Snort mailing list archives

snort "seeing" nonexistent packets


From: Lai Zit Seng <lzs () pobox com>
Date: Tue, 24 Jul 2001 23:33:53 +0800 (SGT)

Hi,

I am seeing a strange phenomenon. I have noticed this prior to 1.8.1-beta3
but only started to confirm my observations now. I am running 1.8.1-beta3
at this time and it is alerting about many packets supposedly from the
loopback network. But they don't exist, confirmed via tcpdump on the same
host.

For example, I run snort with this command line:

    snort -z est -DNy -c /etc/snort/snort.conf -i eth1

and this appears in my alert log (my IP address masked out):

[**] [1:528:1] MISC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/24/01-23:28:21.194494 127.81.172.46 -> xx.xx.xx.xx
IP TTL:0 TOS:0x0 ID:1596 IpLen:20 DgmLen:116
Frag Offset: 0xB9   Frag Size: 0x60

At the same time, I run tcpdump -i eth1 -n net 127.0.0.0/8 on the very
same machine and NO packets show up.

So where is snort seeing the traffic? Possibly packets got mangled within
itself?

Regards,

.lzs
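
A way to check this kind of discrepancy by hand, as an added example that is not part of the original post: decode the IPv4 header of a captured packet and print the same fields Snort prints in its alert line, then apply the two tests in play here, the rule 1:528 condition (source address inside 127.0.0.0/8) and what the tcpdump filter net 127.0.0.0/8 matches (either address inside 127/8). If a hand decode of the same capture disagrees with what Snort reports, the packet is being mangled or mis-decoded rather than really arriving with those values. The sample packet below is constructed to mirror the alert above; the destination 192.0.2.10 stands in for the masked address, the protocol (UDP) and the all-zero payload are assumptions, and "Frag Size" is computed as DgmLen minus IpLen, which is what the alert's 116, 20 and 0x60 work out to.

```python
"""Decode an IPv4 fragment header the way the Snort alert above prints it and
apply the loopback-source test shared by rule 1:528 and `tcpdump net 127.0.0.0/8`.
Added example; SAMPLE is constructed to mirror the alert, not a real capture."""
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, len, ID, flags/frag, TTL, proto, csum, src, dst


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src, dst, ident, frag_offset_units, ttl, payload,
                   more_fragments=False, proto=17):
    """Build an option-less IPv4 header plus payload. frag_offset_units is the
    13-bit fragment offset in 8-byte units exactly as carried on the wire."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + payload


def decode_ipv4(pkt: bytes) -> dict:
    """Parse the fields Snort shows in its alert header lines."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, tos, dgm_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ip_len = (vihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    more_fragments = bool(flags_frag & 0x2000)
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "ttl": ttl, "tos": tos, "id": ident, "proto": proto,
        "ip_len": ip_len, "dgm_len": dgm_len,
        "is_fragment": frag_offset != 0 or more_fragments,
        "frag_offset": frag_offset,          # 8-byte units, as printed in the alert
        "frag_size": dgm_len - ip_len,       # bytes after the header; matches "Frag Size"
        "checksum_ok": ip_checksum(pkt[:ip_len]) == 0,
    }


def loopback_traffic(fields: dict) -> bool:
    """The condition rule 1:528 keys on: source address inside 127.0.0.0/8."""
    return ipaddress.ip_address(fields["src"]) in LOOPBACK_NET


def bpf_net_loopback(fields: dict) -> bool:
    """What `tcpdump -n net 127.0.0.0/8` selects: either address inside 127/8.
    A packet Snort flags but this rejects cannot have had these bytes on the wire."""
    return loopback_traffic(fields) or ipaddress.ip_address(fields["dst"]) in LOOPBACK_NET


def sanity_flags(fields: dict) -> list:
    """Signs that a decoded header is not a plausible forwarded packet."""
    flags = []
    if fields["ttl"] == 0:
        flags.append("ttl-zero")             # a router would have dropped it
    if fields["frag_offset"] != 0:
        flags.append("non-initial-fragment")  # no transport header to inspect
    if not fields["checksum_ok"]:
        flags.append("bad-checksum")
    return flags


def snort_style_lines(fields: dict) -> str:
    """Reproduce the three header lines of the alert format for comparison."""
    return ("%s -> %s\nIP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d\n"
            "Frag Offset: 0x%X   Frag Size: 0x%X" % (
                fields["src"], fields["dst"], fields["ttl"], fields["tos"], fields["id"],
                fields["ip_len"], fields["dgm_len"], fields["frag_offset"], fields["frag_size"]))


# Constructed sample mirroring the alert: TTL 0, ID 1596, 96 payload bytes,
# fragment offset 0xB9 (8-byte units); destination is a placeholder.
SAMPLE = build_fragment("127.81.172.46", "192.0.2.10", 1596, 0xB9, 0, b"\x00" * 96)

if __name__ == "__main__":
    f = decode_ipv4(SAMPLE)
    print(snort_style_lines(f))
    print("rule 1:528 match:", loopback_traffic(f), " bpf net 127/8 match:", bpf_net_loopback(f))
    print("sanity flags:", sanity_flags(f))
```

Run it against real data by replacing SAMPLE with the IP layer of a packet read from a tcpdump -w capture on the same interface; if Snort's alert header differs from decode_ipv4 on the same bytes, the difference localizes the problem to Snort's decoder or to the capture path rather than to the network.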


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

