[Snort-users] [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad Traffic alert generating from to the firewall's external ip

Corey Rock snort_sigs at ...125...
Sat May 1 10:59:06 EDT 2004

Is it possible someone is using a Cisco VPN client?  I often see loopback 
alerts with the 3000 clients in our environment...the loopback error will 
show FW as source, and loopback as destination.

Inspecting the GUI for the VPN client shows all traffic to the Loopback 
device, so I suspect it's normal behavior (the loopback alerts in my case, 
can be ignored). Alerts disappear when the VPN session is terminated.  (am 
checking with Cisco on actual workings of client)

Not sure if this is your cause, but it's mine.



>From: Calyth <calyth at ...9344...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad Traffic 
>alert generating from to the firewall's external ip
>Date: Sat, 01 May 2004 01:31:05 -0700
>The platform is OpenBSD 3.4 running snort 2.0.0 build 72.
>I got this strange alert from snort that repeats itself. It complains of
>Bad Traffic loopback traffic (potential) with priority 2, and it's
>always from to some port on the external IP that greater
>than 1024.
>Has anyone seen this? I'm running snort with -D -i ep0 -c {path to
>Benton Lam
>This SF.Net email is sponsored by: Oracle 10g
>Get certified on the hottest thing ever to hit the market... Oracle 10g. 
>Take an Oracle 10g class now, and we'll give you the exam FREE. 
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

FREE pop-up blocking with the new MSN Toolbar – get it now! 

More information about the Snort-users mailing list