[Snort-users] Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80?

Jyri Hovila jyri.hovila at ...2940...
Mon Sep 1 07:20:04 EDT 2003


Hi everyone!

It (once again) seems to be impossible to get anything through to
SecurityFocus's incidents list, so I dare to take the chance and post
here. Since I wrote the following message, a third Snort sensor has also
started reporting similar traffic. I have now recorded a total of 162 of
these packets.

------------------------- original message -------------------------

Two of my Snort sensors, connected to separate ISPs, have started
reporting TCP traffic from 127.0.0.1, port 80. The first such packet was
found August the 30th at 11.57 EET/GMT+2. So far I've recorded 104 of
them. They all have A and R flags up, TTL is either 121 or 122 and
there's no payload. Destination ports appear to be randomly selected
between 1024 and 2000. Packets have been destined to all the addresses
of the /27 subnets my Snort sensors are watching. Here's a sample from
ACID:

------------------------------------------------------------------------------
#(19 - 1042) [2003-08-30 11:57:53] url[snort/528]  BAD-TRAFFIC loopback traffic

IPv4: 127.0.0.1 -> 195.197.xxx.xxx
      hlen=5 TOS=0 dlen=40 ID=3626 flags=0 offset=0 TTL=122 chksum=65362
TCP:  port=80 -> dport: 1850  flags=***A*R** seq=0
      ack=1855651841 off=5 res=0 win=0 urp=0 chksum=1623
Payload: none
------------------------------------------------------------------------------

My Snort sensors have been running for a couple of years but they've never
recorded anything similar before. Is anyone else seeing this kind of
packet? Any ideas what could be causing them?

- Jyri
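
For anyone who wants to check their own ACID output for the same traffic, the following is an added example, not part of the original post: it parses alert records in the text layout shown above and tallies those with a loopback source, source port 80, only ACK and RST set, and no payload. The second and third sample records are constructed, and the names `RECORD`, `is_loopback_rst_ack` and `summarise` are the example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Record 1 is the ACID sample from the post; records 2 and 3 are constructed.
SAMPLE = """\
#(19 - 1042) [2003-08-30 11:57:53] url[snort/528]  BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 195.197.xxx.xxx
      hlen=5 TOS=0 dlen=40 ID=3626 flags=0 offset=0 TTL=122 chksum=65362
TCP:  port=80 -> dport: 1850  flags=***A*R** seq=0
      ack=1855651841 off=5 res=0 win=0 urp=0 chksum=1623
Payload: none
#(19 - 1043) [2003-08-30 11:58:10] url[snort/528]  BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 192.0.2.17
      hlen=5 TOS=0 dlen=40 ID=3701 flags=0 offset=0 TTL=121 chksum=1111
TCP:  port=80 -> dport: 1203  flags=***A*R** seq=0
      ack=77 off=5 res=0 win=0 urp=0 chksum=2222
Payload: none
#(19 - 1044) [2003-08-30 12:01:00] url[snort/1]  constructed unrelated alert
IPv4: 198.51.100.9 -> 192.0.2.17
      hlen=5 TOS=0 dlen=60 ID=5 flags=0 offset=0 TTL=52 chksum=3333
TCP:  port=4312 -> dport: 80  flags=******S* seq=9
      ack=0 off=10 res=0 win=5840 urp=0 chksum=4444
Payload: none
"""

# One match per record; the IP-level "flags=0" is skipped because the
# TCP flags group is anchored right after "dport:".
RECORD = re.compile(
    r"IPv4:\s+(?P<src>\S+)\s+->.*?TTL=(?P<ttl>\d+)"
    r".*?TCP:\s+port=(?P<sport>\d+)\s+->\s+dport:\s+(?P<dport>\d+)"
    r"\s+flags=(?P<flags>\S{8}).*?Payload:\s+(?P<payload>\S+)",
    re.S)

def is_loopback_rst_ack(rec):
    """Loopback source, source port 80, only ACK+RST set, no payload."""
    return (ip_address(rec["src"]).is_loopback and rec["sport"] == "80"
            and rec["flags"] == "***A*R**" and rec["payload"] == "none")

def summarise(text):
    """Tally matching records by TTL and list their destination ports."""
    hits = [m.groupdict() for m in RECORD.finditer(text)]
    hits = [r for r in hits if is_loopback_rst_ack(r)]
    return {"count": len(hits),
            "ttls": Counter(int(r["ttl"]) for r in hits),
            "dports": sorted(int(r["dport"]) for r in hits)}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A TTL tally that clusters on one or two values, as in the post, is worth recording alongside the count when comparing notes between sensors.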
