[Snort-users] Snort UDP traffic in loopback interface

Lowe, Richard B Richard.B.Lowe at ...16613...
Thu Dec 12 02:50:50 EST 2013


Try adding your loopback IP to the $HOME_NET variable in the config and see if that fixes your issue.

From: evalues evalues [mailto:evalues.es at ...11827...]
Sent: Wednesday, December 11, 2013 10:56 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort UDP traffic in loopback interface


Hi, when I set Snort to listen in Loopback interface it doesn't trigger alerts for UDP rules. The same rules in eth0 interface work perfectly. Besides, TCP and ICMP alerts also work in Loopback interface.

If I run Snort in sniffer mode I can view the datagram, but the alerts are not triggered. This is an example of an SNMP datagram that should raise an alert:

(snort decoder) WARNING: Bad Traffic Same Src/Dst IP (snort decoder) WARNING: Bad Traffic Loopback IP 12/11-07:37:30.785801 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x59 127.0.0.1:59796<http://127.0.0.1:59796> -> 127.0.0.1:162<http://127.0.0.1:162> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:75 DF Len: 47 0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E. 0x0010: 00 4B 00 00 40 00 40 11 3C A0 7F 00 00 01 7F 00 .K.. at ...843...@...843...<....... 0x0020: 00 01 E9 94 00 A2 00 37 FE 4A 30 2D 02 01 00 04 .......7.J0-.... 0x0030: 09 56 69 73 69 74 61 6E 74 65 A4 1D 06 07 2B 06 .Visitante....+. 0x0040: 01 04 01 96 26 40 04 7F 00 01 01 02 01 06 02 01 ....&@.......... 0x0050: 01 43 04 04 9E 5A F2 30 00 .C...Z.0.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Can someone help me?

Thank you very much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20131212/076d1e9a/attachment.html>


More information about the Snort-users mailing list