Hi Matthew,
Your sniffing interfaces show IPv6 as enabled. Did you allow Setup to
configure /etc/network/interfaces or did you configure it manually?
What does /etc/network/interfaces look like?
Thanks,
Doug
On Tue, Feb 5, 2013 at 9:13 AM, Matthew Thacker <matthewaa...@gmail.com> wrote:
> Here ya go. I'm assuming events/url stuff is irrelevant so omitting those.
>
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> manager manager xxx.xxx.x.71 running 4067 4 04 Feb 19:44:07
> proxy proxy xxx.xxx.x.71 running 4323 4 04 Feb 19:44:10
> securityonion-eth0-1 worker xxx.xxx.x.71 running 4952 2 04 Feb 19:44:14
> securityonion-eth1-1 worker xxx.xxx.x.71 running 4950 2 04 Feb 19:44:14
> securityonion-eth2-1 worker xxx.xxx.x.71 running 27260 2 05 Feb 03:10:02
> Status: securityonion-eth0
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: securityonion-eth1
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: securityonion-eth2
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a6
> inet6 addr: fe80::2e0:4cff:fe68:6aa6/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:19447224 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:5973258570 (5.9 GB) TX bytes:3963 (3.9 KB)
> Interrupt:52 Base address:0x4000
>
> eth1 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a7
> inet6 addr: fe80::2e0:4cff:fe68:6aa7/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:39267982 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:28085949157 (28.0 GB) TX bytes:3963 (3.9 KB)
> Interrupt:53 Base address:0xe000
>
> eth2 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a8
> inet6 addr: fe80::2e0:4cff:fe68:6aa8/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:99827692 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:55776783845 (55.7 GB) TX bytes:3963 (3.9 KB)
> Interrupt:54 Base address:0x4000
>
> eth3 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a5
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:55 Base address:0x6000
>
> eth4 Link encap:Ethernet HWaddr 00:1d:09:67:58:64
> inet addr:xxx.xxx.x.71 Bcast:xxx.xxx.x.255 Mask:255.255.255.0
> inet6 addr: fe80::21d:9ff:fe67:5864/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:19071999 errors:0 dropped:0 overruns:0 frame:0
> TX packets:104068291 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:18437638461 (18.4 GB) TX bytes:142386874836 (142.3 GB)
> Interrupt:16 Memory:f8000000-f8012800
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:1579850 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1579850 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:778694917 (778.6 MB) TX bytes:778694917 (778.6 MB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 261G 64G 184G 26% /
> udev 6.9G 4.0K 6.9G 1% /dev
> tmpfs 2.8G 896K 2.8G 1% /run
> none 5.0M 0 5.0M 0% /run/lock
> none 6.9G 0 6.9G 0% /run/shm
> /dev/sdc1 985G 757G 178G 81% /nsm
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> cupsd 910 root 8u IPv6 704567 0t0 TCP [::1]:631 (LISTEN)
> cupsd 910 root 9u IPv4 704568 0t0 TCP 127.0.0.1:631 (LISTEN)
> avahi-dae 932 avahi 12u IPv4 12397 0t0 UDP *:5353
> avahi-dae 932 avahi 13u IPv6 12398 0t0 UDP *:5353
> avahi-dae 932 avahi 14u IPv4 12399 0t0 UDP *:52362
> avahi-dae 932 avahi 15u IPv6 12400 0t0 UDP *:45211
> iscsid 1160 root 12u IPv4 7581 0t0 TCP xxx.xxx.x.71:40758->xxx.xxx.x.49:3260 (ESTABLISHED)
> dhclient3 1335 root 6u IPv4 10507 0t0 UDP *:68
> sshd 2033 root 3u IPv4 7781 0t0 TCP xxx.xxx.x.71:22->172.16.88.31:59873 (ESTABLISHED)
> syslog-ng 2142 root 9u IPv4 11709 0t0 TCP *:514 (LISTEN)
> syslog-ng 2142 root 10u IPv4 11710 0t0 UDP *:514
> sshd 2214 xxxxxxxxx 3u IPv4 7781 0t0 TCP xxx.xxx.x.71:22->172.16.88.31:59873 (ESTABLISHED)
> sshd 2214 xxxxxxxxx 8u IPv6 10851 0t0 TCP [::1]:50000 (LISTEN)
> sshd 2214 xxxxxxxxx 9u IPv4 10852 0t0 TCP 127.0.0.1:50000 (LISTEN)
> sshd 2214 xxxxxxxxx 10u IPv6 10855 0t0 TCP [::1]:50001 (LISTEN)
> sshd 2214 xxxxxxxxx 11u IPv4 10856 0t0 TCP 127.0.0.1:50001 (LISTEN)
> sshd 2214 xxxxxxxxx 12u IPv4 673883 0t0 TCP 127.0.0.1:44475->127.0.0.1:3306 (ESTABLISHED)
> sshd 2214 xxxxxxxxx 13u IPv4 673886 0t0 TCP 127.0.0.1:44477->127.0.0.1:3306 (ESTABLISHED)
> mysqld 2219 mysql 10u IPv4 13589 0t0 TCP 127.0.0.1:3306 (LISTEN)
> mysqld 2219 mysql 812u IPv4 669083 0t0 TCP 127.0.0.1:3306->127.0.0.1:44424 (ESTABLISHED)
> mysqld 2219 mysql 816u IPv4 669055 0t0 TCP 127.0.0.1:3306->127.0.0.1:44420 (ESTABLISHED)
> mysqld 2219 mysql 817u IPv4 669056 0t0 TCP 127.0.0.1:3306->127.0.0.1:44422 (ESTABLISHED)
> mysqld 2219 mysql 819u IPv4 676084 0t0 TCP 127.0.0.1:3306->127.0.0.1:44475 (ESTABLISHED)
> mysqld 2219 mysql 820u IPv4 676085 0t0 TCP 127.0.0.1:3306->127.0.0.1:44477 (ESTABLISHED)
> dhclient3 2310 root 6u IPv4 9464 0t0 UDP *:68
> sshd 2383 root 3u IPv4 12718 0t0 TCP *:22 (LISTEN)
> sshd 2383 root 4u IPv6 12720 0t0 TCP *:22 (LISTEN)
> tclsh 2964 root 3u IPv4 27591 0t0 TCP 127.0.0.1:41500->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 2964 root 7u IPv4 42113 0t0 TCP 127.0.0.1:41582->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 2964 root 8u IPv4 40907 0t0 TCP 127.0.0.1:41584->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 2964 root 9u IPv4 44145 0t0 TCP 127.0.0.1:41585->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 2964 root 10u IPv4 44147 0t0 TCP 127.0.0.1:41586->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 2964 root 11u IPv4 44149 0t0 TCP 127.0.0.1:41587->127.0.0.1:7736 (CLOSE_WAIT)
> /usr/sbin 3105 root 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 3105 root 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 3105 root 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 3105 root 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 4059 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 4059 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 4059 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 4059 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 4060 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 4060 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 4060 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 4060 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 4062 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 4062 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 4062 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 4062 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 4063 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 4063 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 4063 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 4063 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> bro 4067 root 4u IPv4 13942 0t0 UDP xxx.xxx.x.71:42308->xxx.xxx.x.114:53
> bro 4118 root 0u IPv4 11966 0t0 TCP *:47761 (LISTEN)
> bro 4118 root 1u IPv6 11967 0t0 TCP *:47761 (LISTEN)
> bro 4118 root 2u IPv4 15126 0t0 TCP xxx.xxx.x.71:47761->xxx.xxx.x.71:39817 (ESTABLISHED)
> bro 4118 root 4u IPv4 13942 0t0 UDP xxx.xxx.x.71:42308->xxx.xxx.x.114:53
> bro 4118 root 8u IPv4 12147 0t0 TCP xxx.xxx.x.71:47761->xxx.xxx.x.71:39821 (ESTABLISHED)
> bro 4118 root 10u IPv4 480522 0t0 TCP xxx.xxx.x.71:47761->xxx.xxx.x.71:45491 (ESTABLISHED)
> bro 4118 root 11u IPv4 17718 0t0 TCP xxx.xxx.x.71:47761->xxx.xxx.x.71:39825 (ESTABLISHED)
> bro 4323 root 4u IPv4 16594 0t0 UDP xxx.xxx.x.71:57124->xxx.xxx.x.114:53
> bro 4400 root 0u IPv4 15125 0t0 TCP xxx.xxx.x.71:39817->xxx.xxx.x.71:47761 (ESTABLISHED)
> bro 4400 root 1u IPv4 15129 0t0 TCP *:47762 (LISTEN)
> bro 4400 root 2u IPv6 15130 0t0 TCP *:47762 (LISTEN)
> bro 4400 root 4u IPv4 16594 0t0 UDP xxx.xxx.x.71:57124->xxx.xxx.x.114:53
> bro 4400 root 7u IPv4 15728 0t0 TCP xxx.xxx.x.71:47762->xxx.xxx.x.71:51203 (ESTABLISHED)
> bro 4400 root 9u IPv4 479901 0t0 TCP xxx.xxx.x.71:47762->xxx.xxx.x.71:56873 (ESTABLISHED)
> bro 4400 root 10u IPv4 15730 0t0 TCP xxx.xxx.x.71:47762->xxx.xxx.x.71:51207 (ESTABLISHED)
> bro 4950 root 4u IPv4 16752 0t0 UDP xxx.xxx.x.71:53849->xxx.xxx.x.114:53
> bro 4952 root 4u IPv4 12118 0t0 UDP xxx.xxx.x.71:38538->xxx.xxx.x.114:53
> bro 5084 root 0u IPv4 14191 0t0 TCP xxx.xxx.x.71:39821->xxx.xxx.x.71:47761 (ESTABLISHED)
> bro 5084 root 1u IPv4 14192 0t0 TCP xxx.xxx.x.71:51203->xxx.xxx.x.71:47762 (ESTABLISHED)
> bro 5084 root 2u IPv4 14195 0t0 TCP *:47764 (LISTEN)
> bro 5084 root 4u IPv4 16752 0t0 UDP xxx.xxx.x.71:53849->xxx.xxx.x.114:53
> bro 5084 root 8u IPv6 14196 0t0 TCP *:47764 (LISTEN)
> bro 5094 root 0u IPv4 16790 0t0 TCP xxx.xxx.x.71:39825->xxx.xxx.x.71:47761 (ESTABLISHED)
> bro 5094 root 1u IPv4 16791 0t0 TCP xxx.xxx.x.71:51207->xxx.xxx.x.71:47762 (ESTABLISHED)
> bro 5094 root 2u IPv4 16794 0t0 TCP *:47763 (LISTEN)
> bro 5094 root 4u IPv4 12118 0t0 UDP xxx.xxx.x.71:38538->xxx.xxx.x.114:53
> bro 5094 root 8u IPv6 16795 0t0 TCP *:47763 (LISTEN)
> tclsh 5217 root 3u IPv4 642542 0t0 TCP 127.0.0.1:54939->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5277 root 3u IPv4 20636 0t0 TCP 127.0.0.1:8001 (LISTEN)
> tclsh 5277 root 5u IPv4 669054 0t0 TCP 127.0.0.1:8001->127.0.0.1:37266 (ESTABLISHED)
> tclsh 5277 root 7u IPv4 640583 0t0 TCP 127.0.0.1:54940->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5650 root 6u IPv4 642541 0t0 TCP 127.0.0.1:54935->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5684 root 3u IPv4 644951 0t0 TCP 127.0.0.1:54933->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5821 root 3u IPv4 648257 0t0 TCP 127.0.0.1:54936->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5840 root 3u IPv4 21636 0t0 TCP 127.0.0.1:8101 (LISTEN)
> tclsh 5840 root 5u IPv4 664826 0t0 TCP 127.0.0.1:8101->127.0.0.1:38181 (ESTABLISHED)
> tclsh 5840 root 7u IPv4 644952 0t0 TCP 127.0.0.1:54937->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5950 root 6u IPv4 640584 0t0 TCP 127.0.0.1:54941->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5969 root 3u IPv4 647434 0t0 TCP 127.0.0.1:54930->127.0.0.1:7736 (ESTABLISHED)
> tclsh 6051 root 3u IPv4 642543 0t0 TCP 127.0.0.1:54942->127.0.0.1:7736 (ESTABLISHED)
> tclsh 6070 root 3u IPv4 20985 0t0 TCP 127.0.0.1:8201 (LISTEN)
> tclsh 6070 root 5u IPv4 669082 0t0 TCP 127.0.0.1:8201->127.0.0.1:57941 (ESTABLISHED)
> tclsh 6070 root 7u IPv4 642538 0t0 TCP 127.0.0.1:54932->127.0.0.1:7736 (ESTABLISHED)
> tclsh 6172 root 6u IPv4 645799 0t0 TCP 127.0.0.1:54931->127.0.0.1:7736 (ESTABLISHED)
> tclsh 6195 root 3u IPv4 642540 0t0 TCP 127.0.0.1:54934->127.0.0.1:7736 (ESTABLISHED)
> tclsh 6414 root 3u IPv4 29495 0t0 TCP 127.0.0.1:41501->127.0.0.1:7736 (CLOSE_WAIT)
> tclsh 6414 root 5u IPv4 49013 0t0 TCP 127.0.0.1:41757->127.0.0.1:7736 (CLOSE_WAIT)
> ntpd 13869 ntp 16u IPv4 38554 0t0 UDP *:123
> ntpd 13869 ntp 17u IPv6 38555 0t0 UDP *:123
> ntpd 13869 ntp 18u IPv4 38561 0t0 UDP 127.0.0.1:123
> ntpd 13869 ntp 19u IPv4 38562 0t0 UDP xxx.xxx.x.71:123
> ntpd 13869 ntp 20u IPv6 38563 0t0 UDP [fe80::2e0:4cff:fe68:6aa8]:123
> ntpd 13869 ntp 21u IPv6 38564 0t0 UDP [fe80::2e0:4cff:fe68:6aa7]:123
> ntpd 13869 ntp 22u IPv6 38565 0t0 UDP [fe80::21d:9ff:fe67:5864]:123
> ntpd 13869 ntp 23u IPv6 38566 0t0 UDP [fe80::2e0:4cff:fe68:6aa6]:123
> ntpd 13869 ntp 24u IPv6 38567 0t0 UDP [::1]:123
> tclsh 13874 root 13u IPv4 646769 0t0 TCP *:7734 (LISTEN)
> tclsh 13874 root 14u IPv4 646770 0t0 TCP *:7736 (LISTEN)
> tclsh 13874 root 15u IPv4 646774 0t0 TCP 127.0.0.1:7736->127.0.0.1:54928 (ESTABLISHED)
> tclsh 13874 root 16u IPv4 646778 0t0 TCP 127.0.0.1:7736->127.0.0.1:54929 (ESTABLISHED)
> tclsh 13874 root 17u IPv4 645798 0t0 TCP 127.0.0.1:7736->127.0.0.1:54930 (ESTABLISHED)
> tclsh 13874 root 18u IPv4 637695 0t0 TCP 127.0.0.1:7736->127.0.0.1:54931 (ESTABLISHED)
> tclsh 13874 root 19u IPv4 648256 0t0 TCP 127.0.0.1:7736->127.0.0.1:54932 (ESTABLISHED)
> tclsh 13874 root 20u IPv4 645800 0t0 TCP 127.0.0.1:7736->127.0.0.1:54933 (ESTABLISHED)
> tclsh 13874 root 21u IPv4 645801 0t0 TCP 127.0.0.1:7736->127.0.0.1:54934 (ESTABLISHED)
> tclsh 13874 root 22u IPv4 637699 0t0 TCP 127.0.0.1:7736->127.0.0.1:54935 (ESTABLISHED)
> tclsh 13874 root 23u IPv4 637700 0t0 TCP 127.0.0.1:7736->127.0.0.1:54936 (ESTABLISHED)
> tclsh 13874 root 24u IPv4 645802 0t0 TCP 127.0.0.1:7736->127.0.0.1:54937 (ESTABLISHED)
> tclsh 13874 root 25u IPv4 645803 0t0 TCP 127.0.0.1:7736->127.0.0.1:54938 (ESTABLISHED)
> tclsh 13874 root 26u IPv4 644953 0t0 TCP 127.0.0.1:7736->127.0.0.1:54939 (ESTABLISHED)
> tclsh 13874 root 27u IPv4 637701 0t0 TCP 127.0.0.1:7736->127.0.0.1:54940 (ESTABLISHED)
> tclsh 13874 root 28u IPv4 648259 0t0 TCP 127.0.0.1:7736->127.0.0.1:54941 (ESTABLISHED)
> tclsh 13874 root 29u IPv4 647435 0t0 TCP 127.0.0.1:7736->127.0.0.1:54942 (ESTABLISHED)
> tclsh 13874 root 30u IPv4 673693 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52897 (ESTABLISHED)
> tclsh 13874 root 31u IPv4 973320 0t0 TCP xxx.xxx.x.71:7734->172.16.88.83:56527 (ESTABLISHED)
> tclsh 13874 root 43u IPv4 644978 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52516 (ESTABLISHED)
> tclsh 13874 root 44u IPv4 644979 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52517 (ESTABLISHED)
> tclsh 13874 root 45u IPv4 644980 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52518 (ESTABLISHED)
> tclsh 13874 root 47u IPv4 644981 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52519 (ESTABLISHED)
> tclsh 13874 root 48u IPv4 648287 0t0 TCP xxx.xxx.x.71:7736->172.16.88.31:52520 (ESTABLISHED)
> barnyard2 19438 root 3u IPv4 664822 0t0 TCP 127.0.0.1:37266->127.0.0.1:8001 (ESTABLISHED)
> barnyard2 19438 root 4u IPv4 664825 0t0 TCP 127.0.0.1:44420->127.0.0.1:3306 (ESTABLISHED)
> barnyard2 19498 root 3u IPv4 669734 0t0 TCP 127.0.0.1:38181->127.0.0.1:8101 (ESTABLISHED)
> barnyard2 19498 root 4u IPv4 669737 0t0 TCP 127.0.0.1:44422->127.0.0.1:3306 (ESTABLISHED)
> barnyard2 19558 root 3u IPv4 666973 0t0 TCP 127.0.0.1:57941->127.0.0.1:8201 (ESTABLISHED)
> barnyard2 19558 root 4u IPv4 666976 0t0 TCP 127.0.0.1:44424->127.0.0.1:3306 (ESTABLISHED)
> /usr/sbin 20373 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 20373 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 20373 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 20373 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 21645 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 21645 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 21645 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 21645 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> ruby1.9.1 22026 www-data 12u IPv4 801109 0t0 TCP 127.0.0.1:58634 (LISTEN)
> /usr/sbin 22036 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 22036 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 22036 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 22036 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 22038 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 22038 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 22038 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 22038 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> /usr/sbin 22039 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 22039 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 22039 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 22039 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> bro 27260 root 4u IPv4 475960 0t0 UDP xxx.xxx.x.71:38095->xxx.xxx.x.114:53
> bro 27263 root 0u IPv4 475062 0t0 TCP xxx.xxx.x.71:45491->xxx.xxx.x.71:47761 (ESTABLISHED)
> bro 27263 root 1u IPv4 475063 0t0 TCP xxx.xxx.x.71:56873->xxx.xxx.x.71:47762 (ESTABLISHED)
> bro 27263 root 2u IPv4 475066 0t0 TCP *:47765 (LISTEN)
> bro 27263 root 4u IPv4 475960 0t0 UDP xxx.xxx.x.71:38095->xxx.xxx.x.114:53
> bro 27263 root 8u IPv6 475067 0t0 TCP *:47765 (LISTEN)
> tclsh 27320 root 3u IPv4 646775 0t0 TCP 127.0.0.1:54929->127.0.0.1:7736 (ESTABLISHED)
> tclsh 27375 root 3u IPv4 648258 0t0 TCP 127.0.0.1:54938->127.0.0.1:7736 (ESTABLISHED)
> tclsh 27430 root 3u IPv4 642529 0t0 TCP 127.0.0.1:54928->127.0.0.1:7736 (ESTABLISHED)
> /usr/sbin 29692 www-data 4u IPv4 15372 0t0 TCP *:443 (LISTEN)
> /usr/sbin 29692 www-data 5u IPv4 15375 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 29692 www-data 6u IPv4 15377 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 29692 www-data 7u IPv4 15381 0t0 TCP *:444 (LISTEN)
> sshd 30200 root 3r IPv4 975206 0t0 TCP xxx.xxx.x.71:22->172.16.88.83:56639 (ESTABLISHED)
> sshd 30678 xxxxxxxxx 3u IPv4 975206 0t0 TCP xxx.xxx.x.71:22->172.16.88.83:56639 (ESTABLISHED)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
> Tue Feb 5 07:01:01 UTC 2013
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Running PulledPork.
> http://code.google.com/p/pulledpork/
> _____ ____
> `----,\ )
> `--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
> `--==\\/
> .-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
> @_/ / 66\_ cumm...@gmail.com
> | \ \ _(")
> \ /-| ||'--' Rules give me wings!
> \_\ \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Checking latest MD5 for snortrules-snapshot-2931.tar.gz....
> Rules tarball download of snortrules-snapshot-2931.tar.gz....
> They Match
> Done!
> Prepping rules from snortrules-snapshot-2931.tar.gz for work....
> Done!
> Checking latest MD5 for emerging.rules.tar.gz....
> Rules tarball download of emerging.rules.tar.gz....
> They Match
> Done!
> Prepping rules from emerging.rules.tar.gz for work....
> Done!
> Reading rules...
> Generating Stub Rules....
> Done
> Reading rules...
> Reading rules...
> Reading rules...
> Processing /etc/nsm/pulledpork/enablesid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/dropsid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/disablesid.conf....
> Modified 17 rules
> Done
> Modifying Sids....
> Done!
> Setting Flowbit State....
> Enabled 62 flowbits
> Done
> Writing /etc/nsm/rules/downloaded.rules....
> Done
> Writing /etc/nsm/rules/so_rules.rules....
> Done
> Generating sid-msg.map....
> Done
> Writing /etc/nsm/rules/sid-msg.map....
> Done
> Writing /var/log/sid_changes.log....
> Done
> Rule Stats....
> New:-------20
> Deleted:---1
> Enabled Rules:----17445
> Dropped Rules:----0
> Disabled Rules:---15902
> Total Rules:------33347
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> Restarting Barnyard2.
> Restarting: securityonion-eth0
> * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
> * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
> Restarting: securityonion-eth1
> * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
> * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
> Restarting: securityonion-eth2
> * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
> * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
> Restarting IDS Engine.
> Restarting: securityonion-eth0
> * stopping: snort-1 (alert data)[ OK ]
> * starting: snort-1 (alert data)[ OK ]
> Restarting: securityonion-eth1
> * stopping: snort-1 (alert data)[ OK ]
> * starting: snort-1 (alert data)[ OK ]
> Restarting: securityonion-eth2
> * stopping: snort-1 (alert data)[ OK ]
> * starting: snort-1 (alert data)[ OK ]
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 13:55:37 up 18:12, 1 user, load average: 2.61, 2.12, 1.95
> Tasks: 232 total, 4 running, 228 sleeping, 0 stopped, 0 zombie
> Cpu(s): 6.3%us, 12.1%sy, 1.4%ni, 79.2%id, 0.8%wa, 0.0%hi, 0.2%si, 0.0%st
> Mem: 14366332k total, 13994624k used, 371708k free, 206248k buffers
> Swap: 14673916k total, 30380k used, 14643536k free, 8688736k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 27260 root 20 0 403m 220m 70m S 21 1.6 113:55.82 bro
> 4952 root 20 0 317m 133m 70m S 20 0.9 172:03.04 bro
> 4118 root 25 5 141m 18m 852 R 18 0.1 199:43.91 bro
> 4950 root 20 0 331m 147m 70m R 18 1.1 178:09.94 bro
> 5094 root 25 5 129m 82m 64m S 18 0.6 173:19.77 bro
> 27263 root 25 5 129m 82m 64m R 18 0.6 106:22.43 bro
> 4400 root 25 5 71032 18m 864 S 16 0.1 189:22.41 bro
> 5084 root 25 5 129m 82m 64m S 16 0.6 173:40.09 bro
> 6155 sguil 20 0 117m 99m 3568 S 4 0.7 21:01.20 prads
> 2219 mysql 20 0 2982m 279m 5168 S 2 2.0 88:34.03 mysqld
> 2252 root 20 0 202m 7676 2232 S 2 0.1 1:11.26 Xorg
> 2263 root 20 0 207m 34m 3808 S 2 0.2 1:48.67 perl
> 2524 lightdm 20 0 234m 6716 3420 S 2 0.0 1:55.04 lightdm-gtk-gre
> 4323 root 20 0 281m 24m 3260 S 2 0.2 11:15.44 bro
> 19699 root 20 0 679m 327m 11m S 2 2.3 3:20.76 snort
> 26706 root 20 0 267m 254m 239m S 2 1.8 7:06.53 netsniff-ng
> 27172 sguil 20 0 111m 13m 1056 S 2 0.1 4:10.04 argus
> 27238 sguil 20 0 111m 45m 1060 S 2 0.3 12:23.59 argus
> 27430 root 20 0 40604 5152 2736 S 2 0.0 0:14.81 tclsh
> 31212 root 20 0 17336 1340 904 R 2 0.0 0:00.02 top
> 1 root 20 0 24680 2260 1244 S 0 0.0 0:02.52 init
> 2 root 20 0 0 0 0 S 0 0.0 0:00.02 kthreadd
> 3 root 20 0 0 0 0 S 0 0.0 0:04.39 ksoftirqd/0
> 6 root RT 0 0 0 0 S 0 0.0 0:00.37 migration/0
> 7 root RT 0 0 0 0 S 0 0.0 0:00.30 watchdog/0
> 8 root RT 0 0 0 0 S 0 0.0 0:00.80 migration/1
> 9 root 20 0 0 0 0 S 0 0.0 0:03.64 kworker/1:0
> 10 root 20 0 0 0 0 S 0 0.0 0:02.27 ksoftirqd/1
> 12 root RT 0 0 0 0 S 0 0.0 0:00.13 watchdog/1
> 13 root RT 0 0 0 0 S 0 0.0 0:01.93 migration/2
> 15 root 20 0 0 0 0 S 0 0.0 0:02.06 ksoftirqd/2
> 16 root RT 0 0 0 0 S 0 0.0 0:00.11 watchdog/2
> 17 root RT 0 0 0 0 S 0 0.0 0:00.33 migration/3
> 19 root 20 0 0 0 0 S 0 0.0 0:02.53 ksoftirqd/3
> 20 root RT 0 0 0 0 S 0 0.0 0:00.14 watchdog/3
> 21 root RT 0 0 0 0 S 0 0.0 0:00.21 migration/4
> 23 root 20 0 0 0 0 S 0 0.0 0:02.39 ksoftirqd/4
> 24 root RT 0 0 0 0 S 0 0.0 0:00.14 watchdog/4
> 25 root RT 0 0 0 0 S 0 0.0 0:00.22 migration/5
> 27 root 20 0 0 0 0 S 0 0.0 0:02.46 ksoftirqd/5
> 28 root RT 0 0 0 0 S 0 0.0 0:00.13 watchdog/5
> 29 root RT 0 0 0 0 S 0 0.0 0:00.32 migration/6
> 30 root 20 0 0 0 0 S 0 0.0 0:00.34 kworker/6:0
> 31 root 20 0 0 0 0 S 0 0.0 0:02.11 ksoftirqd/6
> 32 root RT 0 0 0 0 S 0 0.0 0:00.11 watchdog/6
> 33 root RT 0 0 0 0 S 0 0.0 0:00.33 migration/7
> 35 root 20 0 0 0 0 S 0 0.0 0:02.32 ksoftirqd/7
> 36 root RT 0 0 0 0 S 0 0.0 0:00.12 watchdog/7
> 37 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
> 38 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
> 39 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
> 40 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
> 42 root 20 0 0 0 0 S 0 0.0 0:00.11 sync_supers
> 43 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
> 44 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
> 45 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
> 46 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
> 47 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
> 48 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
> 50 root 20 0 0 0 0 S 0 0.0 0:01.50 kworker/2:1
> 51 root 20 0 0 0 0 S 0 0.0 0:00.88 kworker/3:1
> 54 root 20 0 0 0 0 S 0 0.0 0:00.66 kworker/6:1
> 56 root 20 0 0 0 0 S 0 0.0 0:00.04 khungtaskd
> 57 root 20 0 0 0 0 S 0 0.0 1:05.64 kswapd0
> 58 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
> 59 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
> 60 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
> 61 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
> 62 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
> 70 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
> 71 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
> 72 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
> 93 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
> 177 root 20 0 0 0 0 S 0 0.0 0:00.75 kworker/7:2
> 191 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
> 237 root 20 0 0 0 0 S 0 0.0 0:28.13 jbd2/sda1-8
> 238 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 247 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_3
> 248 root 20 0 0 0 0 S 0 0.0 0:04.85 usb-storage
> 249 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_4
> 250 root 20 0 0 0 0 S 0 0.0 0:04.33 usb-storage
> 252 root 20 0 0 0 0 S 0 0.0 0:01.41 kworker/2:2
> 317 root 20 0 0 0 0 S 0 0.0 0:05.16 kworker/1:2
> 463 root 20 0 17364 540 424 S 0 0.0 0:00.12 upstart-udev-br
> 472 root 20 0 22092 744 740 S 0 0.0 0:00.12 udevd
> 737 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
> 773 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
> 790 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
> 806 messageb 20 0 24260 1220 768 S 0 0.0 0:00.14 dbus-daemon
> 855 root 20 0 21188 804 804 S 0 0.0 0:00.00 bluetoothd
> 907 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
> 910 root 20 0 101m 2932 2464 S 0 0.0 0:00.02 cupsd
> 932 avahi 20 0 32312 1400 1188 S 0 0.0 0:00.07 avahi-daemon
> 933 avahi 20 0 32180 160 140 S 0 0.0 0:00.00 avahi-daemon
> 993 root 20 0 15188 300 260 S 0 0.0 0:00.01 upstart-socket-
> 1133 root 0 -20 0 0 0 S 0 0.0 0:00.00 iscsi_eh
> 1142 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_addr
> 1143 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_mcast
> 1144 root 0 -20 0 0 0 S 0 0.0 0:00.00 iw_cm_wq
> 1145 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_cm
> 1146 root 0 -20 0 0 0 S 0 0.0 0:00.00 rdma_cm
> 1150 root 20 0 0 0 0 S 0 0.0 0:23.64 flush-8:0
> 1160 root 10 -10 13740 3524 2336 S 0 0.0 0:03.32 iscsid
> 1335 root 20 0 7264 280 192 S 0 0.0 0:00.00 dhclient3
> 1432 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_5
> 1433 root 0 -20 0 0 0 S 0 0.0 0:00.00 iscsi_q_5
> 1434 root 0 -20 0 0 0 S 0 0.0 0:00.00 scsi_wq_5
> 1435 root 20 0 22088 300 296 S 0 0.0 0:00.00 udevd
> 1437 root 20 0 4090m 2236 2000 S 0 0.0 0:00.21 console-kit-dae
> 1502 root 20 0 22088 284 280 S 0 0.0 0:00.00 udevd
> 1509 root 20 0 190m 2508 1668 S 0 0.0 0:00.08 polkitd
> 2025 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2031 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2033 root 20 0 90160 2884 2844 S 0 0.0 0:00.01 sshd
> 2045 root 20 0 0 0 0 S 0 0.0 0:15.87 jbd2/sdc1-8
> 2048 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 2124 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2126 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2134 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2141 root 20 0 26780 200 164 S 0 0.0 0:00.00 syslog-ng
> 2142 root 20 0 81540 7888 2404 S 0 0.1 1:12.64 syslog-ng
> 2184 root 20 0 4460 532 528 S 0 0.0 0:00.00 acpid
> 2204 root 20 0 19112 924 784 S 0 0.0 0:00.62 cron
> 2205 daemon 20 0 16908 220 200 S 0 0.0 0:00.00 atd
> 2214 xxxxxxxx 20 0 96496 7316 996 S 0 0.1 0:56.21 sshd
> 2223 root 20 0 15980 580 476 S 0 0.0 0:13.69 irqbalance
> 2230 root 20 0 264m 1556 1364 S 0 0.0 0:00.01 lightdm
> 2261 root 20 0 4400 516 512 S 0 0.0 0:00.00 sh
> 2310 root 20 0 7264 292 200 S 0 0.0 0:00.00 dhclient3
> 2383 root 20 0 49956 2380 2256 S 0 0.0 0:00.15 sshd
> 2429 mail 20 0 12588 616 440 S 0 0.0 0:00.00 nullmailer-send
> 2452 root 20 0 153m 2216 1516 S 0 0.0 0:00.01 lightdm
> 2464 root 20 0 118m 2272 1620 S 0 0.0 0:00.97 accounts-daemon
> 2474 root 20 0 12804 504 328 S 0 0.0 0:00.00 ossec-execd
> 2478 ossec 20 0 14508 2316 692 S 0 0.0 0:07.18 ossec-analysisd
> 2488 root 20 0 4528 536 404 S 0 0.0 0:00.02 ossec-logcollec
> 2501 lightdm 20 0 4400 612 504 S 0 0.0 0:00.00 lightdm-greeter
> 2521 root 20 0 0 0 0 S 0 0.0 0:50.15 flush-8:32
> 2522 lightdm 20 0 23952 400 160 S 0 0.0 0:00.00 dbus-daemon
> 2529 root 20 0 5752 2004 540 S 0 0.0 0:35.44 ossec-syscheckd
> 2538 ossec 20 0 13068 700 432 S 0 0.0 0:00.05 ossec-monitord
> 2563 lightdm 20 0 52404 1636 1240 S 0 0.0 0:00.00 gvfsd
> 2577 lightdm 20 0 203m 1708 1208 S 0 0.0 0:00.00 gvfs-fuse-daemo
> 2614 root 20 0 214m 2868 1876 S 0 0.0 0:00.11 upowerd
> 2682 root 20 0 76600 1632 1120 S 0 0.0 0:00.00 lightdm
> 2964 root 20 0 42372 9160 2328 S 0 0.1 0:00.27 tclsh
> 3105 root 20 0 176m 10m 4152 S 0 0.1 0:01.71 /usr/sbin/apach
> 3122 root 20 0 215m 1504 1252 S 0 0.0 0:00.00 PassengerWatchd
> 3451 root 20 0 993m 2656 1888 S 0 0.0 0:20.96 PassengerHelper
> 3463 root 20 0 109m 9184 2048 S 0 0.1 0:00.13 ruby1.9.1
> 3471 nobody 20 0 165m 4076 3056 S 0 0.0 0:00.12 PassengerLoggin
> 3909 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 4059 www-data 20 0 370m 103m 8836 S 0 0.7 0:13.55 /usr/sbin/apach
> 4060 www-data 20 0 380m 113m 8860 S 0 0.8 0:12.79 /usr/sbin/apach
> 4062 www-data 20 0 370m 102m 8580 S 0 0.7 0:14.26 /usr/sbin/apach
> 4063 www-data 20 0 370m 102m 8612 S 0 0.7 0:13.27 /usr/sbin/apach
> 4067 root 20 0 2010m 25m 3380 S 0 0.2 13:54.37 bro
> 4080 root 20 0 20008 932 768 S 0 0.0 0:00.00 getty
> 4223 root 20 0 17884 1596 1320 S 0 0.0 0:00.00 bash
> 4897 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 4901 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 5217 root 20 0 33420 4988 2688 S 0 0.0 0:00.36 tclsh
> 5277 root 20 0 33440 5024 2688 S 0 0.0 0:00.54 tclsh
> 5409 root 20 0 4344 356 280 S 0 0.0 0:00.00 tail
> 5559 sguil 20 0 34392 15m 3556 S 0 0.1 4:02.22 prads
> 5650 root 20 0 33164 4508 2668 S 0 0.0 0:01.40 tclsh
> 5653 root 20 0 4328 356 280 S 0 0.0 0:00.00 cat
> 5684 root 20 0 40772 11m 2748 S 0 0.1 0:24.40 tclsh
> 5821 root 20 0 33372 4784 2476 S 0 0.0 0:00.44 tclsh
> 5840 root 20 0 33440 5032 2692 S 0 0.0 0:00.65 tclsh
> 5874 root 20 0 4344 360 280 S 0 0.0 0:00.00 tail
> 5934 sguil 20 0 27444 8344 3488 S 0 0.1 4:38.02 prads
> 5950 root 20 0 33000 4416 2656 S 0 0.0 0:00.24 tclsh
> 5952 root 20 0 4328 360 280 S 0 0.0 0:00.00 cat
> 5969 root 20 0 40676 11m 2748 S 0 0.1 0:32.55 tclsh
> 6051 root 20 0 34272 5944 2692 S 0 0.0 0:00.62 tclsh
> 6070 root 20 0 33440 5032 2692 S 0 0.0 0:01.23 tclsh
> 6073 root 20 0 4344 360 280 S 0 0.0 0:00.00 tail
> 6172 root 20 0 33200 4592 2668 S 0 0.0 0:02.56 tclsh
> 6174 root 20 0 4328 360 280 S 0 0.0 0:00.06 cat
> 6195 root 20 0 40756 12m 2748 S 0 0.1 3:40.20 tclsh
> 6414 root 20 0 46752 6724 2340 S 0 0.0 0:00.30 tclsh
> 10583 root 20 0 4344 600 508 S 0 0.0 0:00.00 tail
> 10585 root 20 0 11424 696 584 S 0 0.0 0:00.00 tail
> 13869 ntp 20 0 39756 2176 1532 S 0 0.0 0:03.40 ntpd
> 13874 root 20 0 160m 40m 3924 S 0 0.3 1:39.36 tclsh
> 13891 root 20 0 126m 5152 1056 S 0 0.0 0:02.17 tclsh
> 13893 root 20 0 126m 5132 1060 S 0 0.0 0:00.00 tclsh
> 13895 www-data 20 0 428m 91m 2904 S 0 0.6 1:37.96 ruby
> 18711 root 20 0 0 0 0 S 0 0.0 0:45.15 kworker/u:2
> 19438 root 20 0 201m 103m 1808 S 0 0.7 5:50.65 barnyard2
> 19498 root 20 0 201m 103m 1856 S 0 0.7 5:46.88 barnyard2
> 19558 root 20 0 201m 103m 1856 S 0 0.7 5:58.50 barnyard2
> 19630 root 20 0 679m 323m 11m S 0 2.3 1:37.52 snort
> 19760 root 20 0 0 0 0 S 0 0.0 0:00.39 kworker/7:0
> 19777 root 20 0 679m 385m 11m S 0 2.7 9:14.88 snort
> 19804 root 20 0 0 0 0 S 0 0.0 0:00.28 kworker/3:2
> 20373 www-data 20 0 370m 102m 8660 S 0 0.7 0:12.97 /usr/sbin/apach
> 21645 www-data 20 0 370m 102m 8876 S 0 0.7 0:15.22 /usr/sbin/apach
> 22026 www-data 20 0 281m 85m 2588 S 0 0.6 0:01.17 ruby1.9.1
> 22036 www-data 20 0 373m 105m 8828 S 0 0.8 0:11.54 /usr/sbin/apach
> 22038 www-data 20 0 382m 114m 8568 S 0 0.8 0:11.13 /usr/sbin/apach
> 22039 www-data 20 0 370m 102m 8780 S 0 0.7 0:12.27 /usr/sbin/apach
> 22774 root 20 0 0 0 0 S 0 0.0 0:00.04 kworker/0:1
> 23706 root 20 0 0 0 0 S 0 0.0 0:00.17 kworker/4:1
> 26207 root 20 0 267m 254m 239m S 0 1.8 1:44.91 netsniff-ng
> 26568 root 20 0 267m 254m 239m S 0 1.8 2:34.99 netsniff-ng
> 26817 sguil 20 0 111m 40m 1060 S 0 0.3 3:09.18 argus
> 27051 root 20 0 0 0 0 S 0 0.0 0:00.03 kworker/5:2
> 27077 root 20 0 16548 1520 1292 S 0 0.0 0:00.00 bash
> 27320 root 20 0 40604 5148 2736 S 0 0.0 0:16.02 tclsh
> 27322 root 20 0 11424 700 592 S 0 0.0 0:00.23 tail
> 27375 root 20 0 40604 5148 2736 S 0 0.0 0:15.28 tclsh
> 27377 root 20 0 11424 700 592 S 0 0.0 0:00.49 tail
> 27433 root 20 0 11424 704 592 S 0 0.0 0:00.69 tail
> 27973 root 20 0 0 0 0 S 0 0.0 0:00.02 kworker/5:1
> 27992 root 20 0 0 0 0 S 0 0.0 0:06.76 kworker/u:1
> 28812 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
> 28815 root 20 0 4400 324 220 S 0 0.0 0:00.00 sh
> 28820 root 20 0 4308 352 276 S 0 0.0 0:00.00 sleep
> 28823 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:2
> 28862 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:2
> 29690 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
> 29692 www-data 20 0 176m 7636 1324 S 0 0.1 0:00.00 /usr/sbin/apach
> 29709 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:0
> 29721 root 20 0 0 0 0 S 0 0.0 0:01.30 kworker/u:0
> 30200 root 20 0 90164 3948 3048 S 0 0.0 0:00.03 sshd
> 30678 xxxxxxxx 20 0 90164 1928 1024 S 0 0.0 0:00.01 sshd
> 30679 xxxxxxxx 20 0 31036 7948 1612 S 0 0.1 0:00.52 bash
> 30778 root 20 0 207m 31m 776 S 0 0.2 0:00.00 perl
> 30781 root 20 0 60308 2088 1540 S 0 0.0 0:00.05 sudo
> 30785 root 20 0 16540 1472 1248 S 0 0.0 0:00.00 sostat
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/SecOnionFW-eth1/dailylogs/
> /usr/bin/sostat: line 69: cd: /nsm/sensor_data/SecOnionFW-eth1/dailylogs: No such file or directory
> 23M .
> 12M ./.cache
> 9.1M ./.config
> 16K ./.dbus
> 4.0K ./Desktop
> 4.0K ./Documents
> 28K ./Downloads
> 32K ./.fontconfig
> 92K ./.gconf
> 8.0K ./.gnome2
> 392K ./.gstreamer-0.10
> 4.0K ./.gvfs
> 40K ./.local
> 4.0K ./.mono
> 4.0K ./Music
> 4.0K ./Pictures
> 36K ./.pki
> 4.0K ./Public
> 28K ./.pulse
> 12K ./.ssh
> 4.0K ./Templates
> 680K ./.thumbnails
> 4.0K ./Videos
> 12K ./.wireshark
> /usr/bin/sostat: line 69: cd: OLDPWD not set
>
> /nsm/sensor_data/securityonion-eth0/dailylogs/
> 61G .
> 11G ./2013-01-30
> 12G ./2013-01-31
> 14G ./2013-02-01
> 5.8G ./2013-02-02
> 5.3G ./2013-02-03
> 9.2G ./2013-02-04
> 4.0G ./2013-02-05
>
> /nsm/sensor_data/securityonion-eth1/dailylogs/
> 197G .
> 39G ./2013-01-30
> 41G ./2013-01-31
> 41G ./2013-02-01
> 7.2G ./2013-02-02
> 8.0G ./2013-02-03
> 50G ./2013-02-04
> 13G ./2013-02-05
>
> /nsm/sensor_data/securityonion-eth2/dailylogs/
> 453G .
> 115G ./2013-01-30
> 85G ./2013-01-31
> 92G ./2013-02-01
> 25G ./2013-02-02
> 26G ./2013-02-03
> 84G ./2013-02-04
> 29G ./2013-02-05
>
> /nsm/bro/logs/
> 689M .
> 66M ./2013-01-26
> 46M ./2013-01-27
> 63M ./2013-01-28
> 58M ./2013-01-29
> 62M ./2013-01-30
> 58M ./2013-01-31
> 54M ./2013-02-01
> 44M ./2013-02-02
> 42M ./2013-02-03
> 60M ./2013-02-04
> 25M ./2013-02-05
> 116M ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> /nsm/sensor_data/securityonion-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
> /nsm/sensor_data/securityonion-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
> /nsm/sensor_data/securityonion-eth2/snort-1.stats last reported pkt_drop_percent as 0.000
>
> =========================================================================
> pf_ring stats
> =========================================================================
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 596974
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 3473250
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 14797733
> Tot Pkt Lost : 657233
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 18570913
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 11146429
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 6411039
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 299 |
> +----------+
>
> On Monday, February 4, 2013 7:16:32 PM UTC-5, Doug Burks wrote:
>> Please send the output of the following (redacting sensitive info as necessary):
>>
>> sudo sostat
>>
>> Thanks,
>>
>> Doug
>>
>> On Fri, Feb 1, 2013 at 8:49 AM, Matthew Thacker