[Snort-users] loopback traffic

Security Personnel guardian at ...11830...
Wed May 19 16:46:03 EDT 2004


>At 04:11 PM 5/19/2004, Security Personnel wrote:
>>Down to some more strangeness ---> the packets are rarely to the same 
>>port, they come to EVERY machine on our IP range, and picking apart the 
>>headers has given me the originating MAC address of our ISP's gateway machine!

>Well, that's not surprising.. all packets inbound from the internet are
>going to have your ISP's gateway machine MAC address on them. It's a
>gateway after all.

Exactly, the surprising part is that the ISP isn't filtering this 
traffic. Maybe I am expecting too much, I suppose that would be a big 
job, but we're paying quite a bit of money for the connection. I 
actually called the ISP, and spoke with the techs there. They didn't 
really know what I was talking about, unfortunately.

>So, basically what you can conclude is that someone, somewhere outside your
>network (or at least on the other side of your gateway) has sent a packet
>with 127.0.0.1 as a source address to your network.

>This could be a result of deliberate spoofing, it could be a weak DoS
>attempt, or it could just be someone's system is broken and spewing
>malformed packets.

>The sending machine could be the ISP's gateway, or any part of your ISP's
>network, or any part of the internet as a general whole.

>>Any ideas? any fellow sufferers?

>Firewall inbound packets with 127.0.0.1 as a source address?

Already done, but snort's NIC is in promiscuous mode, so it's getting 
everything, even OUTSIDE the firewall traffic. This is useful for 
catching patterns of attempted attacks on the external machines.

Thanks for the feedback!
Guar.diaN
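
An added illustration of the point discussed in this thread (not code from either poster or from Snort): a sensor outside the firewall sees loopback-sourced frames, and the only source MAC on them is the gateway's, so the MAC says nothing about the real sender. All MAC addresses, IP addresses and ports below are constructed sample values, and checksums are left at zero because nothing here validates them.

```python
import ipaddress
import struct

GATEWAY_MAC = "00:00:5e:00:53:01"  # constructed: stands in for the ISP gateway
LOCAL_MAC = "00:00:5e:00:53:02"    # constructed: stands in for a local host

def build_frame(src_mac, dst_mac, src_ip, dst_ip, dport):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", 1024, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dst_port), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl + 4 or frame[23] not in (6, 17):
        return None
    l4 = 14 + ihl                          # start of the TCP/UDP header
    dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return (frame[6:12].hex(":"), ipaddress.IPv4Address(frame[26:30]),
            ipaddress.IPv4Address(frame[30:34]), dport)

def summarize_loopback(frames):
    """Summarize on-the-wire frames whose IPv4 source is inside 127.0.0.0/8."""
    macs, hosts, ports = set(), set(), set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1].is_loopback:
            macs.add(parsed[0])
            hosts.add(str(parsed[2]))
            ports.add(parsed[3])
    return {"src_macs": sorted(macs), "dst_hosts": sorted(hosts),
            "dst_ports": sorted(ports)}

# Constructed capture: three loopback-sourced frames to different hosts and
# ports, plus one ordinary inbound frame. All arrive via the same gateway MAC.
SAMPLE_FRAMES = [build_frame(GATEWAY_MAC, LOCAL_MAC, "127.0.0.1",
                             f"192.0.2.{i}", 1000 + 37 * i) for i in (10, 11, 12)]
SAMPLE_FRAMES.append(build_frame(GATEWAY_MAC, LOCAL_MAC, "198.51.100.7",
                                 "192.0.2.10", 25))

if __name__ == "__main__":
    print(summarize_loopback(SAMPLE_FRAMES))
```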