Re: [security-onion] BRO DNS sees external DNS queries but not internal?


Liam Randall

Jan 31, 2013, 11:09:47 AM
to securit...@googlegroups.com
Where do you have your tap?  Right at the border to your network?  Then it is seeing what is there.

Client asks server "Where is matt.com"
Server checks its local cache, if it's not there
query upstream...

If you want to see what the clients are asking (a great idea imho) you need to tap the DNS server as well.

Liam


On Thu, Jan 31, 2013 at 11:01 AM, Matthew Thacker <matthewaa...@gmail.com> wrote:
Doug,
First, love the product thanks for the hard work!
I'm wondering if I've got something configured wrong. Bro seems to only grab the DNS queries going from my internal DNS server to external DNS (8.8.8.8), It's not seeing the internal queries from the client machines to the internal DNS server. I have both rx and tx traffic mirrored from my DNS server to the seconion box, but just can't seem to make it report on the client->server traffic.
Any ideas?
Thanks,
matthew

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.
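As an added illustration of the tap-placement point above (example code, not from this thread and not part of Security Onion or Bro): a small parser over constructed Bro 2.x dns.log lines that reports whether a sensor sees the client->resolver leg or only the resolver->upstream leg, and which internal client asked for a given name. The resolver address 10.0.0.53, the client addresses and every log line are made up for the example.

```python
"""Does a Bro dns.log show the client->resolver leg, or only resolver->upstream?

Parses Bro 2.x ASCII dns.log rows (tab-separated, named by the #fields header)
and reports which DNS legs the sensor can see. All addresses and log lines
below are constructed for this example.
"""
from collections import Counter

RESOLVER = "10.0.0.53"   # hypothetical internal DNS server (assumption)

# Constructed log: a sensor at the border sees only the resolver's upstream queries.
BORDER_ONLY_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\n"
    "1359640000.10\t10.0.0.53\t41000\t8.8.8.8\t53\tudp\tmatt.com\tA\n"
    "1359640001.20\t10.0.0.53\t41001\t8.8.8.8\t53\tudp\tsuspicious.example\tA\n"
)

# Constructed log: the resolver's switch port is tapped too, so client queries appear.
FULL_LOG = BORDER_ONLY_LOG + (
    "1359640000.05\t10.0.1.25\t50000\t10.0.0.53\t53\tudp\tmatt.com\tA\n"
    "1359640001.15\t10.0.1.77\t50001\t10.0.0.53\t53\tudp\tsuspicious.example\tA\n"
    "1359640002.00\t10.0.1.77\t50002\t10.0.0.53\t53\tudp\tsuspicious.example\tTXT\n"
)


def parse_bro_log(text):
    """Return one dict per data row, keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue                      # other header lines (#separator, #types, ...)
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def visibility_report(rows, resolver=RESOLVER):
    """Count queries on each DNS leg relative to the internal resolver."""
    client_leg = [r for r in rows if r["id.resp_h"] == resolver]    # client -> resolver
    upstream_leg = [r for r in rows if r["id.orig_h"] == resolver]  # resolver -> upstream
    return {
        "client_to_resolver": len(client_leg),
        "resolver_to_upstream": len(upstream_leg),
        "clients_seen": sorted({r["id.orig_h"] for r in client_leg}),
        # The thread's problem: upstream queries visible, but no client leg at all.
        "blind_spot": bool(upstream_leg) and not client_leg,
    }


def who_asked(rows, domain, resolver=RESOLVER):
    """Internal clients that queried `domain`, with counts.

    Empty when only the resolver's own upstream query is visible, which is
    exactly the attribution gap described in the thread.
    """
    hits = Counter(r["id.orig_h"] for r in rows
                   if r["query"] == domain and r["id.orig_h"] != resolver)
    return sorted(hits.items())


if __name__ == "__main__":
    for name, text in (("border-only tap", BORDER_ONLY_LOG),
                       ("border + resolver tap", FULL_LOG)):
        rows = parse_bro_log(text)
        print(name, visibility_report(rows))
        print("  who asked for suspicious.example:", who_asked(rows, "suspicious.example"))
```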



Castle, Shane

Jan 31, 2013, 11:12:08 AM
to securit...@googlegroups.com
Um, you're *sure* that you're listening to the traffic going to your internal DNS server?

In my case, I am planning to add a sensor on the port(s) that our internal server(s) are on, but I want to wait til I have more disk space as these are AD domain controllers and will see a ton of traffic. (BPF for sure, I think.)

And yes, it's frustrating to see DNS traffic that strongly suggests a compromised box and be unable to tell which box it is 'cos you only see traffic being forwarded to your external servers.

--
Shane Castle
Data Security Mgr, Boulder County IT

Liam Randall

Jan 31, 2013, 11:13:40 AM
to securit...@googlegroups.com
Matt,

Windows DNS servers can be configured to log requests.


But I agree with Shane- this is information I want in Bro.

Liam

Castle, Shane

Jan 31, 2013, 6:17:20 PM
to securit...@googlegroups.com
Oh cool! I useta do a lot of ACL configuring in the old days. But sadly, we are getting away from 6500 boxes and going to stacked 3750s instead. Hmm, but logging in, entering "conf t" and then "vlan access" gets me additional options. Is a 3750E capable of this, too?

jldck1#sho ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)

--
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: securit...@googlegroups.com [mailto:securit...@googlegroups.com] On Behalf Of Neil C.
Sent: Thursday, January 31, 2013 15:52
To: securit...@googlegroups.com
Subject: Re: [security-onion] BRO DNS sees external DNS queries but not internal?

On Thursday, January 31, 2013 2:44:00 PM UTC-5, Matthew Thacker wrote:
> Hehe, I've used Microsoft's idea of "logging" DNS before. It can be useful if you know you are expecting a query, but just leaving it on all the time is NO fun whatsoever :)
> Thanks for the info though.
In case your DNS servers happen to be connected to a Cisco 6500 (or Nexus 7000) switch, consider using a VACL Capture instead of a SPAN port. The benefit being that a) you don't chew up one of your two SPANs, b) you can apply an ACL so only specific traffic is forwarded over to the capture port.

Of course, you're still going to want a real span port watching your outbound traffic, but at least now you've got the internal-user-to-DNS-server logs as well.

Alternatively, you could install the Snare agent on a Windows server to get the DNS logs; I haven't tried that but will need to at sites that don't have 6500s (unfortunately VACL Capture isn't supported on 3560s despite what their docs say.) Hope this is helpful to someone. Don't break anything :-)

Reference: http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml

! acl to permit everything
ip access-list extended acl-all_traffic
permit ip any any

! acl to permit just DNS traffic
ip access-list extended acl-dns-traffic
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any eq domain any
permit udp any eq domain any

! define the VLAN access map
vlan access-map vacl-monitor_dns 10
match ip address acl-dns-traffic
action forward capture
vlan access-map vacl-monitor_dns 20
match ip address acl-all_traffic
action forward

! apply the VLAN filter, xxx = the VLAN ID where to apply the VACL
vlan filter vacl-monitor_dns vlan-list xxx

! configure a switchport to act as the vacl capture port
! (the access vlan configured here actually doesn't matter, it's just a leftover from when the port was in access mode)
interface GigabitEthernet7/17
description SOSensor1-eth2
switchport
switchport access vlan 123
switchport mode access
switchport capture
end

! verify
show vlan access-map vacl-monitor_dns

Vlan access-map "vacl-monitor_dns" 10
match: ip address acl-dns-traffic
action: forward capture
Vlan access-map "vacl-monitor_dns" 20
match: ip address acl-all_traffic
action: forward

! show information about VLAN filters
show vlan filter
VLAN Map vacl-monitor_dns:
Configured on VLANs: <snip>
Active on VLANs: <snip>

Neil Clauson

Jan 31, 2013, 7:47:47 PM
to securit...@googlegroups.com

It might - you'll know if you can if your switch takes the "action forward CAPTURE" part and not just "action forward"

Also Cisco has a Feature Navigator tool on their site where you can look up features by IOS version and hardware platform.  Again, it's wrong on the 3560 but ymmv.  I think vacl capture is a hardware feature so maybe the newer models have it.

On Jan 31, 2013 5:59 PM, "Neil C." <clau...@gmail.com> wrote:

Doug Burks

Feb 4, 2013, 7:16:32 PM
to securit...@googlegroups.com
Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Fri, Feb 1, 2013 at 8:49 AM, Matthew Thacker
<matthewaa...@gmail.com> wrote:
> Thanks for the info. Unfortunately all my switches are Force10.
>
>
> On Thursday, January 31, 2013 5:51:46 PM UTC-5, Neil C. wrote:



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Feb 5, 2013, 10:30:30 PM
to securit...@googlegroups.com
Hi Matthew,

Your sniffing interfaces show IPv6 as enabled. Did you allow Setup to
configure /etc/network/interfaces or did you configure it manually?
What does /etc/network/interfaces look like?

Thanks,
Doug

On Tue, Feb 5, 2013 at 9:13 AM, Matthew Thacker
<matthewaa...@gmail.com> wrote:
> Here ya go. I'm assuming events/url stuff is irrelevant so omitting those.
>
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> manager manager xxx.xxx.x.71 running 4067 4 04 Feb 19:44:07
> proxy proxy xxx.xxx.x.71 running 4323 4 04 Feb 19:44:10
> securityonion-eth0-1 worker xxx.xxx.x.71 running 4952 2 04 Feb 19:44:14
> securityonion-eth1-1 worker xxx.xxx.x.71 running 4950 2 04 Feb 19:44:14
> securityonion-eth2-1 worker xxx.xxx.x.71 running 27260 2 05 Feb 03:10:02
> Status: securityonion-eth0
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: securityonion-eth1
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: securityonion-eth2
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a6
> inet6 addr: fe80::2e0:4cff:fe68:6aa6/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:19447224 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:5973258570 (5.9 GB) TX bytes:3963 (3.9 KB)
> Interrupt:52 Base address:0x4000
>
> eth1 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a7
> inet6 addr: fe80::2e0:4cff:fe68:6aa7/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:39267982 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:28085949157 (28.0 GB) TX bytes:3963 (3.9 KB)
> Interrupt:53 Base address:0xe000
>
> eth2 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a8
> inet6 addr: fe80::2e0:4cff:fe68:6aa8/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:99827692 errors:0 dropped:0 overruns:0 frame:0
> TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:55776783845 (55.7 GB) TX bytes:3963 (3.9 KB)
> Interrupt:54 Base address:0x4000
>
> eth3 Link encap:Ethernet HWaddr 00:e0:4c:68:6a:a5
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:55 Base address:0x6000
>
> eth4 Link encap:Ethernet HWaddr 00:1d:09:67:58:64
> inet addr:xxx.xxx.x.71 Bcast:xxx.xxx.x.255 Mask:255.255.255.0
> inet6 addr: fe80::21d:9ff:fe67:5864/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:19071999 errors:0 dropped:0 overruns:0 frame:0
> TX packets:104068291 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:18437638461 (18.4 GB) TX bytes:142386874836 (142.3 GB)
> Interrupt:16 Memory:f8000000-f8012800
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:1579850 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1579850 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:778694917 (778.6 MB) TX bytes:778694917 (778.6 MB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 261G 64G 184G 26% /
> udev 6.9G 4.0K 6.9G 1% /dev
> tmpfs 2.8G 896K 2.8G 1% /run
> none 5.0M 0 5.0M 0% /run/lock
> none 6.9G 0 6.9G 0% /run/shm
> /dev/sdc1 985G 757G 178G 81% /nsm
>
> 790 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
> 806 messageb 20 0 24260 1220 768 S 0 0.0 0:00.14 dbus-daemon
> 855 root 20 0 21188 804 804 S 0 0.0 0:00.00 bluetoothd
> 907 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
> 910 root 20 0 101m 2932 2464 S 0 0.0 0:00.02 cupsd
> 932 avahi 20 0 32312 1400 1188 S 0 0.0 0:00.07 avahi-daemon
> 933 avahi 20 0 32180 160 140 S 0 0.0 0:00.00 avahi-daemon
> 993 root 20 0 15188 300 260 S 0 0.0 0:00.01 upstart-socket-
> 1133 root 0 -20 0 0 0 S 0 0.0 0:00.00 iscsi_eh
> 1142 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_addr
> 1143 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_mcast
> 1144 root 0 -20 0 0 0 S 0 0.0 0:00.00 iw_cm_wq
> 1145 root 0 -20 0 0 0 S 0 0.0 0:00.00 ib_cm
> 1146 root 0 -20 0 0 0 S 0 0.0 0:00.00 rdma_cm
> 1150 root 20 0 0 0 0 S 0 0.0 0:23.64 flush-8:0
> 1160 root 10 -10 13740 3524 2336 S 0 0.0 0:03.32 iscsid
> 1335 root 20 0 7264 280 192 S 0 0.0 0:00.00 dhclient3
> 1432 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_5
> 1433 root 0 -20 0 0 0 S 0 0.0 0:00.00 iscsi_q_5
> 1434 root 0 -20 0 0 0 S 0 0.0 0:00.00 scsi_wq_5
> 1435 root 20 0 22088 300 296 S 0 0.0 0:00.00 udevd
> 1437 root 20 0 4090m 2236 2000 S 0 0.0 0:00.21 console-kit-dae
> 1502 root 20 0 22088 284 280 S 0 0.0 0:00.00 udevd
> 1509 root 20 0 190m 2508 1668 S 0 0.0 0:00.08 polkitd
> 2025 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2031 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2033 root 20 0 90160 2884 2844 S 0 0.0 0:00.01 sshd
> 2045 root 20 0 0 0 0 S 0 0.0 0:15.87 jbd2/sdc1-8
> 2048 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 2124 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2126 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2134 root 20 0 20008 776 772 S 0 0.0 0:00.00 getty
> 2141 root 20 0 26780 200 164 S 0 0.0 0:00.00 syslog-ng
> 2142 root 20 0 81540 7888 2404 S 0 0.1 1:12.64 syslog-ng
> 2184 root 20 0 4460 532 528 S 0 0.0 0:00.00 acpid
> 2204 root 20 0 19112 924 784 S 0 0.0 0:00.62 cron
> 2205 daemon 20 0 16908 220 200 S 0 0.0 0:00.00 atd
> 2214 xxxxxxxx 20 0 96496 7316 996 S 0 0.1 0:56.21 sshd
> 2223 root 20 0 15980 580 476 S 0 0.0 0:13.69 irqbalance
> 2230 root 20 0 264m 1556 1364 S 0 0.0 0:00.01 lightdm
> 2261 root 20 0 4400 516 512 S 0 0.0 0:00.00 sh
> 2310 root 20 0 7264 292 200 S 0 0.0 0:00.00 dhclient3
> 2383 root 20 0 49956 2380 2256 S 0 0.0 0:00.15 sshd
> 2429 mail 20 0 12588 616 440 S 0 0.0 0:00.00 nullmailer-send
> 2452 root 20 0 153m 2216 1516 S 0 0.0 0:00.01 lightdm
> 2464 root 20 0 118m 2272 1620 S 0 0.0 0:00.97 accounts-daemon
> 2474 root 20 0 12804 504 328 S 0 0.0 0:00.00 ossec-execd
> 2478 ossec 20 0 14508 2316 692 S 0 0.0 0:07.18 ossec-analysisd
> 2488 root 20 0 4528 536 404 S 0 0.0 0:00.02 ossec-logcollec
> 2501 lightdm 20 0 4400 612 504 S 0 0.0 0:00.00 lightdm-greeter
> 2521 root 20 0 0 0 0 S 0 0.0 0:50.15 flush-8:32
> 2522 lightdm 20 0 23952 400 160 S 0 0.0 0:00.00 dbus-daemon
> 2529 root 20 0 5752 2004 540 S 0 0.0 0:35.44 ossec-syscheckd
> 2538 ossec 20 0 13068 700 432 S 0 0.0 0:00.05 ossec-monitord
> 2563 lightdm 20 0 52404 1636 1240 S 0 0.0 0:00.00 gvfsd
> 2577 lightdm 20 0 203m 1708 1208 S 0 0.0 0:00.00 gvfs-fuse-daemo
> 2614 root 20 0 214m 2868 1876 S 0 0.0 0:00.11 upowerd
> 2682 root 20 0 76600 1632 1120 S 0 0.0 0:00.00 lightdm
> 2964 root 20 0 42372 9160 2328 S 0 0.1 0:00.27 tclsh
> 3105 root 20 0 176m 10m 4152 S 0 0.1 0:01.71 /usr/sbin/apach
> 3122 root 20 0 215m 1504 1252 S 0 0.0 0:00.00 PassengerWatchd
> 3451 root 20 0 993m 2656 1888 S 0 0.0 0:20.96 PassengerHelper
> 3463 root 20 0 109m 9184 2048 S 0 0.1 0:00.13 ruby1.9.1
> 3471 nobody 20 0 165m 4076 3056 S 0 0.0 0:00.12 PassengerLoggin
> 3909 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 4059 www-data 20 0 370m 103m 8836 S 0 0.7 0:13.55 /usr/sbin/apach
> 4060 www-data 20 0 380m 113m 8860 S 0 0.8 0:12.79 /usr/sbin/apach
> 4062 www-data 20 0 370m 102m 8580 S 0 0.7 0:14.26 /usr/sbin/apach
> 4063 www-data 20 0 370m 102m 8612 S 0 0.7 0:13.27 /usr/sbin/apach
> 4067 root 20 0 2010m 25m 3380 S 0 0.2 13:54.37 bro
> 4080 root 20 0 20008 932 768 S 0 0.0 0:00.00 getty
> 4223 root 20 0 17884 1596 1320 S 0 0.0 0:00.00 bash
> 4897 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 4901 root 20 0 17884 1600 1320 S 0 0.0 0:00.00 bash
> 5217 root 20 0 33420 4988 2688 S 0 0.0 0:00.36 tclsh
> 5277 root 20 0 33440 5024 2688 S 0 0.0 0:00.54 tclsh
> 5409 root 20 0 4344 356 280 S 0 0.0 0:00.00 tail
> 5559 sguil 20 0 34392 15m 3556 S 0 0.1 4:02.22 prads
> 5650 root 20 0 33164 4508 2668 S 0 0.0 0:01.40 tclsh
> 5653 root 20 0 4328 356 280 S 0 0.0 0:00.00 cat
> 5684 root 20 0 40772 11m 2748 S 0 0.1 0:24.40 tclsh
> 5821 root 20 0 33372 4784 2476 S 0 0.0 0:00.44 tclsh
> 5840 root 20 0 33440 5032 2692 S 0 0.0 0:00.65 tclsh
> 5874 root 20 0 4344 360 280 S 0 0.0 0:00.00 tail
> 5934 sguil 20 0 27444 8344 3488 S 0 0.1 4:38.02 prads
> 5950 root 20 0 33000 4416 2656 S 0 0.0 0:00.24 tclsh
> 5952 root 20 0 4328 360 280 S 0 0.0 0:00.00 cat
> 5969 root 20 0 40676 11m 2748 S 0 0.1 0:32.55 tclsh
> 6051 root 20 0 34272 5944 2692 S 0 0.0 0:00.62 tclsh
> 6070 root 20 0 33440 5032 2692 S 0 0.0 0:01.23 tclsh
> 6073 root 20 0 4344 360 280 S 0 0.0 0:00.00 tail
> 6172 root 20 0 33200 4592 2668 S 0 0.0 0:02.56 tclsh
> 6174 root 20 0 4328 360 280 S 0 0.0 0:00.06 cat
> 6195 root 20 0 40756 12m 2748 S 0 0.1 3:40.20 tclsh
> 6414 root 20 0 46752 6724 2340 S 0 0.0 0:00.30 tclsh
> 10583 root 20 0 4344 600 508 S 0 0.0 0:00.00 tail
> 10585 root 20 0 11424 696 584 S 0 0.0 0:00.00 tail
> 13869 ntp 20 0 39756 2176 1532 S 0 0.0 0:03.40 ntpd
> 13874 root 20 0 160m 40m 3924 S 0 0.3 1:39.36 tclsh
> 13891 root 20 0 126m 5152 1056 S 0 0.0 0:02.17 tclsh
> 13893 root 20 0 126m 5132 1060 S 0 0.0 0:00.00 tclsh
> 13895 www-data 20 0 428m 91m 2904 S 0 0.6 1:37.96 ruby
> 18711 root 20 0 0 0 0 S 0 0.0 0:45.15 kworker/u:2
> 19438 root 20 0 201m 103m 1808 S 0 0.7 5:50.65 barnyard2
> 19498 root 20 0 201m 103m 1856 S 0 0.7 5:46.88 barnyard2
> 19558 root 20 0 201m 103m 1856 S 0 0.7 5:58.50 barnyard2
> 19630 root 20 0 679m 323m 11m S 0 2.3 1:37.52 snort
> 19760 root 20 0 0 0 0 S 0 0.0 0:00.39 kworker/7:0
> 19777 root 20 0 679m 385m 11m S 0 2.7 9:14.88 snort
> 19804 root 20 0 0 0 0 S 0 0.0 0:00.28 kworker/3:2
> 20373 www-data 20 0 370m 102m 8660 S 0 0.7 0:12.97 /usr/sbin/apach
> 21645 www-data 20 0 370m 102m 8876 S 0 0.7 0:15.22 /usr/sbin/apach
> 22026 www-data 20 0 281m 85m 2588 S 0 0.6 0:01.17 ruby1.9.1
> 22036 www-data 20 0 373m 105m 8828 S 0 0.8 0:11.54 /usr/sbin/apach
> 22038 www-data 20 0 382m 114m 8568 S 0 0.8 0:11.13 /usr/sbin/apach
> 22039 www-data 20 0 370m 102m 8780 S 0 0.7 0:12.27 /usr/sbin/apach
> 22774 root 20 0 0 0 0 S 0 0.0 0:00.04 kworker/0:1
> 23706 root 20 0 0 0 0 S 0 0.0 0:00.17 kworker/4:1
> 26207 root 20 0 267m 254m 239m S 0 1.8 1:44.91 netsniff-ng
> 26568 root 20 0 267m 254m 239m S 0 1.8 2:34.99 netsniff-ng
> 26817 sguil 20 0 111m 40m 1060 S 0 0.3 3:09.18 argus
> 27051 root 20 0 0 0 0 S 0 0.0 0:00.03 kworker/5:2
> 27077 root 20 0 16548 1520 1292 S 0 0.0 0:00.00 bash
> 27320 root 20 0 40604 5148 2736 S 0 0.0 0:16.02 tclsh
> 27322 root 20 0 11424 700 592 S 0 0.0 0:00.23 tail
> 27375 root 20 0 40604 5148 2736 S 0 0.0 0:15.28 tclsh
> 27377 root 20 0 11424 700 592 S 0 0.0 0:00.49 tail
> 27433 root 20 0 11424 704 592 S 0 0.0 0:00.69 tail
> 27973 root 20 0 0 0 0 S 0 0.0 0:00.02 kworker/5:1
> 27992 root 20 0 0 0 0 S 0 0.0 0:06.76 kworker/u:1
> 28812 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
> 28815 root 20 0 4400 324 220 S 0 0.0 0:00.00 sh
> 28820 root 20 0 4308 352 276 S 0 0.0 0:00.00 sleep
> 28823 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:2
> 28862 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:2
> 29690 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
> 29692 www-data 20 0 176m 7636 1324 S 0 0.1 0:00.00 /usr/sbin/apach
> 29709 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:0
> 29721 root 20 0 0 0 0 S 0 0.0 0:01.30 kworker/u:0
> 30200 root 20 0 90164 3948 3048 S 0 0.0 0:00.03 sshd
> 30678 xxxxxxxx 20 0 90164 1928 1024 S 0 0.0 0:00.01 sshd
> 30679 xxxxxxxx 20 0 31036 7948 1612 S 0 0.1 0:00.52 bash
> 30778 root 20 0 207m 31m 776 S 0 0.2 0:00.00 perl
> 30781 root 20 0 60308 2088 1540 S 0 0.0 0:00.05 sudo
> 30785 root 20 0 16540 1472 1248 S 0 0.0 0:00.00 sostat
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/SecOnionFW-eth1/dailylogs/
> /usr/bin/sostat: line 69: cd: /nsm/sensor_data/SecOnionFW-eth1/dailylogs: No such file or directory
> 23M .
> 12M ./.cache
> 9.1M ./.config
> 16K ./.dbus
> 4.0K ./Desktop
> 4.0K ./Documents
> 28K ./Downloads
> 32K ./.fontconfig
> 92K ./.gconf
> 8.0K ./.gnome2
> 392K ./.gstreamer-0.10
> 4.0K ./.gvfs
> 40K ./.local
> 4.0K ./.mono
> 4.0K ./Music
> 4.0K ./Pictures
> 36K ./.pki
> 4.0K ./Public
> 28K ./.pulse
> 12K ./.ssh
> 4.0K ./Templates
> 680K ./.thumbnails
> 4.0K ./Videos
> 12K ./.wireshark
> /usr/bin/sostat: line 69: cd: OLDPWD not set
>
> /nsm/sensor_data/securityonion-eth0/dailylogs/
> 61G .
> 11G ./2013-01-30
> 12G ./2013-01-31
> 14G ./2013-02-01
> 5.8G ./2013-02-02
> 5.3G ./2013-02-03
> 9.2G ./2013-02-04
> 4.0G ./2013-02-05
>
> /nsm/sensor_data/securityonion-eth1/dailylogs/
> 197G .
> 39G ./2013-01-30
> 41G ./2013-01-31
> 41G ./2013-02-01
> 7.2G ./2013-02-02
> 8.0G ./2013-02-03
> 50G ./2013-02-04
> 13G ./2013-02-05
>
> /nsm/sensor_data/securityonion-eth2/dailylogs/
> 453G .
> 115G ./2013-01-30
> 85G ./2013-01-31
> 92G ./2013-02-01
> 25G ./2013-02-02
> 26G ./2013-02-03
> 84G ./2013-02-04
> 29G ./2013-02-05
>
> /nsm/bro/logs/
> 689M .
> 66M ./2013-01-26
> 46M ./2013-01-27
> 63M ./2013-01-28
> 58M ./2013-01-29
> 62M ./2013-01-30
> 58M ./2013-01-31
> 54M ./2013-02-01
> 44M ./2013-02-02
> 42M ./2013-02-03
> 60M ./2013-02-04
> 25M ./2013-02-05
> 116M ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> /nsm/sensor_data/securityonion-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
> /nsm/sensor_data/securityonion-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
> /nsm/sensor_data/securityonion-eth2/snort-1.stats last reported pkt_drop_percent as 0.000
>
> =========================================================================
> pf_ring stats
> =========================================================================
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 596974
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 3473250
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-77-socket-0
> Tot Packets : 14797733
> Tot Pkt Lost : 657233
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 18570913
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 11146429
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 6411039
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 299 |
> +----------+
>
>
>
> On Monday, February 4, 2013 7:16:32 PM UTC-5, Doug Burks wrote:
>> Please send the output of the following (redacting sensitive info as necessary):
>>
>> sudo sostat
>>
>>
>>
>> Thanks,
>>
>> Doug
>>
>>
>>
>> On Fri, Feb 1, 2013 at 8:49 AM, Matthew Thacker
>>
>>

Doug Burks

Feb 7, 2013, 7:44:14 PM
to securit...@googlegroups.com
Since you manually built this box during Beta and it shows signs of
previous configuration (/nsm/sensor_data/SecOnionFW-eth1/), you might
want to consider re-installing from scratch.

If you choose not to do that, you'll definitely want to disable IPv6
on your sniffing interfaces by adding the following to the end of each
interface stanza:
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

It looks like you've configured for jumbo frames. Has anybody else
run Security Onion on jumbo frames?

Thanks,
Doug

On Wed, Feb 6, 2013 at 8:58 AM, Matthew Thacker
<matthewaa...@gmail.com> wrote:
> Manually. I built this server back when seconion was in beta and you hadn't yet added that option into the sosetup program. I followed the directions on the FAQ as best as possible though.
>
> auto eth4
> iface eth4 inet dhcp
> mtu 9000
> post-up ethtool -G eth4 rx-jumbo 8160 rx 2040; for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done
>
> # Connected to TAP or SPAN port for traffic monitoring
> auto eth0
> iface eth0 inet manual
> mtu 6128
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done
>
> auto eth1
> iface eth1 inet manual
> mtu 6128
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done
>
> auto eth2
> iface eth2 inet manual
> mtu 6128
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done
>
> auto eth3
> iface eth3 inet manual
> mtu 6128
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up for i in rx tx sg tso gso gro lro; do ethtool -K $IFACE $i off; done

Seth Hall

Feb 8, 2013, 12:17:20 AM
to securit...@googlegroups.com

On Feb 7, 2013, at 7:44 PM, Doug Burks <doug....@gmail.com> wrote:

> It looks like you've configured for jumbo frames. Has anybody else
> run Security Onion on jumbo frames?


It could be good to add a setting for the various tools to set their snap length if you haven't already. Bro's default snap length is 8192 but can be configured with the const variable "snaplen". Like this:

redef snaplen = 10000;

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

Doug Burks

Feb 8, 2013, 7:25:13 AM
to securit...@googlegroups.com
Thanks, Seth! I seem to remember an issue (perhaps in Bro 2.0 Beta?)
where Bro's default snaplen was 65535 and that caused performance
issues, so the default snaplen was then reverted to 8192. Is that
performance issue still a concern when increasing Bro's snaplen?

Thanks,
Doug

Seth Hall

Feb 8, 2013, 11:33:33 AM
to securit...@googlegroups.com

On Feb 8, 2013, at 7:25 AM, Doug Burks <doug....@gmail.com> wrote:

> Thanks, Seth! I seem to remember an issue (perhaps in Bro 2.0 Beta?)
> where Bro's default snaplen was 65535 and that caused performance
> issues, so the default snaplen was then reverted to 8192.

Yep, I think that was during the beta.

> Is that
> performance issue still a concern when increasing Bro's snaplen?


It's generally a performance concern with any tool. It would probably be good if you controlled the snap length for all the tools yourself because Snort and Suricata probably use similar default snap lengths.

Doug Burks

Feb 11, 2013, 6:49:09 AM
to securit...@googlegroups.com
On Fri, Feb 8, 2013 at 11:33 AM, Seth Hall <se...@icir.org> wrote:
> It would probably be good if you controlled the snap length for all the tools yourself because Snort and Suricata probably use similar default snap lengths.

According to Snort's README, the default snaplen is based on the interface MTU:

-P <snaplen> Set the snaplen of Snort to <snaplen>. This filters how much
of each packet gets into Snort, the default is the MTU for the
interface that Snort is currently listening on.

Is there a way to have Bro do the same?

Thanks,

Seth Hall

Feb 11, 2013, 10:13:09 AM
to securit...@googlegroups.com

On Feb 11, 2013, at 6:49 AM, Doug Burks <doug....@gmail.com> wrote:

> According to Snort's README, the default snaplen is based on the interface MTU:
>
> -P <snaplen> Set the snaplen of Snort to <snaplen>. This filters how much
> of each packet gets into Snort, the default is the MTU for the
> interface that Snort is currently listening on.


I'm not totally sure that's true. From a quick glance through their source code, it looks like they have a default snap length of 1514 (in Snort) unless that's overridden from the config file. Additionally, libdaq and Snort each have separate snap lengths.

I would check with someone at Sourcefire on that, but my suspicion is that the README is incorrect.

Doug Burks

Feb 13, 2013, 7:25:24 AM
to securit...@googlegroups.com
It looks like you're setting an mtu on each interface in
/etc/network/interfaces but it's not showing up in your ifconfig
output for any of the interfaces. You might try putting the mtu
setting in a pre-up command as shown here:
http://ubuntuforums.org/showthread.php?t=791962&page=2

Doug
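
The three problems raised in this thread (a jumbo-frame MTU larger than Bro's 8192 default snaplen, IPv6 left enabled on a sniffing interface, and an mtu stanza that never reached the kernel) can all be caught by reading the live kernel values instead of trusting /etc/network/interfaces. The following POSIX shell script is an added example, not code from the thread or from Security Onion; it assumes the standard Linux paths /sys/class/net/<if>/mtu and /proc/sys/net/ipv6/conf/<if>/disable_ipv6, allows 18 bytes of link-layer overhead (14-byte Ethernet header plus a 4-byte 802.1Q tag) on top of the MTU, and its demo interfaces and values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or Security Onion: check each sniffing
# interface's live MTU and IPv6 state against the capture snaplen. Paths are the
# standard Linux sysfs/procfs locations, overridable so the demo runs offline.
SYS_NET=${SYS_NET:-/sys/class/net}
PROC_IPV6=${PROC_IPV6:-/proc/sys/net/ipv6/conf}
BRO_DEFAULT_SNAPLEN=8192   # Bro's default, as stated in the thread
# Smallest snaplen that captures a whole frame at a given MTU: MTU + 14-byte
# Ethernet header + 4 bytes for an 802.1Q tag (assumed present on SPAN feeds).
required_snaplen() {
    echo $(( $1 + 14 + 4 ))
}

# $1 = snaplen, $2 = MTU. Succeeds when no frame at that MTU gets truncated.
snaplen_covers_mtu() {
    [ "$1" -ge "$(required_snaplen "$2")" ]
}

# Live kernel values, so an mtu stanza that never took effect is caught.
iface_mtu() { cat "$SYS_NET/$1/mtu"; }
iface_ipv6_disabled() { [ "$(cat "$PROC_IPV6/$1/disable_ipv6")" = 1 ]; }

# Check one interface: prints each finding, returns the number of findings.
check_iface() {
    iface=$1; snaplen=${2:-$BRO_DEFAULT_SNAPLEN}; problems=0
    mtu=$(iface_mtu "$iface") || { echo "$iface: cannot read mtu"; return 1; }
    if ! snaplen_covers_mtu "$snaplen" "$mtu"; then
        echo "$iface: mtu $mtu but snaplen $snaplen (need >= $(required_snaplen "$mtu")): jumbo frames get truncated"
        problems=$((problems + 1))
    fi
    if ! iface_ipv6_disabled "$iface"; then
        echo "$iface: ipv6 still enabled: the sniffing interface can emit its own traffic onto the tap"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sysfs/procfs tree for offline demonstration and testing.
# $1 = base dir, $2 = interface, $3 = mtu, $4 = disable_ipv6 value (0 or 1)
make_constructed_tree() {
    mkdir -p "$1/sys/$2" "$1/proc/$2"
    echo "$3" > "$1/sys/$2/mtu"
    echo "$4" > "$1/proc/$2/disable_ipv6"
}

# Demo on constructed interfaces: eth0 mirrors the thread's setup (jumbo MTU,
# IPv6 untouched), eth1 has a standard MTU with IPv6 disabled.
demo() (
    tmp=$(mktemp -d)
    make_constructed_tree "$tmp" eth0 9000 0
    make_constructed_tree "$tmp" eth1 1500 1
    SYS_NET=$tmp/sys PROC_IPV6=$tmp/proc
    for i in eth0 eth1; do
        check_iface "$i" "$BRO_DEFAULT_SNAPLEN" && echo "$i: ok"
    done
    rm -rf "$tmp"
)

# Usage: sh check_sniff.sh [iface ...]; with no arguments the offline demo runs.
if [ $# -gt 0 ]; then
    for i in "$@"; do check_iface "$i" "$BRO_DEFAULT_SNAPLEN" || true; done
else
    demo
fi
```

Run it with the real interface names after changing /etc/network/interfaces and bouncing the interfaces; an mtu that still reads 1500 means the stanza was not applied, whatever the file says.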

Doug Burks

Feb 13, 2013, 7:26:22 AM
to securit...@googlegroups.com
Thanks, Seth. I'll follow up with Sourcefire offline.
Doug