Message-ID: <200308181826.h7IIQBAc050171@mailserver2.hushmail.com>
From: phathat at hushmail.com (Phathat)
Subject: Loopback packets
Anyone seen this?
Snort began reporting this capture from a single Windows box about twenty-four
hours after we set windowsupdate.com to loopback. That's the only
correlation I've found. Now I have three machines sending these little
angry packets from different subnets (1918). Strangest of all, these
packets traversed two+ routers before they hit the Snort box?... Anyone?...
--- Last alerts ---

[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x57810001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

-- END OF LOG ---
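
A triage sketch for alerts in the layout quoted above, added here as an example and not part of the original post: it picks out packets whose source address is in 127.0.0.0/8, groups them by the source MAC the sensor saw (the last layer-2 hop, which is a router interface rather than the sending host once a packet has been routed), and estimates hop count. The function name `triage` and the initial TTL of 128 are assumptions; the sample is two records copied from the post, line wraps included.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# One packet record: Ethernet line, IP/TCP line, flags line. \s+ and re.S
# let the pattern tolerate the line wrapping seen in mailed alert output.
REC = re.compile(
    r'(?P<ts>\d\d/\d\d-[\d:.]+)\s+(?P<smac>[0-9A-Fa-f:]+)\s+->\s+'
    r'(?P<dmac>[0-9A-Fa-f:]+)\s+type:\S+\s+len:\S+\s+'
    r'(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+'
    r'\w+\s+TTL:(?P<ttl>\d+).*?(?P<flags>[*A-Z0-9]{8})\s+Seq:', re.S)

# Two records copied from the post, wrapped as they appear there.
SAMPLE = """\
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800
len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20
DgmLen:40
***A*R** Seq: 0x0 Ack: 0x57810001 Win: 0x0 TcpLen: 20
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20
DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
"""

def triage(text, initial_ttl=128):
    """Group on-the-wire packets with a loopback source by the MAC that sent them.

    initial_ttl=128 is an assumption (a common Windows default); the hop
    estimate is only as good as that guess.
    """
    by_mac = defaultdict(list)
    for m in REC.finditer(text):
        if not ip_address(m["sip"]).is_loopback:
            continue  # only 127.0.0.0/8 sources are of interest here
        by_mac[m["smac"].upper()].append({
            "time": m["ts"],
            "sport": int(m["sport"]),
            "dst": f'{m["dip"]}:{m["dport"]}',
            "rst_ack": "R" in m["flags"] and "A" in m["flags"],
            "hops": initial_ttl - int(m["ttl"]),
        })
    return dict(by_mac)

if __name__ == "__main__":
    for mac, pkts in triage(SAMPLE).items():
        print(mac, len(pkts), "packet(s)")
        for p in pkts:
            print("  ", p)
```

To find the machine behind a routed packet, look up the reported MAC on the sensor's segment and follow the destination addresses and ports back through the upstream routers' logs.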