RE: [Snort-users] a lot of Loopback traffic being logged.

Chuck Holley
Apr 23, 2004, 10:33:36 AM

OK, I looked through the archives and found that it is probably the Blaster worm, and that to find the src address you need to follow back to the MAC address. My problem is that I have Firestarter firewall on my mailserver and it is also logging the loopback address issue as a "Martian source attack," and I have two different IP addresses mapped to the same MAC address?????? What is up with that? How do I trace that?

Also I can't seem to find where the MAC address is in ACID.

-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net] On Behalf Of
Mark.Sc...@Omron.com
Sent: Thursday, April 22, 2004 6:09 PM
To: Chuck Holley
Cc: snort...@lists.sourceforge.net;
snort-us...@lists.sourceforge.net
Subject: Re: [Snort-users] a lot of Loopback traffic being logged.


I reported this same problem earlier. I had a lot of great feedback, if you want to search the mailing list. Recently, I had this come up again. I used Snort in non-daemon mode to find the MAC address that was associated with the 127.0.0.1 address, which led me to a router (ugh!). I then had to trace that through my WAN to another network, where we found the local MAC and traced that to a couple of Japanese engineers who were visiting our company and had plugged their computers into our network. Unfortunately, because we did not have a translator and could not readily sift through their Japanese OS computers, I still cannot say what the source program was that caused this. I simply had to quarantine their computer away from the corporate network. If I find a translator and the program, I will forward this info on. Let me know what you find! I suspect some virus or trojan. This is a fairly amateur attack to actually be running manually. Good luck!

Best Regards,
Mark


"Chuck Holley" <cho...@fitnessquest.com>
Sent by: snort-us...@lists.sourceforge.net
To: <snort...@lists.sourceforge.net>
Subject: [Snort-users] a lot of Loopback traffic being logged.
04/22/2004 08:38 AM

"BAD-TRAFFIC loopback traffic" I am getting a lot of this one alert on 127.0.0.1. I'm really not sure what is causing this, if it is faulty networking or maybe a spoofer. Now that I know I'm getting this, thanks to SNORT, what the heck do I do about it? Anyone ever remedy this problem?

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cho...@fitnessquest.com


-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Fred Portnoy
Apr 23, 2004, 11:21:27 AM

You need to sniff on one interface at a time at your network distribution point, and as you find the offending packets, go upstream to the next aggregation point and so forth, until you get by the last router and you are on the offender's home LAN; only then will you have captured their actual MAC address. Good luck!

-fp


Mark.Sc...@omron.com
Apr 23, 2004, 11:47:25 AM

One more point... if you have a Cisco router, you can create some ACLs and use CEF to detect the packet stream and find the MAC address. That's how I ended up finding it beyond my local router without having to send a protocol analyzer to the remote site. Good luck!

Mark



Chuck Holley
Apr 23, 2004, 1:36:55 PM

Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

I'm assuming I'm doing this right. I'm trying to log only packets from 127.0.0.1 and log the whole Ethernet packet (1518) on interface eth0 and write to a file called dump.

Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes that is sending out the 127.0.0.1, or did I simply pick up two packets sent out from hal2 to these other machines?

I looked at Snort and the exact same IPs, with the exact same ports, were logged coming from 127.0.0.1.

To say the least I'm confused even more!!

Fred Portnoy
Apr 23, 2004, 2:16:59 PM

Once I knew I had to sniff upstream, I used a separate laptop running Sniffer.... this would eliminate any confusion over self-generated packets at the snort box. But .... my guess is that your tcpdump is mis-resolving the 127.0.0.1 src address into its host's own name. Tcpdump must have an option to just display numerical addresses and not resolve them? -f
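The name-resolution problem Fred describes (tcpdump printing the capturing host's own name for 127.0.0.1) goes away with tcpdump's -n flag, and -e adds the Ethernet addresses the thread is chasing. As an added example, not code from anyone in the thread, here is a small Python triage script over constructed `tcpdump -n -e` lines: it groups loopback-sourced frames by source MAC and flags a MAC that also carries unrelated source IPs, which is the router case Mark ran into, where the trace has to continue upstream. MACs, hosts and timestamps in the sample are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in `tcpdump -n -e` format (numeric addresses plus the
# link-layer header). MACs, hosts and timestamps are hypothetical.
SAMPLE = "\n".join([
    "13:04:11.172652 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:02, ethertype IPv4 (0x0800), "
    "length 60: 127.0.0.1.80 > 192.168.42.50.1361: Flags [R.], seq 0, ack 799408129, win 0, length 0",
    "13:04:54.391786 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:03, ethertype IPv4 (0x0800), "
    "length 60: 127.0.0.1.80 > 192.168.42.52.1196: Flags [R.], seq 0, ack 1316880385, win 0, length 0",
    "13:05:02.000001 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:02, ethertype IPv4 (0x0800), "
    "length 74: 10.20.30.40.53 > 192.168.42.50.1024: 12345 1/0/0 A 10.20.30.41 (40)",
    "13:05:03.000002 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:02, ethertype IPv4 (0x0800), "
    "length 60: 10.20.31.7.80 > 192.168.42.50.1365: Flags [S.], seq 1, ack 2, win 8192, length 0",
    "13:05:09.500000 00:50:56:ff:ee:03 > 00:50:56:ff:ee:02, ethertype IPv4 (0x0800), "
    "length 60: 192.168.42.52.1196 > 192.168.42.50.80: Flags [S], seq 10, win 65535, length 0",
])

# One IPv4 frame as printed with -n -e; name-resolved lines (e.g. "hal2.http")
# deliberately do not match, which is exactly why -n is needed for this triage.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+(?:\.\d+){3})\.\w+ > (?P<dip>\d+(?:\.\d+){3})\.\w+:"
)


def parse_frames(text):
    """Yield (src_mac, src_ip, dst_ip) for every frame FRAME_RE recognises."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield m["smac"], m["sip"], m["dip"]


def summarize_loopback_sources(text):
    """Group frames with a 127.0.0.0/8 IP source by Ethernet source MAC.
    For each such MAC also list the other source IPs seen behind it: a MAC
    that forwards several unrelated sources is almost certainly a router or
    gateway, so the spoofing host sits further upstream (heuristic: >= 2)."""
    loopback_frames = defaultdict(int)
    src_ips = defaultdict(set)
    for smac, sip, _dip in parse_frames(text):
        src_ips[smac].add(sip)
        if ip_address(sip).is_loopback:
            loopback_frames[smac] += 1
    report = {}
    for mac, count in loopback_frames.items():
        others = sorted(ip for ip in src_ips[mac] if not ip_address(ip).is_loopback)
        report[mac] = {"loopback_frames": count, "other_src_ips": others,
                       "likely_router": len(others) >= 2}
    return report


if __name__ == "__main__":
    for mac, info in summarize_loopback_sources(SAMPLE).items():
        print(mac, info)
```

With real data, feed it the output of `tcpdump -n -e -r dump` (or a live `tcpdump -n -e src net 127.0.0.0/8`) instead of SAMPLE; a MAC flagged as likely_router is the point where the next hop upstream needs its own capture, as Fred describes.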
