[Snort-users] loopback traffic on the network

Tom Sevy tsevy at ...1701...
Wed Feb 27 06:14:02 EST 2002


I see, from time to time, on our internal network, broadcasts from 127.0.0.1
to 255.255.255.255 on port 2301.  It is always (in our case) the Compaq
agents.  I then use tcpdump to find the offending MAC address, and am then
able to find the system (i.e., tcpdump -ei xl0 host 127.0.0.1).

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis at ...2783...] 
Sent: Wednesday, February 27, 2002 8:49 AM
To: rms
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] loopback traffic on the network


rms wrote:
 
> I see a lot of traffic like this going through my router. All sorts of
> loopback addresses as source. The destination is a single DNS server.

Hrrmm, last I knew 127/8 was reserved (I assume only for loopback).

 
> Anybody know what this could be?
> Sample:
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/24-16:17:04.499538 127.184.74.150:12147 -> xxx.xxx.56.98:3385
> UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
> Len: 10
> 
> and so on...Very large number of alerts of the kind, only changing the
> destination port and source address.
> 
> Any hints, pointers, URLs resources, anything?

Treat it as suspicious.. Perhaps get Snort to log the session to tcpdump
and analyze the network capture more closely.

 
> Another question: is it possible to see a regular packet on the network
> having 127.x.x.x as:
> a) source
> b) destination address
> 
> If the answer is yes, then under what conditions might this be (an example
> would be appreciated)

If it's possible, yes, if it's 'legal', I think no..



Cheers,

Chris.
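
Added example (not part of the original messages): the tcpdump -e approach described at the top of this message, widened from host 127.0.0.1 to any 127.0.0.0/8 source (for instance a capture taken with the filter "src net 127.0.0.0/8"), applied to saved `tcpdump -e -n` text output. The sample lines, the MAC addresses and the 192.0.2.x addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d+\.\d+\.\d+\.\d+"
# One line of `tcpdump -e -n` text output for an IPv4 frame on Ethernet:
# "<time> <src mac> > <dst mac>, ethertype IPv4 (0x0800), length N: <src>.<port> > <dst>.<port>: ..."
LINE_RE = re.compile(
    rf"^\S+\s+(?P<smac>{MAC})\s+>\s+{MAC},\s+ethertype IPv4.*?:\s+"
    rf"(?P<sip>{IP})(?:\.\d+)?\s+>\s+(?P<dip>{IP})(?:\.\d+)?:",
    re.IGNORECASE,
)

# Constructed sample capture lines (not taken from the thread's network).
SAMPLE = """\
06:14:02.100001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 127.0.0.1.2301 > 255.255.255.255.2301: UDP, length 18
06:14:03.100002 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 127.0.0.1.2301 > 255.255.255.255.2301: UDP, length 18
06:14:04.200003 02:00:00:00:00:02 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 60: 127.184.74.150.12147 > 192.0.2.98.3385: UDP, length 2
06:14:05.300004 02:00:00:00:00:03 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1025 > 192.0.2.98.53: UDP, length 32
"""


def loopback_sources_by_mac(lines):
    """Map source MAC -> packet count and addresses for frames whose source IP is in 127/8."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4-over-Ethernet line in the expected layout
        try:
            src = ipaddress.ip_address(m["sip"])
        except ValueError:
            continue  # address text that is not a valid IPv4 address
        if src not in LOOPBACK:
            continue  # ordinary traffic, ignore
        entry = hits.setdefault(
            m["smac"].lower(), {"packets": 0, "src_ips": set(), "dst_ips": set()}
        )
        entry["packets"] += 1
        entry["src_ips"].add(m["sip"])
        entry["dst_ips"].add(m["dip"])
    return hits


if __name__ == "__main__":
    for mac, info in loopback_sources_by_mac(SAMPLE.splitlines()).items():
        print(mac, info["packets"], sorted(info["src_ips"]), "->", sorted(info["dst_ips"]))
```

The source MAC names only the last layer-2 hop: for traffic that arrived through a router, it is the router's interface, and the search has to continue on the upstream segment.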
