Hi All, I received these packets this morning (tcpdump file attached):

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.173462 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=*S****** from=client server=CLOSED client=SYN_SENT : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995 alert=sig.tcp sig=1431.4 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV : BAD TRAFFIC syn to multicast address
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.191055 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=****A*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212041 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212097 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212152 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212187 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.230985 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.231046 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.231086 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.251964 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.252026 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=****A*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.252084 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic

(Yes, these events were sent by firestorm-nids with the syslog patch.)

My question is: why does Firestorm raise the event "BAD TRAFFIC loopback"? Look at this rule:

alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:3;)

In this TCP session there is no 127.0.0.0/8!
Please help me, and thanks for your answers. Regards.
Attachment:
firestorm-badtraffic0.tcpdump.gz
Description: GNU Zip compressed data
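The check the poster is doing by eye (does either endpoint of the flagged session fall inside the rule's 127.0.0.0/8 address set?) can be done systematically for a whole batch of alerts. The script below is an added example, not part of the post and not Firestorm's or Snort's code: it parses the key=value fields of the Firestorm syslog alert format shown above, parses the header of the quoted sid:528 rule, and evaluates the header's address and port constraints in both directions (the rule uses the bidirectional `<>` operator). For the second signature it only has the alert text "syn to multicast address" to go on, so it reports whether the destination is actually a multicast address as an assumption about what that signature is meant to test. The two sample lines are copied from the post; all function names are the example's own.

```python
"""False-positive triage: does an alert's src/dst really satisfy the rule header?

Added example; assumes the Firestorm syslog alert format and Snort-style rule
header shown in the post.  Uses only the Python standard library.
"""
import ipaddress
import re

# Two alert lines copied from the post (one per signature).
SAMPLE_ALERTS = [
    "Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.173462 "
    "alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 "
    "spt=2928 dpt=4662 flags=*S****** from=client server=CLOSED client=SYN_SENT "
    ": BAD TRAFFIC loopback traffic",
    "Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995 "
    "alert=sig.tcp sig=1431.4 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 "
    "spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV "
    ": BAD TRAFFIC syn to multicast address",
]

# The rule quoted in the post.
RULE_528 = ('alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; '
            'classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; '
            'sid:528; rev:3;)')


def parse_alert(line):
    """Split a Firestorm syslog alert into its key=value fields plus the message text."""
    head, _, msg = line.partition(" : ")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields["msg"] = msg.strip()
    return fields


def parse_rule_header(rule):
    """Return the seven header tokens of a Snort-style rule as a dict."""
    tokens = rule.split("(", 1)[0].split()
    action, proto, src, sport, direction, dst, dport = tokens[:7]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def addr_matches(addr, spec):
    """Match one address against 'any', a CIDR, or a negated CIDR ('!10.0.0.0/8')."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if negate else hit


def port_matches(port, spec):
    """Match a port against 'any' or a single port number (ranges not needed here)."""
    return spec == "any" or str(port) == spec


def rule_header_matches(alert, hdr):
    """Evaluate the header in the rule's direction; '<>' means either orientation."""
    forward = (addr_matches(alert["src"], hdr["src"]) and port_matches(alert["spt"], hdr["sport"])
               and addr_matches(alert["dst"], hdr["dst"]) and port_matches(alert["dpt"], hdr["dport"]))
    if hdr["dir"] != "<>":
        return forward
    backward = (addr_matches(alert["src"], hdr["dst"]) and port_matches(alert["spt"], hdr["dport"])
                and addr_matches(alert["dst"], hdr["src"]) and port_matches(alert["dpt"], hdr["sport"]))
    return forward or backward


def triage(lines, rule):
    """For each alert, report whether the rule header really applies to its endpoints."""
    hdr = parse_rule_header(rule)
    results = []
    for line in lines:
        a = parse_alert(line)
        results.append({
            "sig": a["sig"],
            "src": a["src"],
            "dst": a["dst"],
            "msg": a["msg"],
            "header_matches": rule_header_matches(a, hdr),
            # Assumption: a "syn to multicast address" signature should only
            # fire when the destination is a multicast (224.0.0.0/4) address.
            "dst_is_multicast": ipaddress.ip_address(a["dst"]).is_multicast,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, RULE_528):
        verdict = "matches rule header" if r["header_matches"] else "does NOT match rule header"
        print(f'sig={r["sig"]} {r["src"]} -> {r["dst"]}: {verdict}; '
              f'dst multicast={r["dst_is_multicast"]}  ({r["msg"]})')
```

Run on the two lines from the post, neither endpoint is inside 127.0.0.0/8 and the destination of the sid 1431 alert is not a multicast address, so the rule headers as written do not account for these events; the next place to look is the sensor's own address matching rather than the rule text.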