[SLUG] IpCop logs

From: Bob File (bobpat@earthlink.net)
Date: Sat Jun 05 2004 - 21:11:54 EDT


I meant to ask this on Saturday, but completely forgot (spaced out!).
Even though I only have dial-up, the modem is attached to a firewall.
IpCop is installed and all patches that I know about have been applied.
Snort is running and I get this message (among others, of course, but this one
is a bit disturbing):

Date: 06/05 15:58:24 Name: BAD TRAFFIC loopback traffic
Priority: 2 Type: Potentially Bad Traffic
IP info: 127.0.0.1:80 -> 209.165.13.125:1444
References: none found SID: 528

If I ssh into the IpCop box and ask for ip information (ifconfig) I get:
ppp0      Link encap:Point-to-Point Protocol
          inet addr:209.165.13.125  P-t-P:209.165.107.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1524  Metric:1
          RX packets:17855 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:20228777 (19.2 Mb)  TX bytes:856230 (836.1 Kb)

route shows the P-t-P address (route -n):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.165.107.2   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         209.165.107.2   0.0.0.0         UG    0      0        0 ppp0

What am I seeing here? A misconfig somewhere or a compromised firewall?
The other entries in the snort log are pings and portscans and the like.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
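
A triage sketch for the alert quoted in the message above, added here as an example and not part of the original post or of IPCop/Snort: it parses the alert and the ifconfig output and reports which side of the packet is the loopback address and which local interface address is involved. The function names and the classification labels are this example's own assumptions.

```python
import ipaddress
import re

# Sample input copied from the alert and ifconfig output quoted in the post.
ALERT = """Date: 06/05 15:58:24 Name: BAD TRAFFIC loopback traffic
Priority: 2 Type: Potentially Bad Traffic
IP info: 127.0.0.1:80 -> 209.165.13.125:1444
References: none found SID: 528"""
IFCONFIG = """ppp0      Link encap:Point-to-Point Protocol
          inet addr:209.165.13.125  P-t-P:209.165.107.2  Mask:255.255.255.255"""
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_alert(text):
    """Extract the SID and both endpoints from an IPCop-style Snort log entry."""
    ep = re.search(r"IP info:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)", text)
    sid = re.search(r"SID:\s*(\d+)", text)
    if not ep or not sid:
        raise ValueError("not a recognisable alert entry")
    return {"sid": int(sid.group(1)),
            "src": ipaddress.ip_address(ep.group(1)), "sport": int(ep.group(2)),
            "dst": ipaddress.ip_address(ep.group(3)), "dport": int(ep.group(4))}

def local_addrs(ifconfig_text):
    """Map interface name -> IPv4 address from net-tools ifconfig output."""
    addrs, iface = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new interface
            iface = line.split()[0]
        m = re.search(r"inet addr:(\S+)", line)
        if m and iface:
            addrs[iface] = ipaddress.ip_address(m.group(1))
    return addrs

def triage(alert, addrs):
    """Classify the packet direction; the labels are hypothetical, not Snort output."""
    src_lo, dst_lo = alert["src"] in LOOPBACK, alert["dst"] in LOOPBACK
    mine = {a: i for i, a in addrs.items() if a not in LOOPBACK}
    if src_lo and alert["dst"] in mine:
        return "inbound-martian-source", mine[alert["dst"]]
    if alert["src"] in mine and dst_lo:
        return "outbound-martian-destination", mine[alert["src"]]
    if src_lo and dst_lo:
        return "local-loopback", "lo"
    return "other", None

if __name__ == "__main__":
    print(triage(parse_alert(ALERT), local_addrs(IFCONFIG)))
```

For the quoted alert the result is "inbound-martian-source" on ppp0: the packet is addressed to the firewall's own external address and carries a source in 127.0.0.0/8, which is never valid on the wire, so the source field identifies no real sender.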