Date: Sat, 20 Sep 2003 20:04:46 +0300
From: "Pertti Kosunen" <pertti.kosunen@kolumbus.fi>
To: <freebsd-stable@freebsd.org>
Subject: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Message-ID: <030501c37f99$4beb9500$0b00000a@arenanet.fi>

Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999

From snort's alert log file, these come ~1000 in a day:

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

What could cause this loopback traffic?

The box has no firewall, and this happens even if only the default ssh-server listens on the network (limited to listen only on the local network with hosts.allow).

Cvsupped a few days ago and it had no effect.

tcpdump -e -i xl0 -n host 127.0.0.1
Shows this traffic.

tcpdump -e -i lo0
Shows nothing.
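Added example, not part of the original message: a small Python triage script that parses alerts in the layout quoted above and groups the loopback-sourced ones by source port and TCP flags, which turns ~1000 alerts a day into one summary line per traffic shape. The names `parse_alerts`, `summarize` and `SAMPLE` are hypothetical, and the sample alerts are constructed, with 192.0.2.10 standing in for `my.inet.ip`.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the alert layout quoted in the message; 192.0.2.10 stands
# in for "my.inet.ip" and the sid 1000001 alert is a made-up local rule.
SAMPLE = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> 192.0.2.10:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x59780001  Win: 0x0  TcpLen: 20

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:53:02.101337 127.0.0.1:80 -> 192.0.2.10:1544
TCP TTL:127 TOS:0x0 ID:13901 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2A340001  Win: 0x0  TcpLen: 20

[**] [1:1000001:1] LOCAL constructed test rule [**]
[Classification: Misc activity] [Priority: 3]
09/19-23:10:11.000001 198.51.100.7:4444 -> 192.0.2.10:22
TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:40
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""

HEADER = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\]")
PACKET = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
TCP = re.compile(r"^([A-Z0-9*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")
# Split on blank lines; pull sid, endpoints and TCP flags out of each alert.
def parse_alerts(text):
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        a = {}
        for line in map(str.strip, block.splitlines()):
            if m := HEADER.search(line):
                a.update(sid=int(m[1]), msg=m[2])
            elif m := PACKET.match(line):
                a.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            elif m := TCP.match(line):
                a.update(flags=m[1], seq=int(m[2], 16), ack=int(m[3], 16))
        if {"sid", "src", "flags"} <= a.keys():  # keep only fully parsed TCP alerts
            alerts.append(a)
    return alerts
# Count alerts sourced from 127.0.0.0/8 by (source port, TCP flags); list target ports.
def summarize(alerts):
    hits = [a for a in alerts if ipaddress.ip_address(a["src"]).is_loopback]
    return {"count": len(hits), "shape": Counter((a["sport"], a["flags"]) for a in hits),
            "dports": sorted(a["dport"] for a in hits)}
```

Calling `summarize(parse_alerts(open(path).read()))` on a real alert file (`path` is wherever the local Snort writes its full-format alerts) gives the same summary for the whole day.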