[Snort-users] loopback traffic on the network
tsevy at ...1701...
Wed Feb 27 06:14:02 EST 2002
I see, from time to time, on our internal network, broadcasts from 127.0.0.1
to 255.255.255.255 on port 2301. It is always (in our case) the Compaq
agents. I then use TCP-dump to find the offending MAC address, and am then
able to find the system (ie., tcpdump -ei xl0 host 127.0.0.1)
From: Chris Keladis [mailto:Chris.Keladis at ...2783...]
Sent: Wednesday, February 27, 2002 8:49 AM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] loopback traffic on the network
> I see a lot of traffic like this going through my router. All sorts of
> loopback addresses as source. The destination is a single DNS server.
Hrrmm, last i knew 127/8 was reserved (i assume only for loopback).
> Anybody knows what this could be?
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/24-16:17:04.499538 127.184.74.150:12147 -> xxx.xxx.56.98:3385
> UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
> Len: 10
> and so on...Very large number of alerts of the kind, only changing the
> destination port and source address.
> Any hints, pointers, URLs resources, anything?
Treat it as suspicious.. Perhaps get Snort to log the session to tcpdump
and analyze the network capture more closely.
> Another question: is it possible to see a regular packet on the network
> having 127.x.x.x as:
> a) source
> b) destination address
> If answer is yes, than under what condition this might be (an exapmle
> would be appreciated)
If it's possible, yes, if it's 'legal', i think no..
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users