[Snort-users] Interesting traffic...

Jason Haar Jason.Haar at ...294...
Tue Feb 26 19:14:02 EST 2002


On Tue, Feb 26, 2002 at 04:11:35PM -0600, Mark Mason wrote:

> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/26-11:25:30.667238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
> TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
> IP Options (2) => LSRR NOP 
> ******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
> TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0 

Well, if this isn't local - I'd say it's time to reconfigure your perimeter
router. Remember: INGRESS/EGRESS FILTERS!!! :-)

OTOH, the TTL:63 implies one hop from the sender - so that implies a LAN
host...

Compaq Insight Manager has a lovely bug where laptops it's installed on
broadcast their services from 127.0.0.1 to 127.0.0.1 (yeah, tell me how they
did that!) - but not on those port numbers...

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417



