[Snort-users] RE: BAD-TRAFFIC Loopback traffic

JP Vossen vossenjp at ...8683...
Sat Dec 20 11:58:01 EST 2003


As a follow-up to the discussions in the list [0, 1] about Snort seeing
127.0.0.1 traffic, I thought this was interesting.  I was just playing with
NMap's new service detection feature [2] and did a scan as follows:
	From host A, run nmap -A -T4 -F 192.168.1.0/24
	Snort is on "snorter" at 192.168.1.22

I got this syslog alert; note it is ICMP, not TCP/80 or TCP/25 as previously
discussed.

Dec 20 13:53:08 snorter snort: [1:528:3] BAD TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: <eth0> {ICMP}
127.0.0.1 -> 192.168.99.0

I isolated the packet, as follows:

/tmp# snort -Xqvder snort.log.2003-12-20.pcap src 127.0.0.1
12/20-13:53:08.203033 0:6:29:A2:AB:3F -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1 -> 192.168.1.0 ICMP TTL:39 TOS:0x0 ID:36980 IpLen:20 DgmLen:28
Type:8  Code:0  ID:58555   Seq:35350  ECHO
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


The only thing not clear is IF this packet actually made it onto the wire, or
if Snort only saw it because it was loopback on the Snort host itself.
Unfortunately I will not have time to pursue this any more at the moment.

Later,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=106745650608485&w=2
[1] RHEL 3 (Taroon Beta) sendmail put 127.0.0.1 packets out on the wire with a
src or dst (I forget which) port 25. When I killed sendmail and some other
related service they went away. Presumably that was a bug and is fixed in the
released RHEL 3, but I have not tested that.
[2] http://www.insecure.org/nmap/versionscan.html
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
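As an added example (not part of the post above, and not Snort's own code), here is a small Python decoder for the hex dump in the message: it rebuilds the raw frame from the snort -X lines, pulls out the Ethernet, IPv4 and ICMP fields, and applies the same condition the loopback rule expresses as I read it (either IP address in 127.0.0.0/8). The ASCII-column handling and the rule reading are my assumptions.

```python
import ipaddress
import re
import struct

# Hex dump copied from the Snort -X output in the post above (60-byte frame).
HEX_DUMP = """\
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from snort -X dump lines: an '0xNNNN:' offset,
    up to 16 hex bytes, then an ASCII column that is skipped (assumed layout)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:            # [0] is the offset
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                           # start of the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and ICMP headers of one captured frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    info = {
        "dst_mac": frame[:6].hex(":"), "ethertype": ethertype,
        "ttl": ip[8], "proto": ip[9],
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
    }
    if ethertype == 0x0800 and ip[9] == 1:      # IPv4 carrying ICMP
        icmp = ip[ihl:]
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        info["icmp_id"], info["icmp_seq"] = struct.unpack("!HH", icmp[4:8])
    return info

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def is_loopback_traffic(info: dict) -> bool:
    """Rule condition as assumed here: either address falls in 127.0.0.0/8.
    A frame read from a physical interface should never match."""
    return any(ipaddress.ip_address(info[k]) in LOOPBACK for k in ("src", "dst"))

FRAME = hexdump_to_bytes(HEX_DUMP)

if __name__ == "__main__":
    info = decode_frame(FRAME)
    print(info, "-> loopback alert" if is_loopback_traffic(info) else "-> ok")
```

Decoding the raw bytes gives a destination of 192.168.99.0 (C0 A8 63 00), which matches the syslog alert rather than the 192.168.1.0 shown in the decoded summary line; the ICMP ID and sequence numbers match the summary exactly.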
