From: "Pertti Kosunen" <pertti.kosunen@kolumbus.fi>
To: freebsd-stable@freebsd.org
Date: Sat, 20 Sep 2003 20:04:46 +0300
Subject: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE

Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999

From snort's alert log file, these come ~1000 a day:

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

What could cause this loopback traffic? The box has no firewall, and this happens even if only the default ssh server listens on the network (limited with hosts.allow to listen only on the local network). Cvsupped a few days ago and it had no effect.

tcpdump -e -i xl0 -n host 127.0.0.1
Shows this traffic.

tcpdump -e -i lo0
Shows nothing.
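As an added illustration (not part of the original post, and not Snort's own code), a small Python parser for the "full" alert format quoted above that flags records whose 127/8 source was captured on a wire interface rather than lo0, and reports the span of target ports those records hit; the two sample records and the 192.0.2.10 destination are constructed.

```python
import ipaddress
import re

# Constructed sample in Snort "full" alert format, modelled on the record quoted
# in the post; 192.0.2.10 stands in for the poster's "my.inet.ip".
SAMPLE_ALERTS = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> 192.0.2.10:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:53:01.100000 127.0.0.1:80 -> 192.0.2.10:1833
TCP TTL:127 TOS:0x0 ID:13640 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x59790001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]
"""
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
PKT_RE = re.compile(r"^(\S+) (\S+?):(\d+) -> (\S+?):(\d+)$", re.M)
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:", re.M)  # 8-char TCP flag field

def parse_alerts(text):
    """Parse blank-line separated Snort 'full' alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, pkt = HEADER_RE.search(block), PKT_RE.search(block)
        if not (head and pkt):
            continue  # skip what we cannot parse rather than guess at it
        flags, ttl = FLAGS_RE.search(block), re.search(r"TTL:(\d+)", block)
        alerts.append({
            "sid": head.group(1), "msg": head.group(2), "time": pkt.group(1),
            "src": pkt.group(2), "sport": int(pkt.group(3)),
            "dst": pkt.group(4), "dport": int(pkt.group(5)),
            "flags": flags.group(1) if flags else "",
            "ttl": int(ttl.group(1)) if ttl else None,
        })
    return alerts

def is_spoofed_loopback(alert, iface):
    """127/8 never legitimately appears on a wire interface (RFC 1122): a
    loopback source captured anywhere but lo0 is forged or misrouted."""
    return ipaddress.ip_address(alert["src"]).is_loopback and iface != "lo0"

def spoofed_port_range(alerts, iface):
    """Count spoofed-loopback alerts and the span of target ports they hit."""
    ports = sorted(a["dport"] for a in alerts if is_spoofed_loopback(a, iface))
    return len(ports), ((ports[0], ports[-1]) if ports else None)
```

Run against a real alert file, passing the capture interface named in snort's command line; an ingress filter that drops 127/8 sources on xl0 would silence the alerts without affecting genuine loopback traffic.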