[Snort-users] a lot of Loopback traffic being logged.

Alejandro Flores alejandro.flores at ...11361...
Thu May 27 10:09:01 EDT 2004


	Hello Rod,

	I think it's a good idea to document this. 
	What's the worm's name?

Regards,
Alejandro



> We had this for a short while, finally tracked it down to a wormed box
> on the other side of the router.  The router was letting src traffic
> from 127.0.0.1 through to our public addresses, this has now been
> corrected and the traffic has been stopped.
> 
> best regards
> 
> Rod
> ________________________________________________________________________
> 
> On Fri, 2004-04-23 at 19:23, Chuck Holley wrote: 
> > Did you sniff for 127.0.0.1 packets? Im using tcpdump and I sniffed
> for a
> > while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
> > 
> > Im assuming im doing this right. Im trying to log only packets form
> > 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and
> write
> > to a file called dump.
> > 
> > Now, I did this and got two loggings in tcpdump:
> > 
> > 13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack
> 799408129
> > win 0
> > 13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack
> 1316880385
> > win 0
> > 
> > hal2 is the server that has tcpdump on it. Is this machine one of the
> boxes
> > that is sending out the 127.0.0.1, or did I simply pickup two packets
> sent
> > out form hal2 to these other machines. 
> > 
> > I looked at snort and the exact same ip's, with the exact same ports
> were
> > logged coming from 127.0.0.1
> > 
> > To say the least im confused even more!!
> > 
> > 
> 
> 
> Hi, 
>  I see it on my external interface too. I used tcpdump with -e parameter
> to display MAC address of the sender. 
> 
> 
> tcpdump -e -i eth1 src host 127.0.0.1 
> 
> 
> I find that MAC address of loopback packets is my ISP's Cisco switch. 
> 
> 
> So all packets come from external network (I think). I am connected over
> wi-fi AP and when I sniffed, I have seen that these packets coming to 
> most connected people in this AP. 
> 
> 
> I don't know what it can be. 
> 
> 
> Regards,
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g. 
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list