[Snort-users] loopback traffic

Security Personnel guardian at ...11830...
Wed May 19 13:12:04 EDT 2004


I'm not even sure how to pose this question. I wish I could fully 
explain the problem. I'll start with an e-mail from Snort:

/<from snort>/
05/19-12:58:37.770631 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 
127.0.0.1:80 -> XXX.XXX.XXX.XXX:1202
/</from snort>/

Now, I've read some stuff about these messages before, and as always 
it's important to note that the iptables-based firewall doesn't let 
these packets into any of the machines on our net, but snort still 
catches them (promiscuity and all). Nonetheless, the AMOUNT of these 
packets is overwhelming. ~700 just yesterday.

I've checked firewall logs, and the kernel, of course, is spitting out 
"martian source" errors, because packets from 127.0.0.1 should never be 
on the wire, right?
right.

Down to some more strangeness ---> the packets are rarely to the same 
port, they come to EVERY machine on our IP range, and picking apart the 
headers has given me the originating MAC address of our ISP's gateway 
machine!

Any ideas? Any fellow sufferers?
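Triage of the alert volume described above, as an added example that is not part of the original post or of Snort: it parses the alert line format quoted in the mail, flags source addresses that should never appear on the wire (loopback, unspecified, multicast, reserved), and counts hits per destination host and port so a wide spread across every host in the range, as the poster sees, stands out. The sample alerts are constructed; destinations use the TEST-NET ranges, and the fourth line's rule id and message are made up.

```python
import re
import ipaddress
from collections import Counter

# Snort alert line layout as quoted in the post. This regex is an added example,
# not Snort's own parser.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (destinations in 192.0.2.0/24; rule 1:1000:1 is invented).
SAMPLE_ALERTS = """\
05/19-12:58:37.770631 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.10:1202
05/19-12:59:02.110004 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.11:3391
05/19-12:59:40.000120 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.10:4410
05/19-13:00:01.500000 [**] [1:1000:1] CONSTRUCTED other rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:53 -> 192.0.2.12:1025
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def is_martian_source(ip):
    """True for a sender address that should never reach the wire from outside:
    loopback (127/8, the case in the post), 0.0.0.0, multicast or reserved."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_unspecified or a.is_multicast or a.is_reserved

def summarize(text):
    """Count martian-source alerts per destination host and collect the ports hit.
    Many hosts hit on scattered ports from one upstream source points at the
    device injecting the frames, not at any one target."""
    per_host = Counter()
    ports = {}
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or not is_martian_source(rec["src"]):
            continue
        per_host[rec["dst"]] += 1
        ports.setdefault(rec["dst"], set()).add(int(rec["dport"]))
    return per_host, ports

if __name__ == "__main__":
    hosts, ports = summarize(SAMPLE_ALERTS)
    for host, n in hosts.most_common():
        print(f"{host}: {n} martian-source alerts on ports {sorted(ports[host])}")
```

Feeding the real alert file in place of SAMPLE_ALERTS gives the per-host spread for the ~700 daily alerts the poster mentions.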