Please do not update until further notice! Ubuntu SSL packages seem to cause issues.


Doug Burks

Jun 11, 2015, 4:47:00 PM
to securit...@googlegroups.com
There appears to be an issue with the SSL packages that Ubuntu just
released. Please do not update your systems until further notice.

Thanks!

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Jeff Nucciarone

Jun 11, 2015, 4:47:36 PM
to securit...@googlegroups.com
OK, now what do I do??!!

boot back to a lower level?

Doug Burks

Jun 11, 2015, 4:50:23 PM
to securit...@googlegroups.com
I'll let you know as soon as I determine the best path forward.

Doug Burks

Jun 11, 2015, 5:01:40 PM
to securit...@googlegroups.com
After installing the latest Ubuntu updates, the Sguil client reports:

Error: SSL channel "sock4": error: dh key too small

This error message seems related to this:

"As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 768 bits, preventing a possible downgrade
attack."

http://www.ubuntu.com/usn/usn-2639-1/

Jeff Nucciarone

Jun 11, 2015, 5:25:20 PM
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 5:01:40 PM UTC-4, Doug Burks wrote:
> After installing the latest Ubuntu updates, the Sguil client reports:
>
> Error: SSL channel "sock4": error: dh key too small
>
> This error message seems related to this:
>
> "As a security improvement, this update also modifies OpenSSL behaviour to
> reject DH key sizes below 768 bits, preventing a possible downgrade
> attack."
>
> http://www.ubuntu.com/usn/usn-2639-1/

So how do we increase the strength of the key?

Doug Burks

Jun 11, 2015, 5:27:32 PM
to securit...@googlegroups.com
I'll let you know as soon as I determine the best path forward.

Doug Burks

Jun 11, 2015, 6:40:50 PM
to securit...@googlegroups.com
I asked the following question to the Ubuntu folks:
https://answers.launchpad.net/ubuntu/+source/tcltls/+question/268051

Hope to hear back tonight.

Matt .

Jun 11, 2015, 6:46:59 PM
to securit...@googlegroups.com
The 1st time I patch all systems at once instead of waiting a day or more after the 1st system. Doh!

Jeff Nucciarone

Jun 11, 2015, 7:06:55 PM
to securit...@googlegroups.com
Hopefully you get an answer soon so that this doesn't die on the vine.

Doug Burks

Jun 11, 2015, 8:25:25 PM
to securit...@googlegroups.com
For those who've already installed the new OpenSSL 1.0.1-4ubuntu5.31
packages, here's an emergency bandaid you can try until we get a
proper fix.

Downgrade your OpenSSL packages to the previous version by running the
following command:
sudo apt-get install libssl-dev=1.0.1-4ubuntu3 libssl-doc=1.0.1-4ubuntu3 libssl1.0.0=1.0.1-4ubuntu3 openssl=1.0.1-4ubuntu3

If that doesn't work for you, here is a longer set of steps to try.

Determine what ssl packages you have installed that need to be downgraded:
dpkg -l | grep ssl | grep "ubuntu5.31"

You will most likely have four packages:
ii  libssl-dev    1.0.1-4ubuntu5.31  SSL development libraries, header files and documentation
ii  libssl-doc    1.0.1-4ubuntu5.31  SSL development documentation documentation
ii  libssl1.0.0   1.0.1-4ubuntu5.31  SSL shared libraries
ii  openssl       1.0.1-4ubuntu5.31  Secure Socket Layer (SSL) binary and related cryptographic tools

For each of these packages, do the following (replacing PACKAGENAME
with the actual package name) to see what versions are available:
apt-cache showpkg PACKAGENAME

For example:
apt-cache showpkg libssl-dev |more
Package: libssl-dev
Versions:
1.0.1-4ubuntu5.31
(/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise-updates_main_binary-amd64_Packages)
(/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_precise-security_main_binary-amd64_Packages)
(/var/lib/dpkg/status)
Description Language:
File:
/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages
MD5: 3f77df7ec43dcb3f3b73c312168c730e
Description Language: en
File:
/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise_main_i18n_Translation-en
MD5: 3f77df7ec43dcb3f3b73c312168c730e

1.0.1-4ubuntu3 (/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages)
Description Language:
File:
/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise_main_binary-amd64_Packages
MD5: 3f77df7ec43dcb3f3b73c312168c730e
Description Language: en
File:
/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise_main_i18n_Translation-en
MD5: 3f77df7ec43dcb3f3b73c312168c730e

In this case, we see that the previous version is 1.0.1-4ubuntu3.

Downgrade all packages to the previous version using "apt-get install"
and specifying the version number. In this case, we downgrade to
1.0.1-4ubuntu3 using the following command:

sudo apt-get install libssl-dev=1.0.1-4ubuntu3 libssl-doc=1.0.1-4ubuntu3 libssl1.0.0=1.0.1-4ubuntu3 openssl=1.0.1-4ubuntu3

On Thu, Jun 11, 2015 at 7:06 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> Hopefully you get an answer soon so that this doesn't die on the vine.
>

Doug Burks

Jun 11, 2015, 8:38:30 PM
to securit...@googlegroups.com
Of course, please keep in mind that this is just an emergency bandaid
and it downgrades your system to a previous version of OpenSSL that
has security vulnerabilities. But this may be an acceptable risk for
those who just need to get their sensors back up and running at least
until Ubuntu provides an updated tcltls package.

Matt .

Jun 11, 2015, 10:17:58 PM
to securit...@googlegroups.com
Thanks Doug,

I've done this on one server so far. The initial downgrade worked to some extent. I didn't initially need to try searching for other versions. Though I did seem to need to reboot to get it going after downgrading, even though it didn't ask to be rebooted.

Processing seems to have fully resumed, and is catching up, and SGUIL loads on the server. But it appears Apache, or something related, isn't working. I can't browse to the server web sites locally or remotely. Both locally and remotely the error is "Connection Refused".

But since everything else seems to be ok I can wait till tomorrow.

Attached is output for sostat -redacted in case you're interested.

Thanks,
Matt

On Thursday, June 11, 2015 at 5:25:25 PM UTC-7, Doug Burks wrote:
> For those who've already installed the new OpenSSL 1.0.1-4ubuntu5.31
> packages, here's an emergency bandaid you can try until we get a
> proper fix.
>
> Downgrade your OpenSSL packages to the previous version by running the
> following command:
> sudo apt-get install libssl-dev=1.0.1-4ubuntu3
> libssl-doc=1.0.1-4ubuntu3 libssl1.0.0=1.0.1-4ubuntu3
> openssl=1.0.1-4ubuntu3
>
> If that doesn't work for you, here is a longer set of steps to try.

<deleted to save space>

Matt sostat 061115.log

Matt .

Jun 11, 2015, 10:21:07 PM
to securit...@googlegroups.com
I forgot to mention that I also did try <dpkg -l | grep ssl | grep "ubuntu5.31"> to see if there was something else to downgrade due to the web site issue. But it doesn't return any results.

Rehnquyst

Jun 12, 2015, 1:21:44 AM
to securit...@googlegroups.com
FYI, I did not experience this issue in regards to not being able to connect to Snorby/Squert. Just so you know, this is not universal.

Shane Castle

Jun 12, 2015, 2:21:12 AM
to securit...@googlegroups.com
Just so you know: after my update, here is what is installed:

ii  libssl-dev    1.0.1-4ubuntu5.28  SSL development libraries, header files and documentation
ii  libssl-doc    1.0.1-4ubuntu5.28  SSL development documentation documentation
ii  libssl1.0.0   1.0.1-4ubuntu5.28  SSL shared libraries
ii  openssl       1.0.1-4ubuntu5.28  Secure Socket Layer (SSL) binary and related cryptographic tools

AFAICT, I am having no issues with any components. I am running a simple
unified server/sensor, in one VM. This is a system initially installed
from the 12.04.3-20130904 iso image and updated since. On login using
SSH, I see "Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-85-generic
x86_64)".

If you want me to check or research anything let me know.

Sorry you are having to deal with this issue.

On 12.06.2015 02:25, Doug Burks wrote:
> dpkg -l | grep ssl | grep "ubuntu5.31"

--
With best regards
Shane Castle

Shane Castle

Jun 12, 2015, 2:49:55 AM
to securit...@googlegroups.com
But now the 1.0.1-4ubuntu5.31 versions are waiting to be installed.
Holding off for now.

Shane Castle

Jun 12, 2015, 3:57:44 AM
to securit...@googlegroups.com
Hmm - I see you've had no answer. I suspect the real bug is the mod to
reject DH512, which seems dumb to me, and I bet lots of things besides
tcltls break because of it. I begin to understand why the OpenBSD guys
have forked their own version of OpenSSL.

I've been looking to try to see if some change can be made to permit
DH512 (was hoping the openssl.cnf file might work) but so far no joy.

On 12.06.2015 00:40, Doug Burks wrote:
> I asked the following question to the Ubuntu folks:
> https://answers.launchpad.net/ubuntu/+source/tcltls/+question/268051
>
> Hope to hear back tonight.


Shane Castle

Jun 12, 2015, 4:35:37 AM
to securit...@googlegroups.com
Looking at the openssl diffs I see that the 768-bit req is hard-coded
into s3_clnt.c. This blog entry (
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
) indicates that soon they will increase the limit to 1024, and generate
2048 DH keys by default. So it seems that modifying tcltls to generate
larger DH keys (probably 2048) is the only solution.

I still think they should have permitted the 512-bit requirement to be
overridden, that this will break lots of things, and they are going to
get flamed.

I think you should change your question to a bug report for tcltls, if
that's possible. Claiming that it's an OpenSSL bug seems hopeless.
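Added example for this thread (not code from Security Onion, Sguil, tcltls or the Ubuntu packages): a small pure-Python checker that reads a PKCS#3 "DH PARAMETERS" PEM file, extracts the prime and classifies its size against the three thresholds discussed above (the 768-bit floor from USN-2639-1, the announced 1024-bit floor, and the 2048-bit default). The fixture builder make_dh_params_pem is only there so the script runs offline; the values it wraps are constructed and are not real primes.

```python
"""Report the size of the DH group in a PKCS#3 "DH PARAMETERS" file.
Added example: the Ubuntu OpenSSL update rejects groups below 768 bits
("dh key too small"); OpenSSL has announced a 1024-bit floor and 2048 defaults."""
import base64
import re

# Thresholds from the thread: current Ubuntu floor, announced next floor,
# and the size OpenSSL says it will generate by default.
REJECTED_BELOW = 768
UPCOMING_FLOOR = 1024
RECOMMENDED = 2048


def _der_length(n):
    """Encode a DER length (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(n):
    """Encode a non-negative int as DER INTEGER (extra 0x00 when the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(raw)) + raw


def make_dh_params_pem(p, g=2):
    """Constructed PEM fixture for testing this checker offline.
    p is NOT checked for primality; never use the output as a real DH group."""
    body = _der_integer(p) + _der_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_length(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _read_integer(buf, pos):
    """Decode the DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER at offset %d" % pos)
    length, pos = _read_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def parse_dh_params(der):
    """Return (p, g) from PKCS#3 DHParameter ::= SEQUENCE { prime, base, ... }."""
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, pos = _read_length(der, 1)
    p, pos = _read_integer(der, pos)
    g, _ = _read_integer(der, pos)  # an optional privateValueLength after g is ignored
    return p, g


def pem_to_der(pem_text):
    """Extract and base64-decode the DH PARAMETERS block from PEM text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def classify_dh_bits(bits):
    """Map the prime size onto the thresholds the thread discusses."""
    if bits < REJECTED_BELOW:
        return "rejected"          # current Ubuntu OpenSSL: "dh key too small"
    if bits < UPCOMING_FLOOR:
        return "rejected-soon"     # passes today, fails once the floor moves to 1024
    if bits < RECOMMENDED:
        return "below-recommended"
    return "ok"


def check_dh_pem(pem_text):
    """Return (prime_bits, verdict) for the contents of a PEM DH parameters file."""
    p, _ = parse_dh_params(pem_to_der(pem_text))
    bits = p.bit_length()
    return bits, classify_dh_bits(bits)


if __name__ == "__main__":
    # Constructed fixtures standing in for 512-, 1024- and 2048-bit groups.
    for size in (512, 1024, 2048):
        print(size, check_dh_pem(make_dh_params_pem((1 << (size - 1)) | 1)))
```

To check a real file, pass the text of a dhparam PEM (for example one generated with openssl dhparam) to check_dh_pem.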

Torgeir Natvig

Jun 12, 2015, 6:46:47 AM
to securit...@googlegroups.com
If you can't downgrade, a workaround could be to force some other cipher on the sensors, like MD5.

Change these lines in snort_agent.tcl and pcap_agent.tcl:

tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Doug Burks

Jun 12, 2015, 7:01:50 AM
to securit...@googlegroups.com
Hi Matt,

I think your Apache issue is unrelated. Please start a new thread to
troubleshoot it and include any clues from the Apache logs in
/var/log/apache2/.

Doug Burks

Jun 12, 2015, 7:10:38 AM
to securit...@googlegroups.com

Doug Burks

Jun 12, 2015, 7:13:47 AM
to securit...@googlegroups.com
Hi Torgeir,

Thanks for your feedback!

I looked at changing the cipher in the tcl agents as an option as
well. I'm hoping that Ubuntu will respond quickly with a tcltls
package update, but if that doesn't happen, I may end up having to
build new Sguil packages with updated ciphers.



Jeff Nucciarone

Jun 12, 2015, 9:40:02 AM
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 8:38:30 PM UTC-4, Doug Burks wrote:
> Of course, please keep in mind that this is just an emergency bandaid
> and it downgrades your system to a previous version of OpenSSL that
> has security vulnerabilities. But this may be an acceptable risk for
> those who just need to get their sensors back up and running at least
> until Ubuntu provides an updated tcltls package.

Downgraded and rebooted. pcap_agent and snort_agent seem to be running OK. The sguil console starts. However, no fresh alerts since the update yesterday at 19:00. Perhaps it is just busy trying to work through the backlog?

Doug Burks

Jun 12, 2015, 9:47:05 AM
to securit...@googlegroups.com
Please send sostat output.

Jeff Nucciarone

Jun 12, 2015, 10:08:08 AM
to securit...@googlegroups.com
On Friday, June 12, 2015 at 9:47:05 AM UTC-4, Doug Burks wrote:
> Please send sostat output.
>

tail of pcap_agent.log:

Sending sguild (sock3) LastPcapTime {2015-06-12 13:52:02}
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received

tail of snort_agent.log:

Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received

tail of barnyard2.log:

WARNING: Ignoring bad line in SID file: 'v1'
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /nsm/sensor_data/REDACTED-eth2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
sguil: sensor name = REDACTED-eth2
sguil: agent port = 8000
sguil: Connected to localhost on 8000.

sostat from the master:

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 5239 9 12 Jun 13:21:45
proxy proxy localhost running 5423 9 12 Jun 13:21:47
SO-server-eth2-1 worker localhost running 6638 2 12 Jun 13:21:51
SO-server-eth2-2 worker localhost running 6633 2 12 Jun 13:21:51
SO-server-eth2-3 worker localhost running 6632 2 12 Jun 13:21:51
SO-server-eth2-4 worker localhost running 6634 2 12 Jun 13:21:51
SO-server-eth3-1 worker localhost running 6631 2 12 Jun 13:21:51
SO-server-eth3-2 worker localhost running 6636 2 12 Jun 13:21:51
SO-server-eth3-3 worker localhost running 6637 2 12 Jun 13:21:51
SO-server-eth3-4 worker localhost running 6635 2 12 Jun 13:21:51
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 149G 44G 97G 32% /
udev 32G 4.0K 32G 1% /dev
tmpfs 6.3G 852K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 32G 0 32G 0% /run/shm
/dev/sdb2 18T 15T 2.8T 84% /nsm
/dev/sda1 484M 300M 159M 66% /boot
/dev/sda5 29G 174M 27G 1% /tmp
/dev/sda10 9.4G 170M 8.8G 2% /usr/local
/dev/sda11 19G 492M 18G 3% /home
/dev/sda7 29G 1011M 26G 4% /var
/dev/sdb1 1.0T 150G 875G 15% /var/lib/mysql
/dev/sda8 29G 5.4G 22G 20% /var/log
/dev/sda9 9.4G 150M 8.8G 2% /var/log/audit

=========================================================================
IDS Rules Update
=========================================================================
Fri Jun 12 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
Running PulledPork.
Error 500 when fetching https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
mainX.X.X.Xmd5file('open-nogpl', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2973.tar.gz....
Rules tarball download of snortrules-snapshot-2973.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Updating Snorby's sig_reference table.../usr/bin/rule-update: line 309: 9557 Segmentation fault /usr/bin/barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf > /var/log/nsm/barnyard2-snorby.log 2>&1
done.
Restarting Barnyard2.
Restarting: SO-server-eth2
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth2
* stopping: suricata (alert data)
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
27.77 23.29 16.06
Processing units: 24
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 13:51:01 up 30 min, 2 users, load average: 27.77, 23.29, 16.06
Tasks: 384 total, 25 running, 359 sleeping, 0 stopped, 0 zombie
Cpu(s): 38.4%us, 12.9%sy, 0.9%ni, 44.9%id, 1.9%wa, 0.0%hi, 1.0%si, 0.0%st
Mem: 65965188k total, 65707376k used, 257812k free, 59384k buffers
Swap: 36981308k total, 268k used, 36981040k free, 49126608k cached

%CPU %MEM COMMAND
278 0.6 /usr/sbin/mysqld
90.0 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
105 2.1 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth2/suricata.yaml --pfring=eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2
92.0 0.8 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_150
90.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
88.2 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
86.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
85.6 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
82.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
81.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
76.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
73.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
66.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
58.3 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
49.9 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
32.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.8 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo -i 1 -U
27.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo -i 1 -U
24.8 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
24.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
16.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.4 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.1 0.9 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth2/bpf-pcap.ops
7.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
5.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
4.6 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.5 7.5 /usr/bin/searchd --nodetach
2.7 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.7 1.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth3/suricata.yaml --pfring=eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3
1.7 0.0 /var/ossec/bin/ossec-syscheckd
1.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.4 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.3 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.7 0.1 /usr/bin/python /usr/bin/salt-master
0.6 0.0 wish /usr/bin/SO-user.tk
0.5 0.0 [flush-8:16]
0.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.4 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.3 0.0 /var/ossec/bin/ossec-analysisd
0.3 0.0 sshd: SO-user
0.3 0.1 delayed_job
0.3 0.0 [kworker/0:2]
0.2 0.0 sshd: SO-user
0.2 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
0.2 0.0 [xfsaild/sdb2]
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /sbin/init
0.1 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.1 0.0 [kswapd1]
0.1 0.0 [kworker/0:0]
0.1 0.0 [kworker/0:3]
0.1 0.0 [kswapd0]
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.0 /usr/bin/python /usr/bin/salt-minion
0.1 0.1 /usr/sbin/apache2 -k start
0.1 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 sshd: SO-user@pts/2
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/1:0]
0.0 0.0 -bash
0.0 0.0 [kworker/1:1]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/1:2]
0.0 0.0 -bash
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/u:0]
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 [xfsaild/sdb1]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.8 netsniff-ng -i eth3 -o /nsm/sensor_data/SO-server-eth3/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth3/bpf-pcap.ops
0.0 0.0 [migration/0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [flush-8:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/12:1]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [xfsbufd/sdb2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 [ksoftirqd/15]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/4:2]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 Passenger spawn server
0.0 0.0 [migration/1]
0.0 0.0 [migration/2]
0.0 0.0 [migration/3]
0.0 0.0 [migration/4]
0.0 0.0 [migration/5]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [migration/8]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [migration/10]
0.0 0.0 [migration/11]
0.0 0.0 [migration/12]
0.0 0.0 [migration/13]
0.0 0.0 [migration/16]
0.0 0.0 [migration/17]
0.0 0.0 [migration/18]
0.0 0.0 [migration/20]
0.0 0.0 [migration/21]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [migration/23]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 [kworker/13:1]
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 lightdm
0.0 0.0 cron
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/8:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/14:2]
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [kworker/5:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 PassengerHelperAgent
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/23:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/19:1]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [watchdog/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [watchdog/7]
0.0 0.0 [kworker/8:0]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [watchdog/9]
0.0 0.0 [kworker/10:0]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [watchdog/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [kworker/16:0]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [watchdog/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [kworker/19:0]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [watchdog/20]
0.0 0.0 [kworker/21:0]
0.0 0.0 [watchdog/21]
0.0 0.0 [kworker/22:0]
0.0 0.0 [watchdog/22]
0.0 0.0 [kworker/23:0]
0.0 0.0 [watchdog/23]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [kworker/u:1]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/15:1]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [edac-poller]
0.0 0.0 [kpsmoused]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|lost+found|SO-user|SO-user/SO-user/g
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: 27067858
eth3: 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 10 days
7.8T .
1000G ./2015-06-03
771G ./2015-06-04
612G ./2015-06-05
850G ./2015-06-06
1.2T ./2015-06-07
464G ./2015-06-08
862G ./2015-06-09
908G ./2015-06-10
815G ./2015-06-11
555G ./2015-06-12

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 10 days
6.0M .
1.2M ./2015-06-03
996K ./2015-06-04
100K ./2015-06-05
148K ./2015-06-06
1.0M ./2015-06-07
136K ./2015-06-08
68K ./2015-06-09
96K ./2015-06-10
1.3M ./2015-06-11
1004K ./2015-06-12

/nsm/bro/logs/ - 20 days
53G .
1.7G ./2015-05-24
1.8G ./2015-05-25
2.8G ./2015-05-26
2.7G ./2015-05-27
2.8G ./2015-05-28
2.9G ./2015-05-29
1.7G ./2015-05-30
1.9G ./2015-05-31
3.3G ./2015-06-01
3.6G ./2015-06-02
3.2G ./2015-06-03
3.3G ./2015-06-04
3.1G ./2015-06-05
1.5G ./2015-06-06
1.9G ./2015-06-07
3.4G ./2015-06-08
3.0G ./2015-06-09
3.3G ./2015-06-10
3.1G ./2015-06-11
1.4G ./2015-06-12
1.3G ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth2-1: 1434117062.946515 recvd=5067633 dropped=0 link=5067633
SO-server-eth2-2: 1434117063.146265 recvd=6463885 dropped=0 link=6463885
SO-server-eth2-3: 1434117063.346373 recvd=3338798 dropped=0 link=3338798
SO-server-eth2-4: 1434117062.585244 recvd=13876547 dropped=0 link=13876547
SO-server-eth3-1: 1434117063.746455 recvd=0 dropped=0 link=0
SO-server-eth3-2: 1434117063.946420 recvd=0 dropped=0 link=0
SO-server-eth3-3: 1434117064.150450 recvd=0 dropped=0 link=0
SO-server-eth3-4: 1434117064.350567 recvd=0 dropped=0 link=0

=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth2/stats.log
tcp.ssn_memcap_drop | RxPFReth24 | 0
tcp.segment_memcap_drop | RxPFReth24 | 0

/nsm/sensor_data/SO-server-eth3/stats.log
tcp.ssn_memcap_drop | RxPFReth34 | 0
tcp.segment_memcap_drop | RxPFReth34 | 0


=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 16

Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/6631-eth3.1
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6632-eth2.2
Appl. Name : bro-eth2
Tot Packets : 3341882
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6633-eth2.5
Appl. Name : bro-eth2
Tot Packets : 6479368
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6634-eth2.3
Appl. Name : bro-eth2
Tot Packets : 14055060
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 0

/proc/net/pf_ring/6635-eth3.7
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6636-eth3.6
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6637-eth3.4
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/6638-eth2.8
Appl. Name : bro-eth2
Tot Packets : 5071877
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

/proc/net/pf_ring/7192-eth2.9
Appl. Name : Suricata
Tot Packets : 3225736
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65523

/proc/net/pf_ring/7194-eth2.10
Appl. Name : Suricata
Tot Packets : 13463541
Tot Pkt Lost : 2890133
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 0

/proc/net/pf_ring/7195-eth2.11
Appl. Name : Suricata
Tot Packets : 6322912
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65318

/proc/net/pf_ring/7196-eth2.12
Appl. Name : Suricata
Tot Packets : 4960118
Tot Pkt Lost : 66309
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65342

/proc/net/pf_ring/7381-eth3.13
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538

/proc/net/pf_ring/7383-eth3.14
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538

/proc/net/pf_ring/7389-eth3.15
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538

/proc/net/pf_ring/7391-eth3.16
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log Processed: +559626 Lost: -309720
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150608000004 Processed: +405673 Lost: -39608
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +134665 Lost: -41651
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +199478 Lost: -56179
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +202015 Lost: -64280
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +144792 Lost: -55219
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +138168 Lost: -45614
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +145931 Lost: -79232
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142384 Lost: -93918
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +111200 Lost: -58768
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +170675 Lost: -26390
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +160829 Lost: -23526
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +220800 Lost: -98712
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +121634 Lost: -4157
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +383817 Lost: -47196
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +203344 Lost: -217257
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142529 Lost: -33740
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +243511 Lost: -5928
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +154932 Lost: -26336
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +462978 Lost: -3431
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +159543 Lost: -41148
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +185819 Lost: -25878
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +213027 Lost: -27718
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +172679 Lost: -393
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +183188 Lost: -51550
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +116575 Lost: -116274
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +81423 Lost: -8794
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +209425 Lost: -28287

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
7487

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
26732 1:2000419 ET POLICY PE EXE or DLL Windows file download
2541 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1664 1:2220006 SURICATA SMTP no server welcome message
1283 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
946 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
868 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
822 1:2015561 ET INFO PDF Using CCITTFax Filter
553 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
461 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
274 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
271 1:2001219 ET SCAN Potential SSH Scan
257 1:2013298 ET POLICY Nessus Server SSL certificate detected
230 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
213 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
201 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
153 1:2018087 ET INFO Control Panel Applet File Download
144 1:2001329 ET POLICY RDP connection request
141 1:2001330 ET POLICY RDP connection confirm
139 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
133 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
129 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
124 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
121 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
113 1:2013028 ET POLICY curl User-Agent Outbound
99 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
98 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
87 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
87 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
78 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
75 1:2008581 ET P2P BitTorrent DHT ping request
71 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
64 1:2522770 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386
60 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
58 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
48 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
45 1:2522466 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234
42 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
41 1:2522230 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
39 1:2402000 ET DROP Dshield Block Listed Source group 1
39 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
38 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
36 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
35 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
32 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
32 1:2012648 ET POLICY Dropbox Client Broadcasting
31 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
28 1:2000418 ET POLICY Executable and linking format (ELF) file download
26 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
25 1:2522388 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195
24 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
23 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
22 1:2002157 ET CHAT Skype User-Agent detected
18 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
16 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
16 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
14 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
14 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
13 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
13 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
12 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
11 1:2020085 ET ATTACK_RESPONSE Microsoft CScript Banner Outbound
11 1:2000345 ET TROJAN IRC Nick change on non-standard port
10 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
9 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
8 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
8 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
8 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
7 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
7 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
6 1:2000032 ET NETBIOS LSA exploit
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
5 1:2016847 ET INFO Possible Chrome Plugin install
5 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
5 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
5 1:2008120 ET TFTP Outbound TFTP Read Request
4 1:2000334 ET P2P BitTorrent peer sync
4 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
4 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4 1:2019542 ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)
4 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
4 1:2014041404 TLSv1.2 Malicious Heartbleed Request V2
4 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
3 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
3 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
3 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2 1:2013414 ET POLICY Executable served from Amazon S3
2 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
2 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
2 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
2 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
2 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
2 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
2 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
2 1:2000347 ET TROJAN IRC Private message on non-standard port
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
2 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
2 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
2 1:2014906 ET INFO .exe File requested over FTP
2 1:2522906 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454
2 1:2018193 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30
2 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
2 1:2221013 SURICATA HTTP request header invalid
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0
1 1:18206 OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt
1 1:2002664 ET SCAN Nessus User Agent
1 1:2014781 ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net
1 1:2010067 ET POLICY Data POST to an image file (jpg)
1 1:21858 FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2012118 ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect
1 1:2520110 ET TOR Known Tor Exit Node Traffic group 56
1 1:2500068 ET COMPROMISED Known Compromised or Hostile Host Traffic group 35
1 1:2523066 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534
1 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2014727 ET POLICY Outdated Mac Flash Version
1 1:2522660 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331
1 1:2403331 ET CINS Active Threat Intelligence Poor Reputation IP group 32
1 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 1:2500090 ET COMPROMISED Known Compromised or Hostile Host Traffic group 46
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1 1:2017877 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6
1 1:30514 SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2522110 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56
1 1:2014041720 OpenSSL SSLv3 heartbeat read overrun attempt
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2019284 ET ATTACK_RESPONSE Output of id command from HTTP server
1 1:2520132 ET TOR Known Tor Exit Node Traffic group 67
1 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
1 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
1 1:2522526 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264
1 1:2403324 ET CINS Active Threat Intelligence Poor Reputation IP group 25
1 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
1 1:20878 OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt
1 1:2522784 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393
1 1:2403323 ET CINS Active Threat Intelligence Poor Reputation IP group 24
1 1:2008986 ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
1 1:2522718 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360
1 1:2014041714 SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2403314 ET CINS Active Threat Intelligence Poor Reputation IP group 15
1 1:2404015 ET CNC Shadowserver Reported CnC Server IP group 16
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2522132 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2522272 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137
1 1:2014041722 OpenSSL TLSv1.1 heartbeat read overrun attempt
1 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
Total
40287

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1430177 1:2000419 ET POLICY PE EXE or DLL Windows file download
935789 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
900546 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
221289 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
214793 1:2013298 ET POLICY Nessus Server SSL certificate detected
184360 1:2015561 ET INFO PDF Using CCITTFax Filter
157869 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
146003 1:2008117 ET TFTP Outbound TFTP Data Transfer
118188 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
117459 1:2220006 SURICATA SMTP no server welcome message
114367 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
97757 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
94777 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
78288 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
78288 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
77769 1:2001329 ET POLICY RDP connection request
63587 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
45162 1:2001330 ET POLICY RDP connection confirm
43070 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
41652 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
34400 1:2008453 ET SCAN Tomcat Auth Brute Force attempt (admin)
31996 1:2001219 ET SCAN Potential SSH Scan
25392 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
20085 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
19411 1:2002157 ET CHAT Skype User-Agent detected
16890 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
15860 1:2210004 SURICATA STREAM 3way handshake SYNACK resend with different ack
14329 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
13718 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
13083 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
12379 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
12131 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
11892 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
11436 1:2019232 ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
11281 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
10644 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
10298 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
10032 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
9020 1:2221002 SURICATA HTTP request field missing colon
8525 1:2013028 ET POLICY curl User-Agent Outbound
8375 1:2008581 ET P2P BitTorrent DHT ping request
7147 1:31978 OS-OTHER Bash CGI environment variable injection attempt
6349 1:2018087 ET INFO Control Panel Applet File Download
5881 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
5504 1:2019239 ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie
5357 1:2221013 SURICATA HTTP request header invalid
4705 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4639 1:2012648 ET POLICY Dropbox Client Broadcasting
4457 1:25358 APP-DETECT Acunetix web vulnerability scan attempt
3663 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
Total
5649988

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
26732 1:2000419 ET POLICY PE EXE or DLL Windows file download
2540 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1664 1:2220006 SURICATA SMTP no server welcome message
1283 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
946 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
868 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
822 1:2015561 ET INFO PDF Using CCITTFax Filter
553 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
461 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
274 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
271 1:2001219 ET SCAN Potential SSH Scan
257 1:2013298 ET POLICY Nessus Server SSL certificate detected
230 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
213 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
201 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
153 1:2018087 ET INFO Control Panel Applet File Download
144 1:2001329 ET POLICY RDP connection request
141 1:2001330 ET POLICY RDP connection confirm
139 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
133 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
129 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
124 1:2008517 Snort Alert [1:2008517:2]
121 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
113 1:2013028 ET POLICY curl User-Agent Outbound
99 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
98 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
87 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
87 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
78 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
75 1:2008581 ET P2P BitTorrent DHT ping request
71 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
64 1:2522770 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386
60 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
58 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
48 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
45 1:2522466 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234
42 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
41 1:2522230 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
39 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
39 1:2402000 ET DROP Dshield Block Listed Source group 1
38 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
36 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
35 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
32 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
32 1:2012648 ET POLICY Dropbox Client Broadcasting
31 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
28 1:2000418 ET POLICY Executable and linking format (ELF) file download
26 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
25 1:2522388 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195
24 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
23 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
22 1:2002157 ET CHAT Skype User-Agent detected
18 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
16 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
16 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
14 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
14 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
13 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
13 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
12 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
11 1:2020085 ET ATTACK_RESPONSE Microsoft CScript Banner Outbound
11 1:2000345 ET TROJAN IRC Nick change on non-standard port
10 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
9 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
8 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
8 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
8 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
7 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
7 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
6 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2000032 ET NETBIOS LSA exploit
5 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
5 1:2008120 ET TFTP Outbound TFTP Read Request
5 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
5 1:2016847 ET INFO Possible Chrome Plugin install
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
4 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
4 1:2000334 ET P2P BitTorrent peer sync
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
4 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
4 1:2014041404 TLSv1.2 Malicious Heartbleed Request V2
4 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
4 1:2019542 ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
3 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
3 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
3 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
3 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
2 1:2221013 SURICATA HTTP request header invalid
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
2 1:2013414 ET POLICY Executable served from Amazon S3
2 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
2 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
2 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
2 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
2 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
2 1:2522906 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454
2 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
2 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
2 1:2018193 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30
2 1:2014906 ET INFO .exe File requested over FTP
2 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
2 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
2 1:2000347 ET TROJAN IRC Private message on non-standard port
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2500090 ET COMPROMISED Known Compromised or Hostile Host Traffic group 46
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2019284 ET ATTACK_RESPONSE Output of id command from HTTP server
1 1:2522784 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393
1 1:2520110 ET TOR Known Tor Exit Node Traffic group 56
1 1:2522110 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2403324 ET CINS Active Threat Intelligence Poor Reputation IP group 25
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2520132 ET TOR Known Tor Exit Node Traffic group 67
1 1:2522132 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67
1 1:2500068 ET COMPROMISED Known Compromised or Hostile Host Traffic group 35
1 1:2403314 ET CINS Active Threat Intelligence Poor Reputation IP group 15
1 1:2403331 ET CINS Active Threat Intelligence Poor Reputation IP group 32
1 1:2403323 ET CINS Active Threat Intelligence Poor Reputation IP group 24
1 1:2002664 ET SCAN Nessus User Agent
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2404015 ET CNC Shadowserver Reported CnC Server IP group 16
1 1:2522718 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360
1 1:2014727 ET POLICY Outdated Mac Flash Version
1 1:2522272 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137
1 1:2523066 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2014781 ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net
1 1:2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
1 1:2014041722 OpenSSL TLSv1.1 heartbeat read overrun attempt
1 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
1 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
1 1:2010067 ET POLICY Data POST to an image file (jpg)
1 1:2522660 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331
1 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
1 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
1 1:2014041720 OpenSSL SSLv3 heartbeat read overrun attempt
1 1:2017877 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6
1 1:2008986 Snort Alert [1:2008986:5]
1 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
1 1:2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2522526 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2012118 ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect
1 1:30514 SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2014041714 SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 1:21858 FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt
1 1:20878 OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt
1 1:18206 OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt
Total
40287

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
184026 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
177134 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
153320 1:2000419 ET POLICY PE EXE or DLL Windows file download
147316 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
112205 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
39907 1:2015561 ET INFO PDF Using CCITTFax Filter
21426 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
18988 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
17253 1:2220006 SURICATA SMTP no server welcome message
14457 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
10248 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
7284 1:2013298 ET POLICY Nessus Server SSL certificate detected
7256 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
6946 1:2008517 Snort Alert [1:2008517:2]
5965 1:2221002 SURICATA HTTP request field missing colon
5532 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
4579 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4260 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
4140 1:2001219 ET SCAN Potential SSH Scan
3831 1:2221013 SURICATA HTTP request header invalid
3439 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2816 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
2779 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2629 1:2013028 ET POLICY curl User-Agent Outbound
2421 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2385 1:2001329 ET POLICY RDP connection request
2298 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
2242 1:2001330 ET POLICY RDP connection confirm
2008 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
1915 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
1835 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
1789 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
1749 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
1314 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
1290 1:2008581 ET P2P BitTorrent DHT ping request
975 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
813 1:2018087 ET INFO Control Panel Applet File Download
762 1:2012648 ET POLICY Dropbox Client Broadcasting
714 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
695 1:2018489 ET SCAN NMAP OS Detection Probe
621 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
610 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
605 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
547 1:2522778 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390
523 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
430 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
430 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
424 1:2010066 ET POLICY Data POST to an image file (gif)
420 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
408 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
Total
999876

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2606 supervising syslog-ng
2608 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
2656 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
2647 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
15096 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_150
24821 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_76
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
8
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
6.3T /nsm/elsa/data
424M /var/lib/mysql/syslog
858M /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2014-03-20 20:01:00 2015-06-12 13:46:37

ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X

Richard Anderson

unread,
Jun 12, 2015, 10:18:22 AM6/12/15
to securit...@googlegroups.com
Doing the downgrade solved the issue for me. I only patched the server and none of the sensors.

Jeff Nucciarone

unread,
Jun 12, 2015, 10:27:16 AM6/12/15
to securit...@googlegroups.com
On Friday, June 12, 2015 at 9:47:05 AM UTC-4, Doug Burks wrote:
> Please send sostat output.

I just ran top on the master and the load has shot to over 40 with a boatload of perl.

15125 root 20 0 291m 93m 5560 R 99 0.1 45:42.94 perl
24122 root 20 0 291m 93m 5524 R 95 0.1 28:51.81 perl
15262 root 20 0 291m 93m 5556 R 95 0.1 42:36.11 perl
30078 root 20 0 289m 92m 5560 R 92 0.1 9:45.12 perl
31847 root 20 0 291m 93m 5524 R 91 0.1 9:46.89 perl
4108 root 20 0 287m 89m 5560 R 88 0.1 16:31.56 perl
869 root 20 0 291m 93m 5560 R 87 0.1 8:19.47 perl
6633 sguil 20 0 758m 701m 520m R 83 1.1 17:57.30 bro
26542 root 20 0 287m 89m 5524 R 83 0.1 22:35.21 perl
8108 root 20 0 291m 93m 5524 R 82 0.1 53:33.15 perl
19481 root 20 0 291m 93m 5556 R 80 0.1 36:39.01 perl
20611 root 20 0 289m 92m 5560 R 76 0.1 34:02.74 perl
22052 root 20 0 289m 91m 5524 R 76 0.1 33:32.70 perl
30223 root 20 0 291m 93m 5556 R 76 0.1 9:12.22 perl
19588 root 20 0 291m 93m 5560 R 74 0.1 33:59.47 perl
31908 root 20 0 291m 93m 5524 R 72 0.1 9:18.91 perl
17889 root 20 0 289m 92m 5556 R 71 0.1 39:32.87 perl
15197 root 20 0 287m 89m 5556 R 66 0.1 44:55.10 perl
21232 root 20 0 291m 93m 5556 R 66 0.1 29:41.90 perl
18013 root 20 0 291m 93m 5556 R 65 0.1 37:32.00 perl
2656 mysql 20 0 5359m 410m 8388 S 62 0.6 127:31.22 mysqld
6933 sguil 20 0 1935m 1.4g 434m S 62 2.2 67:09.43 Suricata-Main
25873 root 20 0 287m 89m 5552 R 60 0.1 10:17.85 perl
930 root 20 0 291m 93m 5556 R 58 0.1 7:16.58 perl
22377 root 20 0 287m 89m 5556 R 58 0.1 23:15.50 perl
815 root 20 0 291m 93m 5556 R 55 0.1 8:31.90 perl
16635 root 20 0 291m 93m 5560 R 52 0.1 39:58.00 perl

root 812 0.0 0.0 4396 608 ? Ss 14:12 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 815 68.4 0.1 298616 96208 ? R 14:12 9:10 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 868 0.0 0.0 4396 612 ? Ss 14:13 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 869 73.2 0.1 298440 95980 ? R 14:13 9:05 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 928 0.0 0.0 4396 612 ? Ss 14:14 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 930 69.2 0.1 298368 95992 ? R 14:14 7:54 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1015 0.0 0.0 4396 612 ? Ss 14:15 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1016 0.9 0.0 241660 56592 ? S 14:15 0:06 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1575 0.0 0.0 4396 612 ? Ss 14:16 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1576 0.3 0.0 241224 56092 ? S 14:16 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1635 0.0 0.0 4396 612 ? Ss 14:17 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1636 0.3 0.0 241120 56060 ? S 14:17 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1684 0.0 0.0 4396 612 ? Ss 14:18 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1686 0.3 0.0 241224 56092 ? S 14:18 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1736 0.0 0.0 4396 608 ? Ss 14:19 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1737 0.5 0.0 241224 56088 ? S 14:19 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 1808 0.0 0.0 4396 608 ? Ss 14:20 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 1816 0.5 0.0 241120 56060 ? S 14:20 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 2379 0.0 0.0 4396 612 ? Ss 14:21 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 2382 0.6 0.0 241224 56092 ? S 14:21 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 2457 0.0 0.0 4396 612 ? Ss 14:22 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 2459 0.8 0.0 241120 56056 ? S 14:22 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 2514 0.0 0.0 4396 608 ? Ss 14:23 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 2516 1.7 0.0 241120 56060 ? S 14:23 0:02 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 2568 0.0 0.0 4396 608 ? Ss 14:24 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 2571 2.1 0.0 241224 56092 ? S 14:24 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 2644 0.0 0.0 4396 608 ? Ss 14:25 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 2648 0.0 0.0 4396 608 ? S 13:20 0:00 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
root 2649 8.4 0.0 224096 46132 ? R 13:20 5:29 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
root 2653 6.4 0.0 241224 55828 ? S 14:25 0:01 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1000 3156 0.0 0.0 13604 932 pts/1 S+ 14:25 0:00 egrep --color=auto perl
root 4105 0.0 0.0 4396 608 ? Ss 13:21 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 4108 26.7 0.1 294516 92128 ? R 13:21 17:13 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 8105 0.0 0.0 4396 608 ? Ss 13:24 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 8108 88.2 0.1 298392 96028 ? R 13:24 54:10 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 15123 0.0 0.0 4396 612 ? Ss 13:33 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 15125 88.6 0.1 298592 96032 ? R 13:33 46:29 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 15193 0.0 0.0 4396 612 ? Ss 13:34 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 15197 88.6 0.1 294440 92080 ? R 13:34 45:33 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 15255 0.0 0.0 4396 604 ? Ss 13:35 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 15262 85.8 0.1 298616 96192 ? R 13:35 43:15 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 16632 0.0 0.0 4396 604 ? Ss 13:37 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 16635 83.8 0.1 298604 96056 ? R 13:37 40:36 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 17885 0.0 0.0 4396 596 ? Ss 13:39 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 17889 86.7 0.1 296732 94364 ? R 13:39 40:16 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 18007 0.0 0.0 4396 612 ? Ss 13:40 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 18013 84.0 0.1 298616 96208 ? R 13:40 38:09 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 19477 0.0 0.0 4396 608 ? Ss 13:42 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 19481 86.0 0.1 298624 96060 ? R 13:42 37:21 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 19585 0.0 0.0 4396 560 ? Ss 13:43 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 19588 81.7 0.1 298600 96204 ? R 13:43 34:38 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 20607 0.0 0.0 4396 608 ? Ss 13:45 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 20611 85.9 0.1 296900 94352 ? R 13:45 34:44 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 21230 0.0 0.0 4396 608 ? Ss 13:46 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 21232 77.0 0.1 298536 95968 ? R 13:46 30:22 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 22049 0.0 0.0 4396 608 ? Ss 13:47 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 22052 89.0 0.1 296612 94136 ? R 13:47 34:11 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 22374 0.0 0.0 4396 612 ? Ss 13:49 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 22377 65.5 0.1 294380 91988 ? R 13:49 23:52 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 24120 0.0 0.0 4396 612 ? Ss 13:51 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 24122 86.0 0.1 298364 95724 ? R 13:51 29:37 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 25858 0.0 0.0 4396 604 ? Ss 13:55 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 25873 36.1 0.1 294384 91992 ? R 13:55 10:59 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 26539 0.0 0.0 4396 608 ? Ss 13:57 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 26542 82.0 0.1 294316 91876 ? R 13:57 23:18 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 30076 0.0 0.0 4396 612 ? Ss 14:01 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 30078 42.9 0.1 296816 94336 ? R 14:01 10:29 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 30165 0.0 0.0 4396 608 ? Ss 14:02 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 30168 0.4 0.0 241616 56648 ? S 14:02 0:06 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 30221 0.0 0.0 4396 612 ? Ss 14:03 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 30223 43.8 0.1 298376 95972 ? R 14:03 9:49 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 31842 0.0 0.0 4396 608 ? Ss 14:09 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 31847 63.8 0.1 298556 95948 ? R 14:09 10:28 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
root 31905 0.0 0.0 4396 608 ? Ss 14:10 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
root 31908 64.9 0.1 298388 95748 ? R 14:10 10:00 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf

I thought I saw another topic related to this. I have no active ELSA queries running. Perhaps ELSA's gone nuts because mysql is honked down due to the SSL issues?

Whatever the case, this is the update from hell.

Doug Burks

unread,
Jun 12, 2015, 10:31:57 AM6/12/15
to securit...@googlegroups.com
Replies inline.

On Fri, Jun 12, 2015 at 10:27 AM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> root 31905 0.0 0.0 4396 608 ? Ss 14:10 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
> root 31908 64.9 0.1 298388 95748 ? R 14:10 10:00 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
>
> I thought I saw another topic related to this. I have no active ELSA queries running. Perhaps ELSA's gone nuts because mysql is honked down due to the SSL issues?

Do you have any ELSA alerts?
- click ELSA
- click Alerts

You can also check the log files in /nsm/elsa/data/elsa/log/ for
additional clues.

> Whatever the case, this is the update from hell.

I understand your frustration, but comments like this are unnecessary.
Please be patient while we work through these issues. Thanks.

simon.p...@googlemail.com

unread,
Jun 12, 2015, 10:52:30 AM6/12/15
to securit...@googlegroups.com
I went with Torgeirs solution.

In /usr/bin on the sensors, change the tls lines for any running agents (e.g. snort_agent.tcl / sancp_agent.tcl / pcap_agent.tcl / pads_agent.tcl) from:

tls::import $sguildSocketID -ssl2 false -ssl3 false -tls1 true
tls::import $sguildSocketID -ssl2 false -ssl3 false -tls1 true

to:

tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true -cipher MD5
tls::import $sguildSocketID -ssl2 false -ssl3 false -tls1 true -cipher MD5

On the server edit /usr/bin/sguil.tk and change the tls line from :

tls::import $socketID -ssl2 false -ssl3 false -tls1 true

to:

tls::import $socketID -ssl2 false -ssl3 false -tls1 true -cipher MD5

Doug / Torgeir, I appreciate your help with this issue.

Jeff Nucciarone

unread,
Jun 12, 2015, 11:07:32 AM6/12/15
to securit...@googlegroups.com
On Friday, June 12, 2015 at 10:31:57 AM UTC-4, Doug Burks wrote:
> Replies inline.
>
> On Fri, Jun 12, 2015 at 10:27 AM, Jeff Nucciarone
> <jeff.nu...@gmail.com> wrote:
> > root 31905 0.0 0.0 4396 608 ? Ss 14:10 0:00 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
> > root 31908 64.9 0.1 298388 95748 ? R 14:10 10:00 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
> >
> > I thought I saw another topic related to this. I have no active ELSA queries running. Perhaps ELSA's gone nuts because mysql is honked down due to the SSL issues?
>
> Do you have any ELSA alerts?
> - click ELSA
> - click Alerts
>
nothing there.

> You can also check the log files in /nsm/elsa/data/elsa/log/ for
> additional clues.
>

node.log has a lot of these. Sending just a snippet:

* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2571 [undef]
* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 1737 [undef]
* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2382 [undef]
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3630 [undef]
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2516 [undef]
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2459 [undef]
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3185 [undef]
* ERROR [2015/06/12 14:33:38] /opt/elsa/web/cron.pl (64) main:: 5023 [undef]
Total errors: 0 (%0)
* ERROR [2015/06/12 14:34:31] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
Total errors: 1 (%0.00168183117778637)
* ERROR [2015/06/12 14:35:05] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
Total errors: 1 (%0.00183928341518145)
* ERROR [2015/06/12 14:36:06] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
Total errors: 1 (%0.00177336407164391)
* ERROR [2015/06/12 14:36:39] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
* ERROR [2015/06/12 14:37:08] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
Total errors: 2 (%0.00394601846736643)

web.log had these, again just a snippet:

* ERROR [2015/06/12 14:13:40] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 869 [undef]
* ERROR [2015/06/12 14:14:40] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 930 [undef]
* ERROR [2015/06/12 14:27:37] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 30168 [undef]
* ERROR [2015/06/12 14:30:54] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 1016 [undef]
* ERROR [2015/06/12 14:33:04] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 1576 [undef]
* ERROR [2015/06/12 14:33:27] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 1686 [undef]
* ERROR [2015/06/12 14:33:35] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 1816 [undef]
* ERROR [2015/06/12 14:33:39] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 2653 [undef]
* ERROR [2015/06/12 14:34:55] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5074 [undef]
* ERROR [2015/06/12 14:36:01] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5173 [undef]
* ERROR [2015/06/12 14:37:05] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5648 [undef]
* ERROR [2015/06/12 14:37:59] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5704 [undef]
* ERROR [2015/06/12 14:38:58] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5779 [undef]
* ERROR [2015/06/12 14:40:34] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5829 [undef]
* ERROR [2015/06/12 14:41:04] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 5894 [undef]
* ERROR [2015/06/12 14:42:38] /opt/elsa/web/lib/Utils.pm (142) Utils::_dbh_error_handler 6376 [undef]


> > Whatever the case, this is the update from hell.
>
> I understand your frustration, but comments like this are unnecessary.
> Please be patient while we work through these issues. Thanks.

Doug, don't take it the wrong way. We're in it together. Me, ankle deep. You, waist deep, perhaps already up to your neck, trying to fix it.

Doug Burks

unread,
Jun 12, 2015, 11:10:21 AM6/12/15
to securit...@googlegroups.com
On Fri, Jun 12, 2015 at 11:07 AM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> node.log has a lot of these. Sending just a snippet:
>
> * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2571 [undef]
> * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 1737 [undef]
> * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2382 [undef]
> * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3630 [undef]
> * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2516 [undef]
> * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2459 [undef]
> * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3185 [undef]
> * ERROR [2015/06/12 14:33:38] /opt/elsa/web/cron.pl (64) main:: 5023 [undef]

Let's focus in on these.

Was this a simple "grep -i error node.log"?

If so, is there any additional detail on the following lines?
grep -i error -A2 node.log

Doug Burks

unread,
Jun 12, 2015, 11:44:50 AM6/12/15
to securit...@googlegroups.com
I found this bug on the upstream tcltls project:
http://sourceforge.net/p/tls/bugs/59/

So my guess is that Ubuntu will defer to the upstream tcltls project,
waiting on them to do an official update, and then we'd have to hope
that Ubuntu packages that update for 12.04 or backports the fix to the
existing package.

We may have to go ahead and update our Sguil packages to force a
different cipher.

Jeff Nucciarone

unread,
Jun 12, 2015, 11:53:28 AM6/12/15
to securit...@googlegroups.com
Inline

On Friday, June 12, 2015 at 11:10:21 AM UTC-4, Doug Burks wrote:
> On Fri, Jun 12, 2015 at 11:07 AM, Jeff Nucciarone
> <jeff.nu...@gmail.com> wrote:
> > node.log has a lot of these. Sending just a snippet:
> >
> > * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2571 [undef]
> > * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 1737 [undef]
> > * ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2382 [undef]
> > * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3630 [undef]
> > * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2516 [undef]
> > * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2459 [undef]
> > * ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3185 [undef]
> > * ERROR [2015/06/12 14:33:38] /opt/elsa/web/cron.pl (64) main:: 5023 [undef]
>
> Let's focus in on these.
>
> Was this a simple "grep -i error node.log"?
>

yes

> If so, is there any additional detail on the following lines?
> grep -i error -A2 node.log
>
If I just run the grep I get 9488 lines of glorious output. A lot to wade thru considering you're fighting something like 3 different fires at the moment.

If I zero in on the last error message from above, I get this:

* ERROR [2015/06/12 14:33:38] /opt/elsa/web/cron.pl (64) main:: 5023 [undef]
Another cron.pl script is querying, exiting
* WARN [2015/06/12 14:33:38] /opt/elsa/node/Reader.pm (369) Reader::parse_line 2649 [undef]

I'm guessing this doesn't get us much (Another cron.pl script is querying, exiting) as there were 70+ scripts running.

If I strip out references to the other running scripts and just look at the time stamp 14:33:xx I see these:

* ERROR [2015/06/12 14:32:19] /opt/elsa/node/elsa.pl (295) main::_process_batch 2649 [undef]
Unable to parse log line: . Only parsed into:
$VAR1 = [
--
Total errors: 1 (%0.00173451511629924)
* DEBUG [2015/06/12 14:32:38] /opt/elsa/node/elsa.pl (318) main::_process_batch 2649 [undef]
file size for file /nsm/elsa/data/elsa/tmp/buffers//1434119498.59198 is 20380262
--
* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2571 [undef]
* DEBUG [2015/06/12 14:33:33] /opt/elsa/web/../node//Indexer.pm (145) Indexer::_get_current_archive_size 2516 [undef]
--
* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 1737 [undef]
* TRACE [2015/06/12 14:33:33] /opt/elsa/web/../node//Indexer.pm (1805) Indexer::_release_lock 2382 [undef]
--
* ERROR [2015/06/12 14:33:33] /opt/elsa/web/cron.pl (64) main:: 2382 [undef]
* WARN [2015/06/12 14:33:33] /opt/elsa/web/../node//Indexer.pm (803) Indexer::_check_consolidate 3630 [undef]
--
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3630 [undef]
* TRACE [2015/06/12 14:33:34] /opt/elsa/web/../node//Indexer.pm (1782) Indexer::_get_lock 2459 [undef]
--
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2516 [undef]
* WARN [2015/06/12 14:33:34] /opt/elsa/web/../node//Indexer.pm (803) Indexer::_check_consolidate 2459 [undef]
--
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 2459 [undef]
* WARN [2015/06/12 14:33:34] /opt/elsa/web/../node//Indexer.pm (803) Indexer::_check_consolidate 3185 [undef]
--
* ERROR [2015/06/12 14:33:34] /opt/elsa/web/cron.pl (64) main:: 3185 [undef]
* WARN [2015/06/12 14:33:34] /opt/elsa/node/Reader.pm (369) Reader::parse_line 2649 [undef]
--
* ERROR [2015/06/12 14:33:38] /opt/elsa/web/cron.pl (64) main:: 5023 [undef]
* WARN [2015/06/12 14:33:38] /opt/elsa/node/Reader.pm (369) Reader::parse_line 2649 [undef]
--
Total errors: 0 (%0)
* DEBUG [2015/06/12 14:33:38] /opt/elsa/node/elsa.pl (318) main::_process_batch 2649 [undef]
file size for file /nsm/elsa/data/elsa/tmp/buffers//1434119558.59848 is 19215902

I dumped the results to a file but it is much too large to post here. Is there an alternative location I can dump these and other log files to make it easier on you? Do you use box or something similar?

Jeff Nucciarone

unread,
Jun 12, 2015, 12:01:11 PM6/12/15
to securit...@googlegroups.com
On Friday, June 12, 2015 at 11:53:28 AM UTC-4, Jeff Nucciarone wrote:
> Inline
>
> On Friday, June 12, 2015 at 11:10:21 AM UTC-4, Doug Burks wrote:
> > On Fri, Jun 12, 2015 at 11:07 AM, Jeff Nucciarone
> > <jeff.nu...@gmail.com> wrote:
> > > node.log has a lot of these. Sending just a snippet:
> > >

Doug - let's move this ELSA related discussion to the other thread on ELSA issues to keep things topically in place.

Jeff Nucciarone

unread,
Jun 12, 2015, 12:02:04 PM6/12/15
to securit...@googlegroups.com
On Friday, June 12, 2015 at 11:44:50 AM UTC-4, Doug Burks wrote:
> I found this bug on the upstream tcltls project:
> http://sourceforge.net/p/tls/bugs/59/
>
> So my guess is that Ubuntu will defer to the upstream tcltls project,
> waiting on them to do an official update, and then we'd have to hope
> that Ubuntu packages that update for 12.04 or backports the fix to the
> existing package.
>
> We may have to go ahead and update our Sguil packages to force a
> different cipher.

Thanks for your efforts on this, it really is appreciated.

Matt .

unread,
Jun 12, 2015, 12:10:35 PM6/12/15
to securit...@googlegroups.com
My other servers downgraded the ssl updates without issue.

If you need any information from a server that seems to be working fine post downgrade let me know. I'm happy to run any queries and send the output.

I'll start a new thread on the apache issue after the fires are out. :)

Thanks for your work on SO, and this current fun, been there before I can imagine how your last few hours have been.

Thanks,
Matt

Jeff Nucciarone

unread,
Jun 12, 2015, 12:20:20 PM6/12/15
to securit...@googlegroups.com
UPDATE at 12:20 PM: Clearing the ELSA load issue cleared up the logjam. Events are now updating. Mysql just couldn't catch up.

Doug Burks

unread,
Jun 12, 2015, 4:41:04 PM6/12/15
to securit...@googlegroups.com
I've created the following issue for this:

Update Sguil to use non-DH cipher #749
https://github.com/Security-Onion-Solutions/security-onion/issues/749

Doug Burks

unread,
Jun 15, 2015, 10:18:20 AM6/15/15
to securit...@googlegroups.com
Please note that this is a single command that wrapped in the email and
became three lines. If you just copy/paste, you end up with three
different commands.

On Mon, Jun 15, 2015 at 10:12 AM, <namobud...@gmail.com> wrote:
> Running this command:
> sudo apt-get install libssl-dev=1.0.1-4ubuntu3
> libssl-doc=1.0.1-4ubuntu3 libssl1.0.0=1.0.1-4ubuntu3
> openssl=1.0.1-4ubuntu3
>
> and the subsequent ones yield the following error (any ideas to move forward):
> ********************************error*****************************
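The downgrade step discussed above, written out as a script (an added example, not something posted in the thread or shipped with Security Onion): it builds the one-line apt-get command for all four packages, verifies with dpkg-query that they really ended up on the same version, and holds them so the next update run does not pull the rejected build back in. The package names and the 1.0.1-4ubuntu3 version are the ones quoted in the thread for Ubuntu 12.04; apt-mark hold is assumed to be available (on an apt without it, `echo PKG hold | dpkg --set-selections` does the same job). The dpkg-query lines used to exercise the check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pin the four OpenSSL packages to one
# version in a single apt-get invocation, then verify they really match.
# Assumption: package names and version are the ones quoted in the thread
# (1.0.1-4ubuntu3 on Ubuntu 12.04); adjust for your release.

OPENSSL_PKGS="libssl-dev libssl-doc libssl1.0.0 openssl"

# Build the one-line apt-get command: every package gets the same "=VERSION"
# suffix so apt resolves them together instead of failing with
# "Depends: libssl1.0.0 (= ...) but ... is to be installed".
build_downgrade_cmd() {
    version=$1; shift
    cmd="apt-get install"
    for pkg in "$@"; do
        cmd="$cmd $pkg=$version"
    done
    printf '%s\n' "$cmd"
}

# Read "package version" lines (dpkg-query format) on stdin and succeed only
# when every package reports the expected version; list the offenders on stderr.
versions_match() {
    expected=$1
    bad=0
    while read -r pkg ver; do
        [ -z "$pkg" ] && continue
        if [ "$ver" != "$expected" ]; then
            printf 'MISMATCH: %s is %s, expected %s\n' "$pkg" "$ver" "$expected" >&2
            bad=1
        fi
    done
    return $bad
}

# Live query on a real host: installed versions of the four packages.
installed_versions() {
    # shellcheck disable=SC2086
    dpkg-query -W -f='${Package} ${Version}\n' $OPENSSL_PKGS
}

# Downgrade, verify, then hold so unattended updates do not re-upgrade
# until Sguil/tcltls has been fixed. Undo the hold with "apt-mark unhold".
downgrade_openssl() {
    version=$1
    # shellcheck disable=SC2086
    sudo sh -c "$(build_downgrade_cmd "$version" $OPENSSL_PKGS)" || return 1
    installed_versions | versions_match "$version" || return 1
    # shellcheck disable=SC2086
    sudo apt-mark hold $OPENSSL_PKGS
}

# Constructed dpkg-query output, the shape a half-applied downgrade leaves behind.
SAMPLE_MIXED='libssl1.0.0 1.0.1-4ubuntu5.31
openssl 1.0.1-4ubuntu3'

# Usage on a Security Onion 12.04 box (version assumed from the thread):
#   downgrade_openssl 1.0.1-4ubuntu3
```

Running `printf '%s\n' "$SAMPLE_MIXED" | versions_match 1.0.1-4ubuntu3` fails and names libssl1.0.0, which is exactly the state apt refuses to build on when the packages are installed one at a time.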

Doug Burks

unread,
Jun 15, 2015, 10:18:56 AM6/15/15
to securit...@googlegroups.com
You should be able to delete your own messages through the web interface:
https://groups.google.com/forum/#!forum/security-onion

On Mon, Jun 15, 2015 at 10:17 AM, <namobud...@gmail.com> wrote:
>
> Can you please delete this message and the prior one as it contains information I should have redacted.

namobud...@gmail.com

unread,
Jun 15, 2015, 10:26:11 AM6/15/15
to securit...@googlegroups.com
Thanks Doug,

The following is the output I get when I try to run the recommended command to downgrade:

sudo apt-get install libssl-dev=1.0.1-4ubuntu3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
libssl-dev : Depends: libssl1.0.0 (= 1.0.1-4ubuntu3) but 1.0.1-4ubuntu5.31 is to be installed
E: Unable to correct problems, you have held broken packages.

Any ideas how to move forward from here?

Thanks!

Karl Browning

unread,
Jun 15, 2015, 10:30:25 AM6/15/15
to securit...@googlegroups.com

Try:

Lee Sharp

unread,
Jun 15, 2015, 10:30:44 AM6/15/15
to securit...@googlegroups.com
On 06/15/2015 09:26 AM, namobud...@gmail.com wrote:
> Thanks Doug,
>
> The following is the output I get when I try to run the recommended command to downgrade:
>
> sudo apt-get install libssl-dev=1.0.1-4ubuntu3

You need to install ALL of the packages on one line at the same time.
Do not cut and paste, as that includes the CR/LB.

Lee

Dave

unread,
Jun 15, 2015, 10:35:09 AM6/15/15
to securit...@googlegroups.com
Doing this also worked for me.

namobud...@gmail.com

unread,
Jun 15, 2015, 10:35:38 AM6/15/15
to securit...@googlegroups.com
Awesome Karl!

This worked, do I just need to reboot?

Thanks!

Karl Browning

unread,
Jun 15, 2015, 10:37:35 AM6/15/15
to securit...@googlegroups.com

I think a reboot is required after that. I'm not sure. I'd do one if you can.

namobud...@gmail.com

unread,
Jun 15, 2015, 10:43:21 AM6/15/15
to securit...@googlegroups.com
Thanks, it's now registering in Sguil. The symptom which started everything was that Snorby was not showing that agent. Does this take a little while to kick back in?

Thanks to the awesome Gurus of the group.

namobud...@gmail.com

unread,
Jun 15, 2015, 10:44:14 AM6/15/15
to securit...@googlegroups.com
Just wondering: do the "\" in the command mean soft carriage returns, so it doesn't start until the last line?

Thanks!


On Monday, June 15, 2015 at 10:30:25 AM UTC-4, Karl Browning wrote:

Karl Browning

unread,
Jun 15, 2015, 10:55:57 AM6/15/15
to securit...@googlegroups.com

I'll leave that to the real gurus. I just know how to copy/paste from a group like this. ;)

Doug Burks is doing an awesome job, and I wait for confirmation of the actual fix to this issue.

Lee Sharp

unread,
Jun 15, 2015, 11:10:44 AM6/15/15
to securit...@googlegroups.com
On 06/15/2015 09:44 AM, namobud...@gmail.com wrote:
> Just wondering do the "\" in the command mean soft carriage returns so it doesn't start until the last line?

Yes. It is a way to continue a single line after a cr/lb so you can
make cleaner looking scripts.

Lee

Shane Castle

unread,
Jun 15, 2015, 11:25:02 AM6/15/15
to securit...@googlegroups.com
I did some research on this today. The tcltls package uses a built-in
512-bit DH key, and no options for accessing a parameter file to force
it to use an external DH key, nor does it permit self-generating
ephemeral keys - in other words, it's pretty basic. I built a
"dh2048.pem" (see notes below), and one of the openssl options is to
show how to replicate that key as a static key in C, which I also did.
The quick fix that the tcltls authors can implement, then, is to
substitute the 2048-bit static key definition for the 512-bit one,
recompile, and produce a new package. So far there is no action on the
reported bug ( http://sourceforge.net/p/tls/bugs/59/ ).

So, it seems that in order for SO to move forward, and not have to do
one-off "apt-get install" commands for each new component so as to avoid
installing the latest openssl, we will have to modify the sguil agents
and the client to use the different cipher. These are:

sguil.tk
http_agent.tcl
ossec_agent.tcl
pads_agent.tcl
pcap_agent.tcl
sancp_agent.tcl
snort_agent.tcl

All in /usr/bin. Also, pcap_agent.tcl and sancp_agent.tcl have more than
one usage of 'tls::import', so all of them will need to be changed.

Also, in /usr/lib/sguild, we might have to change SguildConnect.tcl, but
so far it seems only the agents need to be changed. (I don't quite
understand this, because when building an SSL web server one is
cautioned to build a DH2048 param file and put it in the key storage
directory, and the sguild process is acting as the server here.)

Notes:
openssl dhparam -out ./keys/dh2048.pem 2048
openssl dhparam -in ./keys/dh2048.pem -C

On 12.06.2015 13:13, Doug Burks wrote:
> Hi Torgeir,
>
> Thanks for your feedback!
>
> I looked at changing the cipher in the tcl agents as an option as
> well. I'm hoping that Ubuntu will respond quickly with a tcltls
> package update, but if that doesn't happen, I may end up having to
> build new Sguil packages with updated ciphers.
>
> On Fri, Jun 12, 2015 at 5:53 AM, Torgeir Natvig
> <torgeir...@gmail.com> wrote:
>> If you can't downgrade, a workaround could be to force some other
>> cipher on the sensors, like MD5.
>>
>> change these lines in snort_agent.tcl and pcap_agent.tcl:
>>
>> tls::import $dataChannelID -ssl2 false -ssl3 false -tls1 true
>> -cipher MD5
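A set of checks for the points Torgeir and Shane raise above, as an added example rather than code from the thread, from Sguil or from tcltls: it parses the DH group size that openssl s_client reports for a server, the size of a dhparam file, and which suites of an OpenSSL cipher string still use DH key exchange. The -cipher MD5 workaround sidesteps the DH size check because the MD5-MAC suites it selects, such as RC4-MD5, use RSA key exchange; RC4 and MD5 are weak by today's standards, so treat it as a stopgap until a non-DH AES suite or a larger DH group is in place. Assumptions: an OpenSSL 1.0.2 or newer client (older s_client does not print the "Server Temp Key" line), sguild on its default port 7734, and the sample outputs embedded in the script are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check what DH group size a TLS server
# actually presents, whether a DH parameter file is large enough, and whether
# a cipher string still selects DH key-exchange suites.
# Assumptions: OpenSSL 1.0.2+ client for the "Server Temp Key" line;
# sguild on its default port 7734.

# Floor introduced by USN-2639-1 on Ubuntu 12.04/14.04 (OpenSSL 1.1+ uses 1024).
DH_FLOOR_BITS=768

# Parse "openssl s_client" output on stdin and print the DH size in bits,
# e.g. "Server Temp Key: DH, 512 bits" -> 512. Prints nothing when the
# server used a non-DH exchange (ECDH, RSA) or the client is too old.
server_dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p'
}

# Parse "openssl dhparam -in FILE -text -noout" output on stdin and print
# the parameter size, e.g. "PKCS#3 DH Parameters: (2048 bit)" -> 2048.
dhparam_bits() {
    sed -n 's/.*Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed when BITS meets the floor; fail (as the patched OpenSSL does with
# "dh key too small") when it is below it or no DH size was found.
dh_acceptable() {
    bits=$1
    [ -n "$bits" ] && [ "$bits" -ge "$DH_FLOOR_BITS" ]
}

# From "openssl ciphers -v" output on stdin, print the suites whose key
# exchange is DH (Kx=DH, Kx=DH/RSA, ...). An empty result means the string
# cannot trip the DH size check; it says nothing about the strength of
# whatever suites remain (RC4-MD5 passes this test and is still weak).
dh_suites() {
    awk '$3 == "Kx=DH" || $3 ~ /^Kx=DH\// { print $1 }'
}

# Live helpers for a real host; the samples below are constructed output.
probe_server() {          # probe_server HOST [PORT]
    openssl s_client -connect "$1:${2:-7734}" -cipher 'DHE' </dev/null 2>/dev/null \
        | server_dh_bits
}
check_dhparam_file() {    # check_dhparam_file ./keys/dh2048.pem
    openssl dhparam -in "$1" -text -noout | dhparam_bits
}
check_cipher_string() {   # check_cipher_string 'MD5'
    openssl ciphers -v "$1" | dh_suites
}

# Constructed sample: what s_client prints against a tcltls peer with its
# built-in 512-bit group.
SAMPLE_SCLIENT='CONNECTED(00000003)
Server Temp Key: DH, 512 bits
SSL handshake has read 1212 bytes and written 438 bytes'

# Constructed sample in the "openssl ciphers -v" column layout.
SAMPLE_CIPHERS='RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1'

# Command-line use (hostname assumed):
#   bits=$(probe_server sguild.example.internal)
#   dh_acceptable "$bits" || echo "sguild offers ${bits:-no} DH bits; clients on the new OpenSSL will refuse it"
```

Against the constructed sample, `printf '%s\n' "$SAMPLE_SCLIENT" | server_dh_bits` yields 512, which `dh_acceptable` rejects, while `printf '%s\n' "$SAMPLE_CIPHERS" | dh_suites` lists only DHE-RSA-AES256-SHA: the ECDHE suite is not affected by the DH floor, and RC4-MD5 is not affected either, which is why forcing the MD5 string makes the handshake succeed.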

Giovanni Mellini

unread,
Jun 15, 2015, 11:50:03 AM6/15/15
to securit...@googlegroups.com
Hi,
I did the upgrade to the broken SSL package and after reading this thread I did the revert to the working package.
After a reboot I cannot see the snort alerts anymore.
Can someone help in solving this?
How can I debug the problem?

Tks
Giovanni

Il giorno giovedì 11 giugno 2015 22:47:00 UTC+2, Doug Burks ha scritto:
> There appears to be an issue with the SSL packages that Ubuntu just
> released. Please do not update your systems until further notice.
>
> Thanks!

Doug Burks

unread,
Jun 15, 2015, 11:53:02 AM6/15/15
to securit...@googlegroups.com
Hi Giovanni,

Please start a new thread and include sostat-redacted output.

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.



Giovanni Mellini

Jun 15, 2015, 1:09:47 PM
to securit...@googlegroups.com

Dear Doug
After some minutes the sensors started to log again, so sorry for the email.
I can confirm that the openssl downgrade works fine.

Tks
Giovanni


Jeff

Jun 15, 2015, 2:31:40 PM
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 1:47:00 PM UTC-7, Doug Burks wrote:
> There appears to be an issue with the SSL packages that Ubuntu just
> released. Please do not update your systems until further notice.
>
> Thanks!
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com

I am in the process of setting up a new standalone sensor. Normally I would update after installing SO but am reluctant to do that with the ssl package problem.

What is the best way for me to proceed without breaking things? If I proceed with setting things up without updating, will that cause me problems down the line?

I installed via the Security Onion ISO (securityonion-12.04.5.1-20150205.iso).

namobud...@gmail.com

Jun 15, 2015, 2:39:11 PM
to securit...@googlegroups.com
Couldn't you do the regular build, and then just downgrade the SSL using the procedure which was a simple cut and paste for me this morning?

Doug Burks

Jun 15, 2015, 3:23:58 PM
to securit...@googlegroups.com
Hi Shane,

I did some more research on this today as well. I've successfully
tested the following ciphers in the Sguil client/agents to avoid the
DH issue:
RC4-MD5
RC4-SHA
AES256-SHA

Has anybody tested any other ciphers or have any other recommendations?

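The three suites Doug lists (RC4-MD5, RC4-SHA, AES256-SHA) all use static RSA key exchange, so the server never sends Diffie-Hellman parameters and the size check the Ubuntu OpenSSL update added (reject an ephemeral DH prime shorter than 768 bits, per USN-2639-1) never runs; Torgeir's "-cipher MD5" pin has the same effect because it selects MD5-MAC suites such as RC4-MD5. The script below is an added example, not code from this thread, from Security Onion or from Sguil: it classifies OpenSSL cipher-suite names by key-exchange method, parses the ServerDHParams of a TLS ServerKeyExchange to measure the prime the server actually sent, and reports whether a client running the patched OpenSSL would accept the handshake. The prefix table is a small assumed mapping (not the full OpenSSL cipher list) and the two ServerKeyExchange messages are constructed for the example, not captured from sguild.

```python
"""Added example (not Sguil/Security Onion code): why pinning a non-DHE
cipher avoids "dh key too small", and how to size the DH prime a server
sends. The ServerKeyExchange messages here are constructed, not captured."""
import struct

MIN_DH_BITS = 768  # floor introduced by the Ubuntu OpenSSL update (USN-2639-1)

# OpenSSL cipher-name prefix -> key-exchange method. Assumption: this table
# covers the suite names in the thread plus the usual forward-secret prefixes;
# it is not a complete OpenSSL cipher list.
_KX_PREFIXES = (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"), ("ADH-", "DHE"))


def key_exchange(cipher_name):
    """Return 'ECDHE', 'DHE' or 'RSA' for an OpenSSL cipher-suite name."""
    for prefix, kx in _KX_PREFIXES:
        if cipher_name.startswith(prefix):
            return kx
    return "RSA"  # RC4-MD5, RC4-SHA, AES256-SHA: static RSA key exchange


def parse_dhe_server_key_exchange(body):
    """Parse ServerDHParams from a DHE ServerKeyExchange (RFC 5246 7.4.3).

    Layout is three length-prefixed vectors, dh_p, dh_g, dh_Ys, each with a
    16-bit length; the trailing signature is ignored. Returns (p, g, Ys).
    """
    values, offset = [], 0
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerKeyExchange")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        chunk = body[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated ServerKeyExchange")
        values.append(int.from_bytes(chunk, "big"))
        offset += length
    return tuple(values)


def dh_prime_bits(body):
    """Bit length of dh_p, the value the patched OpenSSL compares to 768."""
    p, _g, _ys = parse_dhe_server_key_exchange(body)
    return p.bit_length()


def accepted_by_patched_openssl(cipher_name, server_key_exchange=None):
    """True if a handshake using this suite would pass the DH size check.

    Non-DHE suites never send DH params, so the check cannot fire: that is
    why forcing RC4-MD5 / RC4-SHA / AES256-SHA works as a stopgap.
    """
    if key_exchange(cipher_name) != "DHE":
        return True
    return dh_prime_bits(server_key_exchange) >= MIN_DH_BITS


def _vector(value, length):
    """Encode an int as a 16-bit-length-prefixed big-endian byte string."""
    return struct.pack("!H", length) + value.to_bytes(length, "big")


def build_server_key_exchange(p, g, ys):
    """Constructed ServerDHParams (signature omitted) for the example."""
    p_len = (p.bit_length() + 7) // 8
    return _vector(p, p_len) + _vector(g, 1) + _vector(ys, p_len)


# Placeholder moduli with the right bit lengths; real servers send safe primes.
P_512 = (1 << 511) | 1
P_2048 = (1 << 2047) | 1
WEAK_SKE = build_server_key_exchange(P_512, 2, 0x1234)     # prime below the floor
STRONG_SKE = build_server_key_exchange(P_2048, 2, 0x1234)  # prime a fixed server would send


def check_handshakes():
    """Map (suite, DH prime size) to the verdict a patched client reaches."""
    cases = {
        ("DHE-RSA-AES256-SHA", 512): WEAK_SKE,
        ("DHE-RSA-AES256-SHA", 2048): STRONG_SKE,
        ("AES256-SHA", 0): None,
        ("RC4-MD5", 0): None,
    }
    return {case: accepted_by_patched_openssl(case[0], ske) for case, ske in cases.items()}


if __name__ == "__main__":
    for (suite, bits), ok in check_handshakes().items():
        print(f"{suite:22s} dh_p={bits:4d} bits -> {'ok' if ok else 'dh key too small'}")
```

Pinning the cipher is only a stopgap: RC4-MD5 and RC4-SHA depend on RC4, which RFC 7465 prohibits in TLS, and none of the three suites provide forward secrecy, which is exactly what the ephemeral DH exchange was buying. On a host with OpenSSL 1.0.2 or later, "openssl s_client -cipher EDH -connect <sguild-host>:<port>" prints a "Server Temp Key" line that reports the same prime size dh_prime_bits computes above, which is a quick way to confirm a server is fixed before dropping the pin.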
Lee Sharp

Jun 15, 2015, 7:02:27 PM
to securit...@googlegroups.com
On 06/15/2015 02:23 PM, Doug Burks wrote:
> Hi Shane,
>
> I did some more research on this today as well. I've successfully
> tested the following ciphers in the Sguil client/agents to avoid the
> DH issue:
> RC4-MD5
> RC4-SHA
> AES256-SHA
>
> Has anybody tested any other ciphers or have any other recommendations?

I just went through this on a project I maintain, SmallWall. I found
this to be a good overview of accepted best practice, and it runs about
a year ahead of the various projects cutting off support.

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

For the defaults, I am using Blowfish and sha-256. The author of
Blowfish recommends the newer Twofish, but I have not seen any exploits
for Blowfish yet. (And blowfish is VERY efficient on FreeBSD)

Lee

Doug Burks

Jun 15, 2015, 9:48:07 PM
to securit...@googlegroups.com
After much experimenting, I've come to the conclusion that the best
solution is to go ahead and update the tcl-tls package myself. The
new package has been submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/_77EIVjN9M8/discussion

Khalid Yusuff

Jun 16, 2015, 7:30:15 AM
to securit...@googlegroups.com
Thank you so much. Sguil is now working fine. I used the test update.

Doug Burks

Jun 16, 2015, 7:41:05 AM
to securit...@googlegroups.com
I should also mention that if you had manually added the -cipher
option to the Sguil client/agents, you should revert those changes
when updating tcl-tls to allow tcl-tls and openssl to negotiate the
best cipher.

namobud...@gmail.com

Jun 16, 2015, 8:53:25 AM
to securit...@googlegroups.com
Once this package is out, will sudo soup fix up everything? If not, will a manual step-by-step be issued?

Thanks Doug!

Doug Burks

Jun 16, 2015, 9:28:44 AM
to securit...@googlegroups.com
Yes, once the updated tcl-tls package has been published to the stable
ppa, running "sudo soup" will install it and the latest openssl
packages and everything should be fine.

namobud...@gmail.com

Jun 16, 2015, 9:30:26 AM
to securit...@googlegroups.com
This was days of work Doug, thanks again man.

If you're ever in New York, lunch is on me!

Thanks,

Doug Burks

Jun 17, 2015, 8:47:11 AM
to securit...@googlegroups.com
All clear!

The new tcltls package has been published to the stable PPA:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

You may safely resume your regularly scheduled soup updates!

As a reminder, if you had manually changed the cipher in the Sguil
client/agents, you'll want to revert that change to allow OpenSSL to
negotiate a more secure cipher.

Fellixx

Jun 17, 2015, 4:11:07 PM
to securit...@googlegroups.com
Truly thanks for the hard work on this.

Alex Thompson

Jun 18, 2015, 9:21:48 AM
to securit...@googlegroups.com
All my daily logs prior to 6/12 have disappeared the day that the OpenSSL update was applied. Anyone else have this happen?

Doug Burks

Jun 18, 2015, 9:24:03 AM
to securit...@googlegroups.com
Hi Alex,

Please start a new thread and provide more information.

What exactly do you mean by "daily logs"?

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.


On Thu, Jun 18, 2015 at 9:21 AM, Alex Thompson
<alex.t...@thompfam.net> wrote:
> All my daily logs prior to 6/12 have disappeared the day that the OpenSSL update was applied. Anyone else have this happen?
>

CB

Jun 19, 2015, 4:45:29 PM
to securit...@googlegroups.com
I am still getting errors in log files for "ERROR: handshake failed: sslv3 alert handshake failure" even though I am apparently on the latest version (sudo soup).

In fact this is now rapidly filling my SIEM!

/CB

Doug Burks

Jun 19, 2015, 4:48:48 PM
to securit...@googlegroups.com
Hi Craig,

Have you tried the following?

http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html

If you continue to have issues with the Sguil client/agents connecting
to sguild, you may need to restart services:
sudo service nsm restart

and/or reboot:
sudo reboot

Matt Vaughan

Aug 13, 2015, 1:32:03 PM
to security-onion
Still having a problem here, Doug:

dpkg: dependency problems prevent configuration of libssl-dev:
libssl-dev depends on libssl1.0.0 (= 1.0.1-4ubuntu5.27); however:
Version of libssl1.0.0 on system is 1.0.1-4ubuntu5.31.
dpkg: error processing libssl-dev (--configure):
dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Errors were encountered while processing:
libssl-dev
E: Sub-process /usr/bin/dpkg returned an error code (1)

Doug Burks

Aug 13, 2015, 6:50:40 PM
to securit...@googlegroups.com
On Thu, Aug 13, 2015 at 1:32 PM, Matt Vaughan <mcva...@gmail.com> wrote:
> Still having a problem here, Doug:
>
> dpkg: dependency problems prevent configuration of libssl-dev:
> libssl-dev depends on libssl1.0.0 (= 1.0.1-4ubuntu5.27); however:
> Version of libssl1.0.0 on system is 1.0.1-4ubuntu5.31.
> dpkg: error processing libssl-dev (--configure):
> dependency problems - leaving unconfigured
> No apport report written because the error message indicates its a followup error from a previous failure.
> Errors were encountered while processing:
> libssl-dev
> E: Sub-process /usr/bin/dpkg returned an error code (1)

Hi Matt,

I haven't seen this particular issue.

Please start a new thread to troubleshoot and include the full output
of the following commands:

dpkg -l |grep ssl

sudo soup