[Snort-users] Bad Loop Back Traffic

Scott Elgram SElgram at ...10477...
Fri Feb 27 06:24:24 EST 2004


Actually my set-up goes like this;
    Internet connects to router, connects to hub, hub connects to firewall.
Also connected to the hub is eth0 on the SNORT machine with no IP.  A second
card (eth1) on the SNORT machine connects to the internal network so that I
can monitor with ACID.  This setup works well, the SNORT sensor sees all
traffic coming in from the router and going out to the router.  So far the
only problem it seems to have is the Bad Loop Back Traffic.

-Scott Elgram

----- Original Message ----- 
From: "SN ORT" <snort_on_acid at ...131...>
To: <SElgram at ...10477...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, February 25, 2004 2:01 PM
Subject: Re: [Snort-users] Bad Loop Back Traffic


> So you have this hub, connected to both the firewall
> and the router. Do you also have another connection,
> connecting the router to the firewall? Now the
> firewall and the router have two connections to each
> other? If you have a switch in between as well, this
> would cause a spanning tree problem. Or is this hub
> the only connection between the two? If not, then I
> would suggest a different way to monitor the
> connections, such as a switch between the router/fw
> and if you have that already, the switch should then
> mirror the router port only.
>
> If the hub is the only connection then is your sensor
> acting as a router? And your IP of your non-sniffing
> interface is an internal IP connected internally?
>
> Cheese!
>
> Marc
>
> >Message: 5
> >Reply-To: "Scott Elgram" <SElgram at ...10477...>
> >From: "Scott Elgram" <SElgram at ...10477...>
> >To: <snort-users at lists.sourceforge.net>
> >Subject: Re: [Snort-users] Bad Loop Back Traffic
> >Date: Tue, 24 Feb 2004 09:52:35 -0800
> >Organization: VerifPoint/CreDENTALs
>
> >Hummm, interesting,
> >    I have my SNORT installed on RH9 with 2 interfaces.  The interface with
> >the sensor is connected to a hub between my router and firewall.  The
> >interface has no IP address and catches only out-bound and in-bound traffic
> >from the internet.  For a while I was under the impression that this "Bad
> >Loop Back Traffic" was the result of having an interface up with no IP or
> >configuration.  Could this be the reason you think?
> >-Scott Elgram
>
> >----- Original Message -----
> >From: <bclark at ...10956...>
> >To: <snort-users at lists.sourceforge.net>
> >Cc: <SElgram at ...10477...>
> >Sent: Tuesday, February 24, 2004 9:01 AM
> >Subject: Re: [Snort-users] Bad Loop Back Traffic
>
>
> > I have also seen this type of traffic, about 200,000 alerts last night.  I
> > am not sure but I think it is a client's Windows machine.
> >
> > >
> > > Hello,
> > >     I have an abundance of alerts telling me
> > > url[snort] BAD-TRAFFIC loopback traffic on 127.0.0.1:80
> > > According to snort this is due to improperly configured interfaces.
> > > Which part is improperly configured and how can I fix this? Or have I
> > > been hacked?
> > >
> > > -Scott Elgram
> > > IT/Systems Support
> > > VerifPoint/CreDENTALs
> > > (949)770-5290 ext. 26
> >
> >
> >
>
>
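
Added example, not part of the thread or of Snort itself: a small triage script for the "BAD-TRAFFIC loopback traffic" alerts discussed above. It tallies whether the 127.0.0.0/8 address appears as source or destination and which real hosts are on the other side. It assumes Snort's "fast" alert layout; the sample lines, addresses and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" layout (not taken from the thread).
# Peer addresses are RFC 5737 documentation ranges.
_TAIL = "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
_LOOP = "02/24-03:12:01.101010  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] "
SAMPLE_ALERTS = "\n".join([
    _LOOP + _TAIL + "127.0.0.1:80 -> 203.0.113.10:1042",
    _LOOP + _TAIL + "127.0.0.1:80 -> 203.0.113.10:1043",
    _LOOP + _TAIL + "127.0.0.1:80 -> 198.51.100.7:1900",
    _LOOP + _TAIL + "192.0.2.25:3127 -> 127.0.0.1:80",
    "02/24-03:12:09.000001  [**] [1:1000001:1] EXAMPLE unrelated alert [**] "
    + _TAIL + "192.0.2.25:4000 -> 203.0.113.10:22",
])

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize_loopback(text, msg="BAD-TRAFFIC loopback traffic"):
    """Count loopback alerts by direction, by non-loopback peer, by loopback port."""
    direction, peers, ports = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["msg"] != msg:
            continue  # other rules, or lines without ports (e.g. ICMP)
        try:
            src_lo = ipaddress.ip_address(m["src"]).is_loopback
            dst_lo = ipaddress.ip_address(m["dst"]).is_loopback
        except ValueError:
            continue  # malformed address in the log line
        if src_lo and not dst_lo:
            direction["loopback_is_source"] += 1
            peers[m["dst"]] += 1
            ports[int(m["sport"])] += 1
        elif dst_lo and not src_lo:
            direction["loopback_is_destination"] += 1
            peers[m["src"]] += 1
            ports[int(m["dport"])] += 1
        elif src_lo and dst_lo:
            direction["both_loopback"] += 1
    return direction, peers, ports

if __name__ == "__main__":
    for counter in summarize_loopback(SAMPLE_ALERTS):
        print(counter.most_common())
```

On a sensor placed like the one described (outside the firewall), the per-peer counts show whether the alerts involve one host or many, and the direction shows which side of the conversation carries the loopback address.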





