[Snort-users] Questions on traffic
crtech at ...10582...
Tue Feb 17 18:42:00 EST 2004
Hello all, hopefully someone can help a rookie out some. I work for a small company that has a basic internet connection. There is a router connected to the Internet connection, then a firewall. Snort is linked between the two so that it can see all traffic that is on the internet connection. I have been seeing a lot of traffic that I have been unable to determine what it is. Here is a copy of one alert.
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:33:12.453650 xx:xx:xx:xx:xx:xx -> xx:xx:xx:xx:xx:xx type:0x800 len:0x3C
127.0.0.1:80 -> xxx.xxx.xxx.xxx:1293 TCP TTL:116 TOS:0x0 ID:65095 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x35360001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]
The firewall is stopping this traffic from coming through, but I would like to see if I can stop it completely. Its error log is:
Deny IP spoof from (127.0.0.1) to xxx.xxx.xxx.xxx on interface outside
Does anyone have any ideas on what this is and what I can do to resolve it?
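
Added example, not part of the original post: a small triage script that parses full-format Snort alerts like the one quoted above and counts the ones whose source address is in 127.0.0.0/8, grouped by destination, source port, TCP flags and TTL. The function names are hypothetical, and the sample alerts are constructed (masked addresses replaced with documentation-range placeholders, and the 1:0:0 alert is made up to show a non-loopback source).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the quoted alert; MACs/IPs are placeholders.
SAMPLE = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:33:12.453650 0:1:2:3:4:5 -> 0:A:B:C:D:E type:0x800 len:0x3C
127.0.0.1:80 -> 192.0.2.10:1293 TCP TTL:116 TOS:0x0 ID:65095 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x35360001 Win: 0x0 TcpLen: 20

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:33:14.101222 0:1:2:3:4:5 -> 0:A:B:C:D:E type:0x800 len:0x3C
127.0.0.1:80 -> 192.0.2.10:1761 TCP TTL:116 TOS:0x0 ID:65101 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x4A120001 Win: 0x0 TcpLen: 20

[**] [1:0:0] constructed non-loopback alert [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:34:02.000001 0:1:2:3:4:5 -> 0:A:B:C:D:E type:0x800 len:0x3C
198.51.100.7:4431 -> 192.0.2.10:80 TCP TTL:52 TOS:0x0 ID:1200 IpLen:20 DgmLen:40
******S* Seq: 0x1F00 Ack: 0x0 Win: 0x4000 TcpLen: 20
"""

HDR = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
PKT = re.compile(r"^(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+) (\w+) TTL:(\d+)", re.M)
FLG = re.compile(r"^([*0-9A-Z]{8}) Seq:", re.M)

def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, pkt, flg = HDR.search(block), PKT.search(block), FLG.search(block)
        if not (hdr and pkt):
            continue  # no header or no IP:port line (e.g. ICMP); not handled here
        yield {"sid": hdr.group(1), "msg": hdr.group(2),
               "src": pkt.group(1), "sport": int(pkt.group(2)),
               "dst": pkt.group(3), "dport": int(pkt.group(4)),
               "proto": pkt.group(5), "ttl": int(pkt.group(6)),
               "flags": flg.group(1).replace("*", "") if flg else ""}

def loopback_summary(text):
    """Count loopback-source alerts keyed by (dst, sport, flags, ttl)."""
    counts = Counter()
    for a in parse_alerts(text):
        if ipaddress.ip_address(a["src"]).is_loopback:
            counts[(a["dst"], a["sport"], a["flags"], a["ttl"])] += 1
    return counts

if __name__ == "__main__": print(loopback_summary(SAMPLE).most_common())
```

To run it against real data, pass the contents of the Snort alert file to loopback_summary() in place of SAMPLE.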