[Snort-users] a lot of Loopback traffic being logged.

Mark.Schutzmann at ...10438... Mark.Schutzmann at ...10438...
Thu Apr 22 15:07:05 EDT 2004


I reported this same problem earlier. I had a lot of great feedback, if you
want to search the mailing list. Recently, I had this come up again. I used
Snort in non-daemon mode to find the MAC address that was associated with
the 127.0.0.1 address, which lead me to a router (ugh!), I then had to
trace that through my WAN to another network, where we found the local MAC
and traced that to a couple of Japanese engineers who were visiting our
company and had plugged their computers into our network. Unfortunately,
because we did not have a translator and could not readily sift through
their Japanese OS computers, I still cannot say what the source program was
that caused this. I simply had to quarantine their computer away from the
corporate network. If I find a translator and the program, I will forward
this info on. Let me know what you find! I suspect some virus or trojan.
This is a fairly amateur attack to actually be running manually. Good Luck!

Best Regards,
Mark


                                                                                                                                                  
                      "Chuck Holley"                                                                                                              
                      <cholley at ...11679...>          To:       <snort-users at lists.sourceforge.net>                                           
                      Sent by:                            cc:                                                                                     
                      snort-users-admin at ...4626...        Subject:  [Snort-users] a lot of Loopback traffic being logged.                         
                      ceforge.net                                                                                                                 
                                                                                                                                                  
                                                                                                                                                  
                      04/22/2004 08:38 AM                                                                                                         
                                                                                                                                                  
                                                                                                                                                  




"BAD-TRAFFIC loopback traffic"  I am getting a lot of this one alert on
127.0.0.1.  im really not sure what is causing this.  If it is faulty
networking or maybe a spoofer.  Now that I know im getting this, thanks to
SNORT, what the heck do I do about it?  Anyone ever remedy this problem?

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley at ...11679...










More information about the Snort-users mailing list