 |
| Register | FAQ | Members List | Calendar | Links | Search | Today's Posts | Mark Forums Read |
|
||||||||
|
|
|||||||
 |
|
|
Thread Tools | Display Modes |
|
#1
09-12-2003, 10:32 AM
|
Firewall (smoothwall) reports 'Potentially Bad Traffic' from 127.0.0.1:80...
Having just got my adsl line, with a Smoothwall (linux-firewall) box
feeding a house-side net of 2 or 3 machines, I'm looking nervously at the intrusion detection log... It started showing significant activity yesterday - (3 of the early instance appeared to be from Mr Demon, but there were also a couple of reports of MS-SQL worms...) Then towards the end of the day I started getting 'potentially bad traffic' from 127:0.0.1:80 (!) to my new adsl demon IP at high ports (eg, this morning it's here again, to port 1286) In all these instances I've had an NT box or two up as well as my main linux-box. Is it possible that these packets are internally generated, so I don't need to worry, or has demon-adsl really got spoofed packets from the loopback address flying round on it (as the ref. to a note on www.sans.org in the smoothwall log would suggest)??? Bob -- robert w hall robert w hall 
|
|
#2
09-12-2003, 11:25 AM
|
|||
|
|||
|
Re: Firewall (smoothwall) reports 'Potentially Bad Traffic' from 127.0.0.1:80...
"robert w hall" <(E-Mail Removed)> wrote in message
news:2LhKvAAtKZY$(E-Mail Removed)... > Having just got my adsl line, with a Smoothwall (linux-firewall) box > feeding a house-side net of 2 or 3 machines, I'm looking nervously at > the intrusion detection log... > Probably blaster, many companies set windows update to resolve to 127.0.0.1... So there has been a lot of traffic flying around to this address. Incident lists have had a lot of talk about this. -- -+ Shaolin +- Discard what is useless, absorb what is not and add what is uniquely your own. .: http://www.security-forums.com :.
|
|
#3
09-12-2003, 12:29 PM
|
|||
|
|||
|
Re: Firewall (smoothwall) reports 'Potentially Bad Traffic' from 127.0.0.1:80...
On Fri, 12 Sep 2003 10:32:29 +0100, robert w hall
<(E-Mail Removed)> wrote: >Then towards the end of the day I started getting 'potentially bad >traffic' from 127:0.0.1:80 (!) to my new adsl demon IP at high ports >(eg, this morning it's here again, to port 1286) > > Its possible snort is getting its drawers in a knot over your transparent proxy server. greg -- $ReplyAddress =~ s#\@.*$##; # Delete everything after the '@' Who lives in a pineapple under the sea? Absorbent and yellow and pourous is he! If nautical nonsense be something you wish! Then drop on the deck and flop like a fish!
|
|
| Tags |
| bad, firewall, potentially, reports, smoothwall, traffic |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
