On Friday, June 12, 2015 at 9:47:05 AM UTC-4, Doug Burks wrote:
> Please send sostat output.
>
tail of pcap_agent.log:
Sending sguild (sock3) LastPcapTime {2015-06-12 13:52:02}
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
tail of snort_agent.log:
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received
tail of barnyard2.log:
WARNING: Ignoring bad line in SID file: 'v1'
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /nsm/sensor_data/REDACTED-eth2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
sguil: sensor name = REDACTED-eth2
sguil: agent port = 8000
sguil: Connected to localhost on 8000.
sostat from the master:
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 5239 9 12 Jun 13:21:45
proxy proxy localhost running 5423 9 12 Jun 13:21:47
SO-server-eth2-1 worker localhost running 6638 2 12 Jun 13:21:51
SO-server-eth2-2 worker localhost running 6633 2 12 Jun 13:21:51
SO-server-eth2-3 worker localhost running 6632 2 12 Jun 13:21:51
SO-server-eth2-4 worker localhost running 6634 2 12 Jun 13:21:51
SO-server-eth3-1 worker localhost running 6631 2 12 Jun 13:21:51
SO-server-eth3-2 worker localhost running 6636 2 12 Jun 13:21:51
SO-server-eth3-3 worker localhost running 6637 2 12 Jun 13:21:51
SO-server-eth3-4 worker localhost running 6635 2 12 Jun 13:21:51
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:588334 errors:0 dropped:0 overruns:0 frame:0
TX packets:217391 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:315714265 (315.7 MB) TX bytes:309863929 (309.8 MB)
Interrupt:36 Memory:da000000-da012800
eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:91393067 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:104232555193 (104.2 GB) TX bytes:0 (0.0 B)
Interrupt:40 Memory:df2c0000-df2e0000
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:41 Memory:df3c0000-df3e0000
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:605602 errors:0 dropped:0 overruns:0 frame:0
TX packets:605602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1769509207 (1.7 GB) TX bytes:1769509207 (1.7 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1769509207 605602 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1769509207 605602 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
315714265 588334 0 0 0 9973
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
309863929 217391 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
104232996145 91393427 0 0 0 10197
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 149G 44G 97G 32% /
udev 32G 4.0K 32G 1% /dev
tmpfs 6.3G 852K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 32G 0 32G 0% /run/shm
/dev/sdb2 18T 15T 2.8T 84% /nsm
/dev/sda1 484M 300M 159M 66% /boot
/dev/sda5 29G 174M 27G 1% /tmp
/dev/sda10 9.4G 170M 8.8G 2% /usr/local
/dev/sda11 19G 492M 18G 3% /home
/dev/sda7 29G 1011M 26G 4% /var
/dev/sdb1 1.0T 150G 875G 15% /var/lib/mysql
/dev/sda8 29G 5.4G 22G 20% /var/log
/dev/sda9 9.4G 150M 8.8G 2% /var/log/audit
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 2149 avahi 12u IPv4 29912 0t0 UDP *:5353
avahi-dae 2149 avahi 13u IPv6 29913 0t0 UDP *:5353
avahi-dae 2149 avahi 14u IPv4 29914 0t0 UDP *:38898
avahi-dae 2149 avahi 15u IPv6 29915 0t0 UDP *:54578
cupsd 2151 root 8u IPv6 29931 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2151 root 9u IPv4 29932 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 2161 root 3u IPv4 29942 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:45197 (ESTABLISHED)
sshd 2220 root 3u IPv4 1525 0t0 TCP *:ssh_port (LISTEN)
sshd 2220 root 4u IPv6 1527 0t0 TCP *:ssh_port (LISTEN)
salt-mini 2553 root 10u IPv4 16624 0t0 TCP X.X.X.X:59570->X.X.X.X:4506 (ESTABLISHED)
salt-mini 2553 root 21u IPv4 10890 0t0 TCP X.X.X.X:44510->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 2608 root 9u IPv4 30032 0t0 TCP *:514 (LISTEN)
syslog-ng 2608 root 10u IPv4 30033 0t0 UDP *:514
mysqld 2656 mysql 10u IPv4 25697 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 2656 mysql 13u IPv4 8665 0t0 TCP X.X.X.X:3306->X.X.X.X:49211 (ESTABLISHED)
mysqld 2656 mysql 26u IPv4 23011 0t0 TCP X.X.X.X:3306->X.X.X.X:49213 (ESTABLISHED)
mysqld 2656 mysql 421u IPv4 22027 0t0 TCP X.X.X.X:3306->X.X.X.X:49209 (ESTABLISHED)
mysqld 2656 mysql 857u IPv4 28212 0t0 TCP X.X.X.X:3306->X.X.X.X:49206 (ESTABLISHED)
searchd 2669 sphinxsearch 7u IPv4 32276 0t0 TCP *:9306 (LISTEN)
searchd 2669 sphinxsearch 8u IPv4 32277 0t0 TCP *:9312 (LISTEN)
sshd 2721 SO-user 3u IPv4 29942 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:45197 (ESTABLISHED)
sshd 2721 SO-user 8u IPv6 1705 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 2721 SO-user 9u IPv4 1706 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 2721 SO-user 10u IPv4 22026 0t0 TCP X.X.X.X:49209->X.X.X.X:3306 (ESTABLISHED)
snmpd 2882 snmp 8u IPv4 11452 0t0 UDP X.X.X.X:161
snmpd 2882 snmp 9u IPv4 32395 0t0 UDP *:39439
salt-mast 2977 root 12u IPv4 13547 0t0 TCP *:4505 (LISTEN)
salt-mast 2977 root 14u IPv4 12468 0t0 TCP X.X.X.X:4505->X.X.X.X:44510 (ESTABLISHED)
salt-mast 2977 root 15u IPv4 1806 0t0 TCP X.X.X.X:4505->X.X.X.X:34950 (ESTABLISHED)
salt-mast 2977 root 16u IPv4 13658 0t0 TCP X.X.X.X:4505->X.X.X.X:40080 (ESTABLISHED)
salt-mast 2989 root 20u IPv4 12449 0t0 TCP *:4506 (LISTEN)
salt-mast 2989 root 21u IPv4 26712 0t0 TCP X.X.X.X:4506->X.X.X.X:59570 (ESTABLISHED)
salt-mast 2989 root 23u IPv4 26701 0t0 TCP X.X.X.X:4506->X.X.X.X:40628 (ESTABLISHED)
salt-mast 2989 root 29u IPv4 28730 0t0 TCP X.X.X.X:4506->X.X.X.X:53560 (ESTABLISHED)
ntpd 3239 ntp 16u IPv4 32428 0t0 UDP *:123
ntpd 3239 ntp 17u IPv6 32429 0t0 UDP *:123
ntpd 3239 ntp 18u IPv4 32435 0t0 UDP X.X.X.X:123
ntpd 3239 ntp 19u IPv4 32436 0t0 UDP X.X.X.X:123
ntpd 3239 ntp 20u IPv6 32437 0t0 UDP [X.X.X.X]:123
ntpd 3239 ntp 21u IPv6 32438 0t0 UDP [X.X.X.X]:123
ossec-csy 4334 ossecm 5u IPv4 30568 0t0 UDP X.X.X.X:60485->X.X.X.X:514
sshd 4364 root 3u IPv4 1810 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41140 (ESTABLISHED)
sshd 4517 SO-user 3u IPv4 1810 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41140 (ESTABLISHED)
sshd 4517 SO-user 9u IPv6 1882 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 4517 SO-user 10u IPv4 1883 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 4517 SO-user 11u IPv4 30671 0t0 TCP X.X.X.X:49206->X.X.X.X:3306 (ESTABLISHED)
/usr/sbin 4631 root 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 4631 root 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4631 root 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4631 root 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
tclsh 4811 SO-user 13u IPv4 30661 0t0 TCP *:7734 (LISTEN)
tclsh 4811 SO-user 14u IPv4 30662 0t0 TCP *:7736 (LISTEN)
tclsh 4811 SO-user 15u IPv4 34002 0t0 TCP X.X.X.X:7736->X.X.X.X:39312 (ESTABLISHED)
tclsh 4811 SO-user 16u IPv4 34003 0t0 TCP X.X.X.X:7736->X.X.X.X:39313 (ESTABLISHED)
tclsh 4811 SO-user 17u IPv4 28211 0t0 TCP X.X.X.X:7736->X.X.X.X:34399 (ESTABLISHED)
tclsh 4811 SO-user 18u IPv4 27003 0t0 TCP X.X.X.X:7736->X.X.X.X:34400 (ESTABLISHED)
tclsh 4811 SO-user 19u IPv4 24974 0t0 TCP X.X.X.X:7736->X.X.X.X:34401 (ESTABLISHED)
tclsh 4811 SO-user 20u IPv4 22951 0t0 TCP X.X.X.X:7736->X.X.X.X:34403 (ESTABLISHED)
tclsh 4811 SO-user 21u IPv4 26022 0t0 TCP X.X.X.X:7736->X.X.X.X:44159 (ESTABLISHED)
tclsh 4811 SO-user 22u IPv4 15839 0t0 TCP X.X.X.X:7736->X.X.X.X:44160 (ESTABLISHED)
tclsh 4811 SO-user 23u IPv4 15847 0t0 TCP X.X.X.X:7736->X.X.X.X:34404 (ESTABLISHED)
tclsh 4811 SO-user 24u IPv4 72917 0t0 TCP X.X.X.X:7734->X.X.X.X:37117 (ESTABLISHED)
tclsh 4868 SO-user 3u IPv4 22950 0t0 TCP X.X.X.X:34403->X.X.X.X:7736 (ESTABLISHED)
bro 5239 SO-user 4u IPv4 18749 0t0 UDP X.X.X.X:37275->X.X.X.X:53
bro 5255 SO-user 0u IPv4 28071 0t0 TCP *:47761 (LISTEN)
bro 5255 SO-user 1u IPv6 28072 0t0 TCP *:47761 (LISTEN)
bro 5255 SO-user 2u IPv4 25923 0t0 TCP X.X.X.X:47761->X.X.X.X:34387 (ESTABLISHED)
bro 5255 SO-user 4u IPv4 18749 0t0 UDP X.X.X.X:37275->X.X.X.X:53
bro 5255 SO-user 251u IPv4 24917 0t0 TCP X.X.X.X:47761->X.X.X.X:34397 (ESTABLISHED)
bro 5255 SO-user 255u IPv4 26838 0t0 TCP X.X.X.X:47761->X.X.X.X:34398 (ESTABLISHED)
bro 5255 SO-user 256u IPv4 24919 0t0 TCP X.X.X.X:47761->X.X.X.X:34401 (ESTABLISHED)
bro 5255 SO-user 257u IPv4 26878 0t0 TCP X.X.X.X:47761->X.X.X.X:34402 (ESTABLISHED)
bro 5255 SO-user 258u IPv4 8569 0t0 TCP X.X.X.X:47761->X.X.X.X:34404 (ESTABLISHED)
bro 5255 SO-user 259u IPv4 11589 0t0 TCP X.X.X.X:47761->X.X.X.X:34406 (ESTABLISHED)
bro 5255 SO-user 260u IPv4 28113 0t0 TCP X.X.X.X:47761->X.X.X.X:34408 (ESTABLISHED)
bro 5255 SO-user 261u IPv4 25982 0t0 TCP X.X.X.X:47761->X.X.X.X:34410 (ESTABLISHED)
bro 5423 SO-user 4u IPv4 33832 0t0 UDP X.X.X.X:54251->X.X.X.X:53
bro 5425 SO-user 0u IPv4 9608 0t0 TCP X.X.X.X:34387->X.X.X.X:47761 (ESTABLISHED)
bro 5425 SO-user 1u IPv4 9611 0t0 TCP *:47762 (LISTEN)
bro 5425 SO-user 2u IPv6 9612 0t0 TCP *:47762 (LISTEN)
bro 5425 SO-user 4u IPv4 33832 0t0 UDP X.X.X.X:54251->X.X.X.X:53
bro 5425 SO-user 251u IPv4 8565 0t0 TCP X.X.X.X:47762->X.X.X.X:46585 (ESTABLISHED)
bro 5425 SO-user 255u IPv4 24918 0t0 TCP X.X.X.X:47762->X.X.X.X:46588 (ESTABLISHED)
bro 5425 SO-user 256u IPv4 9666 0t0 TCP X.X.X.X:47762->X.X.X.X:46589 (ESTABLISHED)
bro 5425 SO-user 257u IPv4 15802 0t0 TCP X.X.X.X:47762->X.X.X.X:46592 (ESTABLISHED)
bro 5425 SO-user 258u IPv4 8570 0t0 TCP X.X.X.X:47762->X.X.X.X:46594 (ESTABLISHED)
bro 5425 SO-user 259u IPv4 20742 0t0 TCP X.X.X.X:47762->X.X.X.X:46596 (ESTABLISHED)
bro 5425 SO-user 260u IPv4 8571 0t0 TCP X.X.X.X:47762->X.X.X.X:46598 (ESTABLISHED)
bro 5425 SO-user 261u IPv4 12657 0t0 TCP X.X.X.X:47762->X.X.X.X:46600 (ESTABLISHED)
bro 6631 SO-user 4u IPv4 20738 0t0 UDP X.X.X.X:37937->X.X.X.X:53
bro 6632 SO-user 4u IPv4 13902 0t0 UDP X.X.X.X:56356->X.X.X.X:53
bro 6633 SO-user 4u IPv4 12640 0t0 UDP X.X.X.X:44160->X.X.X.X:53
bro 6634 SO-user 4u IPv4 26829 0t0 UDP X.X.X.X:51075->X.X.X.X:53
bro 6635 SO-user 4u IPv4 17794 0t0 UDP X.X.X.X:38584->X.X.X.X:53
bro 6636 SO-user 4u IPv4 16968 0t0 UDP X.X.X.X:54042->X.X.X.X:53
bro 6637 SO-user 4u IPv4 10954 0t0 UDP X.X.X.X:51922->X.X.X.X:53
bro 6638 SO-user 4u IPv4 33890 0t0 UDP X.X.X.X:56404->X.X.X.X:53
bro 6639 SO-user 0u IPv4 25948 0t0 TCP X.X.X.X:46585->X.X.X.X:47762 (ESTABLISHED)
bro 6639 SO-user 1u IPv4 25949 0t0 TCP X.X.X.X:34397->X.X.X.X:47761 (ESTABLISHED)
bro 6639 SO-user 2u IPv4 25952 0t0 TCP *:47767 (LISTEN)
bro 6639 SO-user 4u IPv4 20738 0t0 UDP X.X.X.X:37937->X.X.X.X:53
bro 6639 SO-user 251u IPv6 25953 0t0 TCP *:47767 (LISTEN)
bro 6642 SO-user 0u IPv4 25954 0t0 TCP X.X.X.X:34398->X.X.X.X:47761 (ESTABLISHED)
bro 6642 SO-user 1u IPv4 25957 0t0 TCP X.X.X.X:46588->X.X.X.X:47762 (ESTABLISHED)
bro 6642 SO-user 2u IPv4 25960 0t0 TCP *:47765 (LISTEN)
bro 6642 SO-user 4u IPv4 13902 0t0 UDP X.X.X.X:56356->X.X.X.X:53
bro 6642 SO-user 251u IPv6 25961 0t0 TCP *:47765 (LISTEN)
bro 6651 SO-user 0u IPv4 21912 0t0 TCP X.X.X.X:46589->X.X.X.X:47762 (ESTABLISHED)
bro 6651 SO-user 1u IPv4 21913 0t0 TCP X.X.X.X:34401->X.X.X.X:47761 (ESTABLISHED)
bro 6651 SO-user 2u IPv4 21916 0t0 TCP *:47766 (LISTEN)
bro 6651 SO-user 4u IPv4 26829 0t0 UDP X.X.X.X:51075->X.X.X.X:53
bro 6651 SO-user 251u IPv6 21917 0t0 TCP *:47766 (LISTEN)
bro 6686 SO-user 0u IPv4 14656 0t0 TCP X.X.X.X:34402->X.X.X.X:47761 (ESTABLISHED)
bro 6686 SO-user 1u IPv4 14657 0t0 TCP X.X.X.X:46592->X.X.X.X:47762 (ESTABLISHED)
bro 6686 SO-user 2u IPv4 14660 0t0 TCP *:47769 (LISTEN)
bro 6686 SO-user 4u IPv4 10954 0t0 UDP X.X.X.X:51922->X.X.X.X:53
bro 6686 SO-user 251u IPv6 14661 0t0 TCP *:47769 (LISTEN)
bro 6729 SO-user 0u IPv4 21926 0t0 TCP X.X.X.X:34404->X.X.X.X:47761 (ESTABLISHED)
bro 6729 SO-user 1u IPv4 21927 0t0 TCP X.X.X.X:46594->X.X.X.X:47762 (ESTABLISHED)
bro 6729 SO-user 2u IPv4 21930 0t0 TCP *:47764 (LISTEN)
bro 6729 SO-user 4u IPv4 12640 0t0 UDP X.X.X.X:44160->X.X.X.X:53
bro 6729 SO-user 251u IPv6 21931 0t0 TCP *:47764 (LISTEN)
bro 6732 SO-user 0u IPv4 21932 0t0 TCP X.X.X.X:34406->X.X.X.X:47761 (ESTABLISHED)
bro 6732 SO-user 1u IPv4 21933 0t0 TCP X.X.X.X:46596->X.X.X.X:47762 (ESTABLISHED)
bro 6732 SO-user 2u IPv4 21936 0t0 TCP *:47763 (LISTEN)
bro 6732 SO-user 4u IPv4 33890 0t0 UDP X.X.X.X:56404->X.X.X.X:53
bro 6732 SO-user 251u IPv6 21937 0t0 TCP *:47763 (LISTEN)
bro 6737 SO-user 0u IPv4 21938 0t0 TCP X.X.X.X:34408->X.X.X.X:47761 (ESTABLISHED)
bro 6737 SO-user 1u IPv4 21939 0t0 TCP X.X.X.X:46598->X.X.X.X:47762 (ESTABLISHED)
bro 6737 SO-user 2u IPv4 21942 0t0 TCP *:47768 (LISTEN)
bro 6737 SO-user 4u IPv4 16968 0t0 UDP X.X.X.X:54042->X.X.X.X:53
bro 6737 SO-user 251u IPv6 21943 0t0 TCP *:47768 (LISTEN)
bro 6742 SO-user 0u IPv4 17811 0t0 TCP X.X.X.X:34410->X.X.X.X:47761 (ESTABLISHED)
bro 6742 SO-user 1u IPv4 17812 0t0 TCP X.X.X.X:46600->X.X.X.X:47762 (ESTABLISHED)
bro 6742 SO-user 2u IPv4 17815 0t0 TCP *:47770 (LISTEN)
bro 6742 SO-user 4u IPv4 17794 0t0 UDP X.X.X.X:38584->X.X.X.X:53
bro 6742 SO-user 251u IPv6 17816 0t0 TCP *:47770 (LISTEN)
tclsh 6869 SO-user 3u IPv4 8623 0t0 TCP X.X.X.X:34404->X.X.X.X:7736 (ESTABLISHED)
tclsh 6900 SO-user 3u IPv4 17008 0t0 TCP X.X.X.X:8000 (LISTEN)
tclsh 6900 SO-user 5u IPv4 14708 0t0 TCP X.X.X.X:34399->X.X.X.X:7736 (ESTABLISHED)
tclsh 6900 SO-user 7u IPv4 25009 0t0 TCP X.X.X.X:8000->X.X.X.X:59239 (ESTABLISHED)
barnyard2 6951 SO-user 3u IPv4 11638 0t0 TCP X.X.X.X:59239->X.X.X.X:8000 (ESTABLISHED)
barnyard2 6951 SO-user 4u IPv4 35853 0t0 TCP X.X.X.X:49211->X.X.X.X:3306 (ESTABLISHED)
tclsh 7086 SO-user 3u IPv4 15838 0t0 TCP X.X.X.X:34400->X.X.X.X:7736 (ESTABLISHED)
tclsh 7135 SO-user 3u IPv4 11088 0t0 TCP X.X.X.X:8100 (LISTEN)
tclsh 7135 SO-user 5u IPv4 11217 0t0 TCP X.X.X.X:34401->X.X.X.X:7736 (ESTABLISHED)
tclsh 7135 SO-user 7u IPv4 26047 0t0 TCP X.X.X.X:8100->X.X.X.X:45801 (ESTABLISHED)
barnyard2 7219 SO-user 3u IPv4 12905 0t0 TCP X.X.X.X:45801->X.X.X.X:8100 (ESTABLISHED)
barnyard2 7219 SO-user 4u IPv4 12908 0t0 TCP X.X.X.X:49213->X.X.X.X:3306 (ESTABLISHED)
sshd 13264 root 3u IPv4 9060 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52489 (ESTABLISHED)
sshd 13423 SO-user 3u IPv4 9060 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52489 (ESTABLISHED)
/usr/sbin 16531 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 16531 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 16531 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 16531 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
sshd 17023 root 3u IPv4 68784 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51178 (ESTABLISHED)
sshd 17332 SO-user 3u IPv4 68784 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51178 (ESTABLISHED)
sshd 17332 SO-user 9u IPv6 68865 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 17332 SO-user 10u IPv4 68866 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 17332 SO-user 12u IPv4 68889 0t0 TCP X.X.X.X:6010->X.X.X.X:60074 (ESTABLISHED)
wish 17574 SO-user 3u IPv4 53614 0t0 TCP X.X.X.X:60074->X.X.X.X:6010 (ESTABLISHED)
wish 17574 SO-user 4u IPv4 71911 0t0 TCP X.X.X.X:37117->X.X.X.X:7734 (ESTABLISHED)
/usr/sbin 19362 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 19362 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19362 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19362 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 20451 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 20451 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20451 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20451 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22184 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22184 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22184 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22184 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22217 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22217 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22217 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22217 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22226 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22226 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22226 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22226 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
Fri Jun 12 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
Running PulledPork.
Error 500 when fetching https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
mainX.X.X.Xmd5file('open-nogpl', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/
PulledPork v0.7.0 - Swine Flu!
Copyright (C) 2009-2013 JJ Cummings
cumm...@gmail.com
Rules give me wings!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2973.tar.gz....
Rules tarball download of snortrules-snapshot-2973.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Updating Snorby's sig_reference table.../usr/bin/rule-update: line 309: 9557 Segmentation fault /usr/bin/barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf > /var/log/nsm/barnyard2-snorby.log 2>&1
done.
Restarting Barnyard2.
Restarting: SO-server-eth2
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth2
* stopping: suricata (alert data)
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
27.77 23.29 16.06
Processing units: 24
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 13:51:01 up 30 min, 2 users, load average: 27.77, 23.29, 16.06
Tasks: 384 total, 25 running, 359 sleeping, 0 stopped, 0 zombie
Cpu(s): 38.4%us, 12.9%sy, 0.9%ni, 44.9%id, 1.9%wa, 0.0%hi, 1.0%si, 0.0%st
Mem: 65965188k total, 65707376k used, 257812k free, 59384k buffers
Swap: 36981308k total, 268k used, 36981040k free, 49126608k cached
%CPU %MEM COMMAND
278 0.6 /usr/sbin/mysqld
90.0 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
105 2.1 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth2/suricata.yaml --pfring=eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2
92.0 0.8 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_150
90.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
88.2 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
86.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
85.6 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
82.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
81.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
76.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
73.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
66.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
58.3 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
49.9 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
32.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.8 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo -i 1 -U
27.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo -i 1 -U
24.8 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
24.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
16.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.4 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.1 0.9 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth2/bpf-pcap.ops
7.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
5.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
4.6 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.5 7.5 /usr/bin/searchd --nodetach
2.7 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.7 1.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth3/suricata.yaml --pfring=eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3
1.7 0.0 /var/ossec/bin/ossec-syscheckd
1.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.4 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.3 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.7 0.1 /usr/bin/python /usr/bin/salt-master
0.6 0.0 wish /usr/bin/SO-user.tk
0.5 0.0 [flush-8:16]
0.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.4 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.3 0.0 /var/ossec/bin/ossec-analysisd
0.3 0.0 sshd: SO-user
0.3 0.1 delayed_job
0.3 0.0 [kworker/0:2]
0.2 0.0 sshd: SO-user
0.2 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
0.2 0.0 [xfsaild/sdb2]
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /sbin/init
0.1 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.1 0.0 [kswapd1]
0.1 0.0 [kworker/0:0]
0.1 0.0 [kworker/0:3]
0.1 0.0 [kswapd0]
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.0 /usr/bin/python /usr/bin/salt-minion
0.1 0.1 /usr/sbin/apache2 -k start
0.1 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 sshd: SO-user@pts/2
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/1:0]
0.0 0.0 -bash
0.0 0.0 [kworker/1:1]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/1:2]
0.0 0.0 -bash
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/u:0]
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 [xfsaild/sdb1]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.8 netsniff-ng -i eth3 -o /nsm/sensor_data/SO-server-eth3/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth3/bpf-pcap.ops
0.0 0.0 [migration/0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [flush-8:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/12:1]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [xfsbufd/sdb2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 [ksoftirqd/15]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/4:2]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 Passenger spawn server
0.0 0.0 [migration/1]
0.0 0.0 [migration/2]
0.0 0.0 [migration/3]
0.0 0.0 [migration/4]
0.0 0.0 [migration/5]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [migration/8]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [migration/10]
0.0 0.0 [migration/11]
0.0 0.0 [migration/12]
0.0 0.0 [migration/13]
0.0 0.0 [migration/16]
0.0 0.0 [migration/17]
0.0 0.0 [migration/18]
0.0 0.0 [migration/20]
0.0 0.0 [migration/21]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [migration/23]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 [kworker/13:1]
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 lightdm
0.0 0.0 cron
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/8:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/14:2]
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [kworker/5:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 PassengerHelperAgent
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/23:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/19:1]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [watchdog/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [watchdog/7]
0.0 0.0 [kworker/8:0]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [watchdog/9]
0.0 0.0 [kworker/10:0]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [watchdog/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [kworker/16:0]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [watchdog/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [kworker/19:0]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [watchdog/20]
0.0 0.0 [kworker/21:0]
0.0 0.0 [watchdog/21]
0.0 0.0 [kworker/22:0]
0.0 0.0 [watchdog/22]
0.0 0.0 [kworker/23:0]
0.0 0.0 [watchdog/23]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [kworker/u:1]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/15:1]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [edac-poller]
0.0 0.0 [kpsmoused]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|lost+found|SO-user|SO-user/SO-user/g
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: 27067858
eth3: 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 10 days
7.8T .
1000G ./2015-06-03
771G ./2015-06-04
612G ./2015-06-05
850G ./2015-06-06
1.2T ./2015-06-07
464G ./2015-06-08
862G ./2015-06-09
908G ./2015-06-10
815G ./2015-06-11
555G ./2015-06-12
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 10 days
6.0M .
1.2M ./2015-06-03
996K ./2015-06-04
100K ./2015-06-05
148K ./2015-06-06
1.0M ./2015-06-07
136K ./2015-06-08
68K ./2015-06-09
96K ./2015-06-10
1.3M ./2015-06-11
1004K ./2015-06-12
/nsm/bro/logs/ - 20 days
53G .
1.7G ./2015-05-24
1.8G ./2015-05-25
2.8G ./2015-05-26
2.7G ./2015-05-27
2.8G ./2015-05-28
2.9G ./2015-05-29
1.7G ./2015-05-30
1.9G ./2015-05-31
3.3G ./2015-06-01
3.6G ./2015-06-02
3.2G ./2015-06-03
3.3G ./2015-06-04
3.1G ./2015-06-05
1.5G ./2015-06-06
1.9G ./2015-06-07
3.4G ./2015-06-08
3.0G ./2015-06-09
3.3G ./2015-06-10
3.1G ./2015-06-11
1.4G ./2015-06-12
1.3G ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth2-1: 1434117062.946515 recvd=5067633 dropped=0 link=5067633
SO-server-eth2-2: 1434117063.146265 recvd=6463885 dropped=0 link=6463885
SO-server-eth2-3: 1434117063.346373 recvd=3338798 dropped=0 link=3338798
SO-server-eth2-4: 1434117062.585244 recvd=13876547 dropped=0 link=13876547
SO-server-eth3-1: 1434117063.746455 recvd=0 dropped=0 link=0
SO-server-eth3-2: 1434117063.946420 recvd=0 dropped=0 link=0
SO-server-eth3-3: 1434117064.150450 recvd=0 dropped=0 link=0
SO-server-eth3-4: 1434117064.350567 recvd=0 dropped=0 link=0
=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth2/stats.log
tcp.ssn_memcap_drop | RxPFReth24 | 0
tcp.segment_memcap_drop | RxPFReth24 | 0
/nsm/sensor_data/SO-server-eth3/stats.log
tcp.ssn_memcap_drop | RxPFReth34 | 0
tcp.segment_memcap_drop | RxPFReth34 | 0
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 16
Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/6631-eth3.1
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6632-eth2.2
Appl. Name : bro-eth2
Tot Packets : 3341882
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6633-eth2.5
Appl. Name : bro-eth2
Tot Packets : 6479368
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6634-eth2.3
Appl. Name : bro-eth2
Tot Packets : 14055060
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 0
/proc/net/pf_ring/6635-eth3.7
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6636-eth3.6
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6637-eth3.4
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6638-eth2.8
Appl. Name : bro-eth2
Tot Packets : 5071877
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/7192-eth2.9
Appl. Name : Suricata
Tot Packets : 3225736
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65523
/proc/net/pf_ring/7194-eth2.10
Appl. Name : Suricata
Tot Packets : 13463541
Tot Pkt Lost : 2890133
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 0
/proc/net/pf_ring/7195-eth2.11
Appl. Name : Suricata
Tot Packets : 6322912
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65318
/proc/net/pf_ring/7196-eth2.12
Appl. Name : Suricata
Tot Packets : 4960118
Tot Pkt Lost : 66309
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65342
/proc/net/pf_ring/7381-eth3.13
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7383-eth3.14
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7389-eth3.15
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7391-eth3.16
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log Processed: +559626 Lost: -309720
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150608000004 Processed: +405673 Lost: -39608
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +134665 Lost: -41651
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +199478 Lost: -56179
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +202015 Lost: -64280
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +144792 Lost: -55219
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +138168 Lost: -45614
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +145931 Lost: -79232
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142384 Lost: -93918
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +111200 Lost: -58768
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +170675 Lost: -26390
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +160829 Lost: -23526
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +220800 Lost: -98712
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +121634 Lost: -4157
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +383817 Lost: -47196
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +203344 Lost: -217257
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142529 Lost: -33740
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +243511 Lost: -5928
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +154932 Lost: -26336
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +462978 Lost: -3431
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +159543 Lost: -41148
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +185819 Lost: -25878
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +213027 Lost: -27718
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +172679 Lost: -393
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +183188 Lost: -51550
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +116575 Lost: -116274
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +81423 Lost: -8794
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +209425 Lost: -28287
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
7487
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
26732 1:2000419 ET POLICY PE EXE or DLL Windows file download
2541 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1664 1:2220006 SURICATA SMTP no server welcome message
1283 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
946 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
868 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
822 1:2015561 ET INFO PDF Using CCITTFax Filter
553 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
461 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
274 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
271 1:2001219 ET SCAN Potential SSH Scan
257 1:2013298 ET POLICY Nessus Server SSL certificate detected
230 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
213 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
201 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
153 1:2018087 ET INFO Control Panel Applet File Download
144 1:2001329 ET POLICY RDP connection request
141 1:2001330 ET POLICY RDP connection confirm
139 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
133 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
129 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
124 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
121 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
113 1:2013028 ET POLICY curl User-Agent Outbound
99 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
98 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
87 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
87 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
78 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
75 1:2008581 ET P2P BitTorrent DHT ping request
71 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
64 1:2522770 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386
60 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
58 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
48 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
45 1:2522466 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234
42 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
41 1:2522230 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
39 1:2402000 ET DROP Dshield Block Listed Source group 1
39 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
38 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
36 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
35 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
32 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
32 1:2012648 ET POLICY Dropbox Client Broadcasting
31 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
28 1:2000418 ET POLICY Executable and linking format (ELF) file download
26 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
25 1:2522388 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195
24 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
23 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
22 1:2002157 ET CHAT Skype User-Agent detected
18 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
16 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
16 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
14 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
14 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
13 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
13 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
12 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
11 1:2020085 ET ATTACK_RESPONSE Microsoft CScript Banner Outbound
11 1:2000345 ET TROJAN IRC Nick change on non-standard port
10 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
9 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
8 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
8 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
8 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
7 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
7 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
6 1:2000032 ET NETBIOS LSA exploit
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
5 1:2016847 ET INFO Possible Chrome Plugin install
5 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
5 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
5 1:2008120 ET TFTP Outbound TFTP Read Request
4 1:2000334 ET P2P BitTorrent peer sync
4 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
4 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4 1:2019542 ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)
4 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
4 1:2014041404 TLSv1.2 Malicious Heartbleed Request V2
4 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
3 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
3 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
3 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2 1:2013414 ET POLICY Executable served from Amazon S3
2 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
2 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
2 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
2 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
2 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
2 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
2 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
2 1:2000347 ET TROJAN IRC Private message on non-standard port
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
2 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
2 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
2 1:2014906 ET INFO .exe File requested over FTP
2 1:2522906 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454
2 1:2018193 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30
2 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
2 1:2221013 SURICATA HTTP request header invalid
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0
1 1:18206 OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt
1 1:2002664 ET SCAN Nessus User Agent
1 1:2014781 ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net
1 1:2010067 ET POLICY Data POST to an image file (jpg)
1 1:21858 FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2012118 ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect
1 1:2520110 ET TOR Known Tor Exit Node Traffic group 56
1 1:2500068 ET COMPROMISED Known Compromised or Hostile Host Traffic group 35
1 1:2523066 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534
1 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2014727 ET POLICY Outdated Mac Flash Version
1 1:2522660 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331
1 1:2403331 ET CINS Active Threat Intelligence Poor Reputation IP group 32
1 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 1:2500090 ET COMPROMISED Known Compromised or Hostile Host Traffic group 46
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1 1:2017877 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6
1 1:30514 SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2522110 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56
1 1:2014041720 OpenSSL SSLv3 heartbeat read overrun attempt
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2019284 ET ATTACK_RESPONSE Output of id command from HTTP server
1 1:2520132 ET TOR Known Tor Exit Node Traffic group 67
1 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
1 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
1 1:2522526 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264
1 1:2403324 ET CINS Active Threat Intelligence Poor Reputation IP group 25
1 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
1 1:20878 OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt
1 1:2522784 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393
1 1:2403323 ET CINS Active Threat Intelligence Poor Reputation IP group 24
1 1:2008986 ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
1 1:2522718 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360
1 1:2014041714 SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2403314 ET CINS Active Threat Intelligence Poor Reputation IP group 15
1 1:2404015 ET CNC Shadowserver Reported CnC Server IP group 16
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2522132 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2522272 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137
1 1:2014041722 OpenSSL TLSv1.1 heartbeat read overrun attempt
1 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
Total
40287
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1430177 1:2000419 ET POLICY PE EXE or DLL Windows file download
935789 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
900546 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
221289 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
214793 1:2013298 ET POLICY Nessus Server SSL certificate detected
184360 1:2015561 ET INFO PDF Using CCITTFax Filter
157869 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
146003 1:2008117 ET TFTP Outbound TFTP Data Transfer
118188 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
117459 1:2220006 SURICATA SMTP no server welcome message
114367 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
97757 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
94777 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
78288 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
78288 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
77769 1:2001329 ET POLICY RDP connection request
63587 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
45162 1:2001330 ET POLICY RDP connection confirm
43070 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
41652 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
34400 1:2008453 ET SCAN Tomcat Auth Brute Force attempt (admin)
31996 1:2001219 ET SCAN Potential SSH Scan
25392 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
20085 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
19411 1:2002157 ET CHAT Skype User-Agent detected
16890 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
15860 1:2210004 SURICATA STREAM 3way handshake SYNACK resend with different ack
14329 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
13718 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
13083 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
12379 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
12131 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
11892 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
11436 1:2019232 ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
11281 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
10644 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
10298 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
10032 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
9020 1:2221002 SURICATA HTTP request field missing colon
8525 1:2013028 ET POLICY curl User-Agent Outbound
8375 1:2008581 ET P2P BitTorrent DHT ping request
7147 1:31978 OS-OTHER Bash CGI environment variable injection attempt
6349 1:2018087 ET INFO Control Panel Applet File Download
5881 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
5504 1:2019239 ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie
5357 1:2221013 SURICATA HTTP request header invalid
4705 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4639 1:2012648 ET POLICY Dropbox Client Broadcasting
4457 1:25358 APP-DETECT Acunetix web vulnerability scan attempt
3663 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
Total
5649988
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
26732 1:2000419 ET POLICY PE EXE or DLL Windows file download
2540 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1664 1:2220006 SURICATA SMTP no server welcome message
1283 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
946 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
868 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
822 1:2015561 ET INFO PDF Using CCITTFax Filter
553 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
461 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
274 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
271 1:2001219 ET SCAN Potential SSH Scan
257 1:2013298 ET POLICY Nessus Server SSL certificate detected
230 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
213 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
201 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
153 1:2018087 ET INFO Control Panel Applet File Download
144 1:2001329 ET POLICY RDP connection request
141 1:2001330 ET POLICY RDP connection confirm
139 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
133 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
129 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
124 1:2008517 Snort Alert [1:2008517:2]
121 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
113 1:2013028 ET POLICY curl User-Agent Outbound
99 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
98 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
87 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
87 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
78 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
75 1:2008581 ET P2P BitTorrent DHT ping request
71 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
64 1:2522770 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386
60 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
58 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
48 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
45 1:2522466 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234
42 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
41 1:2522230 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
39 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
39 1:2402000 ET DROP Dshield Block Listed Source group 1
38 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
36 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
35 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
32 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
32 1:2012648 ET POLICY Dropbox Client Broadcasting
31 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
28 1:2000418 ET POLICY Executable and linking format (ELF) file download
26 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
25 1:2522388 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195
24 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
23 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
22 1:2002157 ET CHAT Skype User-Agent detected
18 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
16 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
16 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
14 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
14 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
13 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
13 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
12 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
11 1:2020085 ET ATTACK_RESPONSE Microsoft CScript Banner Outbound
11 1:2000345 ET TROJAN IRC Nick change on non-standard port
10 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
9 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
8 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
8 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
8 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
7 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
7 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
6 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2000032 ET NETBIOS LSA exploit
5 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
5 1:2008120 ET TFTP Outbound TFTP Read Request
5 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
5 1:2016847 ET INFO Possible Chrome Plugin install
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
4 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
4 1:2000334 ET P2P BitTorrent peer sync
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
4 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
4 1:2014041404 TLSv1.2 Malicious Heartbleed Request V2
4 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
4 1:2019542 ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
3 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
3 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
3 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
3 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
2 1:2221013 SURICATA HTTP request header invalid
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
2 1:2013414 ET POLICY Executable served from Amazon S3
2 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
2 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
2 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
2 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
2 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
2 1:2522906 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454
2 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
2 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
2 1:2018193 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30
2 1:2014906 ET INFO .exe File requested over FTP
2 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
2 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
2 1:2000347 ET TROJAN IRC Private message on non-standard port
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2500090 ET COMPROMISED Known Compromised or Hostile Host Traffic group 46
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2019284 ET ATTACK_RESPONSE Output of id command from HTTP server
1 1:2522784 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393
1 1:2520110 ET TOR Known Tor Exit Node Traffic group 56
1 1:2522110 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2403324 ET CINS Active Threat Intelligence Poor Reputation IP group 25
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2520132 ET TOR Known Tor Exit Node Traffic group 67
1 1:2522132 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67
1 1:2500068 ET COMPROMISED Known Compromised or Hostile Host Traffic group 35
1 1:2403314 ET CINS Active Threat Intelligence Poor Reputation IP group 15
1 1:2403331 ET CINS Active Threat Intelligence Poor Reputation IP group 32
1 1:2403323 ET CINS Active Threat Intelligence Poor Reputation IP group 24
1 1:2002664 ET SCAN Nessus User Agent
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2404015 ET CNC Shadowserver Reported CnC Server IP group 16
1 1:2522718 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360
1 1:2014727 ET POLICY Outdated Mac Flash Version
1 1:2522272 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137
1 1:2523066 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2014781 ET INFO DYNAMIC_DNS Query to *.3322.net Domain
1 1:2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
1 1:2014041722 OpenSSL TLSv1.1 heartbeat read overrun attempt
1 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
1 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
1 1:2010067 ET POLICY Data POST to an image file (jpg)
1 1:2522660 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331
1 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
1 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
1 1:2014041720 OpenSSL SSLv3 heartbeat read overrun attempt
1 1:2017877 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6
1 1:2008986 Snort Alert [1:2008986:5]
1 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
1 1:2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2522526 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2012118 ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect
1 1:30514 SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2014041714 SSLv3 large heartbeat response - possible ssl heartbleed attempt
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 1:21858 FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt
1 1:20878 OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt
1 1:18206 OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt
Total
40287
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
184026 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
177134 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
153320 1:2000419 ET POLICY PE EXE or DLL Windows file download
147316 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
112205 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
39907 1:2015561 ET INFO PDF Using CCITTFax Filter
21426 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
18988 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
17253 1:2220006 SURICATA SMTP no server welcome message
14457 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
10248 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
7284 1:2013298 ET POLICY Nessus Server SSL certificate detected
7256 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
6946 1:2008517 Snort Alert [1:2008517:2]
5965 1:2221002 SURICATA HTTP request field missing colon
5532 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
4579 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4260 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
4140 1:2001219 ET SCAN Potential SSH Scan
3831 1:2221013 SURICATA HTTP request header invalid
3439 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2816 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
2779 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2629 1:2013028 ET POLICY curl User-Agent Outbound
2421 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2385 1:2001329 ET POLICY RDP connection request
2298 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
2242 1:2001330 ET POLICY RDP connection confirm
2008 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
1915 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
1835 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
1789 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
1749 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
1314 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
1290 1:2008581 ET P2P BitTorrent DHT ping request
975 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
813 1:2018087 ET INFO Control Panel Applet File Download
762 1:2012648 ET POLICY Dropbox Client Broadcasting
714 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
695 1:2018489 ET SCAN NMAP OS Detection Probe
621 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
610 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
605 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
547 1:2522778 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390
523 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
430 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
430 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
424 1:2010066 ET POLICY Data POST to an image file (gif)
420 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
408 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
Total
999876
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2606 supervising syslog-ng
2608 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
2656 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
2647 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
15096 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_150
24821 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_76
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
8
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
6.3T /nsm/elsa/data
424M /var/lib/mysql/syslog
858M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2014-03-20 20:01:00 2015-06-12 13:46:37
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X