Re: loopback device

From: Tim Walberg (twalberg@mindspring.com)
Date: 01/22/02 

Date: Tue, 22 Jan 2002 11:17:41 -0600
From: Tim Walberg <twalberg@mindspring.com>
To: leon <leon@inyc.com>

Hmmm... my version of the netstat manpage says:

   -p, --program
       Show the PID and name of the program to which each socket belongs.

I suspect there's more than one version of netstat out there...

                                tw

On 01/21/2002 13:08 -0500, leon wrote:
>> That is not true. P stands for proto not port.
>>
>> -p proto Shows connections for the protocol specified by proto;
>> proto
>> may be any of: TCP, UDP, TCPv6, or UDPv6. If used with
>> the -s
>> option to display per-protocol statistics, proto may be
>> any of:
>> IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
>>
>> It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE
>> LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
>>
>> Cheers,
>>
>> Leon
>>
>> -----Original Message-----
>> From: shawn merdinger [mailto:dinger@gslis.utexas.edu]
>> Sent: Friday, January 18, 2002 8:45 PM
>> Cc: Craig Van Tassle; secuirty-basics
>> Subject: Re: loopback device
>>
>> Also, try the following:
>>
>> netstat -anp
>>
>> The p option displays the program bound to that socket/port.
>>
>> >From the looks of your snort log, it did not *appear* to be a
>> >loopback
>> address.
>>
>> -scm
>>
>>
>> > On 15-Jan-2002 Craig Van Tassle wrote:
>> > > My loop back is supposed to be 127.0.0.1.. at least that is what
>> > > my ifconfig shows me.. and i have no idea what program is
>> > > running on that port. Do you think that i could have a possible
>> > > intrusin?
>> > >
>> > > Thanks
>> > > Craig
>> > >
>> > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>> > >> No, you can't bypass the firewall using the loopback interface.
>> > >> Whats interesting though is the IP address they're using...
>> > >> usually loopback is 127.0.0.1 and the port number, 5460 isn't
>> > >> assigned to anyone so what program is running?
>> > >>
>> > >> -----Original Message-----
>> > >> From: Craig Van Tassle [mailto:craig@ambrosa.dns04.com]
>> > >> Sent: Monday, January 14, 2002 8:48 AM
>> > >> To: secuirty-basics
>> > >> Subject: loopback device
>> > >>
>> > >>
>> > >> Is it possible for someone over a network to use my loopback to
>> > >> by pass my firewall? If so what can i do to mitigate the
>> > >> problem and how damageing can it be?
>> > >>
>> > >> The reason im asking is my Snort sytem is showing badd loopback
>> > >> traffic.. thanks
>> > >>
>> > >> here is a snipit from my snort logs.
>> > >>
>> > >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>> > >> [Classification: Potentially Bad Traffic] [Priority: 2]
>> > >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>> > >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>> > >> ******S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>> > >>
>> > >> Thanks
>> > >> Craig
>> > >>
>> > >>
>> >
>> > - --
>> > Phillip O'Donnell
>> > Software Engineer, Esphion Limited
>> > phillip@esphion.com
>> >
>> >
>> > -----BEGIN PGP SIGNATURE-----
>> > Version: PGP 6.5.1i
>> >
>> > iQA/AwUBPEXd7nbXtTBvmfCfEQKNyQCfd08qxIx1+JqoOl47TH/pm74eSRcAoO7g
>> > Ky+CD/KuL2KCESveLJw30Gb1
>> > =VjXg
>> > -----END PGP SIGNATURE-----
>> >
>>
>>
End of included message 

-- 
twalberg@mindspring.com