This is a discussion on [Snort-users] Questions on traffic within the Snort forums, part of the System Security and Security Related category.
Hello all, hopefully someone can help a rookie out some. I work for a small company that has a basic internet connection. There is a router connected to the Internet connection, then a firewall. Snort is linked between the two so that it can see all traffic that is on the internet connection. I have been seeing a lot of traffic that I have been unable to determine what it is. Here is a copy of one alert.

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:33:12.453650 xx:xx:xx:xx:xx:xx -> xx:xx:xx:xx:xx:xx type:0x800 len:0x3C
127.0.0.1:80 -> xxx.xxx.xxx.xxx:1293 TCP TTL:116 TOS:0x0 ID:65095 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x35360001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

The firewall is stopping this traffic from coming through, but I would like to see if I can stop it completely. Its error log is:

Deny IP spoof from (127.0.0.1) to xxx.xxx.xxx.xxx on interface outside

Does anyone have any ideas on what this is and what I can do to resolve it?

Thank You
Lynn Gustafson
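An added triage helper, not from the post or from Snort itself, that parses an alert in the full format quoted above and states why the packet cannot be legitimate on the outside interface. The sample alert is constructed from the posted one, with the poster's masked MAC and public addresses replaced by documentation values.

```python
import ipaddress
import re

# Constructed sample in the Snort full-alert format quoted in the post; the
# poster's masked addresses are replaced with documentation values.
SAMPLE_ALERT = """[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/17-08:33:12.453650 02:00:00:00:00:01 -> 02:00:00:00:00:02 type:0x800 len:0x3C
127.0.0.1:80 -> 192.0.2.10:1293 TCP TTL:116 TOS:0x0 ID:65095 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x35360001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
IP_LINE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+) TTL:(\d+)", re.M)
TCP_LINE = re.compile(r"^([*12UAPRSF]{8})\s+Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)", re.M)
FLAG_NAMES = "12UAPRSF"  # the 8 positions Snort prints for the TCP flag byte


def parse_alert(text):
    """Extract the triage-relevant fields from one full-format Snort alert."""
    gid, sid, rev, msg = HEADER.search(text).groups()
    src, sport, dst, dport, proto, ttl = IP_LINE.search(text).groups()
    flags, seq, ack = TCP_LINE.search(text).groups()
    return {
        "sid": f"{gid}:{sid}:{rev}", "msg": msg,
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "proto": proto, "ttl": int(ttl),
        "flags": {n for n, c in zip(FLAG_NAMES, flags) if c != "*"},
        "seq": int(seq, 16), "ack": int(ack, 16),
    }


def triage(alert):
    """Return the reasons a packet like this cannot be legitimate on an outside link."""
    reasons = []
    src = alert["src"]
    # 127/8 never leaves a host (RFC 1122 3.2.1.3): a packet carrying it on the
    # outside interface has a forged source, so dropping it there is the right end state.
    if src.is_loopback:
        reasons.append("source is a loopback address: spoofed, drop at the perimeter")
    elif src.is_private or src.is_reserved or src.is_unspecified:
        reasons.append(f"source {src} is not routable on the public Internet")
    # RST+ACK with Seq 0 is the form of a TCP reset answering a SYN (RFC 793);
    # with a forged source there is no session behind it to investigate.
    if alert["flags"] == {"A", "R"} and alert["seq"] == 0:
        reasons.append("RST/ACK with Seq 0: reset-style packet, no real session")
    return reasons
```

Running triage(parse_alert(SAMPLE_ALERT)) on the posted alert yields both reasons, which matches the firewall's own "Deny IP spoof" verdict: the packet is already being handled correctly, and the alert is the sensor confirming it.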