[Snort-users] MISC loopback traffic

Matt Kettler mkettler at ...4108...
Fri Nov 16 12:30:14 EST 2001

This means that snort detected a packet on the ethernet wire which is from 
a loopback address. Loopback addresses are intended to be used to allow a 
process to connect to a port on the local machine without going out over 
any kind of network wire. The appearance of such an address on any network 
wire is invalid as per RFC 1700's "special addresses" section:

  (g)   {127, <any>}

          Internal host loopback address.  Should never appear outside
          a host.

See http://www.ietf.org/rfc/rfc1700.txt for the rest of that document, but 
the rest is mostly irrelevant here.

As best I know there are two cases that are likely to cause what you are 
         1) Crafted packets with spoofed addresses trying to sneak past a 
machine's IPfilter rules (only works if they are poorly written and lack 
spoof protection rules).

         2) Some bozo thought the 127.*.*.* block was prime real estate for 
private addresses, ignoring or not knowing the fact that doing so is 
invalid. The IP addresses 10.*.*.*, 192.168.*.* and one other block of IPs 
(which I forget the address of offhand) are reserved for private network 
applications, and should be used instead.

Given the large number of addresses, and the fact that none are 
(the "normal" loopback, and the best candidate for spoofing), I suspect 
case number 2 is in effect, but you should take a closer look at the 
packets to see where they are going to see if they have malicious intent, 
or are merely a foolish mistake.

At 02:24 PM 11/16/2001, you wrote:
>I am seeing entries from Snort as shown below.  Any ideas/thoughts as to
>what causes this?  I have looked in the FW logs and can't see anything that
>corresponds to these snort events.
>#1-208658| [2001-11-15 16:32:24] [ext fw ip]   MISC loopback
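
Added example, not part of the original message: a small Python triage of the reasoning in the reply, applied to source/destination pairs taken from loopback alerts. The sample pairs are constructed, and the function name and the threshold for "a large number of addresses" are assumptions.

```python
import ipaddress
from collections import Counter

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")    # RFC 1700 {127, <any>}
NORMAL_LOOPBACK = ipaddress.ip_address("127.0.0.1")

# Constructed sample: (source, destination) pairs as read from alert packet details.
SAMPLE_PAIRS = [
    ("127.0.3.10", "192.0.2.25"),
    ("127.0.3.11", "192.0.2.25"),
    ("127.0.7.200", "198.51.100.4"),
    ("203.0.113.9", "192.0.2.25"),    # not a loopback source, ignored
    ("127.0.3.10", "192.0.2.25"),
]

def triage_loopback(pairs, many_threshold=3):
    """Summarise loopback-sourced packets seen on the wire.

    many_threshold is an assumed cut-off for "a large number of addresses".
    The verdict is a triage hint only; the destinations still need review.
    """
    sources, destinations = Counter(), Counter()
    for src, dst in pairs:
        src_ip = ipaddress.ip_address(src)
        if src_ip not in LOOPBACK_NET:
            continue
        sources[src_ip] += 1
        destinations[ipaddress.ip_address(dst)] += 1

    has_normal = NORMAL_LOOPBACK in sources
    if not sources:
        verdict = "none"
    elif len(sources) >= many_threshold and not has_normal:
        # Many distinct 127.x.x.x hosts, none of them 127.0.0.1:
        # consistent with someone using the block as private address space.
        verdict = "case2"
    else:
        # Few sources, or 127.0.0.1 itself: treat as possible spoofing.
        verdict = "case1"
    return {
        "distinct_sources": len(sources),
        "has_normal_loopback": has_normal,
        "top_destinations": destinations.most_common(3),
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(triage_loopback(SAMPLE_PAIRS))
```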
