[Snort-users] a lot of Loopback traffic being logged.

Fred Portnoy fportnoy at ...1527...
Thu Apr 22 12:44:05 EDT 2004


We saw this too, and we were lucky enough, by sniffing upstream in the
network, to trace it back to one of our ResNet users. We shut off the
student's port and we told our ResNet folks to go clean up the machine. It
got cleaned up and turned back on. Sadly, I can't tell you more specifically
what the cause was. 

-fp


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Harry
Bloomberg
Sent: Thursday, April 22, 2004 2:27 PM
To: Chuck Holley
Cc: 'Matt Kettler'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] a lot of Loopback traffic being logged.


On Thu, 22 Apr 2004, Chuck Holley wrote:

> OK, I think im on to something.  I do not use the -i option, only -c 
> to look at the conf.  in the conf I have for "HOME_NET 
> 192.168.10.0/24" and a little further down I have "HOME_NET any"
>
   We are forcing Snort to listen to one real port only with the -i option,
and we're also seeing a *lot* of packets with a source of 127.0.0.1:80.
This was confirmed by one of our network guys who plugged another packet
sniffer into the Snort port.  This seems to be real traffic, and we're
baffled by the source.

Harry Bloomberg



-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a
limited time only, get FREE Ground shipping on all orders of $35 or more.
Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list