






More information about the Snort-sigs mailing list