On Wed, 2004-01-07 at 01:44, Aaron Stout wrote:
> Hi. I recently installed snort. I have been noticing a lot of
>
> Jan 6 11:40:00 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST
> [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> 127.0.0.1:53 -> 127.0.0.1:32966
[snip]
> This seems to keep happening on my loopback interface. I am not sure
> what would be causing this. But it is certainly filling the logs up
> quick. Any suggestions or comments would be greatly appreciated.

Two possibilities:

1) You ask snort to sniff on the loopback interface. Why? No cracker is going to hack you through the lo interface before entering from eth* or ppp*, unless you expect console crackers, in which case you are using the wrong tool for the job.

2) Some box on your network is severely broken. Actually, the only time I see this traffic is when an attacker spoofs their address (don't ask me *why* several layers of ISPs fail to filter this out) or when a box on the network is broken (actually, my real-life experience tells me that those events seem to go hand-in-hand: the only time I have seen loopback packets generated from a machine on the LAN is when the said machine has been compromised).

Suggestions:

1) Log all traffic to files in pcap format, which you can later open up in ethereal (among other tools) for later analysis.

2) Read some books about networks and IDSs. To start with I would suggest the following books:

TCP/IP Illustrated, Volume 1: The Protocols
W. Richard Stevens
Addison-Wesley Pub Co; ISBN: 0201633469

Network Intrusion Detection: An Analyst's Handbook
Stephen Northcutt, Donald McLachlan, Judy Novak
New Riders Publishing; ISBN: 0735712654

Intrusion Signatures and Analysis
Mark Cooper, Stephen Northcutt, Matt Fearnow, Karen Frederick
New Riders Publishing; ISBN: 0735710635

Best regards
Michael Boman

--
Michael Boman
Developer, Hardened Gentoo Linux
http://www.gentoo.org
http://dev.gentoo.org/~mboman
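A small triage script for alerts in the syslog format quoted above, added here as an example and not part of the thread or of Snort itself. It assumes one alert per syslog line and sorts "same SRC/DST" alerts into the two cases the reply distinguishes (loopback noise versus a real interface); the sample lines other than the one from the question are constructed, including the 192.0.2.10 address and the SID 999999 entry.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Syslog "fast" alert format as quoted in the question (one alert per line).
# Ports are optional so ICMP alerts, which carry none, still parse.
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"], d["pri"] = int(d["sid"]), int(d["pri"])
    return d

def classify(alert):
    """Bucket one alert along the lines the reply draws."""
    src, dst = ip_address(alert["src"]), ip_address(alert["dst"])
    if src != dst:
        return "other"
    if src.is_loopback:
        return "loopback-noise"        # snort listening on lo, as in the question
    return "spoofed-or-broken-host"    # same SRC/DST on a real interface: look at that host

def triage(lines):
    """Count alerts per bucket, and per source address for the suspicious bucket."""
    buckets, suspects = Counter(), Counter()
    for a in filter(None, map(parse_alert, lines)):
        b = classify(a)
        buckets[b] += 1
        if b == "spoofed-or-broken-host":
            suspects[a["src"]] += 1
    return buckets, suspects

# Constructed sample log: the line from the question plus two made-up lines.
SAMPLE_LOG = [
    "Jan 6 11:40:00 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 127.0.0.1:53 -> 127.0.0.1:32966",
    "Jan 6 11:41:12 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 192.0.2.10:80",
    "Jan 6 11:41:30 fearthecow snort: [1:999999:1] EXAMPLE constructed alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 192.0.2.10 -> 127.0.0.1",
]
```

If every alert lands in the loopback-noise bucket, the fix is the interface Snort listens on rather than an intrusion; anything in the other bucket names a host worth capturing from in pcap format.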
