
firestorm question (bad traffic loopback)



Hi All,

I received these packets this morning (tcpdump file attached):

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.173462
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=*S****** from=client server=CLOSED
client=SYN_SENT : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT
client=SYN_RECV : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995
alert=sig.tcp sig=1431.4 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT
client=SYN_RECV : BAD TRAFFIC syn to multicast address

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.191055
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=****A*** from=client server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212041
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212097
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212152
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.212187
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.230985
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.231046
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.231086
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=***PA*** from=client server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.251964
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=****A*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.252026
alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6
spt=2928 dpt=4662 flags=****A*** from=client server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.252084
alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6
spt=4662 dpt=2928 flags=***PA*** from=server server=ESTABLISHED
client=ESTABLISHED : BAD TRAFFIC loopback traffic

(Yes, these events were sent by firestorm-nids with the syslog patch.)

And my question is:

Why does firestorm raise the event "BAD TRAFFIC loopback"?

Because look at this rule:
alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic";
classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php;
sid:528; rev:3;)

In this TCP session, I don't have 127.0.0.0/8!

Please help me, and thanks for your answers.

Regards.

Attachment: firestorm-badtraffic0.tcpdump.gz
Description: GNU Zip compressed data
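As an added triage check (not part of this post, and not firestorm's own code), the script below parses alerts in the syslog format shown above and tests each sid 528 alert's endpoints against the rule's 127.0.0.0/8 with "<>" (either-side) semantics, so a defender can confirm which alerts the rule text actually justifies. The sample input is constructed from the post's first four alerts, re-joined onto single lines as syslog emits them; the function and variable names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the first four alerts from the post, each re-joined onto
# one line as syslog actually emits them.
ALERTS = """\
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.173462 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=*S****** from=client server=CLOSED client=SYN_SENT : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995 alert=sig.ip sig=528.3 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV : BAD TRAFFIC loopback traffic
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.190995 alert=sig.tcp sig=1431.4 priority=2 src=80.14.9.13 dst=80.8.89.0 proto=6 spt=4662 dpt=2928 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV : BAD TRAFFIC syn to multicast address
Apr 29 15:01:08 crusoe 11 firestorm-nids053pre3frag: 1051621268.191055 alert=sig.ip sig=528.3 priority=2 src=80.8.89.0 dst=80.14.9.13 proto=6 spt=2928 dpt=4662 flags=****A*** from=client server=ESTABLISHED client=ESTABLISHED : BAD TRAFFIC loopback traffic
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_alert(line):
    """Split one firestorm syslog alert into its key=value fields plus the message text.
    Returns None for lines that carry no sig= field (not an alert)."""
    head, _, msg = line.partition(" : ")
    fields = dict(KV_RE.findall(head))
    if "sig" not in fields or "src" not in fields or "dst" not in fields:
        return None
    fields["sid"] = int(fields["sig"].split(".")[0])   # sig=528.3 is sid.rev
    fields["msg"] = msg.strip()
    return fields

def address_part_matches(fields, net, direction="<>"):
    """Evaluate the address part of a Snort-style rule header, 'any any -> NET any' or '<>'."""
    src, dst = ip_address(fields["src"]), ip_address(fields["dst"])
    if direction == "->":
        return dst in net
    return src in net or dst in net      # '<>' matches if either endpoint is in NET

def check_alerts(text, sid, cidr, direction="<>"):
    """Return (consistent, suspect): alerts for `sid` whose endpoints do / do not satisfy the rule."""
    net = ip_network(cidr)
    consistent, suspect = [], []
    for line in text.splitlines():
        fields = parse_alert(line)
        if fields is None or fields["sid"] != sid:
            continue
        (consistent if address_part_matches(fields, net, direction) else suspect).append(fields)
    return consistent, suspect

if __name__ == "__main__":
    ok, bad = check_alerts(ALERTS, 528, "127.0.0.0/8")
    print(f"sid 528: {len(ok)} alerts consistent with the rule, {len(bad)} not")
    for f in bad:
        print(f"  {f['src']} -> {f['dst']} ({f['msg']}): neither endpoint in 127.0.0.0/8")
```

Run against the post's alerts, every sid 528 hit lands in the suspect list, which is the point of the question: the alert text and the rule's address part do not agree.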