[Snort-users] Bad Loop Back Traffic

SN ORT snort_on_acid at ...131...
Wed Feb 25 14:11:05 EST 2004


So you have this hub, connected to both the firewall
and the router. Do you also have another connection,
connecting the router to the firewall? Now the
firewall and the router have two connections to each
other? If you have a switch in between as well, this
would cause a spanning tree problem. Or is this hub
the only connection between the two? If not, then I
would suggest a different way to monitor the
connections, such as a switch between the router/fw
and if you have that already, the switch should then
mirror the router port only.

If the hub is the only connection then is your sensor
acting as a router? And the IP of your non-sniffing
interface is an internal IP connected internally?

Cheese!

Marc

>Message: 5
>Reply-To: "Scott Elgram" <SElgram at ...10477...>
>From: "Scott Elgram" <SElgram at ...10477...>
>To: <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Bad Loop Back Traffic
>Date: Tue, 24 Feb 2004 09:52:35 -0800
>Organization: VerifPoint/CreDENTALs

>Hummm, interesting,
>    I have my SNORT installed on RH9 with 2 interfaces.  The interface with
>the sensor is connected to a hub between my router and firewall.  The
>interface has no IP address and catches only out-bound and in-bound traffic
>from the internet.  For a while I was under the impression that this "Bad
>Loop Back Traffic" was the result of having an interface up with no IP or
>configuration.  Could this be the reason you think?
>-Scott Elgram

>----- Original Message -----
>From: <bclark at ...10956...>
>To: <snort-users at lists.sourceforge.net>
>Cc: <SElgram at ...10477...>
>Sent: Tuesday, February 24, 2004 9:01 AM
>Subject: Re: [Snort-users] Bad Loop Back Traffic


> I have also seen this type of traffic, about 200,000 alerts last night.  I
> am not sure but I think it is a client's Windows machine.
>
> >
> > Hello,
> >     I have an abundance of alerts telling me
> > url[snort] BAD-TRAFFIC loopback traffic on 127.0.0.1:80
> > According to snort this is due to improperly configured interfaces.
> > Which part is improperly configured and how can I fix this? Or have I
> > been hacked?
> >
> > -Scott Elgram
> > IT/Systems Support
> > VerifPoint/CreDENTALs
> > (949)770-5290 ext. 26
>
>
>
