Also, try the following: netstat -anp
The p option displays the program bound to that socket/port. >From the looks of your snort log, it did not *appear* to be a loopback address. -scm > On 15-Jan-2002 Craig Van Tassle wrote: > > My loop back is supposed to be 127.0.0.1.. at least that is what my ifconfig > > shows me.. and i have no idea what program is running on that port. > > Do you think that i could have a possible intrusin? > > > > Thanks > > Craig > > > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote: > >> No, you can't bypass the firewall using the loopback interface. Whats > >> interesting though is the IP address they're using... usually loopback is > >> 127.0.0.1 and the port number, 5460 isn't assigned to anyone so what program > >> is running? > >> > >> -----Original Message----- > >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]] > >> Sent: Monday, January 14, 2002 8:48 AM > >> To: secuirty-basics > >> Subject: loopback device > >> > >> > >> Is it possible for someone over a network to use my loopback to by pass my > >> firewall? If so what can i do to mitigate the problem and how damageing can > >> it be? > >> > >> The reason im asking is my Snort sytem is showing badd loopback traffic.. > >> thanks > >> > >> here is a snipit from my snort logs. > >> > >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**] > >> [Classification: Potentially Bad Traffic] [Priority: 2] > >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460 > >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40 > >> ******S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20 > >> > >> Thanks > >> Craig > >> > >> > > - -- > Phillip O'Donnell > Software Engineer, Esphion Limited > [EMAIL PROTECTED] > > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.1i > > iQA/AwUBPEXd7nbXtTBvmfCfEQKNyQCfd08qxIx1+JqoOl47TH/pm74eSRcAoO7g > Ky+CD/KuL2KCESveLJw30Gb1 > =VjXg > -----END PGP SIGNATURE----- >
