[Snort-users] Re; loopback traffic

Richard Bejtlich taosecurity at ...11827...
Wed May 19 15:50:10 EDT 2004


Security Personnel wrote:

I've checked firewall logs, and the kernel, of course, is spitting out
"martian source" errors.. because packets from 127.0.0.1 should never
be on the wire, right?

--

I'm seeing these packets as well.  They began appearing just after
midnight GMT on 17 May 04 at one of my sites, but not others.  A new
alert just arrived a few minutes ago.

The source port is 80 TCP and the destination ranges from 1012 to 1992
TCP.  They are all RST ACKs.

Richard
http://www.taosecurity.com




More information about the Snort-users mailing list