Yes, this IS loopback, 'cause it's between 127.0.0.1 & 128.x.x.x. The whole range of
these IPs is reserved. However, it is REALLY BAD - I don't know these ports (49847 and
5460). The way to solve this problem is to add a rule to the Snort database which
permits all loopback traffic from the network (it's strange if this is not a default
rule! Maybe they didn't add the whole range).

P.S. Sorry if my English is too bad :)


Hello Tim,

Tuesday, January 22, 2002, 8:17:41 PM, you wrote:

TW> Hmmm... my version of the netstat manpage says:


TW>    -p, --program
TW>        Show the PID and name of the program to which each socket belongs.


TW> I suspect there's more than one version of netstat out there...


TW>                                 tw


TW> On 01/21/2002 13:08 -0500, leon wrote:
>>>      That is not true.  P stands for proto not port.
>>>      
>>>      -p proto      Shows connections for the protocol specified by proto; proto
>>>                    may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
>>>                    option to display per-protocol statistics, proto may be any of:
>>>                    IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
>>>      
>>>      It has nothing to do with ports.  Please DO NOT GIVE ADVICE ON THE
>>>      LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
>>>      
>>>      Cheers,
>>>      
>>>      Leon
>>>      
>>>      -----Original Message-----
>>>      From: shawn merdinger [mailto:[EMAIL PROTECTED]] 
>>>      Sent: Friday, January 18, 2002 8:45 PM
>>>      Cc: Craig Van Tassle; secuirty-basics
>>>      Subject: Re: loopback device
>>>      
>>>      Also, try the following:
>>>      
>>>      netstat -anp
>>>      
>>>      The p option displays the program bound to that socket/port.
>>>      
>>>      From the looks of your snort log, it did not *appear* to be a
>>>      loopback address.
>>>      
>>>      -scm
>>>      
>>>      
>>>      > On 15-Jan-2002 Craig Van Tassle wrote:
>>>      > > My loopback is supposed to be 127.0.0.1.. at least that is what
>>>      > > my ifconfig shows me..  and I have no idea what program is
>>>      > > running on that port. Do you think that I could have a possible
>>>      > > intrusion?
>>>      > >
>>>      > > Thanks
>>>      > > Craig
>>>      > >
>>>      > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>>>      > >> No, you can't bypass the firewall using the loopback interface.
>>>      > >> What's interesting though is the IP address they're using...
>>>      > >> usually loopback is 127.0.0.1 and the port number, 5460, isn't
>>>      > >> assigned to anyone, so what program is running?
>>>      > >>
>>>      > >> -----Original Message-----
>>>      > >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>>>      > >> Sent: Monday, January 14, 2002 8:48 AM
>>>      > >> To: secuirty-basics
>>>      > >> Subject: loopback device
>>>      > >>
>>>      > >>
>>>      > >> Is it possible for someone over a network to use my loopback to
>>>      > >> bypass my firewall?  If so, what can I do to mitigate the
>>>      > >> problem and how damaging can it be?
>>>      > >>
>>>      > >> The reason I'm asking is my Snort system is showing bad loopback
>>>      > >> traffic.. thanks
>>>      > >>
>>>      > >> Here is a snippet from my snort logs.
>>>      > >>
>>>      > >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>>>      > >> [Classification: Potentially Bad Traffic] [Priority: 2]
>>>      > >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>>>      > >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>>>      > >> ******S* Seq: 0x3F4BB00A  Ack: 0x0  Win: 0x200  TcpLen: 20
>>>      > >>
>>>      > >> Thanks
>>>      > >> Craig
>>>      > >>
>>>      > >>
>>>      >
>>>      > - --
>>>      > Phillip O'Donnell
>>>      > Software Engineer, Esphion Limited
>>>      > [EMAIL PROTECTED]
>>>      >
>>>      >
>>>      > -----BEGIN PGP SIGNATURE-----
>>>      > Version: PGP 6.5.1i
>>>      >
>>>      > iQA/AwUBPEXd7nbXtTBvmfCfEQKNyQCfd08qxIx1+JqoOl47TH/pm74eSRcAoO7g
>>>      > Ky+CD/KuL2KCESveLJw30Gb1
>>>      > =VjXg
>>>      > -----END PGP SIGNATURE-----
>>>      >
>>>      
>>>      
TW> End of included message



-- 
 Best regards,
   osiris                            mailto:[EMAIL PROTECTED]
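
An added example, not part of the original thread: a triage helper that parses the Snort alert quoted above and checks both endpoints against 127.0.0.0/8, separating host-local traffic from a packet that pairs a loopback address with a routable one. The function name `triage` and the verdict labels are assumptions made for this illustration.

```python
import ipaddress
import re

# RFC 1122: addresses in 127.0.0.0/8 must not appear outside a host.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Alert text copied from the Snort log quoted in the thread.
SAMPLE_ALERT = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
******S* Seq: 0x3F4BB00A  Ack: 0x0  Win: 0x200  TcpLen: 20
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW_RE = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")
# Eight-character TCP flag field; '*' marks a flag that is not set.
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:", re.MULTILINE)


def triage(alert: str) -> dict:
    """Parse one full-format Snort TCP alert and classify its loopback use."""
    head = HEADER_RE.search(alert)
    flow = FLOW_RE.search(alert)
    flags = FLAGS_RE.search(alert)
    if not (head and flow and flags):
        raise ValueError("not a recognisable Snort TCP alert")
    src, sport, dst, dport = flow.groups()
    src_lo = ipaddress.ip_address(src) in LOOPBACK_NET
    dst_lo = ipaddress.ip_address(dst) in LOOPBACK_NET
    if src_lo and dst_lo:
        verdict = "host-local"    # both ends inside 127.0.0.0/8
    elif src_lo or dst_lo:
        verdict = "martian"       # loopback paired with a routable address
    else:
        verdict = "not-loopback"
    return {
        "sid": int(head.group(2)),
        "msg": head.group(4),
        "src": f"{src}:{sport}",
        "dst": f"{dst}:{dport}",
        "flags": flags.group(1).replace("*", ""),  # "S" means a bare SYN
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

For the alert in the thread the verdict is "martian": the destination lies in 127.0.0.0/8 while the source does not, and the only TCP flag set is SYN.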
