[Snort-users] BAD-TRAFFIC loopback traffic Alert is NOW TFTP GET passwd

SRH-Lists giermo at ...8381...
Tue Dec 23 13:02:02 EST 2003


> Recently I have been getting some packets like this:
> 
> #(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]
> BAD-TRAFFIC loopback traffic
> IPv4: 127.0.0.1 -> my.ip.address
>       hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
> TCP:  port=80 -> dport: 1853  flags=***A*R** seq=0
>       ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
> Payload: none
> 
> I pretty much determined that they are due to the MS Blaster worm.
> However these packets were setting off the BAD-TRAFFIC loopback
> traffic Alert as would make sense. But now all of the sudden they show
> up in the TFTP GET passwd alert instead.
> 
> Can anybody help with the explanation for this?
> 

Something caused your rule order to change.  Snort doesn't process past
the first rule hit.

Before the BAD-TRAFFIC rule was first, now the TFTP rule is.

Note that this has nothing (well, not entirely nothing, but close) to do
with the order the rules are read in.

-steve
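To make the first-match point concrete, here is an added example (not Snort's code and not from either poster) that parses the alert record quoted above into its fields and runs it through a toy first-match rule evaluator. The rule model is a simplification of a Snort rule header (protocol, source, destination, ports, flags) plus an optional content match. The loopback rule's header and sid 528 are the real ones; the second rule, its local-range sid 1000001, and the destination address 192.0.2.10 are constructed for the demonstration. Swapping the order of two rules that both match the same packet changes which sid is reported, which is what a sudden change in the alert name on an unchanged packet looks like.

```python
"""Toy first-match rule evaluation over the alert quoted in the thread.

Added example; not Snort code. The rule model is a simplification of a
Snort header (proto, src, dst, ports, flags) plus an optional content match.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the alert from the thread; the redacted destination
# is replaced with a documentation address.
ALERT_TEXT = """\
#(7 - 317178) [2003-12-18 21:26:49]  url[snort/528]
BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 192.0.2.10
      hlen=5 TOS=0 dlen=40 ID=64383 flags=0 offset=0 TTL=126 chksum=51443
TCP:  port=80 -> dport: 1853  flags=***A*R** seq=0
      ack=1642659841 off=5 res=0 win=0 urp=0 chksum=52732
Payload: none
"""


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # Snort's 8-character flag string, e.g. "***A*R**"
    payload: bytes


def parse_alert(text: str) -> tuple[int, str, Packet]:
    """Extract (sid, msg, packet) from a Snort text-mode alert record."""
    lines = text.splitlines()
    sid = int(re.search(r"\[snort/(\d+)\]", lines[0]).group(1))
    msg = lines[1].strip()
    ip = re.search(r"IPv4: (\S+) -> (\S+)", text)
    tcp = re.search(r"TCP:\s+port=(\d+) -> dport: (\d+)\s+flags=(\S+)", text)
    # This toy parser only handles records that carry no payload.
    if not re.search(r"^Payload: none$", text, re.M):
        raise ValueError("only payload-less records are supported here")
    pkt = Packet("tcp", ip.group(1), ip.group(2),
                 int(tcp.group(1)), int(tcp.group(2)), tcp.group(3), b"")
    return sid, msg, pkt


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str                     # "ip" matches any transport protocol
    src: str = "any"               # "any" or a CIDR block
    dst: str = "any"
    sport: Optional[int] = None    # None means any port
    dport: Optional[int] = None
    flags: Optional[str] = None    # exact flag string, if the rule tests flags
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and _addr_ok(self.src, pkt.src) and _addr_ok(self.dst, pkt.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport)
                and self.flags in (None, pkt.flags)
                and (self.content is None or self.content in pkt.payload))


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """First-match semantics: the first rule that hits is the one reported."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def reported_sid(rules, pkt: Packet) -> Optional[int]:
    hit = first_match(rules, pkt)
    return hit.sid if hit else None


def is_spoofed_loopback(pkt: Packet) -> bool:
    """A 127/8 source seen on the wire cannot have come from a real loopback."""
    return ipaddress.ip_address(pkt.src).is_loopback


# Header of the real BAD-TRAFFIC loopback rule: alert ip 127.0.0.0/8 any -> any any
LOOPBACK = Rule(528, "BAD-TRAFFIC loopback traffic", "ip", src="127.0.0.0/8")
# Constructed local rule (hypothetical sid) that also matches the quoted packet.
RST_ACK = Rule(1000001, "LOCAL tcp ack-rst no payload", "tcp", flags="***A*R**")

if __name__ == "__main__":
    sid, msg, pkt = parse_alert(ALERT_TEXT)
    print(f"record sid={sid} msg={msg!r} spoofed_loopback={is_spoofed_loopback(pkt)}")
    print("loopback rule first:", reported_sid([LOOPBACK, RST_ACK], pkt))  # 528
    print("local rule first:   ", reported_sid([RST_ACK, LOOPBACK], pkt))  # 1000001
```

The `is_spoofed_loopback` check is the triage point regardless of which rule name appears: a packet with a 127/8 source arriving on an external interface is forged by definition, so an ingress anti-spoofing filter at the border drops it before Snort ever has to classify it.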