[Snort-users] Snort UDP traffic in loopback interface

evalues evalues evalues.es at ...11827...
Thu Dec 12 04:14:23 EST 2013


I have checked the -k param and now it is working perfectly! I have tried
setting the -k value to noudp, which is the type of traffic that was failing.

Likely Snort was dropping SNMP traffic generated in the same computer.

Thank you very much!


On Wed, Dec 11, 2013 at 10:01 PM, rmkml <rmkml at ...1855...> wrote:

> Hi Evalues,
>
> snort on localhost fires for me,
>
> ok please look at my example:
>  dig @127.0.0.1 version.bind chaos txt
>
> tcpdump recorded on "-i lo":
> 21:53:27.575913 IP (tos 0x0, ttl 64, id 62830, offset 0, flags [none],
> proto UDP (17), length 69)
>     127.0.0.1.56870 > 127.0.0.1.53: [bad udp cksum 0xfe44 -> 0xda9e!]
> 64696+ [1au] TXT CHAOS? version.bind. ar: . OPT UDPsize=4096 (41)
>
> snort output v2.9.5.6 :
> 12/11-21:53:27.575913  [**] [116:151:1] (snort decoder) WARNING: Bad
> Traffic Same Src/Dst IP [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53
> 12/11-21:53:27.575913  [**] [116:150:1] (snort decoder) WARNING: Bad
> Traffic Loopback IP [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {UDP} 127.0.0.1:56870 -> 127.0.0.1:53
> 12/11-21:53:27.575913  [**] [1:1616:9] DNS named version UDP attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2] {UDP}
> 127.0.0.1:56870 -> 127.0.0.1:53
> 12/11-21:53:27.575913  [**] [1:2101616:9] GPL DNS named version attempt
> [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
> 127.0.0.1:56870 -> 127.0.0.1:53
>
> For my example, I must disable cksum verif (-k none).
>
> Could you check if you need "-k none" please?
>
> Regards
> @Rmkml
>
>
>
> On Wed, 11 Dec 2013, evalues evalues wrote:
>
>
>> Hi, when I set Snort to listen in Loopback interface it doesn’t trigger
>> alerts for UDP rules. The same rules in eth0 interface work perfectly.
>> Besides, TCP and ICMP alerts also work in Loopback interface.
>>
>> If I run Snort in sniffer mode I can view the datagram, but the alerts
>> are not triggered. This is an example of an SNMP datagram that should raise
>> an alert:
>>
>> (snort decoder) WARNING: Bad Traffic Same Src/Dst IP
>> (snort decoder) WARNING: Bad Traffic Loopback IP
>> 12/11-07:37:30.785801 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x59
>> 127.0.0.1:59796 -> 127.0.0.1:162 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:75 DF
>> Len: 47
>> 0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
>> 0x0010: 00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00  .K..@.@.<.......
>> 0x0020: 00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04  .......7.J0-....
>> 0x0030: 09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06  .Visitante....+.
>> 0x0040: 01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01  ....&@..........
>> 0x0050: 01 43 04 04 9E 5A F2 30 00                       .C...Z.0.
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> Can someone help me?
>>
>> Thank you very much.
>>
>>
>>
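The thread's conclusion (Snort only alerted on the loopback SNMP datagram once UDP checksum verification was switched off with -k noudp or -k none) can be checked directly against the packet bytes in the original post. The script below is an added example written for this archive page; it is not code from any of the thread participants or from the Snort project. It re-implements the RFC 768/RFC 1071 UDP checksum over the IPv4 pseudo-header, runs it on the 89-byte frame copied from the Snort dump above (ASCII columns dropped), and reports what a verifying decoder like Snort with the default -k all would see. The function and variable names are this example's own. The observation that the stored value equals the bare pseudo-header sum is computed from the bytes; the explanation that Linux leaves exactly that partial sum in the field when it defers the rest to hardware offload, which never completes on loopback, is the usual reason for "bad udp cksum" on lo and is stated here as background, not something the thread itself asserts.

```python
"""Verify the UDP checksum of the loopback SNMP datagram from the thread."""
import struct

# Frame bytes copied from the Snort dump in the original post (Ethernet +
# IPv4 + UDP + SNMP trap payload, 89 bytes); the ASCII columns are dropped.
FRAME_HEX = (
    "00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 "
    "00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00 "
    "00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04 "
    "09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06 "
    "01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01 "
    "01 43 04 04 9E 5A F2 30 00"
)


def parse_hex(dump: str) -> bytes:
    """Turn a whitespace-separated hex string into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: sum 16-bit big-endian words, fold carries to 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum_report(frame: bytes) -> dict:
    """Verify the UDP checksum of an IPv4/UDP frame as a decoder with -k all would."""
    ip = frame[14:]                       # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst, proto = ip[12:16], ip[16:20], ip[9]
    udp = ip[ihl:total_len]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    stored = struct.unpack("!H", udp[6:8])[0]
    # Pseudo-header (RFC 768): source IP, destination IP, zero, protocol, UDP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    pseudo_sum = ones_complement_sum(pseudo)
    # Sum with the checksum field zeroed gives the value the sender should have written.
    body_sum = ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    expected = (~body_sum) & 0xFFFF or 0xFFFF   # a computed 0 is transmitted as 0xFFFF
    # The datagram verifies when the sum over pseudo-header + whole UDP datagram
    # (checksum included) folds to 0xFFFF; a stored 0 means the sender disabled it.
    valid = stored == 0 or ones_complement_sum(pseudo + udp) == 0xFFFF
    return {
        "stored": stored,
        "expected": expected,
        "valid": valid,
        # True when the field holds only the partial (pseudo-header) sum, which is
        # what a sender leaves behind when it expects hardware to finish the job.
        "stored_is_pseudo_header_sum": stored == pseudo_sum,
    }


def fix_udp_checksum(frame: bytes) -> bytes:
    """Return a copy of the frame with the correct UDP checksum written in."""
    report = udp_checksum_report(frame)
    ihl = (frame[14] & 0x0F) * 4
    off = 14 + ihl + 6                    # offset of the UDP checksum field
    return frame[:off] + struct.pack("!H", report["expected"]) + frame[off + 2:]


if __name__ == "__main__":
    frame = parse_hex(FRAME_HEX)
    r = udp_checksum_report(frame)
    print("stored 0x%04X expected 0x%04X valid=%s pseudo-header-only=%s"
          % (r["stored"], r["expected"], r["valid"], r["stored_is_pseudo_header_sum"]))
    fixed = udp_checksum_report(fix_udp_checksum(frame))
    print("after rewriting the checksum: valid=%s" % fixed["valid"])
```

For the frame in the post the stored checksum 0xFE4A is exactly the pseudo-header sum (7F00 + 0001 + 7F00 + 0001 + 0011 + 0037), while the full checksum should be 0x96A2, so a decoder that verifies UDP checksums silently discards the datagram before any rule can match it; that is the behaviour both -k none and -k noudp turn off. Because the checksum is wrong only as an artefact of how the local stack hands packets to lo, relaxing -k on a loopback-only sensor does not weaken detection; on a sensor watching real wire traffic, keeping verification on stays the safer default, since a datagram with a bad checksum is one the receiving host will drop anyway.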