[snort] BAD-TRAFFIC loopback traffic 4.9-PRE

Kris Kennaway kris at obsecurity.org
Sat Sep 20 14:05:35 PDT 2003


On Sat, Sep 20, 2003 at 08:04:46PM +0300, Pertti Kosunen wrote:
> Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999
> 
> From snort's alert log file, these come ~1000 in a day:
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
> TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x59780001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
> 
> What could cause this loopback traffic?

Forged source address on a network with no egress filtering.

Kris
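
An added example, not part of the original thread: Python that parses alerts in the format quoted above and counts those whose source is in 127.0.0.0/8 while the destination is not, which is the forged-source case the reply describes. The sample alerts are constructed, with 192.0.2.10 standing in for the redacted `my.inet.ip`; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the alert format quoted above; 192.0.2.10 (TEST-NET-1)
# stands in for the redacted "my.inet.ip".
SAMPLE_ALERTS = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> 192.0.2.10:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x59780001  Win: 0x0  TcpLen: 20

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:53:02.100310 127.0.0.1:80 -> 192.0.2.10:1377
TCP TTL:127 TOS:0x0 ID:13702 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1F3C0001  Win: 0x0  TcpLen: 20

[**] [1:0:0] constructed non-loopback alert [**]
09/19-22:54:10.000001 198.51.100.7:443 -> 192.0.2.10:1500
TCP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:40
***A**** Seq: 0x1  Ack: 0x2  Win: 0x10  TcpLen: 20
"""

ADDR_LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAG_LINE = re.compile(r"^([*A-Z0-9]{8}) Seq:")  # e.g. ***A*R** is ACK+RST

def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if m := ADDR_LINE.match(line):
                rec.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            elif m := FLAG_LINE.match(line):
                rec["flags"] = m[1].replace("*", "")
        if "src" in rec:
            yield rec

def summarize(text):
    """Count alerts whose source is 127.0.0.0/8 but whose destination is not.
    Such a packet arrived over a wire, so its source address cannot be genuine."""
    hits = [a for a in parse_alerts(text)
            if ipaddress.ip_address(a["src"]).is_loopback
            and not ipaddress.ip_address(a["dst"]).is_loopback]
    return {"count": len(hits),
            "flags": Counter(a.get("flags", "") for a in hits),
            "dports": sorted(a["dport"] for a in hits)}
```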


More information about the freebsd-stable mailing list