Snort signature explanation
So, let me structure this in one answer:
1)
This event indicates that shellcode has been detected in network traffic,
so if that code gets through and gets executed, you end up with a backdoor. 192.168.202.50:60322 seems to be the attacking IP, and it is trying to exploit some vulnerability on the Windows box 192.168.22.252:445.
2)
- 192.168.199.58:63000 -> 192.168.28.100:60000 = for this I am not sure, as port 60000 could be used for various things.
3)
- SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 = this is a bit self-explanatory: 192.168.199.58:59173 is trying to push requests towards 192.168.22.201 port 407.
4)
- Same for 192.168.199.58:60327, trying to exploit a memory overflow towards SMTP on 192.168.21.151:25.
But in all those cases, it seems 192.168.199.58 is probably exploited, or something on that box is probing the LAN.
I would also scan 192.168.199.50 and .58 to figure out who is on those boxes and check for any current connections from foreign addresses that might have exploited these two boxes.
Snort installed on ubuntu not sending alerts to syslog
I've posted this question on linuxquestions.org as well and got an answer.
Following unSpawn's reply I've reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file.
Which led to a quick fix of adding an additional .conf file to /etc/rsyslog.d with the content:
# every auth-facility message (Snort's alert_syslog output uses LOG_AUTH by default) also goes to syslog
auth.*    /var/log/syslog
Also, as suggested, I've made some changes to the Snort execution command (omitting the -q -A console):
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
After restarting the rsyslog service I found the missing Snort alerts in syslog.
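Alerts like the ones dissected in the first answer end up as one line each in syslog once the rsyslog fix above is in place. The following is an added example, not code from either answer or from the Snort project: it parses both the syslog (alert_syslog) and alert_fast line shapes and groups alerts by source address, which is the reasoning used in the first answer to single out 192.168.199.58. The log lines and the SIDs in them are constructed, and the 192.168.0.0/16 "internal" range is an assumption.

```python
"""Parse Snort alert lines as they land in syslog (alert_syslog) or in
alert_fast output, then triage them per source host the way the first
answer above does (one internal box fanning out to many targets).
Added example: the SAMPLE_LOG lines are constructed, including the SIDs."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Common tail of both formats: [gid:sid:rev] msg [[**]] [Classification: ..]
# [Priority: n] {PROTO} src[:port] -> dst[:port]   (IPv4 only here)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other log line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    for k in ("sport", "dport"):            # absent for ICMP
        a[k] = int(a[k]) if a[k] is not None else None
    return a

def parse_alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def summarize_by_source(alerts):
    """Per source IP: distinct targets, destination ports, signatures and the
    most severe priority seen (1 is the most severe in Snort)."""
    summary = defaultdict(lambda: {"targets": set(), "dports": set(),
                                   "sigs": set(), "top_prio": 9})
    for a in alerts:
        s = summary[a["src"]]
        s["targets"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        s["sigs"].add((a["gid"], a["sid"]))
        s["top_prio"] = min(s["top_prio"], a["prio"])
    return dict(summary)

def suspect_sources(summary, internal=ip_network("192.168.0.0/16"), min_targets=3):
    """Internal hosts whose alerts fan out to >= min_targets distinct internal
    hosts: the 'exploited, or probing the LAN' pattern from the answer.
    The internal range is an assumption for this example."""
    hits = [src for src, s in summary.items()
            if ip_address(src) in internal
            and sum(ip_address(t) in internal for t in s["targets"]) >= min_targets]
    return sorted(hits, key=lambda h: -len(summary[h]["targets"]))

# Constructed sample: five syslog-format alerts, one alert_fast line, and one
# unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Dec  5 14:21:03 sensor snort[2143]: [1:1000001:1] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445
Dec  5 14:21:09 sensor snort[2143]: [1:1000002:1] SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407
Dec  5 14:21:11 sensor snort[2143]: [1:1000003:1] SMTP command overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25
Dec  5 14:21:15 sensor snort[2143]: [1:1000004:1] Unknown traffic to high port [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000
Dec  5 14:21:20 sensor snort[2143]: [1:1000005:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.199.58 -> 192.168.22.10
12/05-14:21:25.101010  [**] [1:1000003:1] SMTP command overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.199.58:60401 -> 192.168.21.152:25
Dec  5 14:21:30 sensor sshd[900]: Accepted publickey for ops from 192.168.1.9 port 51234 ssh2
"""

if __name__ == "__main__":
    summary = summarize_by_source(parse_alerts(SAMPLE_LOG))
    for src in suspect_sources(summary):
        s = summary[src]
        print(src, "->", sorted(s["targets"]), "ports", sorted(s["dports"]),
              "top prio", s["top_prio"])
```

Run against a real /var/log/syslog by passing its contents to parse_alerts(); the regex keys on the [gid:sid:rev] ... {PROTO} src -> dst tail, so the syslog prefix and the alert_fast timestamp are both tolerated, and lines from other daemons are dropped.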
barnyard2 not talking to mysql
For barnyard2 to work, the unified2 output file created by Snort must contain alert AND pcap data.
So, in /etc/snort/snort.conf (or wherever your Snort configuration is), you need to specify: output unified2: filename <filename>
(I recommend NOT using "snort.log" for the filename.)
Review the barnyard2 global variable file (/etc/default/barnyard2 or /etc/sysconfig/barnyard2), comment out the BINARY_LOG setting, and also make sure the log filename matches the one you used in snort.conf.
Restart Snort, and then restart barnyard2 to see if you are up and running.
EDIT:
For whatever reason, the BINARY_LOG setting trumps other settings and will cause Snort to only produce a pcap log file. (Try running file /var/log/snort/snort.log.* and you will likely see the files are pure pcaps (packet captures), meaning they don't contain the Snort alert/event info.)
And barnyard2 will only work with log files that contain both event and pcap info, unless there is some setting I overlooked. Go figure. If you run file on a valid barnyard2 unified2 file, the result should just be "data" or something of that nature.
I hope this helps. I lost many hours and hairs over this.
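To check what a Snort output file actually contains without relying on file(1), here is an added example (not from the answer above, nor from the Snort or barnyard2 projects) that tells pcap/pcapng apart from unified2 by their magic bytes, walks the unified2 record headers, and decodes the IPv4 IDS event record. The record type codes and the event layout follow Snort's Unified2_common.h; the sample bytes built at the bottom are constructed, including the SID.

```python
"""Inspect a Snort output file: is it a plain pcap (the BINARY_LOG symptom
described above) or a unified2 stream with event records barnyard2 can use?
Added example; record codes and layouts follow Snort's Unified2_common.h,
and the sample data at the bottom is constructed."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# libpcap magic numbers (both byte orders, plus the nanosecond variants) and pcapng
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1", b"\x0a\x0d\x0d\x0a"}

# unified2 record types (Unified2_common.h)
U2_PACKET = 2
U2_IDS_EVENT = 7            # IPv4 event, 52-byte body
U2_IDS_EVENT_IPV6 = 72
U2_IDS_EVENT_VLAN = 104
U2_IDS_EVENT_IPV6_VLAN = 105
U2_EXTRA_DATA = 110
EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_VLAN, U2_IDS_EVENT_IPV6_VLAN}
KNOWN_TYPES = EVENT_TYPES | {U2_PACKET, U2_EXTRA_DATA}

def iter_unified2_records(data):
    """Yield (type, body) per record. The header is two big-endian uint32s,
    type and length. Raises ValueError on a truncated body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8: off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen

IDS_EVENT_FMT = ">11I2H4B"   # Unified2IDSEvent_legacy, 52 bytes

def parse_ids_event(body):
    """Decode the fields an analyst cares about from a type-7 record."""
    f = struct.unpack_from(IDS_EVENT_FMT, body)
    return {
        "sensor_id": f[0], "event_id": f[1], "time": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
        "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }

def inspect(data):
    """Summarise a file's contents; barnyard2_ok mirrors the answer's rule:
    the file needs event records, a pure packet capture is useless to it."""
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "events": 0, "packets": 0, "barnyard2_ok": False}
    counts = Counter()
    try:
        for rtype, _ in iter_unified2_records(data):
            if rtype not in KNOWN_TYPES:
                raise ValueError("unknown record type %d" % rtype)
            counts[rtype] += 1
    except ValueError:
        return {"format": "unknown", "events": 0, "packets": 0, "barnyard2_ok": False}
    events = sum(counts[t] for t in EVENT_TYPES)
    return {"format": "unified2" if counts else "empty", "events": events,
            "packets": counts[U2_PACKET], "barnyard2_ok": events > 0}

def inspect_file(path):
    with open(path, "rb") as fh:
        return inspect(fh.read())

# --- constructed sample data -------------------------------------------------
def build_sample_unified2():
    """One IPv4 IDS event (constructed SID in the local range) followed by the
    packet record Snort writes alongside it."""
    event = struct.pack(IDS_EVENT_FMT,
        0, 1, 1700000000, 0,            # sensor, event id, second, usec
        1000001, 1, 1, 3, 1,            # sid, gid, rev, class, priority
        int(IPv4Address("192.168.199.58")), int(IPv4Address("192.168.21.151")),
        60327, 25, 6, 0, 0, 0)          # sport, dport, proto=TCP, impact/blocked
    pkt = b"\x45\x00" + b"\x00" * 38    # stand-in IPv4 header bytes
    packet = struct.pack(">7I", 0, 1, 1700000000, 1700000000, 0, 1, len(pkt)) + pkt
    return (struct.pack(">II", U2_IDS_EVENT, len(event)) + event +
            struct.pack(">II", U2_PACKET, len(packet)) + packet)

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype EN10MB
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    print(inspect(build_sample_unified2()))
    print(inspect(SAMPLE_PCAP))
```

Point inspect_file() at /var/log/snort/snort.log.* (or whatever filename you configured): a file reported as "pcap" with zero events is the BINARY_LOG symptom the answer describes, while a healthy unified2 spool reports events > 0 alongside its packet records.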
snort was alive, but now she's dead. no clue. :(
Internal network issues were the cause.