[Snort-users] Questions on traffic

crtech crtech at ...10582...
Tue Feb 17 18:42:00 EST 2004


Hello all, hopefully someone can help a rookie out some.  I work for a small company that has a basic internet connections.  There is a router connected to the Internet connection then a firewall.  Snort is linked between the two so that it can see all traffic what is on the internet connection.  I have been seeing a lot of traffic that I have been unable to determine what it is.  Here is a copy of one alert.

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
02/17-08:33:12.453650 xx:xx:xx:xx:xx:xx -> xx:xx:xx:xx:xx:xx type:0x800 len:0x3C
127.0.0.1:80 -> xxx.xxx.xxx.xxx:1293 TCP TTL:116 TOS:0x0 ID:65095 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x35360001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]


The firewall is stopping this traffic from coming through, but I would like to see if I can stop it completely.  It's error log is:

Deny IP spoof from (127.0.0.1) to xxx.xxx.xxx.xxx on interface outside

Does anyone have any ideals on what this is and what I can do to resolve it?  

Thank You

Lynn Gustafson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040217/a20153e9/attachment.html>


More information about the Snort-users mailing list