On Wed, 2004-01-07 at 22:57, Michael Boman wrote:
> On Wed, 2004-01-07 at 01:44, Aaron Stout wrote:
> > Hi. I recently installed snort. I have been noticing a lot of
> >  
> > Jan  6 11:40:00 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST
> > [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP}
> > 127.0.0.1:53 -> 127.0.0.1:32966
> [snip]
> > This seems to keep happening on my loopback interface. I am not sure
> > what would be causing this. But it is certainly filling the logs up
> > quick. Any suggestions or comments would be greatly appreciated.
> 
> Two possibilities:
> 1) You ask snort to sniff on loopback interface. Why? No cracker is
> going to hack you through lo interface before entering from eth* or
> ppp*, unless you expect console crackers in which case you are using the
> wrong tool for the job.
> 
> 2) Some box on your network is severely broken. Actually, the only time
> I see this traffic is when an attacker spoofs their address (don't ask me
> *why* several layers of ISPs fail to filter this out) or when a box on
> the network is broken (actually, my real-life experience tells me that
> those events seem to go hand-in-hand: the only time I have seen loopback
> packets generated from a machine on the LAN is when the said machine has
> been compromised).
> 
> Suggestions:
> 1) Log all traffic to files in pcap format, which you later can open up
> in ethereal (among other tools) for later analysis.
> 
> 2) Read some books about networks and IDSs. To start with I would
> suggest the following books:
> 
> TCP/IP Illustrated, Volume 1: The Protocols
> W. Richard Stevens
> Addison-Wesley Pub Co; ISBN: 0201633469
> 
> Network Intrusion Detection: An Analyst's Handbook
> Stephen Northcutt, Donald McLachlan, Judy Novak
> New Riders Publishing; ISBN: 0735712654
> 
> Intrusion Signatures and Analysis
> Mark Cooper, Stephen Northcutt, Matt Fearnow, Karen Frederick
> New Riders Publishing; ISBN: 0735710635
> 
> Best regards
>  Michael Boman

That's exactly what happened. I used the any option for interfaces that
came with the default config. I fired it up to take a peek. I then
removed any and set it for eth0. Never saw any alerts about same
SRC/DST since.

--
[EMAIL PROTECTED] mailing list
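As an added example (not part of the thread, and not Snort's own code), here is a small Python triage script for the syslog-style alert line quoted above. It parses the `[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port` format and sorts "same SRC/DST" hits into the two possibilities Michael describes: a loopback address talking to itself (noise from sniffing `lo`, as in Aaron's case) versus a LAN or public address talking to itself (spoofing or a broken host, worth keeping the pcap for). The line format is inferred from the single alert in the thread; the sample lines other than that one are constructed for the demonstration.

```python
"""Parse Snort syslog alert lines and triage 'same SRC/DST' alerts.

Added example for the thread above. The regex is built from the one alert
line quoted there (syslog writes it on a single line; the mail client
wrapped it). All sample lines except that one are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

# Assumed syslog alert layout, IPv4 only, port optional (ICMP has none).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for an alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def triage(alert: SnortAlert) -> str:
    """Map an alert to one of: 'other', 'loopback-noise', 'investigate'."""
    if alert.src != alert.dst:
        return "other"  # not a same-SRC/DST event at all
    if ip_address(alert.src).is_loopback:
        # Sniffing lo: local services (here a resolver on 127.0.0.1:53) talk
        # to themselves. Expected noise; stop sniffing lo rather than the rule.
        return "loopback-noise"
    # A LAN or public address sending to itself: spoofed source or a broken
    # (possibly compromised) host. Keep the pcap for this one.
    return "investigate"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count triage outcomes over a batch of syslog lines."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        counts[triage(alert) if alert else "unparsed"] += 1
    return dict(counts)


SAMPLE_LINES = [
    # The alert quoted in the thread, joined back onto one line.
    "Jan  6 11:40:00 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} "
    "127.0.0.1:53 -> 127.0.0.1:32966",
    # Constructed: the same rule firing for a LAN address talking to itself.
    "Jan  6 11:41:12 fearthecow snort: [1:527:4] BAD-TRAFFIC same SRC/DST "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} "
    "192.168.1.23:1025 -> 192.168.1.23:80",
    # Constructed: an unrelated alert with distinct endpoints and no ports.
    "Jan  6 11:42:05 fearthecow snort: [1:1234:1] EXAMPLE-RULE something "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} "
    "10.0.0.5 -> 10.0.0.9",
    # Constructed: a non-alert line of the kind snort also writes to syslog.
    "Jan  6 11:42:30 fearthecow snort: Initializing daemon mode",
]

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{category:15s} {n}")
```

Run against a real syslog file, replace `SAMPLE_LINES` with the file's lines; anything that lands in `investigate` is the case where Michael's advice to keep pcap logs applies, while a log full of `loopback-noise` points at the `any`/`lo` interface setting Aaron ended up fixing.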