[Snort-users] MISC loopback traffic

Joshua Wright Joshua.Wright at ...2031...
Fri Nov 16 12:08:08 EST 2001


I saw this alert when I processed a file capture of a SYN Flood attack.  The
SYN flood tool was (I deduced) simply using rand/255 for source addresses,
and therefore creating anomalous 127.x.x.x, class D, class E and networks
with 0's in them.

I would say that someone is crafting these packets.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73



-----Original Message-----
From: Tom Sevy [mailto:tsevy at ...1701...]
Sent: Friday, November 16, 2001 2:24 PM
To: 'Snort-Users eMail List (snort-users at lists.sourceforge.net)'
Subject: [Snort-users] MISC loopback traffic


I am seeing entries from Snort as shown below.  Any ideas/thoughts as to
what causes this?  I have looked in the FW logs and can't see anything that
corresponds to these snort events.

```````````````````````````````````````````````````````````````````

#1-208658| [2001-11-15 16:32:24] 127.184.201.85 [ext fw ip]   MISC loopback
traffic
#1-208672| [2001-11-15 16:36:31] 127.73.201.85 [ext fw ip]   MISC loopback
traffic
#1-208673| [2001-11-15 16:36:31] 127.95.201.85 [ext fw ip]   MISC loopback
traffic
#1-208674| [2001-11-15 16:36:32] 127.191.201.85 [ext fw ip]   MISC loopback
traffic
#1-208675| [2001-11-15 16:36:33] 127.234.201.85 [ext fw ip]   MISC loopback
traffic
#1-209055| [2001-11-15 19:09:16] 127.114.201.85 [ext fw ip]   MISC loopback
traffic
#1-209056| [2001-11-15 19:09:16] 127.119.201.85 [ext fw ip]   MISC loopback
traffic
#1-209057| [2001-11-15 19:09:17] 127.134.201.85 [ext fw ip]   MISC loopback
traffic
#1-209058| [2001-11-15 19:09:17] 127.140.201.85 [ext fw ip]   MISC loopback
traffic
#1-209059| [2001-11-15 19:09:17] 127.147.201.85 [ext fw ip]   MISC loopback
traffic
#1-209060| [2001-11-15 19:09:17] 127.154.201.85 [ext fw ip]   MISC loopback
traffic
#1-209061| [2001-11-15 19:09:18] 127.175.201.85 [ext fw ip]   MISC loopback
traffic
#1-209062| [2001-11-15 19:09:18] 127.177.201.85 [ext fw ip]   MISC loopback
traffic
#1-209063| [2001-11-15 19:09:18] 127.182.201.85 [ext fw ip]   MISC loopback
traffic
#1-209064| [2001-11-15 19:09:18] 127.185.201.85 [ext fw ip]   MISC loopback
traffic
#1-209065| [2001-11-15 19:09:18] 127.192.201.85 [ext fw ip]   MISC loopback
traffic
#1-209066| [2001-11-15 19:09:19] 127.207.201.85 [ext fw ip]   MISC loopback
traffic
#1-209067| [2001-11-15 19:09:19] 127.210.201.85 [ext fw ip]   MISC loopback
traffic
#1-209068| [2001-11-15 19:09:19] 127.212.201.85 [ext fw ip]   MISC loopback
traffic
#1-209069| [2001-11-15 19:09:19] 127.218.201.85 [ext fw ip]   MISC loopback
traffic
#1-209070| [2001-11-15 19:09:19] 127.220.201.85 [ext fw ip]   MISC loopback
traffic
#1-209071| [2001-11-15 19:09:20] 127.243.201.85 [ext fw ip]   MISC loopback
traffic
#1-209072| [2001-11-15 19:09:20] 127.245.201.85 [ext fw ip]   MISC loopback
traffic
#1-209073| [2001-11-15 19:09:20] 127.248.201.85 [ext fw ip]   MISC loopback
traffic
#1-209074| [2001-11-15 19:09:21] 127.254.201.85 [ext fw ip]   MISC loopback
traffic
#1-209038| [2001-11-15 19:09:12] 127.2.201.85 [ext fw ip]   MISC loopback
traffic
#1-209039| [2001-11-15 19:09:12] 127.4.201.85 [ext fw ip]   MISC loopback
traffic
#1-209040| [2001-11-15 19:09:13] 127.8.201.85 [ext fw ip]   MISC loopback
traffic
#1-209041| [2001-11-15 19:09:13] 127.10.201.85 [ext fw ip]   MISC loopback
traffic
#1-209042| [2001-11-15 19:09:13] 127.31.201.85 [ext fw ip]   MISC loopback
traffic
#1-209043| [2001-11-15 19:09:13] 127.34.201.85 [ext fw ip]   MISC loopback
traffic
#1-209044| [2001-11-15 19:09:14] 127.37.201.85 [ext fw ip]   MISC loopback
traffic
#1-209045| [2001-11-15 19:09:14] 127.40.201.85 [ext fw ip]   MISC loopback
traffic
#1-209046| [2001-11-15 19:09:14] 127.46.201.85 [ext fw ip]   MISC loopback
traffic
#1-209047| [2001-11-15 19:09:14] 127.63.201.85 [ext fw ip]   MISC loopback
traffic
#1-209048| [2001-11-15 19:09:15] 127.67.201.85 [ext fw ip]   MISC loopback
traffic
#1-209049| [2001-11-15 19:09:15] 127.71.201.85 [ext fw ip]   MISC loopback
traffic
#1-209050| [2001-11-15 19:09:15] 127.81.201.85 [ext fw ip]   MISC loopback
traffic
#1-209051| [2001-11-15 19:09:15] 127.85.201.85 [ext fw ip]   MISC loopback
traffic
#1-209052| [2001-11-15 19:09:16] 127.101.201.85 [ext fw ip]   MISC loopback
traffic
#1-209053| [2001-11-15 19:09:16] 127.110.201.85 [ext fw ip]   MISC loopback
traffic
#1-209054| [2001-11-15 19:09:16] 127.112.201.85 [ext fw ip]   MISC loopback
traffic

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list