Hi, look at this rule:

/xxx/snort-rules/bad-traffic.rules:alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:3;)

and read the tcpdump file (attached):

09:06:41.970786 24.78.142.0.3509 > 81.51.107.191.4662: S [tcp sum ok] 45356840:45356840(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113, id 28847, len 48)

... yes, not a localhost IP, but I have an xxx.xxx.xxx.0 IP! (yes, this traffic is p2p eDonkey). firestorm 053 and previous versions have the same problem ... I use firestorm-nids on freebsd48 with the syslog patch. Regards.
Attachment:
firestorm-loopbacktraffic.tcpdump.gz
Description: GNU Zip compressed data
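To check the reported false positive independently of the sensor, the rule header of sid 528 can be evaluated by hand against the quoted tcpdump line: a /8 match only looks at the first octet, so a source of 24.78.142.0 does not fall in 127.0.0.0/8 regardless of its trailing .0. The following is an added example written for this page; it is not code from firestorm or from the post. It assumes classic tcpdump header output of the form `HH:MM:SS.us SRC.SPORT > DST.DPORT: ...` as shown above, evaluates only the rule header (IPs, ports, direction), and ignores rule options.

```python
"""Evaluate a Snort-style IP rule header against a tcpdump header line.

Added example, not code from firestorm or from the original post. Assumes the
classic tcpdump format 'HH:MM:SS.us SRC.SPORT > DST.DPORT: ...' quoted in the
post; rule options (msg, sid, ...) are not evaluated.
"""
import ipaddress
import re

# Constructed sample input: the header line quoted in the post.
SAMPLE_LINE = ("09:06:41.970786 24.78.142.0.3509 > 81.51.107.191.4662: S [tcp sum ok] "
               "45356840:45356840(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) "
               "(ttl 113, id 28847, len 48)")

# 'a.b.c.d.port > a.b.c.d.port:' as printed by classic tcpdump.
_HDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_endpoints(line):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) from a tcpdump line."""
    m = _HDR_RE.search(line)
    if m is None:
        raise ValueError("not a recognised tcpdump header line")
    return ((m.group(1), int(m.group(2))), (m.group(3), int(m.group(4))))


def _ip_matches(spec, ip):
    """Snort-style IP field: 'any', a single host, or a CIDR block."""
    if spec == "any":
        return True
    # strict=False: a CIDR written with host bits set (127.0.0.1/8) denotes its
    # network (127.0.0.0/8); only the masked bits take part in the comparison.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Snort-style port field: 'any' or a single port number."""
    return spec == "any" or int(spec) == port


def rule_fires(src_spec, sport_spec, direction, dst_spec, dport_spec, line):
    """True if the rule header would fire on the packet described by 'line'.

    direction is '->' (one way) or '<>' (either way), as in Snort rule headers.
    """
    (sip, sport), (dip, dport) = parse_endpoints(line)
    forward = (_ip_matches(src_spec, sip) and _port_matches(sport_spec, sport)
               and _ip_matches(dst_spec, dip) and _port_matches(dport_spec, dport))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (_ip_matches(src_spec, dip) and _port_matches(sport_spec, dport)
                   and _ip_matches(dst_spec, sip) and _port_matches(dport_spec, sport))
        return forward or reverse
    raise ValueError("direction must be '->' or '<>'")


def loopback_rule_fires(line):
    """Evaluate the header of sid 528: alert ip any any <> 127.0.0.0/8 any."""
    return rule_fires("any", "any", "<>", "127.0.0.0/8", "any", line)


if __name__ == "__main__":
    print("sid 528 fires on the posted packet:", loopback_rule_fires(SAMPLE_LINE))
    # A genuine loopback packet, for contrast (constructed line).
    print("sid 528 fires on 127.0.0.1 traffic:",
          loopback_rule_fires("09:06:42.000000 127.0.0.1.1024 > 10.0.0.5.80: S 1:1(0) win 1"))
```

Running this on the quoted line returns False for sid 528, so an engine that alerts on it is applying the 127.0.0.0/8 test incorrectly; the same function returns True for a constructed packet with 127.0.0.1 on either side, which is the behaviour the rule intends.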