
[firestorm053] pb with rules : BAD TRAFFIC loopback traffic ...



Hi,

Look at this rule:

/xxx/snort-rules/bad-traffic.rules:alert ip any any <> 127.0.0.0/8 any
(msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown;
reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:3;)

and read the tcpdump file (attached):
09:06:41.970786 24.78.142.0.3509 > 81.51.107.191.4662: S [tcp sum ok]
45356840:45356840(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113,
id 28847, len 48)
...

Yes, it is not a localhost IP, but I have an xxx.xxx.xxx.0 IP!
(yes, this traffic is p2p eDonkey)

firestorm 053 and previous versions have the same problem ...

I use firestorm-nids on FreeBSD 4.8 with the syslog patch.

Regards.

Attachment: firestorm-loopbacktraffic.tcpdump.gz
Description: GNU Zip compressed data
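As an added check that is not part of the post or of firestorm's own code: a small Python evaluator of the quoted rule's bidirectional "<>" network test, run over the quoted tcpdump header line (the 127.0.0.1 line is constructed for comparison). It shows the verdict a correct prefix comparison gives, namely that the host address 24.78.142.0 is not inside 127.0.0.0/8, which is what the sensor should have reported.

```python
import ipaddress
import re

# Network from the rule quoted in the post, plus sample tcpdump output.
# Lines 1-3 are the packet from the post; the 127.0.0.1 line is constructed
# here so that the rule has one genuine hit to compare against.
RULE_NET = ipaddress.ip_network("127.0.0.0/8")
SAMPLE_LINES = [
    "09:06:41.970786 24.78.142.0.3509 > 81.51.107.191.4662: S [tcp sum ok]",
    "45356840:45356840(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113,",
    "id 28847, len 48)",
    "09:06:42.100000 127.0.0.1.40000 > 127.0.0.1.25: S [tcp sum ok]",  # constructed
]

# tcpdump prints IPv4 endpoints as a.b.c.d.port; the fifth dotted field is the port.
_ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})\b")


def parse_endpoints(line):
    """Return (src_ip, dst_ip) for a tcpdump header line, or None for a
    continuation line (TCP options, ttl/id/len) that carries no addresses."""
    hits = _ENDPOINT.findall(line)
    if len(hits) < 2:
        return None
    return ipaddress.ip_address(hits[0][0]), ipaddress.ip_address(hits[1][0])


def rule_matches(line, net=RULE_NET):
    """Evaluate 'alert ip any any <> NET any' on one header line.
    '<>' is bidirectional, so the rule fires if either endpoint lies inside NET.
    ipaddress compares the full masked prefix, so a host address ending in .0
    such as 24.78.142.0 is handled like any other address and stays outside
    127.0.0.0/8."""
    ends = parse_endpoints(line)
    if ends is None:
        return False
    src, dst = ends
    return src in net or dst in net


def scan(lines, net=RULE_NET):
    """Return the header lines on which the rule should actually fire."""
    return [ln for ln in lines if rule_matches(ln, net)]


if __name__ == "__main__":
    for ln in scan(SAMPLE_LINES):
        print("BAD TRAFFIC loopback traffic:", ln)
```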