[Snort-users] BAD-TRAFFIC loopback traffic Alert is NOW TFTPGET passwd

Matthew L. McCarty matthew at ...10792...
Tue Dec 23 12:38:02 EST 2003


Recently I have been getting some packets like this:

#(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]  BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> my.ip.address
      hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP:  port=80 -> dport: 1853  flags=***A*R** seq=0
      ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none

I pretty much determined that they are due to the MS Blaster worm.  However,
these packets were setting off the BAD-TRAFFIC loopback traffic alert, as
would make sense. But now all of a sudden they show up in the TFTPGET passwd
alert instead.

Can anybody help with the explanation for this?


-- 
Matthew L. McCarty




