Date: Sat, 20 Sep 2003 14:05:27 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Pertti Kosunen <pertti.kosunen@kolumbus.fi>
Cc: freebsd-stable@freebsd.org
Subject: Re: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Message-ID: <20030920210527.GB38264@rot13.obsecurity.org>
In-Reply-To: <030501c37f99$4beb9500$0b00000a@arenanet.fi>
References: <030501c37f99$4beb9500$0b00000a@arenanet.fi>

On Sat, Sep 20, 2003 at 08:04:46PM +0300, Pertti Kosunen wrote:
> Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999
>
> From snort's alert log file, these come ~1000 in a day:
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
> TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> What could cause this loopback traffic?

Forged source address on a network with no egress filtering.

Kris
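
An added example, not part of the original message: one way to pull alerts like the quoted one out of a Snort full-format alert log and confirm that they share a single pattern (loopback source, routable destination, same source port and TCP flags), which cannot be genuine loopback traffic. The sample log is constructed, with 192.0.2.10 standing in for `my.inet.ip`, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's full-alert layout, modelled on the alert quoted above.
# 192.0.2.10 (documentation range) stands in for the redacted "my.inet.ip".
SAMPLE = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> 192.0.2.10:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x59780001  Win: 0x0  TcpLen: 20

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:53:02.101200 127.0.0.1:80 -> 192.0.2.10:1034
TCP TTL:127 TOS:0x0 ID:13702 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x3A110001  Win: 0x0  TcpLen: 20

[**] [1:1000001:1] constructed unrelated alert [**]
[Priority: 3]
09/19-22:54:10.000001 198.51.100.7:44321 -> 192.0.2.10:22
TCP TTL:52 TOS:0x0 ID:4111 IpLen:20 DgmLen:60
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""

ADDR = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$", re.M)
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq:", re.M)  # Snort prints flags as 12UAPRSF

def spoofed_loopback(alert_text):
    """Return (src, sport, dst, dport, flags) for alerts whose source is in 127.0.0.0/8
    but whose destination is not: such a packet arrived over a real interface."""
    hits = []
    for block in re.split(r"\n\s*\n", alert_text.strip()):
        addr, flags = ADDR.search(block), FLAGS.search(block)
        if not addr:
            continue
        try:
            src, dst = ipaddress.ip_address(addr[1]), ipaddress.ip_address(addr[3])
        except ValueError:  # octet > 255 in a damaged log line
            continue
        if src.is_loopback and not dst.is_loopback:
            hits.append((str(src), int(addr[2]), str(dst), int(addr[4]), flags[1] if flags else ""))
    return hits

def summarize(hits):
    """Count hits by (source port, TCP flag string) to show whether they share one pattern."""
    return Counter((sport, flags) for _, sport, _, _, flags in hits)
```
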