[Snort-users] BAD-TRAFFIC loopback traffic Alert is NOW TFTP
giermo at ...8381...
Tue Dec 23 13:02:02 EST 2003
Date: Tue, 23 Dec 2003 15:01:25 -0600
X-Mailer: Internet Mail Service (5.5.2653.19)
> Recently I have been getting some packets like this:
>
> #(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]
> BAD-TRAFFIC loopback
> IPv4: 127.0.0.1 -> my.ip.address
>       hlen=5 TOS=0 dlen=40 ID=64383 flags=0
> TCP:  port=80 -> dport: 1853  flags=***A*R** seq=0
>       ack=1642659841 off=5 res=0 win=0 urp=0
> Payload: none
>
> I pretty much determined that they are due to the MS Blaster worm. However,
> these packets were setting off the BAD-TRAFFIC loopback traffic Alert, as
> would make sense. But now, all of a sudden, they show up in the TFTPGET
> passwd alert instead.
> Can anybody help with the explanation for this?
Something caused your rule order to change. Snort doesn't process past
the first rule hit.
Before, the BAD-TRAFFIC rule was first; now the TFTP rule is.
Note that this has nothing (well, not entirely nothing, but close) to do
with the order the rules are read in.
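The first-hit behaviour described in the reply, as an added illustration that is not from the original thread or from Snort itself: a tiny first-match evaluator over two rules, fed a packet built from the fields in the quoted alert (127.0.0.1 -> host, TCP 80 -> 1853, flags A and R). The destination address and the second rule are constructed stand-ins; the page names the TFTP GET passwd rule but does not reproduce its match criteria, so "rule B" here is only a hypothetical rule that also matches the packet. The useful defender's check is `shadowed()`: list every rule a packet matches, because only the first one in evaluation order gets reported, and a rule that silently moves ahead of another is exactly what makes an alert "change its name".

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    """Minimal packet model covering the fields shown in the quoted alert."""
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    flags: str = ""        # TCP flag letters, e.g. "AR" for ACK+RST
    payload: bytes = b""


@dataclass
class Rule:
    sid: int
    msg: str
    matches: Callable[[Packet], bool]


# SID 528 and its message are taken from the quoted alert (url[snort/528]).
RULE_LOOPBACK = Rule(
    sid=528,
    msg="BAD-TRAFFIC loopback traffic",
    matches=lambda p: p.src_ip.startswith("127."),
)

# Hypothetical second rule (constructed for this example; SID is a placeholder).
# It stands in for whatever rule now precedes SID 528 in the poster's setup.
RULE_B = Rule(
    sid=9999999,
    msg="HYPOTHETICAL rule B that also matches this packet",
    matches=lambda p: p.proto == "tcp" and "R" in p.flags,
)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Snort 2-style semantics as described in the reply: stop at the first hit."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def alert_msg(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """The message that would be reported for this packet, or None if nothing fires."""
    hit = first_match(rules, pkt)
    return hit.msg if hit else None


def all_matches(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Every rule the packet satisfies, regardless of evaluation order."""
    return [rule for rule in rules if rule.matches(pkt)]


def shadowed(rules: List[Rule], pkt: Packet) -> List[int]:
    """SIDs that match but are never reported because an earlier rule fired first."""
    hits = all_matches(rules, pkt)
    return [rule.sid for rule in hits[1:]]


# Constructed packet mirroring the quoted alert; 192.0.2.10 stands in for
# the poster's "my.ip.address" (documentation range, not a real host).
BLASTER_RST = Packet(
    src_ip="127.0.0.1", dst_ip="192.0.2.10", proto="tcp",
    sport=80, dport=1853, flags="AR",
)

if __name__ == "__main__":
    before = [RULE_LOOPBACK, RULE_B]   # loopback rule evaluated first
    after = [RULE_B, RULE_LOOPBACK]    # order changed: rule B now comes first
    print("before:", alert_msg(before, BLASTER_RST), "shadowed:", shadowed(before, BLASTER_RST))
    print("after: ", alert_msg(after, BLASTER_RST), "shadowed:", shadowed(after, BLASTER_RST))
```

Running the block prints the loopback message for the first ordering and the hypothetical rule B message for the second, with SID 528 listed as shadowed in the latter case; the packet itself never changed, only which matching rule came first.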