[Snort-users] ID'ing loopback spoof

Hello,=20

Trying to ID activity/scans which have the following=20
characteristics:

- Source Address: 127.0.0.1 (spoofed)
- Source Port: 80
- Protocol: TCP
- Destination Address: scanning entire internal /16 private
supernet
- Destination Port: randomized between 1000..2000
- Average packet size: 64.0000 bytes
- Flags set: RST, ACK
- Payload: varies except for several fixed characters: E A P p (
- Periodicity: random/varies. continues for 1 - 3 hours
then stops for ~6..~24 hours.
- Frame Size: static 60 bytes
- Window Size, a consistent 55808 regardless of source address

Gut feeling is that this activity throttles M$ HTTP/DNS/?=20
services/daemons which require a restart/reboot of the service
or server. IOW - a reboot is pretty much guaranteed to fix it=20
fix a few hours.

Any help would be sincerely appreciated.

Happy Holidays!!!

--
blake


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users