[Snort-users] [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad Traffic alert generating from 127.0.0.1:80 to the firewall's external ip

Calyth calyth at ...9344...
Sun May 2 01:31:01 EDT 2004


No way I have enough money for something from Cisco.
But that's good info to know though!

Benton

Corey Rock wrote:
> Is it possible someone is using a Cisco VPN client?  I often see 
> loopback alerts with the 3000 clients in our environment...the loopback 
> error will show FW as source, and loopback as destination.
> 
> Inspecting the GUI for the VPN client shows all traffic to the Loopback 
> device, so I suspect it's normal behavior (the loopback alerts in my 
> case, can be ignored). Alerts disappear when the VPN session is 
> terminated.  (am checking with Cisco on actual workings of client)
> 
> Not sure if this is your cause, but it's mine.
> 
> Regards,
> 
> Corey
> 
>> From: Calyth <calyth at ...9344...>
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] [OpenBSD 3.4 + snort 2.0.0b72] Strange Bad 
>> Traffic alert generating from 127.0.0.1:80 to the firewall's external ip
>> Date: Sat, 01 May 2004 01:31:05 -0700
>>
>> The platform is OpenBSD 3.4 running snort 2.0.0 build 72.
>> I got this strange alert from snort that repeats itself. It complains of
>> Bad Traffic loopback traffic (potential) with priority 2, and it's
>> always from 127.0.0.1:80 to some port on the external IP that greater
>> than 1024.
>> Has anyone seen this? I'm running snort with -D -i ep0 -c {path to
>> snort.conf}
>>
>> Benton Lam
>>
>>
>>
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by: Oracle 10g
>> Get certified on the hottest thing ever to hit the market... Oracle 
>> 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. 
>> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> _________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar – get it now! 
> http://toolbar.msn.com/go/onm00200415ave/direct/01/
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g. 
> Take an Oracle 10g class now, and we'll give you the exam FREE. 
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 






More information about the Snort-users mailing list