On Mon, 2006-08-07 at 17:51 +0200, Lutz Schildt wrote:
Hi everyone,
I just had Snort alering me about this:
#(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150] (snort
decoder) Bad Traffic Loopback IP
IPv4: 72.30.*.* -> 195.90.*.*
TCP: port=* -> dport: * chksum=0
Payload: length = 195
000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20
GET /robots.txt
010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20
HTTP/1.0..Host:
It's valid HTTP traffic, why would snort tell me it's Bad Loopback
Traffic? It's the first time in about 4 years of snort that this
happened. Is it maybe because chksum=0?
AHA!!
I had a rash of weird preprocessor alerts myself recently. "(snort
decoder) Bad Traffic Same Src/Dst IP" when in fact the IP addresses
where not the same. It reached levels that were driving me nuts so I
suppressed that preproc alert completely. The actual rules for
Same-Src/Dst traffic never fired.
Looking at these packets, all of them have an IP header and TCP header
checksum of 0.
The question is if that is the cause for the alert, or if the
preprocessor just doesn't report the checksum correctly.
Anyone else seeing this?
Regards,
Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
signature.asc
Description: This is a digitally signed message part
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
