[Full-Disclosure] Loopback packets
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Loopback packets
- From: "Phathat" <phathat@hushmail.com>
- Date: Mon, 18 Aug 2003 11:26:11 -0700
Anyone seen this?
Snort began reporting this capture from a single Windows box about
twenty-four hours after we set windowsupdate.com to loopback. That's the only
correlation I've found. Now I have three machines sending these little
angry packets from different subnets (1918). Strangest of all, these
packets traversed two+ routers before they hit the Snort box?... Anyone?...
--- Last alerts ---

[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x57810001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

-- END OF LOG ---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
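
A triage sketch for alerts like the ones quoted in the post, added here as an example and not part of the original message: it parses Snort full-alert packet records (tolerating mail-wrapped lines), estimates hop count from the TTL, and counts loopback-source packets per source MAC and destination. The sample alerts and the names `est_hops`, `parse_alerts` and `loopback_sources` are constructed for illustration; the hop estimate assumes a default initial TTL of 64, 128 or 255.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed alerts in the layout quoted in the post (made-up MACs/addresses),
# with the first record wrapped the way a mail client would wrap it.
SAMPLE = """\
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
01/02-03:04:05.000001 0:1:2:3:4:5 -> 0:A:B:C:D:E type:0x800
len:0x3C
127.0.0.1:80 -> 10.1.2.3:1500 TCP TTL:126 TOS:0x0 ID:100 IpLen:20
DgmLen:40
***A*R** Seq: 0x0 Ack: 0x10001 Win: 0x0 TcpLen: 20
01/02-03:04:09.000002 0:1:2:3:4:5 -> 0:A:B:C:D:E type:0x800 len:0x3C
127.0.0.1:80 -> 10.1.2.3:1500 TCP TTL:126 TOS:0x0 ID:101 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x10001 Win: 0x0 TcpLen: 20
01/02-03:04:11.000003 0:1:2:3:4:6 -> 0:A:B:C:D:E type:0x800 len:0x3C
10.9.9.9:4444 -> 10.1.2.3:80 TCP TTL:61 TOS:0x0 ID:7 IpLen:20 DgmLen:40
******S* Seq: 0x5 Ack: 0x0 Win: 0x200 TcpLen: 20
"""

MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
PKT = re.compile(
    rf"(\S+) ({MAC}) -> ({MAC}) type:\S+ len:\S+ "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+) TCP TTL:(\d+) "
    r"(?:\S+:\S+ )+?([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)")

def est_hops(ttl):
    # Assumption: the sender started from a common default TTL (64, 128 or 255).
    return min(t for t in (64, 128, 255) if t >= ttl) - ttl

def parse_alerts(text):
    """Return one dict per TCP packet record, tolerating wrapped lines."""
    out = []
    for m in PKT.finditer(" ".join(text.split())):
        ts, smac, dmac, src, sport, dst, dport, ttl, flags, seq = m.groups()
        out.append({"ts": ts, "src_mac": smac, "src": src, "sport": int(sport),
                    "dst": dst, "dport": int(dport), "flags": flags,
                    "hops": est_hops(int(ttl)),
                    # RFC 793: a reset answering a segment that carried no ACK
                    # (e.g. a SYN) has RST+ACK set and sequence number 0.
                    "reset_reply": flags[3] == "A" and flags[5] == "R"
                                   and int(seq, 16) == 0})
    return out

def loopback_sources(records):
    """Count loopback-source packets per (source MAC, destination, hops)."""
    return Counter((r["src_mac"], r["dst"], r["hops"]) for r in records
                   if ip_address(r["src"]).is_loopback)
```

The source MAC in each record is the last layer-2 sender on the sensor's segment, so for routed traffic it identifies the forwarding router interface rather than the originating host.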