[Snort-users] Re; loopback traffic

Richard Bejtlich taosecurity at ...11827...
Wed May 19 15:50:10 EDT 2004

Security Personnel wrote:

I've checked firewall logs, and the kernel, of course, is spitting out
"martian source" errors.. because packets from should never
be on the wire, right?


I'm seeing these packets as well.  They began appearing just after
midnight GMT on 17 May 04 at one of my sites, but not others.  A new
alert just arrived a few minutes ago.

The source port is 80 TCP and the destination ranges from 1012 to 1992
TCP.  They are all RST ACKs.


More information about the Snort-users mailing list