[Snort-users] a lot of Loopback traffic being logged.

Chuck Holley cholley at ...11679...
Thu Apr 22 10:00:04 EDT 2004


OK, I think im on to something.  I do not use the -i option, only -c to look
at the conf.  in the conf I have for "HOME_NET 192.168.10.0/24" and a little
further down I have "HOME_NET any"

I didn't pay much attention to that earlier because they were both not
commented out by default.  Im still a little confused on how snort works. Is
this the problem? 

Thanks 

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: Thursday, April 22, 2004 12:54 PM
To: Chuck Holley; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] a lot of Loopback traffic being logged.

At 09:38 AM 4/22/2004, Chuck Holley wrote:
>"BAD-TRAFFIC loopback traffic"  I am getting a lot of this one alert on 
>127.0.0.1.  im really not sure what is causing this.  If it is faulty 
>networking or maybe a spoofer.  Now that I know im getting this, thanks to 
>SNORT, what the heck do I do about it?  Anyone ever remedy this problem?

What interface parameter are you passing to snort on the command line? -i 
any? Try forcing snort to only listen on one real ethernet interface, it 
could be sniffing your loopback interface, which naturally would have 
loopback traffic on it.









More information about the Snort-users mailing list