freebsd security - Jun 2004 - freebsd-security Digest, Vol 61, Issue 3

On Sat, 29 May 2004 12:00:52 -0700 (PDT),  
<freebsd-security-request@freebsd.org> wrote:

Hello !

Today i see in snort logs :

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

Why ? ;-)
> Send freebsd-security mailing list submissions to
> 	freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> 	freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> 	freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. X & securelevel=3 (bofn)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 29 May 2004 05:43:23 +0200
> From: "bofn" <bofn@irq.org>
> Subject: X & securelevel=3
> To: freebsd-security@freebsd.org
> Message-ID: <web-3714609@sqnork.irq.org>
> Content-Type: text/plain; charset="ISO-8859-1"
>
>
> running (4-Stable)
>
> Hi,
>
> short form question:
>  how does one run XDM under securelevel>0 ?
>
> long version:
> i've searched for an answer on how to run Xfree/Xorg at a securelevel
> the X server likes access to /dev/io and some other resources but is not
> granted access after security is switched on.
> one way of doing it seems to be to start it before setting the  
> securelevel, but
> then is doesnt allow a restart of X.
> the other option seems to be the Aperture patch, ported in 2001 with no  
> recent
> updates and no longer usable against the current software.
>
> 2nd part of the question..
> cd writing needs direct access to /dev/<acd0c> and that is also not  
> allowed in
> secure more.
> how can one give selective access to only allow (RW) access to one or two
> devices ?
>
> if there is no way of doing these things with configs and such, can  
> anyone
> point me at the relevant source code that controls these functions so i  
> can add
> this specific functionality.
>
>
> Cheers
> * Anna
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to  
> "freebsd-security-unsubscribe@freebsd.org"
>
> End of freebsd-security Digest, Vol 61, Issue 3
> ***********************************************

On Mon, 7 Jun 2004, Michael Vlasov wrote:
> On Sat, 29 May 2004 12:00:52 -0700 (PDT),
> <freebsd-security-request@freebsd.org> wrote:
>
> Hello !
>
> Today i see in snort logs :
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> Why ? ;-)
Ok, that means that someone (or thing) is spoofing packets to your box
(i know, and so does snort, that its spoofed because the source ip is
127.0.0.1 and its coming in on an interface apart from lo0) this is
sometimes used as a DoS attack (its one of those fun addresses to use as
source addresses for them), although, by the looks of it (because theres
multiple dst-ports being used), someone is using a program like nmap to
portscan your host using a spoofed ip

~Neo-Vortex