Snort logs showing bad traffic orig. from localhost
  1. #1
    Advisor Outlaw's Avatar
    Join Date
    May 2001
    Location
    Clifton Park, NY
    Posts
    630

    Snort logs showing bad traffic orig. from localhost

    Not sure what this means. It's been happening for a couple of days non-stop. I know that sometimes you can scan someone and make it look like it's from their own box in the logs. But this happens every three to 15 min+. This is the latest version of IPCop with the latest patches. Can someone shed some light?


    Code:
    Date:   08/17 00:34:10    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1097
    References:   none found   SID:    528
    Date:   08/17 00:34:43    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1857
    References:   none found   SID:    528
    Date:   08/17 00:37:13    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1204
    References:   none found   SID:    528
    Date:   08/17 00:56:38    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1178
    References:   none found   SID:    528
    Date:   08/17 00:56:54    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1674
    References:   none found   SID:    528
    Date:   08/17 00:58:38    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1910
    References:   none found   SID:    528
    Date:   08/17 00:58:55    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1174
    References:   none found   SID:    528
    Date:   08/17 00:59:28    Name:   BAD TRAFFIC loopback traffic
    Priority:   2    Type:   Potentially Bad Traffic
    IP info:    127.0.0.1:80 -> 68.0.29.39:1934
    References:   none found   SID:    528

  2. #2

    Re: Snort logs showing bad traffic orig. from localhost

    Radar,
    I found this by doing a google on SID 528. This is an excerpt from geocrawler that came up.

    FROM: Warchild
    DATE: 02/15/2002 17:46:10
    SUBJECT: [Snort-sigs] SID 528
    Rule:
    alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; sid:528; rev:2;)
    --
    Sid:
    528

    --
    Summary:
    Loopback (aka "localhost") traffic was detected on your listening
    interface.

    --
    Impact:
    Possible ACL bypass, DOS attempt, system recon.

    --
    Detailed Information:
    Traffic destined-to/coming-from the loopback interface (127.0.0.1/8)
    was detected.

    --
    Attack Scenarios:
    As part of a possibly more intense attack, an attacker may attempt to
    deny a legitimate system of service by spoofing loopback traffic.
    This may give an attacker more information about system
    (mis)configurations. This loopback traffic may appear as semi-legit
    traffic, whereas other cases may bring fragmented, out-of-band, and
    malformed traffic.

    In the best case, this may simply be a system misconfiguration as
    opposed to a potential hostile attack.

    --
    Ease of Attack:
    Fairly trivial if elevated system privileges are obtained. Packets
    can easily be crafted to have a source/destination IP resembling the
    loopback. The difficulty is finding situations where loopback traffic
    is not properly filtered.

    --
    False Positives:
    None, so long as you are not running snort on the loopback interface.

    --
    False Negatives:
    None.

    --
    Corrective Action:
    Apply proper ingress/egress filtering at all areas of your network.


    Hope this helps,
    10ded

  3. #3
    Advisor Outlaw's Avatar
    Join Date
    May 2001
    Location
    Clifton Park, NY
    Posts
    630

    Re: Snort logs showing bad traffic orig. from localhost

    Thanks 10Dedfish, yeah, in IPCop that 528 you see is a link to a similar explanation to the one you found on Snort's website. I just don't know how to determine if it's a misconfigured network device or someone probing me and spoofing the IP. It seems to try different ports. I shall keep searching.

  4. #4

    Re: Snort logs showing bad traffic orig. from localhost

    I would keep track of the different ports that it's trying. If it is the same ones again and again then I wouldn't worry about it. If it isn't then I would start to worry.

    10ded
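As an added example (not code from the thread or from IPCop/Snort), the script below parses alert records in the IPCop log layout quoted in post #1, checks whether an endpoint pair would fire the bidirectional SID 528 rule quoted in post #2, and applies 10ded's port-tracking heuristic from post #4 so the triage can be repeated over a longer log. The sample log is constructed from two of the records in the thread; the verdict strings are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the IPCop Snort alert layout quoted in post #1.
SAMPLE_LOG = """\
Date:   08/17 00:34:10    Name:   BAD TRAFFIC loopback traffic
Priority:   2    Type:   Potentially Bad Traffic
IP info:    127.0.0.1:80 -> 68.0.29.39:1097
References:   none found   SID:    528
Date:   08/17 00:34:43    Name:   BAD TRAFFIC loopback traffic
Priority:   2    Type:   Potentially Bad Traffic
IP info:    127.0.0.1:80 -> 68.0.29.39:1857
References:   none found   SID:    528
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ALERT_RE = re.compile(
    r"Date:\s+(?P<date>\S+ \S+)\s+Name:\s+(?P<name>.+?)\n"
    r"Priority:\s+(?P<prio>\d+)\s+Type:\s+(?P<type>.+?)\n"
    r"IP info:\s+(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"References:.*?SID:\s+(?P<sid>\d+)"
)


def parse_alerts(text):
    """Split the 4-line IPCop records into dicts with numeric ports and SID."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        for key in ("prio", "sport", "dport", "sid"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def matches_sid528(src, dst):
    """The quoted rule is bidirectional (<>), so either endpoint in 127/8 fires it."""
    return any(ipaddress.ip_address(a) in LOOPBACK for a in (src, dst))


def triage(alerts, sid=528):
    """10ded's heuristic: the same ports repeating is less worrying than ports
    that keep changing. Returns the distinct ports and a verdict string."""
    ports = Counter(a["dport"] for a in alerts if a["sid"] == sid)
    if not ports:
        return {"total": 0, "distinct_ports": [], "verdict": "no alerts"}
    total = sum(ports.values())
    verdict = "ports repeat" if len(ports) < total else "ports keep changing, investigate"
    return {"total": total, "distinct_ports": sorted(ports), "verdict": verdict}
```

Feed `parse_alerts` the full exported log rather than the two constructed records to get a verdict over a real time window.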
