Snort Message - Warning: No Preprocessors Configured for Policy 0

Snort signature explanation

So, let me structure this in one answer:

1)

  • This event indicates that shellcode has been detected in network traffic, so if that code gets through and gets executed, you end up with a backdoor.

  • 192.168.202.50:60322 seems to be the attacking IP, and it is trying to exploit some vulnerability on the Windows box 192.168.22.252:445.

2)

  • 192.168.199.58:63000 -> 192.168.28.100:60000 = for this I am not sure, as port 60000 could be used for various things.

3)

  • SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 = this is a bit self-explanatory: 192.168.199.58:59173 is trying to push requests towards 192.168.22.201 port 407.

4)

  • Same for 192.168.199.58:60327, trying to exploit a memory overflow towards SMTP on 192.168.21.151:25.

But in all those cases, it seems 192.168.199.58 is probably exploited, or something from that box is probing the LAN network.

I would also scan 192.168.199.50 and .58 to figure out who is on those boxes, and any current connections from foreign addresses that might have exploited these two boxes.
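The triage above boils down to one question: which source address shows up against several different internal targets? The following is an added example, not code from the answer or from Snort, that parses Snort alert_syslog-style lines and groups them by source IP so that a host like 192.168.199.58 stands out. The sample lines are constructed for this example (the SIDs are placeholders in the local-rule range, the message texts are illustrative, and the syslog hostname and pid are made up), and the internal address range 192.168.0.0/16 is an assumption taken from the addresses discussed in the answer.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal range; adjust to your own LAN.
INTERNAL = ip_network("192.168.0.0/16")

# Snort alert_syslog layout after the syslog header:
#   [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
# Classification is optional and ICMP alerts carry no ports, so both are optional here.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?"
)

# Constructed sample lines (not real sensor output); the first is a startup
# message rather than an alert and must be ignored by the parser.
SAMPLE_ALERTS = [
    "Mar  3 10:14:00 sensor snort[2113]: Commencing packet processing (pid=2113)",
    "Mar  3 10:14:02 sensor snort[2113]: [1:1000001:1] SHELLCODE detected (constructed) "
    "[Classification: Executable code was detected] [Priority: 1]: {TCP} "
    "192.168.202.50:60322 -> 192.168.22.252:445",
    "Mar  3 10:14:09 sensor snort[2113]: [1:1000002:1] SPYWARE-PUT Hacker-Tool timbuktu pro "
    "runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3]: {UDP} "
    "192.168.199.58:59173 -> 192.168.22.201:407",
    "Mar  3 10:14:11 sensor snort[2113]: [1:1000003:1] SMTP command overflow attempt (constructed) "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} "
    "192.168.199.58:60327 -> 192.168.21.151:25",
    "Mar  3 10:14:15 sensor snort[2113]: [1:1000004:1] Unknown traffic on port 60000 (constructed) "
    "[Priority: 3]: {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def summarize_sources(lines, internal=INTERNAL):
    """Per source IP: alert count, distinct internal destination hosts, and signature messages."""
    stats = defaultdict(lambda: {"alerts": 0, "targets": set(), "msgs": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = stats[alert["src"]]
        entry["alerts"] += 1
        entry["msgs"].add(alert["msg"])
        if ip_address(alert["dst"]) in internal:
            entry["targets"].add(alert["dst"])
    return stats


def suspect_internal_sources(lines, internal=INTERNAL, min_targets=2):
    """Internal hosts whose alerts fan out to at least min_targets distinct internal hosts."""
    stats = summarize_sources(lines, internal)
    return sorted(
        src for src, entry in stats.items()
        if ip_address(src) in internal and len(entry["targets"]) >= min_targets
    )


if __name__ == "__main__":
    for src, entry in summarize_sources(SAMPLE_ALERTS).items():
        print(src, entry["alerts"], "alerts ->", sorted(entry["targets"]))
    print("suspect internal sources:", suspect_internal_sources(SAMPLE_ALERTS))
```

Feed it `grep snort /var/log/syslog` output and the fan-out count does the work the answer did by hand: a single internal address touching several internal hosts with different signatures is a candidate for the "probably exploited, or probing the LAN" verdict, whereas a source with one target and one signature is a single incident to investigate on its own.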

Snort installed on ubuntu not sending alerts to syslog

I've posted this question on linuxquestions.org as well and got an answer.

Following unSpawn's reply, I reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file.
This led to a quick fix: adding an additional .conf file to /etc/rsyslog.d with the content:

auth.*    /var/log/syslog

Also, as suggested, I made some changes to the snort execution command (omitting -q -A console):

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

After restarting the rsyslog service, I found the missing Snort alerts in syslog.

barnyard2 not talking to mysql

For barnyard2 to work, your unified2 output file created by snort must contain alert AND PCAP data.

So, in /etc/snort/snort.conf (or wherever your snort configuration is), you need to specify output unified2: <filename> (I recommend NOT using "snort.log" for the filename).

Review the barnyard2 global variable file (/etc/default/barnyard2 or /etc/sysconfig/barnyard2), comment out the BINARY_LOG setting, and also make sure the log filename matches the one you used in snort.conf.

Restart snort, and then restart barnyard2 to see if you are up and running.

EDIT:
For whatever reason, the BINARY_LOG setting trumps other settings and will cause snort to only produce a pcap log file. (Try running file /var/log/snort/snort.log.* and you will likely see the files are pure pcaps (packet captures), meaning they don't contain the Snort alert/event info.)

And Barnyard2 will only work with log files that contain both event and pcap info. Unless there is some setting I overlooked. Go figure. If you run file on a valid barnyard2 unified2 file, the result should just be "data" or something of that nature.

I hope this helps. I lost many hours and hairs over this.
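The `file` check in the answer tells pcap and "data" apart but nothing more. The following is an added example, not code from the answer, from Snort or from barnyard2, that does the same check by hand and then walks the unified2 record framing (a 4-byte record type and a 4-byte length in network byte order, followed by the record body) to count event and packet records, so you can see whether a log actually carries the event data barnyard2 needs. The record type numbers are those from Snort's Unified2_common.h; the two sample files are constructed for this example, and their record bodies are zero-filled placeholders because only the framing is inspected.

```python
import struct

# pcap / pcapng magic numbers; any of these at offset 0 means the file is a
# plain packet capture, which is what `file` reports for a BINARY_LOG output.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # classic pcap, big / little endian
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # nanosecond-resolution pcap
    b"\x0a\x0d\x0d\x0a",                        # pcapng Section Header Block
}

# Unified2 record types (Snort's Unified2_common.h).
U2_PACKET = 2
U2_IDS_EVENT = 7
U2_IDS_EVENT_IPV6 = 72
U2_IDS_EVENT_MPLS = 99
U2_IDS_EVENT_IPV6_MPLS = 100
U2_IDS_EVENT_VLAN = 104
U2_IDS_EVENT_IPV6_VLAN = 105
U2_EXTRA_DATA = 110
U2_EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_MPLS,
                  U2_IDS_EVENT_IPV6_MPLS, U2_IDS_EVENT_VLAN, U2_IDS_EVENT_IPV6_VLAN}
U2_KNOWN_TYPES = U2_EVENT_TYPES | {U2_PACKET, U2_EXTRA_DATA}

# Every unified2 record starts with: record type (uint32), record length (uint32),
# both in network byte order; the body of `length` bytes follows.
U2_HEADER = struct.Struct("!II")


def classify(data: bytes) -> dict:
    """Classify a Snort output file as 'pcap', 'unified2' or 'unknown'.

    For unified2 the record stream is walked and event / packet / extra-data
    records are counted; trailing_bytes reports any incomplete record at the end
    (normal for a file Snort is still writing to).
    """
    counts = {"events": 0, "packets": 0, "extra": 0, "trailing_bytes": 0}
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", **counts}

    off = 0
    while off + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, off)
        if rtype not in U2_KNOWN_TYPES:
            return {"format": "unknown", **counts}
        if off + U2_HEADER.size + rlen > len(data):
            break  # record header seen but body cut off: keep what we counted
        if rtype in U2_EVENT_TYPES:
            counts["events"] += 1
        elif rtype == U2_PACKET:
            counts["packets"] += 1
        else:
            counts["extra"] += 1
        off += U2_HEADER.size + rlen

    if off == 0:
        return {"format": "unknown", **counts}  # empty file or no complete record
    counts["trailing_bytes"] = len(data) - off
    return {"format": "unified2", **counts}


def classify_file(path: str) -> dict:
    """Convenience wrapper for a file on disk, e.g. /var/log/snort/snort.u2.1234567890."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def u2_record(rtype: int, body: bytes) -> bytes:
    """Frame one unified2 record (used only to build the constructed sample)."""
    return U2_HEADER.pack(rtype, len(body)) + body


# --- constructed samples, not real Snort output ---
# Little-endian pcap global header: magic, version 2.4, thiszone 0, sigfigs 0,
# snaplen 65535, linktype 1 (Ethernet), with no packets after it.
PCAP_SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Unified2 stream: one legacy IDS event (52-byte body) and one packet record
# (28-byte packet header plus a 14-byte frame), bodies zero-filled.
U2_SAMPLE = u2_record(U2_IDS_EVENT, bytes(52)) + u2_record(U2_PACKET, bytes(28 + 14))

if __name__ == "__main__":
    print("pcap sample:    ", classify(PCAP_SAMPLE))
    print("unified2 sample:", classify(U2_SAMPLE))
```

Run `classify_file` over the files in your Snort log directory: a result of `pcap` with the filename you configured for `output unified2` means the pcap-only behaviour the answer describes, while a `unified2` result with `events` at zero means the spooler has nothing to insert into MySQL even though the file format is right.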

snort was alive, but now she's dead. no clue. :(

Internal network issues were the cause.
