[Snort-users] a lot of Loopback traffic being logged.
alejandro.flores at ...11361...
Thu May 27 10:09:01 EDT 2004
I think it's a good idea to document this.
What's the worm's name?
> We had this for a short while, finally tracked it down to a wormed box
> on the other side of the router. The router was letting src traffic
> from 127.0.0.1 through to our public addresses; this has now been
> corrected and the traffic has been stopped.
> best regards
> On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
> > Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a
> > while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
> > I'm assuming I'm doing this right. I'm trying to log only packets from
> > 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and
> > to a file called dump.
> > Now, I did this and got two loggings in tcpdump:
> > 13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack
> > win 0
> > 13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack
> > win 0
> > hal2 is the server that has tcpdump on it. Is this machine one of the
> > that is sending out the 127.0.0.1, or did I simply pick up two packets
> > out from hal2 to these other machines.
> > I looked at snort and the exact same IPs, with the exact same ports
> > logged coming from 127.0.0.1
> > To say the least I'm confused even more!!
> I see it on my external interface too. I used tcpdump with the -e parameter
> to display the MAC address of the sender.
> tcpdump -e -i eth1 src host 127.0.0.1
> I find that the MAC address of the loopback packets is my ISP's Cisco switch.
> So all packets come from the external network (I think). I am connected over
> a wi-fi AP and when I sniffed, I saw these packets coming to
> most of the people connected to this AP.
> I don't know what it can be.
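The check described in the thread (running tcpdump with -e to see which MAC address is putting 127.0.0.1-sourced packets on the wire) can be automated. This is an added example, not part of the original messages: the capture lines are constructed, use the current `tcpdump -e -n` text format, and `loopback_senders` and all MAC addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output; MACs and hosts are made up.
SAMPLE = """\
13:04:11.172652 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.50.1361: Flags [R.], seq 0, ack 1, win 0, length 0
13:04:54.391786 00:11:22:33:44:55 > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.52.1196: Flags [R.], seq 0, ack 1, win 0, length 0
13:05:02.000101 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.42.50.1400 > 192.168.42.1.53: UDP, length 32
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Link-level header first (source MAC > destination MAC), then the IP pair;
# a trailing ".port" on either address is optional (absent for ICMP).
LINE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<src>{IP})(?:\.\d+)? > (?P<dst>{IP})(?:\.\d+)?:",
    re.IGNORECASE,
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def loopback_senders(capture_text):
    """Return {source MAC: [destination IPs]} for frames seen on the wire
    whose IP source address lies in 127.0.0.0/8."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-IPv4 frame or a line format we do not parse
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address text
        if src in LOOPBACK:
            # The source MAC names the device that put the frame on this
            # segment (a router or switch port), not the spoofing host.
            seen[m["smac"].lower()].add(m["dst"])
    return {mac: sorted(d, key=ipaddress.ip_address) for mac, d in seen.items()}


if __name__ == "__main__":
    for mac, dsts in loopback_senders(SAMPLE).items():
        print(f"{mac} forwarded loopback-sourced packets to: {', '.join(dsts)}")
```

A single source MAC that matches the upstream router or switch indicates the packets are being forwarded in from outside the segment, which is where an ingress filter for 127.0.0.0/8 belongs.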