[Snort-users] Interesting traffic...
Jason.Haar at ...294...
Tue Feb 26 19:14:02 EST 2002
On Tue, Feb 26, 2002 at 04:11:35PM -0600, Mark Mason wrote:
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/26-11:25:30.667238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
> TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
> IP Options (2) => LSRR NOP
> ******S* Seq: 0x1BE3F7DA Ack: 0x0 Win: 0xFFFF TcpLen: 40
> TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0
Well, if this isn't local - I'd say it's time to reconfigure your perimeter
router. Remember: INGRESS/EGRESS FILTERS!!! :-)
OTOH, the TTL:63 implies one-hop from the sender - so that implies a LAN
Compaq Insight Manager has a lovely bug where laptops it's installed on
broadcast their services from 127.0.0.1 to 127.0.0.1 (yeah, tell me how they
did that!) - but not on those port numbers...
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
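
The checks reasoned through in the reply above (a loopback source address seen on the wire, TTL 63 read as one hop, and the LSRR option in the quoted alert), as an added Python example that is not part of the original post or of Snort. The sample alert is constructed from the quoted one with a documentation address in place of the masked destination, and the list of default initial TTLs is an assumption.

```python
import ipaddress
import re

# Constructed sample in Snort full-alert format, modelled on the quoted alert;
# the destination is a documentation address (the original was masked).
SAMPLE_ALERT = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:30.667238 127.0.0.1:15158 -> 192.0.2.10:6473
TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA Ack: 0x0 Win: 0xFFFF TcpLen: 40
"""

ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")
TTL_RE = re.compile(r"\bTTL:(\d+)")
OPTS_RE = re.compile(r"^IP Options \(\d+\) => (.+)$", re.M)
INITIAL_TTLS = (32, 64, 128, 255)  # common OS defaults (assumption)


def estimate_hops(ttl):
    """Hops travelled, assuming the sender used the nearest common default TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def triage(alert):
    """Extract the facts the reply reasons about from one alert."""
    addrs = ADDR_RE.search(alert)
    ttl = TTL_RE.search(alert)
    if not addrs or not ttl:
        raise ValueError("not a Snort full-format IP alert")
    src = ipaddress.ip_address(addrs.group(1))
    opts = OPTS_RE.search(alert)
    options = opts.group(1).split() if opts else []
    return {
        "src": str(src),
        # 127/8 should never be a source address on a real network segment
        "loopback_src_on_wire": src.is_loopback,
        # loose/strict source routing, named as in the alert's IP Options line
        "source_routed": any(o in ("LSRR", "SSRR") for o in options),
        "hops": estimate_hops(int(ttl.group(1))),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The hop estimate is only as good as the assumed initial TTL, which the sender of a crafted packet can set to anything.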