[Snort-users] loopback traffic on the network

Tom Sevy tsevy at ...1701...
Wed Feb 27 06:14:02 EST 2002

I see, from time to time, on our internal network, broadcasts from
to on port 2301.  It is always (in our case) the Compaq
agents.  I then use TCP-dump to find the offending MAC address, and am then
able to find the system (ie., tcpdump -ei xl0 host

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis at ...2783...] 
Sent: Wednesday, February 27, 2002 8:49 AM
To: rms
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] loopback traffic on the network

rms wrote:
> I see a lot of traffic like this going through my router. All sorts of
> loopback addresses as source. The destination is a single DNS server.

Hrrmm, last i knew 127/8 was reserved (i assume only for loopback).

> Anybody knows what this could be?
> Sample:
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/24-16:17:04.499538 -> xxx.xxx.56.98:3385
> UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
> Len: 10
> and so on...Very large number of alerts of the kind, only changing the
> destination port and source address.
> Any hints, pointers, URLs resources, anything?

Treat it as suspicious.. Perhaps get Snort to log the session to tcpdump
and analyze the network capture more closely.

> Another question: is it possible to see a regular packet on the network
> having 127.x.x.x as:
> a) source
> b) destination address
> If answer is yes, than under what condition this might be (an exapmle
> would be appreciated)

If it's possible, yes, if it's 'legal', i think no..



Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list