Elsa Blank Page can't query


Will B

Jul 21, 2015, 1:07:04 PM7/21/15
to securit...@googlegroups.com


I am pretty sure I broke ELSA;
it's currently a blank page with just the toolbar on the left.

It states in soredacted that apt-get -y dist-upgrade was run... not sure if this happened with soup?

I should also mention that /nsm is on iSCSI that was added last week...

At some point in the server's life this was run:

sudo chown sphinxsearch:sphinxsearch /nsm/elsa/data/sphinx/*
sudo chmod g+s /nsm/elsa/data/sphinx
sudo service sphinxsearch restart
sudo indexer --rotate --all
perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf

sudo service sphinxsearch status
sphinxsearch start/running, process 21664

web_conf info:
},
"peer_id_multiplier": 1000000000000,
"query_timeout": 10000,
"nodes": {
"127.0.0.1": {
"db": "syslog",
"username": "xxxx",
"password": "xxxx",
"port": 3306,
"sphinx_port": 9306

elsa node info:

logs
#"days": 90,
"percentage": 33,
"table_size": 10000000
},
# Size limit for logs + index size. Set this to be 90-95% of your total data disk space.
"log_size_limit" : 20647196000,
"sphinx" : {
#"days": 14,



Here are the logs...


sudo tail -f /nsm/elsa/data/elsa/log/node.log

Getting index schema with command: /usr/bin/indextool --config /etc/sphinxsearch/sphinx.conf --dumpheader temp_71 2>&1
* TRACE [2015/07/21 16:58:02] /opt/elsa/web/../node//Indexer.pm (1889) Indexer::_index_records 32559 [undef]
Unlocked indexes between 66639879 and 66648414
* TRACE [2015/07/21 16:58:02] /opt/elsa/web/../node//Indexer.pm (2828) Indexer::record_host_stats 32559 [undef]
Only found 1 hosts in temp_71
* TRACE [2015/07/21 16:58:07] /opt/elsa/web/../node//Indexer.pm (2860) Indexer::record_host_stats 32559 [undef]
Finished in 5.00607585906982 with 8536 records counted
* TRACE [2015/07/21 16:58:07] /opt/elsa/web/../node//Indexer.pm (620) Indexer::_oversize_log_rotate 32559 [undef]
Effective log_size_limit: 20647196000, archive_limit: 6813574680
* DEBUG [2015/07/21 16:58:07] /opt/elsa/web/../node//Indexer.pm (163) Indexer::_get_current_index_size 32559 [undef]
Current size of indexed logs in database is 2239934912
* TRACE [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (182) Indexer::_get_current_index_size 32559 [undef]
Found size of Sphinx indexes 1028331652 for total size of 3268266564
* DEBUG [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (145) Indexer::_get_current_archive_size 32559 [undef]
Current size of archived logs in database is 7681895669
* DEBUG [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (254) Indexer::rotate_logs 32559 [undef]
Deleted /nsm/elsa/data/elsa/tmp/buffers//1437497776.28674
* TRACE [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (1782) Indexer::_get_lock 32559 [undef]
Locked directory
* TRACE [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (1805) Indexer::_release_lock 32559 [undef]
Unlocked directory
* TRACE [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (1782) Indexer::_get_lock 32559 [undef]
Locked query
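The node.log excerpt above is written as pairs of lines: a header ("* LEVEL [timestamp] file (line) sub pid [user]") followed by the message. As an added example (not ELSA's own code), here is a parser for that format that also cross-checks the size figures the Indexer reports: the archive_limit in the log equals 33% of log_size_limit (33 is the "percentage" value in the posted node config; that relationship is an assumption drawn from the numbers, not from ELSA documentation), the index total equals the database size plus the Sphinx index size, and the archive size is compared against its limit. The sample lines are copied from the post.

```python
"""Parse ELSA node.log entries and sanity-check the log-rotation figures.

Added example, not ELSA code. The sample entries are copied from the posted
node.log; ARCHIVE_PERCENTAGE is the "percentage": 33 value from the posted
elsa_node.conf, assumed here to be the archive share of log_size_limit.
"""
import re

ARCHIVE_PERCENTAGE = 33  # from the posted node config (assumption: archive share)

# Header line: "* TRACE [2015/07/21 16:58:07] /path/Indexer.pm (620) Indexer::sub 32559 [undef]"
HEADER_RE = re.compile(
    r"^\* (?P<level>[A-Z]+) \[(?P<ts>[^\]]+)\] (?P<file>\S+) \((?P<line>\d+)\) "
    r"(?P<sub>\S+) (?P<pid>\d+) \[(?P<user>[^\]]*)\]$"
)

# Message patterns carrying byte counts (all taken from the posted log text).
SIZE_PATTERNS = {
    "log_size_limit": r"Effective log_size_limit: (\d+)",
    "archive_limit": r"archive_limit: (\d+)",
    "indexed_db": r"Current size of indexed logs in database is (\d+)",
    "sphinx": r"Found size of Sphinx indexes (\d+)",
    "index_total": r"for total size of (\d+)",
    "archive": r"Current size of archived logs in database is (\d+)",
}

# Constructed sample: the size-related entries from the posted node.log.
SAMPLE_LOG = """\
* TRACE [2015/07/21 16:58:07] /opt/elsa/web/../node//Indexer.pm (620) Indexer::_oversize_log_rotate 32559 [undef]
Effective log_size_limit: 20647196000, archive_limit: 6813574680
* DEBUG [2015/07/21 16:58:07] /opt/elsa/web/../node//Indexer.pm (163) Indexer::_get_current_index_size 32559 [undef]
Current size of indexed logs in database is 2239934912
* TRACE [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (182) Indexer::_get_current_index_size 32559 [undef]
Found size of Sphinx indexes 1028331652 for total size of 3268266564
* DEBUG [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (145) Indexer::_get_current_archive_size 32559 [undef]
Current size of archived logs in database is 7681895669
* DEBUG [2015/07/21 16:58:08] /opt/elsa/web/../node//Indexer.pm (254) Indexer::rotate_logs 32559 [undef]
Deleted /nsm/elsa/data/elsa/tmp/buffers//1437497776.28674
"""


def parse_node_log(text):
    """Return one dict per entry, pairing each header with its message line(s)."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["line"] = int(current["line"])
            current["pid"] = int(current["pid"])
            current["msg"] = ""
            entries.append(current)
        elif current is not None and line.strip():
            # Continuation line: the message belongs to the most recent header.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries


def extract_sizes(entries):
    """Pull every byte count named in SIZE_PATTERNS out of the entry messages."""
    sizes = {}
    for entry in entries:
        for key, pattern in SIZE_PATTERNS.items():
            m = re.search(pattern, entry["msg"])
            if m:
                sizes[key] = int(m.group(1))
    return sizes


def rotation_report(text, archive_percentage=ARCHIVE_PERCENTAGE):
    """Parse the log and cross-check the figures the Indexer printed."""
    entries = parse_node_log(text)
    sizes = extract_sizes(entries)
    expected_archive_limit = sizes["log_size_limit"] * archive_percentage // 100
    index_budget = sizes["log_size_limit"] - sizes["archive_limit"]
    return {
        "entries": len(entries),
        "sizes": sizes,
        # Does the reported archive_limit match percentage% of log_size_limit?
        "archive_limit_matches_config": expected_archive_limit == sizes["archive_limit"],
        # Does indexed DB size + Sphinx index size add up to the reported total?
        "index_total_consistent": sizes["indexed_db"] + sizes["sphinx"] == sizes["index_total"],
        # Is the archive already past its limit (rotation pressure)?
        "archive_over_limit": sizes["archive"] > sizes["archive_limit"],
        # Is the index side past what remains of log_size_limit?
        "index_over_limit": sizes["index_total"] > index_budget,
        # Buffer files rotate_logs reported deleting in this window.
        "deleted": [e["msg"].split(" ", 1)[1] for e in entries if e["msg"].startswith("Deleted ")],
    }


if __name__ == "__main__":
    for key, value in rotation_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```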


soredacted:

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
bro standalone localhost running 15894 0 20 Jul 21:52:54
Status: SO-server-eth4
* netsniff-ng (full packet data)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* argus[ OK ]
Status: SO-server-eth5
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* argus[ OK ]


=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 134G 100G 28G 79% /
udev 48G 12K 48G 1% /dev
tmpfs 9.5G 880K 9.5G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 48G 0 48G 0% /run/shm
/dev/sdb 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /nsm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iscsid 2322 root 8u IPv4 22603 0t0 TCP *:58499 (LISTEN)
iscsid 2322 root 9u IPv4 23145 0t0 TCP X.X.X.X:43937->X.X.X.X:3260 (ESTABLISHED)
iscsid 2322 root 17u IPv4 23241 0t0 TCP X.X.X.X:60525->X.X.X.X:3260 (ESTABLISHED)
ntpd 3133 ntp 16u IPv4 1750 0t0 UDP *:123
ntpd 3133 ntp 17u IPv6 1753 0t0 UDP *:123
ntpd 3133 ntp 18u IPv4 1760 0t0 UDP X.X.X.X:123
ntpd 3133 ntp 19u IPv4 1762 0t0 UDP X.X.X.X:123
ntpd 3133 ntp 20u IPv4 1764 0t0 UDP X.X.X.X:123
ntpd 3133 ntp 21u IPv4 1766 0t0 UDP X.X.X.X:123
ntpd 3133 ntp 22u IPv6 1768 0t0 UDP [X.X.X.X]:123
ntpd 3133 ntp 23u IPv6 1770 0t0 UDP [X.X.X.X]:123
ntpd 3133 ntp 24u IPv6 1772 0t0 UDP [X.X.X.X]:123
ntpd 3133 ntp 25u IPv6 1774 0t0 UDP [X.X.X.X]:123
sshd 3176 root 3u IPv4 24927 0t0 TCP *:ssh_port (LISTEN)
sshd 3176 root 4u IPv6 24929 0t0 TCP *:ssh_port (LISTEN)
avahi-dae 3213 avahi 12u IPv4 24961 0t0 UDP *:5353
avahi-dae 3213 avahi 13u IPv6 24962 0t0 UDP *:5353
avahi-dae 3213 avahi 14u IPv4 24963 0t0 UDP *:41252
avahi-dae 3213 avahi 15u IPv6 24964 0t0 UDP *:42816
cupsd 3240 root 8u IPv6 1369654 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 3240 root 9u IPv4 1369655 0t0 TCP X.X.X.X:631 (LISTEN)
mysqld 3512 mysql 12u IPv4 19675 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 3512 mysql 290u IPv4 1356459 0t0 TCP X.X.X.X:3306->X.X.X.X:41353 (ESTABLISHED)
mysqld 3512 mysql 295u IPv4 1357063 0t0 TCP X.X.X.X:3306->X.X.X.X:41355 (ESTABLISHED)
/usr/sbin 9287 root 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 9287 root 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9287 root 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9287 root 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
tclsh 15068 SO-user 13u IPv4 1312322 0t0 TCP *:7734 (LISTEN)
tclsh 15068 SO-user 14u IPv4 1312323 0t0 TCP *:7736 (LISTEN)
tclsh 15068 SO-user 15u IPv4 1607828 0t0 TCP X.X.X.X:7736->X.X.X.X:33838 (ESTABLISHED)
tclsh 15068 SO-user 16u IPv4 1611838 0t0 TCP X.X.X.X:7736->X.X.X.X:33842 (ESTABLISHED)
tclsh 15068 SO-user 17u IPv4 1591953 0t0 TCP X.X.X.X:7736->X.X.X.X:33844 (ESTABLISHED)
tclsh 15068 SO-user 18u IPv4 1607007 0t0 TCP X.X.X.X:7736->X.X.X.X:33832 (ESTABLISHED)
tclsh 15068 SO-user 19u IPv4 1607774 0t0 TCP X.X.X.X:7736->X.X.X.X:33830 (ESTABLISHED)
tclsh 15068 SO-user 20u IPv4 1611885 0t0 TCP X.X.X.X:7736->X.X.X.X:33853 (ESTABLISHED)
tclsh 15068 SO-user 21u IPv4 1588821 0t0 TCP X.X.X.X:7736->X.X.X.X:33855 (ESTABLISHED)
tclsh 15068 SO-user 22u IPv4 1593962 0t0 TCP X.X.X.X:7736->X.X.X.X:33848 (ESTABLISHED)
bro 15894 SO-user 4u IPv4 137669 0t0 UDP X.X.X.X:49451->X.X.X.X:53
bro 15983 SO-user 0u IPv4 132059 0t0 TCP *:47760 (LISTEN)
bro 15983 SO-user 1u IPv6 132060 0t0 TCP *:47760 (LISTEN)
bro 15983 SO-user 4u IPv4 137669 0t0 UDP X.X.X.X:49451->X.X.X.X:53
tclsh 18312 SO-user 3u IPv4 1603874 0t0 TCP X.X.X.X:33830->X.X.X.X:7736 (ESTABLISHED)
tclsh 18418 SO-user 3u IPv4 1610810 0t0 TCP X.X.X.X:33832->X.X.X.X:7736 (ESTABLISHED)
sshd 18680 root 3u IPv4 1686504 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:21288 (ESTABLISHED)
tclsh 18874 SO-user 3u IPv4 1591916 0t0 TCP X.X.X.X:33838->X.X.X.X:7736 (ESTABLISHED)
sshd 18933 SO-user 3u IPv4 1686504 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:21288 (ESTABLISHED)
tclsh 19123 SO-user 3u IPv4 1609116 0t0 TCP X.X.X.X:33842->X.X.X.X:7736 (ESTABLISHED)
tclsh 19220 SO-user 3u IPv4 1610965 0t0 TCP X.X.X.X:33844->X.X.X.X:7736 (ESTABLISHED)
tclsh 19491 SO-user 3u IPv4 1607313 0t0 TCP X.X.X.X:33848->X.X.X.X:7736 (ESTABLISHED)
tclsh 19854 SO-user 3u IPv4 1609353 0t0 TCP X.X.X.X:33853->X.X.X.X:7736 (ESTABLISHED)
tclsh 19854 SO-user 4u IPv4 1609354 0t0 TCP X.X.X.X:8401 (LISTEN)
tclsh 19854 SO-user 6u IPv4 1607897 0t0 TCP X.X.X.X:8401->X.X.X.X:38325 (ESTABLISHED)
tclsh 19952 SO-user 3u IPv4 1615032 0t0 TCP X.X.X.X:33855->X.X.X.X:7736 (ESTABLISHED)
tclsh 19952 SO-user 4u IPv4 1615033 0t0 TCP X.X.X.X:8501 (LISTEN)
tclsh 19952 SO-user 6u IPv4 1614079 0t0 TCP X.X.X.X:8501->X.X.X.X:48649 (ESTABLISHED)
ruby1.9.1 21343 www-data 12u IPv4 1700774 0t0 TCP X.X.X.X:50491 (LISTEN)
searchd 21671 sphinxsearch 7u IPv4 1702411 0t0 TCP *:9306 (LISTEN)
searchd 21671 sphinxsearch 8u IPv4 1702412 0t0 TCP *:9312 (LISTEN)
syslog-ng 23656 root 24u IPv4 749835 0t0 TCP *:514 (LISTEN)
syslog-ng 23656 root 25u IPv4 749836 0t0 UDP *:514
/usr/sbin 28550 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28550 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28550 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28550 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
/usr/sbin 28550 www-data 19u IPv4 1731647 0t0 TCP X.X.X.X:444->X.X.X.X:ssh_port062 (ESTABLISHED)
/usr/sbin 28555 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28555 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28555 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28555 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
/usr/sbin 28556 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28556 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28556 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28556 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
/usr/sbin 28557 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28557 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28557 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28557 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
/usr/sbin 28563 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28563 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28563 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28563 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
/usr/sbin 28843 www-data 4u IPv4 24242 0t0 TCP *:443 (LISTEN)
/usr/sbin 28843 www-data 5u IPv4 24245 0t0 TCP *:9876 (LISTEN)
/usr/sbin 28843 www-data 6u IPv4 24247 0t0 TCP *:3154 (LISTEN)
/usr/sbin 28843 www-data 7u IPv4 24251 0t0 TCP *:444 (LISTEN)
barnyard2 32071 SO-user 3u IPv4 1592003 0t0 TCP X.X.X.X:38325->X.X.X.X:8401 (ESTABLISHED)
barnyard2 32071 SO-user 4u IPv4 1357061 0t0 TCP X.X.X.X:41353->X.X.X.X:3306 (ESTABLISHED)
barnyard2 32147 SO-user 3u IPv4 1594007 0t0 TCP X.X.X.X:48649->X.X.X.X:8501 (ESTABLISHED)
barnyard2 32147 SO-user 4u IPv4 1345394 0t0 TCP X.X.X.X:41355->X.X.X.X:3306 (ESTABLISHED)


=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.88 1.63 1.59
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 16:34:57 up 19:04, 2 SO-users, load average: 1.88, 1.63, 1.59
Tasks: 333 total, 4 running, 327 sleeping, 2 stopped, 0 zombie
Cpu(s): 4.5%us, 1.8%sy, 0.1%ni, 93.3%id, 0.1%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 98993164k total, 98500732k used, 492432k free, 85440k buffers
Swap: 49496580k total, 458480k used, 49038100k free, 90973732k cached

%CPU %MEM COMMAND
21.2 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
19.5 0.5 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -F /etc/nsm/SO-server-eth4/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth4/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-1.stats -U
14.8 0.5 snort -c /etc/nsm/SO-server-eth5/snort.conf -u SO-user -g SO-user -i eth5 -F /etc/nsm/SO-server-eth5/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth5/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth5/snort-1.stats -U
11.9 0.0 prads -i eth4 -c /etc/nsm/SO-server-eth4/prads.conf -u SO-user -g SO-user -L /nsm/sensor_data/SO-server-eth4/sancp/ -f /nsm/sensor_data/SO-server-eth4/pads.fifo -b ip or (vlan and ip)
10.4 0.0 netsniff-ng -i eth4 -o /nsm/sensor_data/SO-server-eth4/dailylogs/2015-07-21/ --SO-user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
9.7 0.2 /usr/sbin/mysqld
9.2 0.0 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
7.2 0.0 argus -i eth4 -F /etc/nsm/SO-server-eth4/argus.conf -w /nsm/sensor_data/SO-server-eth4/argus/2015-07-21.log
4.5 0.0 netsniff-ng -i eth5 -o /nsm/sensor_data/SO-server-eth5/dailylogs/2015-07-21/ --SO-user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
4.3 0.0 prads -i eth5 -c /etc/nsm/SO-server-eth5/prads.conf -u SO-user -g SO-user -L /nsm/sensor_data/SO-server-eth5/sancp/ -f /nsm/sensor_data/SO-server-eth5/pads.fifo -b ip or (vlan and ip)
3.3 0.0 argus -i eth5 -F /etc/nsm/SO-server-eth5/argus.conf -w /nsm/sensor_data/SO-server-eth5/argus/2015-07-21.log
1.6 0.1 Rack: /opt/snorby
0.5 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.3 0.0 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth4/sancp_agent.conf
0.3 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.3 0.0 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth5/sancp_agent.conf
0.2 0.0 [kworker/u64:1]
0.2 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-1 -i 1 -U
0.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth5/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth5/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth5/barnyard2.waldo-1 -i 1 -U
0.1 0.0 delayed_job
0.1 0.0 [kworker/u64:0]
0.1 0.0 [ksoftirqd/0]
0.1 0.0 [kworker/u64:3]
0.1 0.5 /usr/bin/searchd --nodetach
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user/SO-SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth4: 10313567
eth5: 6454696

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth4/dailylogs/ - 5 days
1.5T .
51G ./2015-07-17
200G ./2015-07-18
343G ./2015-07-19
525G ./2015-07-20
388G ./2015-07-21

/nsm/sensor_data/SO-server-eth5/dailylogs/ - 2 days
161G .
2.9G ./2015-07-20
158G ./2015-07-21

/nsm/sensor_data/SO-server-eth6/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth7/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth8/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth9/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 5 days
1.4G .
315M ./2015-07-17
180M ./2015-07-18
179M ./2015-07-19
447M ./2015-07-20
261M ./2015-07-21
9.6M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.108639

bro: 1437496497.720373 recvd=523082417 dropped=568269 link=523082417

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth4/snort-1.stats last reported pkt_drop_percent as 1.638
/nsm/sensor_data/SO-server-eth5/snort-1.stats last reported pkt_drop_percent as 3.162

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 3

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/15894-eth4.12
Appl. Name : <unknown>
Tot Packets : 523658097
Tot Pkt Lost : 568269
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/32243-eth4.125
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 362002320
Tot Pkt Lost : 12573607
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 3938

/proc/net/pf_ring/32324-eth5.126
Appl. Name : snort-cluster-56-socket-0
Tot Packets : 170777449
Tot Pkt Lost : 10492495
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 3791

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +133832 Lost: -5763
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +119828 Lost: -640
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +103096 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +186810 Lost: -3686
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +118887 Lost: -3746
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +118604 Lost: -5628
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +120209 Lost: -2710
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +141481 Lost: -36716
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +243996 Lost: -4413
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +121262 Lost: -6182
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +146245 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +136484 Lost: -8834
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +119241 Lost: -9235
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +120803 Lost: -10038
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +120483 Lost: -15182
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +120393 Lost: -16213
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +111064 Lost: -23257
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +118185 Lost: -16194
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +172897 Lost: -6695
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +181359 Lost: -7223
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +104004 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +160497 Lost: -1288
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +124778 Lost: -1
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +172947 Lost: -11886
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720155006 Processed: +145787 Lost: -4774
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720155006 Processed: +124179 Lost: -1
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720213712 Processed: Cannot Lost: open or create file nsm sensor_data SO-server-eth4 dailylogs 2015-07-20 snort
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720213712 Processed: log Lost:
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720213712 Processed: 1437427443! Lost: Read-only file system
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +124269 Lost: -1639
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +146193 Lost: -244
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +225852 Lost: -2733
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +122050 Lost: -6
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +158801 Lost: -12550
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +116932 Lost: -9025
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +118444 Lost: -5866
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +119115 Lost: -22076
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +118988 Lost: -4911
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +132250 Lost: -13641
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +100792 Lost: -5

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
117660

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
4527 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
2605 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
2573 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
2318 1:2014819 ET INFO Packed Executable Download
1914 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
1114 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
963 1:2000419 ET POLICY PE EXE or DLL Windows file download
950 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
875 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
671 1:2100651 GPL SHELLCODE x86 stealth NOOP
555 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
442 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
426 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
420 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
398 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
361 10000:2 PADS Changed Asset - unknown @https
310 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
301 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
244 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
241 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
235 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
219 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
219 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
191 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
146 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
140 1:2014520 ET INFO EXE - Served Attached HTTP
120 1:2101411 GPL SNMP public access udp
118 10000:2 PADS Changed Asset - unknown @microsoft-ds
117 10000:2 PADS Changed Asset - ssl Generic TLS 1.0 SSL
116 1:2001329 ET POLICY RDP connection request
115 1:2008120 ET TFTP Outbound TFTP Read Request
111 1:2402000 ET DROP Dshield Block Listed Source group 1
111 10000:1 PADS New Asset - smb Windows SMB
106 10000:2 PADS Changed Asset - unknown @www
103 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
85 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
74 10000:2 PADS Changed Asset - http Microsoft-IIS 7.5
63 10000:2 PADS Changed Asset - smb Windows SMB
50 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
49 1:2000418 ET POLICY Executable and linking format (ELF) file download
44 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.1)
40 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
40 10000:2 PADS Changed Asset - dns TCP DNS Server
40 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
39 10000:2 PADS Changed Asset - http Microsoft-IIS 6.0
39 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
37 10000:1 PADS New Asset - unknown @www
33 10000:1 PADS New Asset - unknown @https
31 1:2010908 ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
30 10000:2 PADS Changed Asset - http Windows-Update (Agent)
30 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
29 1:2000334 ET P2P BitTorrent peer sync
25 10000:2 PADS Changed Asset - http ccmhttp
25 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
24 1:2008518 ET EXPLOIT SQL sp_configure attempt
22 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
18 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
18 10000:1 PADS New Asset - unknown @microsoft-ds
17 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
17 10000:2 PADS Changed Asset - http OC/15.0.4727.1001 (Microsoft Lync)
17 10000:1 PADS New Asset - unknown @snmp
16 10000:2 PADS Changed Asset - unknown @ldap
16 1:2017174 ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect
15 1:2101603 GPL WEB_SERVER DELETE attempt
15 1:2016671 ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)
15 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
14 1:2008578 ET SCAN Sipvicious Scan
14 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
14 10000:1 PADS New Asset - dns TCP DNS Server
14 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
14 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/5.131.3790.3959)
13 10000:1 PADS New Asset - unknown @domain
12 1:2012648 ET POLICY Dropbox Client Broadcasting
12 1:2016503 ET INFO Java Serialized Data
12 1:2019613 ET POLICY Office Document Download Containing AutoOpen Macro
12 1:2016502 ET INFO Java Serialized Data via vulnerable client
12 1:2016360 ET INFO JAVA - ClassID
11 1:2017330 ET WEB_SERVER SQLi - SELECT and sysobject
11 10000:2 PADS Changed Asset - unknown @smtp
11 10000:2 PADS Changed Asset - http Server: BigIP
11 1:2000105 ET WEB_SERVER SQL sp_password attempt
10 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
10 1:2102469 GPL NETBIOS SMB-DS D$ unicode share access
10 10000:2 PADS Changed Asset - http ocspd/1.0.2
10 10000:2 PADS Changed Asset - http Microsoft-IIS 8.0
10 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
10 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
10 10000:2 PADS Changed Asset - http Microsoft BITS/7.5
10 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
10 10000:2 PADS Changed Asset - http OC/15.0.4737.1000 (Microsoft Lync)
9 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.3)
8 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.17729 Client (Protocol/1.21)
8 1:2019835 ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
8 10000:2 PADS Changed Asset - http ocspd/1.0
8 10000:1 PADS New Asset - http Microsoft (CryptoAPI/6.1)
8 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
8 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
8 1:2015745 ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
8 1:2010524 ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)
7 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
7 1:2100673 GPL SQL sp_start_job - program execution
7 1:2103017 GPL EXPLOIT WINS overflow attempt
7 10000:2 PADS Changed Asset - smtp Generic SMTP (2.0.0)
7 10000:2 PADS Changed Asset - http Microsoft-WebDAV (MiniRedir/6.1.7601)
7 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.0)
7 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)
7 10000:2 PADS Changed Asset - http Apache Coyote 1.1
7 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
7 10000:2 PADS Changed Asset - http ocspd/1.0.3
6 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
6 1:2018087 ET INFO Control Panel Applet File Download
6 10000:1 PADS New Asset - ssl Generic TLS 1.0 SSL
6 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
6 1:2011507 ET WEB_CLIENT PDF With Embedded File
6 1:2009247 ET SHELLCODE Rothenburg Shellcode
6 10000:2 PADS Changed Asset - unknown @domain
5 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.17831 Client (Protocol/1.21)
5 10000:2 PADS Changed Asset - domain DNS SQR No Error
5 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.2)
5 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 12.0.21005.1, Ultimate, SKU:17)
5 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
5 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
5 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
5 10000:2 PADS Changed Asset - http Microsoft Office Word 2013 (15.0.4719) Windows NT 6.1
4 10000:1 PADS New Asset - http Microsoft-IIS 6.0
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
4 10000:2 PADS Changed Asset - http OC/15.0.4737.1000 (Skype for Business)
4 10000:2 PADS Changed Asset - http SMS CCM 5.0
4 10000:1 PADS New Asset - http Microsoft-IIS 7.5
4 10000:2 PADS Changed Asset - http Microsoft Office Excel 2010 (14.0.7147) Windows NT 6.1
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
4 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
4 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
4 1:2103134 GPL WEB_CLIENT PNG large colour depth download attempt
4 10000:1 PADS New Asset - unknown @ldap
4 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 12.0.31101.0, Ultimate, SKU:17)
4 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDS; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)
4 1:2102470 GPL NETBIOS SMB C$ unicode share access
4 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
4 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
4 10000:2 PADS Changed Asset - http Apache 2.2.12 (Ubuntu)
4 1:2003410 ET POLICY FTP Login Successful
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
3 1:2017938 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13
3 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
3 10000:2 PADS Changed Asset - http Microsoft-IIS 8.5
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
3 10000:2 PADS Changed Asset - http Microsoft Office Word 2010 (14.0.7147) Windows NT 6.1
3 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
3 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
3 1:2018383 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)
3 10000:2 PADS Changed Asset - http SMS CCM 5.0 TS
3 10000:2 PADS Changed Asset - http Microsoft-WebDAV (MiniRedir/6.3.9600)
3 10000:2 PADS Changed Asset - http Microsoft Office Outlook 2010
3 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
3 10000:2 PADS Changed Asset - http Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7151; Pro)
3 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
3 10000:1 PADS New Asset - unknown @ntp
2 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
2 10000:2 PADS Changed Asset - http Microsoft Office Protocol Discovery
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143
2 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 9.0.30729.5820)
2 10000:2 PADS Changed Asset - http ccmsetup
2 10000:1 PADS New Asset - http Windows-Update (Agent)
2 1:2403306 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 4
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
2 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2 10000:2 PADS Changed Asset - http Microsoft Office Outlook 2010 (14.0.7153) Windows NT 6.1
2 10000:2 PADS Changed Asset - http VMware VI Client/4.0.0
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
2 1:2013115 ET WEB_SERVER Muieblackcat scanner
2 10000:1 PADS New Asset - http Windows-Update-Agent/7.9.9600.17729 Client (Protocol/1.21)
2 10000:2 PADS Changed Asset - ssh PuTTY Release_0.60 (Protocol 2.0)
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 10.0.40219.457)
2 10000:1 PADS New Asset - domain DNS SQR No Error
2 10000:2 PADS Changed Asset - sql MySQL 5.0.88-classic-nt) (CN[6]*=5e5fa60)</INT_DB_INFO></RATING_ENGINE><RATING_ENGINE><NAME>BWTI ProShip UPS Engine</NAME><DLLPATH>C:\\Program Files (x86)\\ProShip\\Server\\bwti_ups.dll</DLLPATH><DATA_DIR_PATH>C:\\Program Files (x86)\\p
2 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
2 10000:2 PADS Changed Asset - http Microsoft (WNS/6.3)
2 10000:2 PADS Changed Asset - http Microsoft Office Word 2013 (15.0.4737) Windows NT 6.1
2 10000:2 PADS Changed Asset - http Microsoft Office/14.0 (Windows NT 6.1; OWSSUPP 14.0.7153; Pro)
2 10000:2 PADS Changed Asset - http TwistedWeb 8.2.0
2 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
2 1:2500084 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 43
2 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 10.0)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/7.0)
2 10000:1 PADS New Asset - unknown @rtsp
2 10000:1 PADS New Asset - http Microsoft-IIS 8.0
2 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
2 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 10.0.30319.1)
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
2 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 15.8.20082)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:1 PADS New Asset - http Team Foundation (devenv.exe, 12.0.31101.0, Ultimate, SKU:17)
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143
1 10000:1 PADS New Asset - http TeamSoft WinInet Component
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; GoogleToolbar 7.5.6227.252; Windows 6.1; MSIE 9.10.9200.17377)
1 10000:1 PADS New Asset - http Apache 2.2.17 (Ubuntu)
1 10000:2 PADS Changed Asset - http Microsoft NCSI
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.4.2; LGLS740 Build/KOT49I.LS740ZV4) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/X.X.X.X Mobile Safari/537.36 Connections Optimizer (1.4.1445)
1 1:2500008 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5
1 10000:2 PADS Changed Asset - http OpenAPI40DrvLibrary
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7153; ms (office; MSOffice
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
1 1:2002192 ET CHAT MSN status change
1 10000:1 PADS New Asset - http com.rebelvox.voxer 2.7.2.014856
1 1:2403303 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 2
1 10000:1 PADS New Asset - http LiveUpdateEngine (X.X.X.X LUE/X.X.X.X (Windows;6.1;SP1.0;X64;ENU))
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
1 1:2013933 ET POLICY HTTP traffic on port 443 (CONNECT)
1 10000:2 PADS Changed Asset - http Microsoft Office Word 2013
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
1 10000:2 PADS Changed Asset - http ccmhttp¯
1 10000:1 PADS New Asset - unknown @openvpn
1 10000:1 PADS New Asset - http Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7153; Pro)
1 10000:2 PADS Changed Asset - http Debian APT (HTTP/1.3 (1.0.1ubuntu2))
1 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_76
1 10000:2 PADS Changed Asset - ssh Cisco SSH 1.25 (Protocol 2.0)
1 1:2522704 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 353
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; InfoPath.3; Microsoft Outlook 14.0.7153; ms (office; M
1 1:2002327 ET CHAT Google Talk (Jabber) Client Login
1 1:2011738 ET GAMES TeamSpeak2 Standard/Login Part 2
1 10000:2 PADS Changed Asset - http OC/15.0.4623.1000 (Microsoft Lync)
1 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.16403 Client (Protocol/1.20)
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 10000:1 PADS New Asset - http Skype WISPr
1 10000:1 PADS New Asset - http Python (urllib/1.17)
1 10000:2 PADS Changed Asset - http iPhone5,2/8.4 (12H143)
1 1:2403327 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 14
1 10000:2 PADS Changed Asset - http JNLP/1.7.0 javaws/X.X.X.X (<internal>) Java/1.7.0_55
1 1:2500042 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 22
1 10000:2 PADS Changed Asset - http Microsoft Office OneNote 2010
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
1 1:2003615 ET INFO WinUpack Modified PE Header Outbound
1 10000:1 PADS New Asset - unknown @syslog
1 10000:2 PADS Changed Asset - http Microsoft Office OneNote 2013 (15.0.4727) Windows NT 6.2
1 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 10.1.14)
1 10000:1 PADS New Asset - http Apache Coyote 1.1
1 10000:1 PADS New Asset - unknown @imaps
1 10000:2 PADS Changed Asset - http ocspd (unknown version) CFNetwork/520.5.3 Darwin/11.4.2 (x86_64) (Macmini4%2C1)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 5.0.1; SCH (I545 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.2; SM (T800 Build/LRX22G))
1 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 11.0.61030.0, Ultimate, SKU:8)
1 1:2001343 ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
1 10000:1 PADS New Asset - http gSOAP/2.7
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
1 10000:1 PADS New Asset - http RC_ANDROID_7.0_WTL
1 10000:1 PADS New Asset - http Microsoft-IIS 8.5
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 10000:2 PADS Changed Asset - http Microsoft BITS/7.7
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
1 10000:1 PADS New Asset - http OC/15.0.4737.1000 (Microsoft Lync)
1 1:2100230 GPL CHAT Jabber/Google Talk Outgoing Traffic
1 10000:2 PADS Changed Asset - http Debian APT (HTTP/1.3 (0.8.16~exp12ubuntu10.22))
1 10000:1 PADS New Asset - http Apache 2.2.12 (Ubuntu)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5
1 1:2500034 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 18
1 1:2018232 ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)
1 10000:2 PADS Changed Asset - http Microsoft Office Outlook 2010 (14.0.7151) Windows NT 6.1
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
1 10000:1 PADS New Asset - unknown @smtp
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/7.1.7 Safari/537.85.16
1 10000:2 PADS Changed Asset - smtp Generic SMTP (e8c175991f2d43da3915c4a72a5758fc) (mx1.buyseasons.com)
1 10000:1 PADS New Asset - http ccmhttp
1 10000:1 PADS New Asset - http ocspd/1.0.3
1 1:2003614 ET INFO WinUpack Modified PE Header Inbound
1 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
1 10000:2 PADS Changed Asset - http MpCommunication
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
1 10000:2 PADS Changed Asset - http Server: lighttpd
1 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:1 PADS New Asset - http ocspd/1.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)
1 10000:2 PADS Changed Asset - http OC/15.0.4420.1017 (Microsoft Lync)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
1 1:2403343 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 22
1 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
1 10000:1 PADS New Asset - http Valve/Steam HTTP Client 1.0
1 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:1 PADS New Asset - unknown @irc
1 10000:1 PADS New Asset - http Kontiki Client X.X.X.X
1 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
1 10000:2 PADS Changed Asset - http OC/15.0.4727.1001 (Skype for Business)
1 1:2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17
1 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
1 10000:1 PADS New Asset - unknown @pop3
1 10000:2 PADS Changed Asset - sql MySQL 3.1.10-DL,30,0.00,2ct,6,6,,,,0,0,0.00000,0.00000,0,0.00000,0.00000,$0.41,$0.27,$0.27,,$1.99,,,,,$1.99,$1.99,,1.9900,$1.26,,,,,2/12/2009,12/28/2009,,2030,,04 Party,05 Juvenile Party,10 Girl Party,15 Favors and Toys,15 Party F
1 10000:2 PADS Changed Asset - http Microsoft Office Upload Center 2010 (14.0.7147) Windows NT 6.1
1 1:2019601 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4
1 10000:2 PADS Changed Asset - http Apache 2.2.8 (Ubuntu)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Total
26193

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
114125 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
13508 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
8600 1:2014819 ET INFO Packed Executable Download
7851 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
6591 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
6065 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
4976 1:2000419 ET POLICY PE EXE or DLL Windows file download
4642 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
4225 1:2100651 GPL SHELLCODE x86 stealth NOOP
3968 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3519 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
3462 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
3415 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
3100 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
2829 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
1995 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
1912 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
1912 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
1442 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1395 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
1046 1:2014520 ET INFO EXE - Served Attached HTTP
996 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
923 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
840 1:2402000 ET DROP Dshield Block Listed Source group 1
785 1:2001329 ET POLICY RDP connection request
716 10000:2 PADS Changed Asset - unknown @https
680 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
636 1:2101411 GPL SNMP public access udp
624 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
543 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
455 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
450 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
416 1:2016503 ET INFO Java Serialized Data
414 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
368 1:2016502 ET INFO Java Serialized Data via vulnerable client
358 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
280 10000:2 PADS Changed Asset - ssl Generic TLS 1.0 SSL
269 10000:2 PADS Changed Asset - unknown @microsoft-ds
268 10000:1 PADS New Asset - smb Windows SMB
257 1:2008120 ET TFTP Outbound TFTP Read Request
241 1:2000418 ET POLICY Executable and linking format (ELF) file download
230 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
217 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
215 10000:2 PADS Changed Asset - unknown @www
191 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
175 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
174 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
171 10000:2 PADS Changed Asset - smb Windows SMB
168 1:2000334 ET P2P BitTorrent peer sync
158 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
Total
219882

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
4527 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
2605 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
2573 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
2318 1:2014819 ET INFO Packed Executable Download
1914 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
1078 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
963 1:2000419 ET POLICY PE EXE or DLL Windows file download
951 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
875 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
671 1:2100651 GPL SHELLCODE x86 stealth NOOP
555 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
442 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
426 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
420 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
398 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
310 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
244 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
241 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
235 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
219 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
219 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
191 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
146 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
140 1:2014520 ET INFO EXE - Served Attached HTTP
121 1:2101411 GPL SNMP public access udp
116 1:2001329 ET POLICY RDP connection request
115 1:2008120 ET TFTP Outbound TFTP Read Request
106 1:2402000 ET DROP Dshield Block Listed Source group 1
103 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
50 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
49 1:2000418 ET POLICY Executable and linking format (ELF) file download
39 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
36 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
31 1:2010908 ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
30 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
29 1:2000334 ET P2P BitTorrent peer sync
25 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
24 1:2008518 ET EXPLOIT SQL sp_configure attempt
16 1:2017174 ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect
15 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
15 1:2101603 GPL WEB_SERVER DELETE attempt
15 1:2016671 ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)
14 1:2008578 ET SCAN Sipvicious Scan
14 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
14 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
14 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
12 1:2016503 ET INFO Java Serialized Data
12 1:2016502 ET INFO Java Serialized Data via vulnerable client
12 1:2019613 ET POLICY Office Document Download Containing AutoOpen Macro
12 1:2012648 ET POLICY Dropbox Client Broadcasting
12 1:2016360 ET INFO JAVA - ClassID
11 1:2000105 ET WEB_SERVER SQL sp_password attempt
11 1:2017330 ET WEB_SERVER SQLi - SELECT and sysobject
10 1:2102469 GPL NETBIOS SMB-DS D$ unicode share access
8 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
8 1:2010524 ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)
8 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
8 1:2019835 ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
8 1:2015745 ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
7 1:2103017 GPL EXPLOIT WINS overflow attempt
7 1:2100673 GPL SQL sp_start_job - program execution
6 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
6 1:2009247 ET SHELLCODE Rothenburg Shellcode
6 1:2018087 ET INFO Control Panel Applet File Download
6 1:2011507 ET WEB_CLIENT PDF With Embedded File
5 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
5 1:2402001 ET DROP Dshield Block Listed Source group 1
5 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
4 1:2003410 ET POLICY FTP Login Successful
4 1:2102470 GPL NETBIOS SMB C$ unicode share access
4 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
4 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
4 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
4 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
4 1:2103134 GPL WEB_CLIENT PNG large colour depth download attempt
4 1:90019401 ET POLICY Vulnerable Java Version 1.8.x Detected
3 1:2018383 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)
3 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
3 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
3 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
3 1:2017938 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13
3 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
3 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2 1:2500084 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 43
2 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
2 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
2 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
2 1:2013115 ET WEB_SERVER Muieblackcat scanner
2 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
2 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2 1:2403306 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 4
1 1:2500042 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 22
1 1:2500034 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 18
1 1:2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17
1 1:2522704 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 353
1 1:2403343 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 22
1 1:2002192 ET CHAT MSN status change
1 1:2403303 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 2
1 1:2003615 ET INFO WinUpack Modified PE Header Outbound
1 1:2003614 ET INFO WinUpack Modified PE Header Inbound
1 1:2011738 ET GAMES TeamSpeak2 Standard/Login Part 2
1 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
1 1:2500008 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5
1 1:2001343 ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C
1 1:2403327 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 14
1 1:2013933 ET POLICY HTTP traffic on port 443 (CONNECT)
1 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
1 1:2019601 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4
1 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
1 1:2018232 ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)
1 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
1 1:2002327 ET CHAT Google Talk (Jabber) Client Login
1 1:2100230 GPL CHAT Jabber/Google Talk Outgoing Traffic
1 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
1 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
1 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
Total
23935

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
115385 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
69753 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
40001 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
27139 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
19885 1:2014819 ET INFO Packed Executable Download
19606 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
18876 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
15708 1:2000419 ET POLICY PE EXE or DLL Windows file download
15334 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
14829 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
12607 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
12445 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
12369 1:2100651 GPL SHELLCODE x86 stealth NOOP
11049 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
9933 1:2101892 GPL SNMP null community string attempt
7656 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
7299 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
5743 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
4641 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
4574 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
4234 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
4234 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
3294 1:2014520 ET INFO EXE - Served Attached HTTP
2245 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2124 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2028 1:2001329 ET POLICY RDP connection request
1856 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
1758 1:2101411 GPL SNMP public access udp
1583 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
1402 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1267 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
1256 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1246 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
1054 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
924 1:2000418 ET POLICY Executable and linking format (ELF) file download
907 1:2016503 ET INFO Java Serialized Data
766 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
758 1:2102470 GPL NETBIOS SMB C$ unicode share access
758 1:2008120 ET TFTP Outbound TFTP Read Request
716 1:2000032 ET NETBIOS LSA exploit
680 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
578 1:2014726 ET POLICY Outdated Windows Flash Version IE
557 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
534 1:2000334 ET P2P BitTorrent peer sync
516 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
501 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
431 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
393 1:2018373 ET CURRENT_EVENTS Malformed HeartBeat Response
392 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
380 1:2402000 ET DROP Dshield Block Listed Source group 1
Total
499846

=========================================================================
Last update
=========================================================================
Start-Date: 2015-07-20 15:22:36
Commandline: apt-get -y dist-upgrade
Install: linux-image-3.13.0-57-generic:amd64 (3.13.0-57.95~precise1, automatic), linux-headers-3.13.0-57-generic:amd64 (3.13.0-57.95~precise1, automatic), linux-headers-3.13.0-57:amd64 (3.13.0-57.95~precise1, automatic)
Upgrade: bind9-host:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libnss3:amd64 (3.17.4-0ubuntu0.12.04.1, 3.19.2-0ubuntu0.12.04.1), libwmf0.2-7:amd64 (X.X.X.X-10ubuntu1, X.X.X.X-10ubuntu1.1), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion34, 20120722-0ubuntu0securityonion35), dnsutils:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), securityonion-SO-user-agent-ossec:amd64 (20120726-0ubuntu0securityonion15, 20120726-0ubuntu0securityonion16), php5:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), libcupsfilters1:amd64 (1.0.18-0ubuntu0.2, 1.0.18-0ubuntu0.4), firefox-globalmenu:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), php5-sqlite:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), libdns81:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libapache2-mod-php5:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), php5-gd:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), linux-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), grub-pc:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), libisccc80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), firefox:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), liblwres80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libbind9-80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), firefox-locale-en:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), linux-image-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), grub-pc-bin:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), securityonion-tcpudpflow:amd64 (001-0ubuntu0securityonion1, 001-0ubuntu0securityonion3), libisccfg82:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), linux-headers-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), php5-mysql:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), linux-libc-dev:amd64 (3.2.0-86.124, 3.2.0-87.125), grub-common:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), php5-cli:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), grub2-common:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), libisc83:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), php5-common:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), cups-filters:amd64 (1.0.18-0ubuntu0.2, 1.0.18-0ubuntu0.4), libnss3-1d:amd64 (3.17.4-0ubuntu0.12.04.1, 3.19.2-0ubuntu0.12.04.1)
End-Date: 2015-07-20 15:23:43

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
23655 supervising syslog-ng
23656 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
3512 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
21664 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
14G /nsm/elsa/data
60M /var/lib/mysql/syslog
1.5G /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2015-07-21 12:27:14 2015-07-21 16:33:15


Doug Burks

Jul 21, 2015, 5:51:14 PM
to securit...@googlegroups.com
Hi Will,

Replies inline.

On Tue, Jul 21, 2015 at 1:07 PM, Will B <wib...@gmail.com> wrote:
>
>
> I am pretty sure I broke elsa,
> it's currently a blank page with just the toolbar on left.
>
> it states that in soredacted that apt-get -y dist-upgrade was ran...not sure if this happened with sosoup?

Yes, /usr/bin/soup is just a simple wrapper for apt-get dist-upgrade.

> I should also mention that /nsm is an iscsi that was added last week...

Did you follow all instructions here?
https://github.com/Security-Onion-Solutions/security-onion/wiki/NewDisk

> at somepoint in the server's life this was ran:

When is "somepoint"?

> sudo chown sphinxsearch:sphinxsearch /nsm/elsa/data/sphinx/*
> 1469 sudo chmod g+s /nsm/elsa/data/sphinx
> 1471 sudo service sphinxsearch restart
> 1472 sudo indexer --rotate --all
> 1773 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
>
> sudo service sphinxsearch status
> sphinxsearch start/running, process 21664
>
> web_conf info:
> },
> "peer_id_multiplier": 1000000000000,
> "query_timeout": 10000,

The most recent ELSA packages should have replaced this value in
/etc/elsa_web.conf assuming that elsa_web.conf had no syntax errors.

Have you made any manual changes to that file?

Are there any comments in that file?

Also see:

https://groups.google.com/d/topic/security-onion/BGvfr0vD2jw/discussion

https://groups.google.com/d/topic/security-onion/bSnPjsPVJLE/discussion

> "nodes": {
> "127.0.0.1": {
> "db": "syslog",
> "username": "xxxx",
> "password": "xxxx",
> "port": 3306,
> "sphinx_port": 9306
>
> elsa node info:
>
> logs
> #"days": 90,
> "percentage": 33,
> "table_size": 10000000
> },
> # Size limit for logs + index size. Set this to be 90-95% of your total data disk space.
> "log_size_limit" : 20647196000,
> "sphinx" : {
> #"days": 14,
>
>
>
> here is logs...
>
>
> sudo tail -f /nsm/elsa/data/elsa/log/node.log

If the problem is with the ELSA web interface, you might want to look
at web.log in that same directory.

> soredacted:
>
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * SO-user server[ OK ]
> Status: HIDS
> * ossec_agent (SO-user)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> bro standalone localhost running 15894 0 20 Jul 21:52:54
> Status: SO-server-eth4
> * netsniff-ng (full packet data)[ OK ]
> * snort_agent-1 (SO-user)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]

For best performance, please consider disabling the following services:

* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* argus[ OK ]

https://github.com/Security-Onion-Solutions/security-onion/wiki/DisablingProcesses

<snip>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 134G 100G 28G 79% /
> udev 48G 12K 48G 1% /dev
> tmpfs 9.5G 880K 9.5G 1% /run
> none 5.0M 0 5.0M 0% /run/lock
> none 48G 0 48G 0% /run/shm

Something looks strange here:

/dev/sdb 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /nsm

Why is /mnt listed twice?

Why is /dev/sdc listed twice?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
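Two of the things Doug asks Will to check above can be checked mechanically: whether /etc/elsa_web.conf has syntax errors or comment lines in it, and why a device or mount point shows up twice in the df output. The script below is an added example, not code from this thread or from the ELSA or Security Onion projects. It assumes that ELSA's config files are JSON in which whole lines may be commented out with a leading `#` (as the quoted elsa_node.conf excerpt shows) and that the df output has the layout quoted in the thread; the sample config and df text it ships with are constructed for the demonstration.

```python
"""Post-upgrade sanity checks for an ELSA / Security Onion box.

Added example, not part of the original thread or of the ELSA/Security Onion
code. Assumptions: ELSA config files are JSON in which whole lines may be
commented out with a leading '#'; df output is in the usual 'df -h' layout.
"""
import json
import re
import sys
from collections import defaultdict

COMMENT_RE = re.compile(r"^\s*#")


def check_elsa_conf(text):
    """Return (ok, comment_lines, error) for an ELSA-style JSON config.

    comment_lines: 1-based numbers of lines that start with '#'. They are
    blanked (not deleted) before parsing so that reported line numbers still
    match the file on disk.
    error: None if the remaining text is valid JSON, otherwise a string with
    the line/column of the first syntax error.
    """
    lines = text.splitlines()
    comment_lines = [i for i, ln in enumerate(lines, 1) if COMMENT_RE.match(ln)]
    stripped = "\n".join("" if COMMENT_RE.match(ln) else ln for ln in lines)
    try:
        json.loads(stripped)
    except json.JSONDecodeError as exc:
        return False, comment_lines, f"line {exc.lineno}, col {exc.colno}: {exc.msg}"
    return True, comment_lines, None


def find_duplicate_mounts(df_text):
    """Parse 'df -h' output; report /dev devices mounted more than once and
    mount points that appear more than once (the oddity in Will's sostat)."""
    by_dev = defaultdict(list)
    by_mnt = defaultdict(list)
    for ln in df_text.splitlines()[1:]:  # skip the header row
        parts = ln.split()
        if len(parts) < 6:
            continue
        dev, mnt = parts[0], " ".join(parts[5:])  # mount point may contain spaces
        by_dev[dev].append(mnt)
        by_mnt[mnt].append(dev)
    return {
        "devices": {d: m for d, m in by_dev.items() if d.startswith("/dev/") and len(m) > 1},
        "mountpoints": {m: d for m, d in by_mnt.items() if len(d) > 1},
    }


# Constructed samples: a clean config, a config with comment lines and a
# trailing comma (invalid JSON), and a df excerpt with the duplicate mounts.
GOOD_CONF = """{
  "peer_id_multiplier": 1000000000000,
  "query_timeout": 10000,
  "nodes": {
    "127.0.0.1": {"db": "syslog", "username": "xxxx", "password": "xxxx",
                  "port": 3306, "sphinx_port": 9306}
  }
}
"""

BAD_CONF = """{
  # archive settings (constructed comment line)
  "log_size_limit": 20647196000,
  "sphinx": {
    #"days": 14,
    "percentage": 33,
  }
}
"""

DF_SAMPLE = """Filesystem Size Used Avail Use% Mounted on
/dev/sda1 134G 100G 28G 79% /
udev 48G 12K 48G 1% /dev
tmpfs 9.5G 880K 9.5G 1% /run
/dev/sdb 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /mnt
/dev/sdc 4.0T 1.7T 2.2T 45% /nsm
"""

if __name__ == "__main__":
    # Optionally pass a real config path, e.g. /etc/elsa_web.conf.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    ok, comments, err = check_elsa_conf(src)
    print("config ok:", ok, "| comment lines:", comments, "| error:", err)
    print("duplicate mounts:", find_duplicate_mounts(DF_SAMPLE))
```

Run it with the path to the config as its only argument to check a real file; with no argument it runs against the constructed samples, where the bad config is reported at line 7 (the `}` after the trailing comma) and /dev/sdc and /mnt are each listed twice.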

Will B

Jul 22, 2015, 5:22:11 PM
to security-onion
Hi Doug, thanks for the help.
I disabled some processes.
I did follow the add disk on the wiki.
I don't know why sdc/sdb was mounted, but I fixed that.
I want to say those commands were run last month.

Thanks,

Will

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
bro standalone localhost running 13139 0 22 Jul 20:57:30
Status: SO-server-eth4
* netsniff-ng (full packet data)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* pads_agent (SO-user)[ OK ]
Status: SO-server-eth5
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* pads_agent (SO-user)[ OK ]
Status: SO-server-eth6
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* pads_agent (SO-user)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131003 errors:0 dropped:0 overruns:0 frame:0
TX packets:61060 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40590106 (40.5 MB) TX bytes:16995377 (16.9 MB)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth4 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:842501379 errors:0 dropped:0 overruns:52593 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:761501343813 (761.5 GB) TX bytes:0 (0.0 B)
Memory:ddfc0000-ddfe0000

eth5 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:434055041 errors:0 dropped:0 overruns:97119 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:406389895894 (406.3 GB) TX bytes:0 (0.0 B)
Memory:ddfe0000-de000000

eth6 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:166784709 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111489010002 (111.4 GB) TX bytes:0 (0.0 B)
Memory:dd3c0000-dd3e0000

eth7 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:dd3e0000-dd400000

eth8 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:65106 errors:0 dropped:0 overruns:0 frame:0
TX packets:142507 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:393615390 (393.6 MB) TX bytes:114783022 (114.7 MB)

eth9 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31481423 errors:0 dropped:0 overruns:0 frame:0
TX packets:901189317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6454508352 (6.4 GB) TX bytes:1350068151034 (1.3 TB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2186254 errors:0 dropped:0 overruns:0 frame:0
TX packets:2186254 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1243594418 (1.2 GB) TX bytes:1243594418 (1.2 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1243594418 2186254 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1243594418 2186254 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
40590106 131003 0 0 0 49161
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
16995377 61060 0 0 0 0
393615390 65106 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
114783022 142507 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth4: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
761501489499 842501582 0 0 0 104138
RX errors: length crc frame fifo missed
0 0 0 52593 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
8: eth9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
6454508352 31481423 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1350068151034 901189317 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
9: eth5: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
406389981420 434055151 0 0 0 6030897
RX errors: length crc frame fifo missed
0 0 0 97119 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
10: eth6: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
111489054570 166784755 0 0 0 52075
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
11: eth7: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       134G  100G   28G  79% /
udev             48G   12K   48G   1% /dev
tmpfs           9.5G  884K  9.5G   1% /run
none             48G   88K   48G   1% /run/shm
/dev/sdc        4.0T  2.8T  1.1T  72% /nsm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iscsid 2380 root 8u IPv4 16577 0t0 TCP *:35898 (LISTEN)
iscsid 2380 root 9u IPv4 11510 0t0 TCP X.X.X.X:41893->X.X.X.X:3260 (ESTABLISHED)
iscsid 2380 root 17u IPv4 11534 0t0 TCP X.X.X.X:42660->X.X.X.X:3260 (ESTABLISHED)
avahi-dae 2907 avahi 12u IPv4 17615 0t0 UDP *:5353
avahi-dae 2907 avahi 13u IPv6 17616 0t0 UDP *:5353
avahi-dae 2907 avahi 14u IPv4 17617 0t0 UDP *:37130
avahi-dae 2907 avahi 15u IPv6 17618 0t0 UDP *:38828
cupsd 2929 root 8u IPv6 1553453 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2929 root 9u IPv4 1553454 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 3146 root 3u IPv4 2021 0t0 TCP *:ssh_port (LISTEN)
sshd 3146 root 4u IPv6 2023 0t0 TCP *:ssh_port (LISTEN)
ossec-csy 3602 ossecm 5u IPv4 25624 0t0 UDP X.X.X.X:43354->X.X.X.X:514
ossec-rem 3627 ossecr 4u IPv4 24668 0t0 UDP *:1514
sshd 7748 root 3u IPv4 3036837 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:33392 (ESTABLISHED)
sshd 8009 SO-user 3u IPv4 3036837 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:33392 (ESTABLISHED)
ntpd 8524 ntp 16u IPv4 31825 0t0 UDP *:123
ntpd 8524 ntp 17u IPv6 31826 0t0 UDP *:123
ntpd 8524 ntp 18u IPv4 31832 0t0 UDP X.X.X.X:123
ntpd 8524 ntp 19u IPv4 31833 0t0 UDP X.X.X.X:123
ntpd 8524 ntp 20u IPv4 31834 0t0 UDP X.X.X.X:123
ntpd 8524 ntp 21u IPv4 31835 0t0 UDP X.X.X.X:123
ntpd 8524 ntp 22u IPv6 31836 0t0 UDP [X.X.X.X]:123
ntpd 8524 ntp 23u IPv6 31837 0t0 UDP [X.X.X.X]:123
ntpd 8524 ntp 24u IPv6 31838 0t0 UDP [X.X.X.X]:123
ntpd 8524 ntp 25u IPv6 31839 0t0 UDP [X.X.X.X]:123
/usr/sbin 10413 root 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 10413 root 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10413 root 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
tclsh 11891 SO-user 13u IPv4 3371674 0t0 TCP *:7734 (LISTEN)
tclsh 11891 SO-user 14u IPv4 3371675 0t0 TCP *:7736 (LISTEN)
tclsh 11891 SO-user 15u IPv4 3400774 0t0 TCP X.X.X.X:7736->X.X.X.X:36677 (ESTABLISHED)
tclsh 11891 SO-user 16u IPv4 3394121 0t0 TCP X.X.X.X:7736->X.X.X.X:36678 (ESTABLISHED)
tclsh 11891 SO-user 17u IPv4 3374902 0t0 TCP X.X.X.X:7736->X.X.X.X:36679 (ESTABLISHED)
tclsh 11891 SO-user 18u IPv4 3400776 0t0 TCP X.X.X.X:7736->X.X.X.X:36680 (ESTABLISHED)
tclsh 11891 SO-user 19u IPv4 3371676 0t0 TCP X.X.X.X:7736->X.X.X.X:36681 (ESTABLISHED)
tclsh 11891 SO-user 20u IPv4 3400038 0t0 TCP X.X.X.X:7736->X.X.X.X:36682 (ESTABLISHED)
tclsh 11891 SO-user 21u IPv4 3400039 0t0 TCP X.X.X.X:7736->X.X.X.X:36683 (ESTABLISHED)
tclsh 11891 SO-user 22u IPv4 3400040 0t0 TCP X.X.X.X:7736->X.X.X.X:36684 (ESTABLISHED)
tclsh 11891 SO-user 23u IPv4 3394124 0t0 TCP X.X.X.X:7736->X.X.X.X:36685 (ESTABLISHED)
tclsh 11973 SO-user 3u IPv4 3398921 0t0 TCP X.X.X.X:36680->X.X.X.X:7736 (ESTABLISHED)
bro 13139 SO-user 4u IPv4 3386280 0t0 UDP X.X.X.X:34864->X.X.X.X:53
bro 13143 SO-user 0u IPv4 3386293 0t0 TCP *:47760 (LISTEN)
bro 13143 SO-user 1u IPv6 3386294 0t0 TCP *:47760 (LISTEN)
bro 13143 SO-user 4u IPv4 3386280 0t0 UDP X.X.X.X:34864->X.X.X.X:53
tclsh 13270 SO-user 3u IPv4 3394608 0t0 TCP X.X.X.X:8401 (LISTEN)
tclsh 13270 SO-user 5u IPv4 3383796 0t0 TCP X.X.X.X:8401->X.X.X.X:51954 (ESTABLISHED)
tclsh 13270 SO-user 7u IPv4 3374903 0t0 TCP X.X.X.X:36682->X.X.X.X:7736 (ESTABLISHED)
barnyard2 13386 SO-user 3u IPv4 3397633 0t0 TCP X.X.X.X:51954->X.X.X.X:8401 (ESTABLISHED)
tclsh 13439 SO-user 6u IPv4 3394120 0t0 TCP X.X.X.X:36677->X.X.X.X:7736 (ESTABLISHED)
tclsh 13540 SO-user 3u IPv4 3400775 0t0 TCP X.X.X.X:36679->X.X.X.X:7736 (ESTABLISHED)
tclsh 13591 SO-user 3u IPv4 3396670 0t0 TCP X.X.X.X:8501 (LISTEN)
tclsh 13591 SO-user 5u IPv4 3395857 0t0 TCP X.X.X.X:8501->X.X.X.X:34531 (ESTABLISHED)
tclsh 13591 SO-user 7u IPv4 3383828 0t0 TCP X.X.X.X:36681->X.X.X.X:7736 (ESTABLISHED)
barnyard2 13701 SO-user 3u IPv4 3371663 0t0 TCP X.X.X.X:34531->X.X.X.X:8501 (ESTABLISHED)
tclsh 13750 SO-user 6u IPv4 3394123 0t0 TCP X.X.X.X:36683->X.X.X.X:7736 (ESTABLISHED)
tclsh 13845 SO-user 3u IPv4 3398143 0t0 TCP X.X.X.X:36684->X.X.X.X:7736 (ESTABLISHED)
tclsh 13897 SO-user 3u IPv4 3388081 0t0 TCP X.X.X.X:8601 (LISTEN)
tclsh 13897 SO-user 5u IPv4 3388177 0t0 TCP X.X.X.X:8601->X.X.X.X:54412 (ESTABLISHED)
tclsh 13897 SO-user 7u IPv4 3400777 0t0 TCP X.X.X.X:36685->X.X.X.X:7736 (ESTABLISHED)
barnyard2 13992 SO-user 3u IPv4 3374852 0t0 TCP X.X.X.X:54412->X.X.X.X:8601 (ESTABLISHED)
tclsh 14041 SO-user 6u IPv4 3400037 0t0 TCP X.X.X.X:36678->X.X.X.X:7736 (ESTABLISHED)
searchd 14109 sphinxsearch 7u IPv4 3398866 0t0 TCP *:9306 (LISTEN)
searchd 14109 sphinxsearch 8u IPv4 3398867 0t0 TCP *:9312 (LISTEN)
/usr/sbin 17690 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 17690 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 17690 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
/usr/sbin 17691 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 17691 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 17691 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
/usr/sbin 17692 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 17692 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 17692 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
/usr/sbin 17693 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 17693 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 17693 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18008 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 18008 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18008 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18045 www-data 4u IPv4 32356 0t0 TCP *:443 (LISTEN)
/usr/sbin 18045 www-data 5u IPv4 32359 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18045 www-data 6u IPv4 32361 0t0 TCP *:3154 (LISTEN)
dema 20500 root 4u IPv4 3303404 0t0 TCP *:30001 (LISTEN)
dema 20500 root 5u IPv6 3303405 0t0 TCP *:30001 (LISTEN)
syslog-ng 31988 root 24u IPv4 345116 0t0 TCP *:514 (LISTEN)
syslog-ng 31988 root 25u IPv4 345117 0t0 UDP *:514
mysqld 32343 mysql 10u IPv4 3342258 0t0 TCP X.X.X.X:3306 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================
Wed Jul 22 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
New:-------5
Deleted:---0
Enabled Rules:----17913
Dropped Rules:----1
Disabled Rules:---4026
Total Rules:------21940
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth4
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth5
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth6
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth4
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
Restarting: SO-server-eth5
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
Restarting: SO-server-eth6
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.76 1.53 1.63
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 21:15:41 up 23:28, 2 SO-users, load average: 1.76, 1.53, 1.63
Tasks: 430 total, 4 running, 375 sleeping, 46 stopped, 5 zombie
Cpu(s): 5.2%us, 2.4%sy, 0.1%ni, 91.8%id, 0.2%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 98993164k total, 98517076k used, 476088k free, 32148k buffers
Swap: 49496580k total, 377376k used, 49119204k free, 91614184k cached

%CPU %MEM COMMAND
40.1 0.3 snort -c /etc/nsm/SO-server-eth5/snort.conf -u SO-user -g SO-user -i eth5 -F /etc/nsm/SO-server-eth5/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth5/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth5/snort-1.stats -U
37.7 0.3 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -F /etc/nsm/SO-server-eth4/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth4/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-1.stats -U
27.5 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
20.0 0.0 netsniff-ng -i eth4 -o /nsm/sensor_data/SO-server-eth4/dailylogs/2015-07-22/ --SO-user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
17.5 0.0 netsniff-ng -i eth5 -o /nsm/sensor_data/SO-server-eth5/dailylogs/2015-07-22/ --SO-user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
8.6 0.0 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
7.3 0.1 /usr/sbin/mysqld
5.6 0.0 netsniff-ng -i eth6 -o /nsm/sensor_data/SO-server-eth6/dailylogs/2015-07-22/ --SO-user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
5.5 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
4.6 0.3 snort -c /etc/nsm/SO-server-eth6/snort.conf -u SO-user -g SO-user -i eth6 -F /etc/nsm/SO-server-eth6/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth6/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth6/snort-1.stats -U
0.7 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.6 0.0 [ksoftirqd/0]
0.6 0.0 barnyard2 -c /etc/nsm/SO-server-eth5/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth5/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth5/barnyard2.waldo-1 -i 1 -U
0.6 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-1 -i 1 -U
0.6 0.0 barnyard2 -c /etc/nsm/SO-server-eth6/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth6/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth6/barnyard2.waldo-1 -i 1 -U
0.3 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.3 0.0 [kworker/u64:0]
0.3 0.0 [kworker/u64:2]
0.2 0.0 [kipmi0]
0.2 0.0 [kworker/u64:3]
0.2 0.0 [kworker/u64:1]
0.2 0.0 [kswapd0]
0.2 0.5 /usr/bin/searchd --nodetach
0.1 0.0 [rcu_sched]
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 [kworker/u65:1]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 [kworker/u65:0]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [khugepaged]
0.0 0.0 [rcuos/11]
0.0 0.0 [kworker/u65:2]
0.0 0.0 wish /usr/bin/SO-user.tk
0.0 0.0 [rcuos/0]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth5/snort_agent-1.conf
0.0 0.0 [rcuos/10]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuos/12]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuos/6]
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuos/3]
0.0 0.0 [kworker/6:1]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/iscsid
0.0 0.0 [ksoftirqd/4]
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 xfdesktop
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/12:0]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [jbd2/sdc-8]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/0]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth5/pcap_agent.conf
0.0 0.0 -bash
0.0 0.0 [rcuos/8]
0.0 0.0 vim sostat
0.0 0.0 Thunar --daemon
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth6/pcap_agent.conf
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [ksoftirqd/15]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [rcuos/9]
0.0 0.0 /sbin/init
0.0 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth6/pads_agent.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth6/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth5/pads_agent.conf
0.0 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth4/pads_agent.conf
0.0 0.0 vim sostat
0.0 0.0 /var/ossec/bin/ossec-remoted
0.0 0.0 vim sostat
0.0 0.0 xfce4-panel
0.0 0.0 xfce4-power-manager
0.0 0.0 [ksoftirqd/14]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 vim elsa_web.conf
0.0 0.0 [migration/11]
0.0 0.0 vim sostat
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 vim sostat
0.0 0.0 [ksoftirqd/10]
0.0 0.0 xfwm4 --replace
0.0 0.0 [ksoftirqd/3]
0.0 0.0 vim sensor.conf
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/2:0]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 update-notifier
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/4:2]
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 xscreensaver -no-splash
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/11:0]
0.0 0.0 /usr/lib/udisks/udisks-daemon
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/10:0]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/9:2]
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 [migration/14]
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 cron
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 18874403 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/11:2]
0.0 0.0 vim sostat
0.0 0.0 [kworker/15:1]
0.0 0.0 bash
0.0 0.0 [watchdog/0]
0.0 0.0 [migration/2]
0.0 0.0 /usr/bin/xfce4-terminal
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [watchdog/10]
0.0 0.0 PassengerHelperAgent
0.0 0.0 vim /home/SO-user/sostat
0.0 0.0 nm-applet
0.0 0.0 [migration/12]
0.0 0.0 [kworker/3:0]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel-plugins/xfce4-indicator-plugin 5 18874402 indicator Indicator Plugin An indicator of something that needs your attention on the desktop
0.0 0.0 [migration/9]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [migration/13]
0.0 0.0 [migration/4]
0.0 0.0 vim local.rules
0.0 0.0 [migration/8]
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 vim sosetup
0.0 0.0 [kworker/1:0]
0.0 0.0 [migration/6]
0.0 0.0 [migration/15]
0.0 0.0 vim sostat
0.0 0.0 /bin/bash /usr/sbin/nsm_sensor_ps-restart
0.0 0.0 [watchdog/8]
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 18874416 thunar-tpa Trash Applet Display the trash can
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.0 PassengerLoggingAgent
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/3]
0.0 0.0 [watchdog/11]
0.0 0.0 [watchdog/5]
0.0 0.0 [watchdog/7]
0.0 0.0 [watchdog/9]
0.0 0.0 [watchdog/13]
0.0 0.0 [watchdog/15]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [watchdog/2]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/6]
0.0 0.0 [watchdog/12]
0.0 0.0 [watchdog/14]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 xfce4-volumed
0.0 0.0 xfce4-settings-helper
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 18874409 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 vim so_rules.rules
0.0 0.0 vim local.rules
0.0 0.0 [migration/5]
0.0 0.0 vim SO-userd.access
0.0 0.0 vim administration.conf
0.0 0.0 vim securityonion.conf
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 /bin/bash /usr/sbin/nsm --all --restart
0.0 0.0 [migration/3]
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 18874401 systray Notification Area Area where notification icons appear
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/gvfs/gvfsd-dnssd --spawner :1.11 /org/gtk/gvfs/exec_spaw/3
0.0 0.0 vim servertab
0.0 0.0 [migration/7]
0.0 0.0 /bin/bash /usr/sbin/nsm --all --status
0.0 0.0 /bin/bash /usr/sbin/nsm_sensor_ps-status
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 vim SO-userd.SO-users
0.0 0.0 vim servertab
0.0 0.0 vim secuirityonion.conf
0.0 0.0 [khungtaskd]
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.11 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 Passenger spawn server
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 lightdm
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kthreadd]
0.0 0.0 [khubd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [scsi_eh_1]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 [kworker/2:0H]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [kworker/13:0]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [kworker/14:0]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [ksmd]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [edac-poller]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 [kpsmoused]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [iscsi_eh]
0.0 0.0 [ib_addr]
0.0 0.0 [ib_mcast]
0.0 0.0 [iw_cm_wq]
0.0 0.0 [ib_cm]
0.0 0.0 [rdma_cm]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [iscsi_q_3]
0.0 0.0 [scsi_wq_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [iscsi_q_4]
0.0 0.0 [scsi_wq_4]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 sudo sostat /home/SO-user/sostat
0.0 0.0 /bin/bash /usr/bin/sostat /home/SO-user/sostat
0.0 0.0 [su] <defunct>
0.0 0.0 sudo sostat
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 /bin/bash /etc/init.d/nsm status
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed s/?[^mk]*[mk]//g;s/[??]//g
0.0 0.0 /bin/bash /usr/sbin/nsm_sensor --status
0.0 0.0 [su] <defunct>
0.0 0.0 [grep] <defunct>
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 sudo vim /home/SO-user/sostat
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/6:2]
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 sudo vim sosetup
0.0 0.0 [kworker/5:0]
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/SO-user/.gvfs
0.0 0.0 udisks-daemon: not polling any devices
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-network --spawner :1.11 /org/gtk/gvfs/exec_spaw/1
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=SO-users
0.0 0.0 [xfce4-terminal] <defunct>
0.0 0.0 sudo vim servertab
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kworker/7:1]
0.0 0.0 sudo vim elsa_web.conf
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 sudo sostat
0.0 0.0 [su] <defunct>
0.0 0.0 sudo service nsm restart
0.0 0.0 /bin/bash /etc/init.d/nsm restart
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
0.0 0.0 /bin/bash /usr/sbin/nsm_sensor --restart
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth4/pads_agent.conf
0.0 0.0 cat /nsm/sensor_data/SO-server-eth4/pads.fifo
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth5/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth5/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth5/snort-1.stats
0.0 0.0 xargs rm -f
0.0 0.0 rm -f /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150720213712
0.0 0.0 su - SO-user -- /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth5/pads_agent.conf
0.0 0.0 cat /nsm/sensor_data/SO-server-eth5/pads.fifo
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth6/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth6/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth6/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth6/pads_agent.conf
0.0 0.0 cat /nsm/sensor_data/SO-server-eth6/pads.fifo
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/12:1]
0.0 0.0 PassengerWatchdog
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/9:1]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user/SO-SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/10:2]
0.0 0.0 sudo vim servertab
0.0 0.0 sudo vim local.rules
0.0 0.0 supervising syslog-ng

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth4: 10781054
eth5: 9762342
eth6: 1252662

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth4/dailylogs/ - 4 days
2.3T .
343G ./2015-07-19
525G ./2015-07-20
745G ./2015-07-21
662G ./2015-07-22

/nsm/sensor_data/SO-server-eth5/dailylogs/ - 1 days
336G .
336G ./2015-07-22

/nsm/sensor_data/SO-server-eth6/dailylogs/ - 1 days
100G .
100G ./2015-07-22

/nsm/sensor_data/SO-server-eth7/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth8/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth9/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 4 days
1.5G .
179M ./2015-07-19
447M ./2015-07-20
470M ./2015-07-21
369M ./2015-07-22
9.9M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

bro: 1437599741.727591 recvd=18100353 dropped=0 link=18100353

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth4/snort-1.stats last reported pkt_drop_percent as 7.827
/nsm/sensor_data/SO-server-eth5/snort-1.stats last reported pkt_drop_percent as 6.472
/nsm/sensor_data/SO-server-eth6/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 4

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/13139-eth4.312
Appl. Name : <unknown>
Tot Packets : 18141061
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/13338-eth4.313
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 17486227
Tot Pkt Lost : 1172178
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4086

/proc/net/pf_ring/13653-eth5.314
Appl. Name : snort-cluster-56-socket-0
Tot Packets : 15913614
Tot Pkt Lost : 1180846
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 3990

/proc/net/pf_ring/13953-eth6.315
Appl. Name : snort-cluster-57-socket-0
Tot Packets : 2213952
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4074

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +122915 Lost: -10425
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +221728 Lost: -1306
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +122710 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +165677 Lost: -1782
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +147017 Lost: -3182
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +126664 Lost: -13974
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +141957 Lost: -8414
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log Processed: +125099 Lost: -2829
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +133832 Lost: -5763
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +119828 Lost: -640
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +103096 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +186810 Lost: -3686
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +118887 Lost: -3746
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +118604 Lost: -5628
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +120209 Lost: -2710
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +141481 Lost: -36716
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +243996 Lost: -4413
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +121262 Lost: -6182
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +146245 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +136484 Lost: -8834
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +119241 Lost: -9235
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +120803 Lost: -10038
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +120483 Lost: -15182
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +120393 Lost: -16213
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +111064 Lost: -23257
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +118185 Lost: -16194
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +172897 Lost: -6695
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +181359 Lost: -7223
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +104004 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +160497 Lost: -1288
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +124778 Lost: -1
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721174324 Processed: +172947 Lost: -11886
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +162514 Lost: -1302
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +106637 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +170991 Lost: -4687
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +154798 Lost: -3333
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +120645 Lost: -5
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +141754 Lost: -2366
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +120857 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +120945 Lost: -4187
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +120085 Lost: -5506
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +123398 Lost: -1036
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +108707 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +128032 Lost: -3552
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +154170 Lost: -2292
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +105077 Lost: -8
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +131690 Lost: -4417
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +140224 Lost: -8206
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +226274 Lost: -2771
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +132410 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150721215110 Processed: +181161 Lost: -996
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +131772 Lost: -6443
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +140682 Lost: -14045
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +105714 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +130746 Lost: -7630
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120076 Lost: -10704
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +116901 Lost: -6423
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +118711 Lost: -1686
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120579 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +181459 Lost: -1434
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123054 Lost: -7
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +143013 Lost: -3512
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120622 Lost: -13
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +154202 Lost: -3240
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123567 Lost: -5261
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123947 Lost: -10668
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124933 Lost: -593
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125618 Lost: -250
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +138305 Lost: -12562
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +161529 Lost: -7533
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123726 Lost: -7925
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124352 Lost: -95186
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124178 Lost: -9487
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123631 Lost: -1527
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124787 Lost: -5428
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +113442 Lost: -7
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +130210 Lost: -16529
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124296 Lost: -8187
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120050 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +129030 Lost: -5680
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +106130 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +130942 Lost: -9355
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +137997 Lost: -1709
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +110284 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +138803 Lost: -2291
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +109344 Lost: -6
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +143250 Lost: -315
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126205 Lost: -12448
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +127183 Lost: -9613
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +140277 Lost: -10156
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +144761 Lost: -10690
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +141335 Lost: -2745
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126904 Lost: -17888
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126613 Lost: -30986
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +131333 Lost: -359
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128822 Lost: -1208
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128495 Lost: -1990
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +129526 Lost: -4170
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123454 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +130346 Lost: -28059
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125421 Lost: -54258
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123318 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +127266 Lost: -6106
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +122220 Lost: -2079
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +111828 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +139462 Lost: -11205
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +133160 Lost: -8407
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +118353 Lost: -8
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126723 Lost: -27960
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +122802 Lost: -15463
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +152898 Lost: -806
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121844 Lost: -22915
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123852 Lost: -9070
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123398 Lost: -7547
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123578 Lost: -17889
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +122923 Lost: -7414
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121144 Lost: -10
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +150117 Lost: -4823
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +122608 Lost: -6379
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121504 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123689 Lost: -9505
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123673 Lost: -7715
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123669 Lost: -26908
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123114 Lost: -4508
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +122414 Lost: -8218
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +134747 Lost: -6138
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +113392 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +131556 Lost: -2448
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121275 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +142524 Lost: -2066
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +133930 Lost: -5976
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121706 Lost: -8
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +131629 Lost: -1865
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123920 Lost: -7749
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126529 Lost: -1297
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120818 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +127334 Lost: -1470
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128950 Lost: -8334
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128403 Lost: -24534
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125940 Lost: -11
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +127142 Lost: -2151
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125421 Lost: -7375
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124824 Lost: -1041
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +152938 Lost: -25175
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121123 Lost: -1
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123648 Lost: -18219
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +136593 Lost: -17920
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +133793 Lost: -939
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +133426 Lost: -3280
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +133990 Lost: -5788
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +121683 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +139265 Lost: -3222
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125248 Lost: -3606
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125690 Lost: -16038
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +126375 Lost: -3359
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125373 Lost: -4376
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +130020 Lost: -7
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +125361 Lost: -7107
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +123372 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128375 Lost: -3596
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +143244 Lost: -5755
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120232 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +131927 Lost: -3264
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +118647 Lost: -1
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +132947 Lost: -8518
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +108442 Lost: -3
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +136694 Lost: -3631
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +124600 Lost: -7
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +136018 Lost: -20848
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +120289 Lost: -4
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +128001 Lost: -10611
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722170431 Processed: +118668 Lost: -13
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +126869 Lost: -13869
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +125720 Lost: -15334
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +118653 Lost: -2
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +134129 Lost: -8009
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +123191 Lost: -5334
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722182512 Processed: +123197 Lost: -4730
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722201818 Processed: +211708 Lost: -4278
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722201818 Processed: +123020 Lost: -2807
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722201818 Processed: +122269 Lost: -4101
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +132067 Lost: -2132
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +112144 Lost: -183
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +143557 Lost: -819
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +127357 Lost: -15066
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +126096 Lost: -5544
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +128738 Lost: -1074
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +126976 Lost: -8916
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +126626 Lost: -5093
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20150722205518 Processed: +112753 Lost: -3
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +157067 Lost: -6731
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +158989 Lost: -5
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +171836 Lost: -2729
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +121981 Lost: -12
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +142693 Lost: -5950
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +125816 Lost: -13252
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +141334 Lost: -9429
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log Processed: +124530 Lost: -3300
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +124269 Lost: -1639
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +146193 Lost: -244
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +225852 Lost: -2733
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +122050 Lost: -6
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +158801 Lost: -12550
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +116932 Lost: -9025
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +118444 Lost: -5866
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +119115 Lost: -22076
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +118988 Lost: -4911
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +132250 Lost: -13641
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721174341 Processed: +100792 Lost: -5
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +163896 Lost: -7894
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +128139 Lost: -2937
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +160198 Lost: -6223
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +132148 Lost: -126
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +125104 Lost: -2601
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +122390 Lost: -8249
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +125736 Lost: -4045
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +111875 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +154812 Lost: -4627
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +131741 Lost: -5
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +169607 Lost: -5068
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +104366 Lost: -3
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +126636 Lost: -2701
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +120720 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +126649 Lost: -5907
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +117572 Lost: -2
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +155761 Lost: -2895
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +101248 Lost: -10
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +160082 Lost: -8016
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +115014 Lost: -2
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +154056 Lost: -910
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +118483 Lost: -7
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +132780 Lost: -17971
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +119645 Lost: -11
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +131585 Lost: -6510
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +156422 Lost: -1214
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +119539 Lost: -9
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +154520 Lost: -8090
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +105620 Lost: -6
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +132095 Lost: -3696
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +107849 Lost: -6725
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +168436 Lost: -3371
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +106481 Lost: -12
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +141840 Lost: -7635
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150721215123 Processed: +177061 Lost: -5485
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +131973 Lost: -1302
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +112145 Lost: -5
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +133332 Lost: -4789
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +116055 Lost: -12082
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +114805 Lost: -5394
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +115221 Lost: -3
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +153068 Lost: -2269
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +125961 Lost: -9114
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +153862 Lost: -408
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120299 Lost: -4160
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120649 Lost: -76983
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121997 Lost: -3762
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +115541 Lost: -6
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121631 Lost: -16395
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121917 Lost: -6323
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +113985 Lost: -1
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +131494 Lost: -7180
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +119810 Lost: -3
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +139812 Lost: -18350
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +137714 Lost: -852
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +148134 Lost: -17305
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +142878 Lost: -7234
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +158840 Lost: -872
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123838 Lost: -16788
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123182 Lost: -23040
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +125161 Lost: -6
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +129636 Lost: -585
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +116864 Lost: -2
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +130585 Lost: -5673
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122860 Lost: -49508
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +131171 Lost: -2787
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +117724 Lost: -10
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +133212 Lost: -163
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123250 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +140477 Lost: -14640
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120594 Lost: -1
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +125566 Lost: -26702
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120468 Lost: -23880
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +103108 Lost: -8
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +137002 Lost: -20932
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +104113 Lost: -13
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +136907 Lost: -15433
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +101979 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +139120 Lost: -14351
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +100317 Lost: -3
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +126654 Lost: -14494
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120827 Lost: -1082
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122205 Lost: -5177
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120052 Lost: -13773
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +115475 Lost: -15
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +153516 Lost: -10295
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +120991 Lost: -7069
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +119930 Lost: -10
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +124876 Lost: -11648
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122170 Lost: -4810
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121836 Lost: -24399
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122345 Lost: -2
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121573 Lost: -2682
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +112399 Lost: -2
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +163828 Lost: -9284
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +127282 Lost: -1951
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +114726 Lost: -11
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +133634 Lost: -5754
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +130543 Lost: -2575
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121702 Lost: -1091
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +125262 Lost: -2983
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +119358 Lost: -1
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +128076 Lost: -1122
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +128236 Lost: -6473
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +127351 Lost: -23934
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +126338 Lost: -2380
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123639 Lost: -3046
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122559 Lost: -1025
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +151733 Lost: -18565
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121109 Lost: -776
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121984 Lost: -14005
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +114488 Lost: -1
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +139275 Lost: -6535
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +133150 Lost: -21638
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +132183 Lost: -606
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +131265 Lost: -2283
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +121634 Lost: -1671
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +116628 Lost: -1
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +137077 Lost: -5439
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +122646 Lost: -5769
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123068 Lost: -13932
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +124631 Lost: -3910
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +119203 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +123009 Lost: -13575
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +129284 Lost: -719
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +141506 Lost: -8137
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +119103 Lost: -8
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +136449 Lost: -18810
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722170515 Processed: +125726 Lost: -9938
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722182525 Processed: +125810 Lost: -9986
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722182525 Processed: +122797 Lost: -11030
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722182525 Processed: +113348 Lost: -4
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722182525 Processed: +136727 Lost: -1471
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722182525 Processed: +120965 Lost: -2121
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722201831 Processed: +123562 Lost: -990
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722201831 Processed: +122213 Lost: -4684
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722201831 Processed: +108801 Lost: -10
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722205528 Processed: +136706 Lost: -3810
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722205528 Processed: +125750 Lost: -22037
File: /var/log/nsm/SO-server-eth5/netsniff-ng.log.20150722205528 Processed: +124713 Lost: -3093
File: /var/log/nsm/SO-server-eth6/netsniff-ng.log.20150722205750 Processed: +144415 Lost: -666

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
126455

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
26354 1:2100651 GPL SHELLCODE x86 stealth NOOP
8229 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
6172 1:2014819 ET INFO Packed Executable Download
4084 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
3650 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
2120 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1653 1:2000419 ET POLICY PE EXE or DLL Windows file download
1336 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1237 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
862 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
830 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
791 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
791 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
741 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
616 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
518 1:2014520 ET INFO EXE - Served Attached HTTP
509 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
467 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
461 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
319 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
309 1:2001329 ET POLICY RDP connection request
294 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
294 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
278 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
260 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
258 10000:1 PADS New Asset - unknown @https
251 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
249 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
238 1:2101411 GPL SNMP public access udp
233 10000:2 PADS Changed Asset - unknown @https
230 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
227 1:2014518 ET INFO EXE - OSX Disk Image Download
223 1:2100366 GPL ICMP_INFO PING *NIX
223 1:2100368 GPL ICMP_INFO PING BSDtype
212 1:2012843 ET POLICY Cleartext WordPress Login
197 1:2012648 ET POLICY Dropbox Client Broadcasting
186 1:2402000 ET DROP Dshield Block Listed Source group 1
179 10000:1 PADS New Asset - smb Windows SMB
173 1:2008120 ET TFTP Outbound TFTP Read Request
165 1:2002383 ET SCAN Potential FTP Brute-Force attempt response
153 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
132 1:2016503 ET INFO Java Serialized Data
132 1:2016502 ET INFO Java Serialized Data via vulnerable client
131 10000:2 PADS Changed Asset - unknown @microsoft-ds
128 10000:2 PADS Changed Asset - unknown @www
126 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
123 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
123 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
119 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
116 1:2011507 ET WEB_CLIENT PDF With Embedded File
113 10000:2 PADS Changed Asset - ssl Generic TLS 1.0 SSL
108 1:2014726 ET POLICY Outdated Windows Flash Version IE
103 10000:2 PADS Changed Asset - smb Windows SMB
95 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
83 10000:1 PADS New Asset - unknown @www
82 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.1)
82 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
70 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
69 1:2016360 ET INFO JAVA - ClassID
62 1:2100230 GPL CHAT Jabber/Google Talk Outgoing Traffic
62 10000:1 PADS New Asset - dns TCP DNS Server
60 10000:2 PADS Changed Asset - http Windows-Update (Agent)
58 10000:2 PADS Changed Asset - http Microsoft-IIS 7.5
58 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
57 1:2016715 ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray
48 1:2013414 ET POLICY Executable served from Amazon S3
48 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
46 1:2000418 ET POLICY Executable and linking format (ELF) file download
46 1:2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
45 10000:1 PADS New Asset - unknown @microsoft-ds
45 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
42 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
37 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
36 10000:2 PADS Changed Asset - dns TCP DNS Server
36 1:2019613 ET POLICY Office Document Download Containing AutoOpen Macro
35 10000:1 PADS New Asset - ssl Generic TLS 1.0 SSL
35 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
34 10000:2 PADS Changed Asset - http ccmhttp
34 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
33 10000:2 PADS Changed Asset - unknown @ldap
30 10000:2 PADS Changed Asset - http Microsoft-IIS 6.0
29 10000:1 PADS New Asset - unknown @domain
29 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
28 10000:1 PADS New Asset - unknown @snmp
28 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
27 1:2003492 ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
26 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
26 1:2018232 ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)
26 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
25 1:2102469 GPL NETBIOS SMB-DS D$ unicode share access
24 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
24 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
24 1:2015745 ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
24 1:2017640 ET WEB_SERVER Possible Encrypted Webshell Download
23 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
23 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
23 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.3)
22 1:2002026 ET CHAT IRC PRIVMSG command
21 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.17729 Client (Protocol/1.21)
21 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
21 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
20 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
20 1:2019835 ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
19 10000:2 PADS Changed Asset - http OC/15.0.4737.1000 (Microsoft Lync)
19 1:2000334 ET P2P BitTorrent peer sync
19 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
19 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
19 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
19 1:2018087 ET INFO Control Panel Applet File Download
18 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/5.131.3790.3959)
18 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
17 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
17 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
17 1:2008578 ET SCAN Sipvicious Scan
16 10000:2 PADS Changed Asset - unknown @domain
16 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
16 10000:2 PADS Changed Asset - http ocspd/1.0.2
16 1:2103017 GPL EXPLOIT WINS overflow attempt
16 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
14 10000:2 PADS Changed Asset - http ocspd/1.0
14 10000:2 PADS Changed Asset - http Microsoft NCSI
14 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
14 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
13 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
13 1:2002878 ET POLICY iTunes User Agent
13 1:2014932 ET POLICY DynDNS CheckIp External IP Address Server Response
13 10000:2 PADS Changed Asset - http Microsoft-WebDAV (MiniRedir/6.1.7601)
12 1:2015707 ET INFO JAVA - document.createElement applet
12 10000:2 PADS Changed Asset - http SMS CCM 5.0
12 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
12 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
12 1:2021378 ET POLICY External IP Lookup - checkip.dyndns.org
12 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
12 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
12 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
12 1:2013028 ET POLICY curl User-Agent Outbound
11 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
11 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
11 10000:1 PADS New Asset - ssl SSL 2.0 Client Hello
11 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
11 10000:2 PADS Changed Asset - domain DNS SQR No Error
11 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 12.0.21005.1, Ultimate, SKU:17)
10 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.17831 Client (Protocol/1.21)
10 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
10 1:2012692 ET POLICY Microsoft SO-user-agent automated process response to automated request
10 1:2001595 ET CHAT Skype VOIP Checking Version (Startup)
10 1:2103134 GPL WEB_CLIENT PNG large colour depth download attempt
10 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
10 10000:2 PADS Changed Asset - http Microsoft BITS/7.5
10 1:2017780 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial
9 10000:2 PADS Changed Asset - http ocspd/1.0.3
9 1:2017782 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS
9 10000:2 PADS Changed Asset - http Apache Coyote 1.1
9 10000:1 PADS New Asset - unknown @ntp
9 1:2003310 ET P2P Edonkey Publicize File
9 1:2017781 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail
9 10000:1 PADS New Asset - http Microsoft-IIS 6.0
9 1:2017778 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage
9 10000:1 PADS New Asset - unknown @rtsp
9 10000:1 PADS New Asset - http Microsoft (CryptoAPI/6.1)
8 10000:1 PADS New Asset - http Server: BigIP
8 1:2100673 GPL SQL sp_start_job - program execution
8 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Spotify/X.X.X.X Safari/537.36
8 1:2016847 ET INFO Possible Chrome Plugin install
8 1:2010645 ET POLICY User-Agent (Launcher)
7 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
7 10000:2 PADS Changed Asset - http Microsoft-IIS 8.0
7 1:2010524 ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)
7 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.0)
7 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
7 10000:2 PADS Changed Asset - http OC/15.0.4737.1000 (Skype for Business)
7 10000:2 PADS Changed Asset - http Server: BigIP
6 1:2500078 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 40
6 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
6 1:2101016 GPL WEB_SERVER global.asa access
6 1:2403302 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 2
6 10000:2 PADS Changed Asset - unknown @smtp
6 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)
6 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
6 10000:1 PADS New Asset - domain DNS SQR No Error
6 10000:1 PADS New Asset - http Microsoft-IIS 7.5
6 10000:2 PADS Changed Asset - http OC/15.0.4727.1001 (Microsoft Lync)
6 10000:2 PADS Changed Asset - http SMS CCM 5.0 TS
6 10000:2 PADS Changed Asset - http iPhone7,2/8.4 (12H143)
6 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
5 10000:2 PADS Changed Asset - http Microsoft Office Excel 2010 (14.0.7147) Windows NT 6.1
5 10000:2 PADS Changed Asset - http Mac OS X/10.10.4 (14E46)
5 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
5 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
5 10000:2 PADS Changed Asset - http Microsoft-IIS 8.5
5 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
5 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Spotify/X.X.X.X Safari/537.36
5 10000:2 PADS Changed Asset - http Microsoft (WNS/6.3)
5 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
5 10000:1 PADS New Asset - http CaptiveNetworkSupport (306.20.1 wispr)
5 1:2101201 GPL WEB_SERVER 403 Forbidden
5 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; LG (D850 Build/LRX21Y))
4 10000:1 PADS New Asset - unknown @ftp
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
4 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143
4 1:2021173 ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon
4 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
4 1:2016856 ET POLICY Android Dalvik Executable File Download
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
4 1:2020712 ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert
4 10000:2 PADS Changed Asset - http CaptiveNetworkSupport (306.20.1 wispr)
4 1:2003410 ET POLICY FTP Login Successful
4 10000:2 PADS Changed Asset - ssh PuTTY Release_0.60 (Protocol 2.0)
4 10000:2 PADS Changed Asset - http iPhone4,1/8.4 (12H143)
4 10000:2 PADS Changed Asset - http ccmsetup
4 1:2005530 ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
4 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
4 1:2010781 ET POLICY PsExec service created
4 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 10.0.30319.1)
4 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
4 10000:2 PADS Changed Asset - sql MySQL 5.0.88-classic-nt) (CN[6]*=5d2fa60)</INT_DB_INFO></RATING_ENGINE><RATING_ENGINE><NAME>BWTI ProShip UPS Engine</NAME><DLLPATH>C:\\Program Files (x86)\\ProShip\\Server\\bwti_ups.dll</DLLPATH><DATA_DIR_PATH>C:\\Program Files (x86)\\p
4 10000:1 PADS New Asset - http OC/15.0.4737.1000 (Microsoft Lync)
4 1:2002327 ET CHAT Google Talk (Jabber) Client Login
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
4 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
4 1:2002823 ET POLICY POSSIBLE Web Crawl using Wget
4 1:2018373 ET CURRENT_EVENTS Malformed HeartBeat Response
4 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SM (G900V Build/LRX21T))
4 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 10.0.40219.457)
4 10000:2 PADS Changed Asset - http Microsoft Office Outlook 2010 (14.0.7153) Windows NT 6.1
4 1:2102698 GPL SQL create file buffer overflow attempt
4 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 12.0.31101.0, Ultimate, SKU:17)
4 10000:2 PADS Changed Asset - http Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7153; Pro)
4 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
4 1:2011227 ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
4 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
4 10000:2 PADS Changed Asset - smtp Generic SMTP (2.0.0)
4 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.17930 Client (Protocol/1.21)
4 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
3 1:2002192 ET CHAT MSN status change
3 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 [FBAN/FBIOS;FBAV/X.X.X.X.220;FBBV/12945441;FBDV/iPhone6,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.3;FBSS/2; FBCR/U.S.Cellular;FBID
3 1:2100232 GPL CHAT Google Talk Logon
3 10000:2 PADS Changed Asset - http iPhone6,1/8.4 (12H143)
3 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/6.2)
3 10000:2 PADS Changed Asset - http OC/15.0.4727.1001 (Skype for Business)
3 10000:2 PADS Changed Asset - http MobileAsset/1.1
3 1:2001219 ET SCAN Potential SSH Scan
3 10000:1 PADS New Asset - http ocspd/1.0.2
3 10000:2 PADS Changed Asset - http Apache 2.2.8 (Ubuntu)
3 10000:1 PADS New Asset - http Android
3 10000:2 PADS Changed Asset - http (null)/(null) ((null))
3 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
3 10000:1 PADS New Asset - http CaptiveNetworkSupport (261.1.2 wispr)
3 1:2100877 GPL CHAT Google Talk Startup
3 10000:2 PADS Changed Asset - http Microsoft Office Word 2013 (15.0.4719) Windows NT 6.1
3 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.16403 Client (Protocol/1.20)
3 1:2101616 GPL DNS named version attempt
3 10000:1 PADS New Asset - http boingo client
3 1:2010067 ET POLICY Data POST to an image file (jpg)
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
3 1:2102470 GPL NETBIOS SMB C$ unicode share access
3 10000:1 PADS New Asset - http Spotify (Win32/0.71/0)
3 10000:2 PADS Changed Asset - unknown @imaps
3 10000:2 PADS Changed Asset - http Java/1.7.0_71
3 10000:2 PADS Changed Asset - http Microsoft-WebDAV (MiniRedir/6.3.9600)
3 10000:1 PADS New Asset - http Apache 2.4.7 (Ubuntu)
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:39.0) Gecko/20100101 Firefox/39.0
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
2 10000:2 PADS Changed Asset - unknown @ssh
2 10000:2 PADS Changed Asset - http Microsoft Windows Network Diagnostics
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
2 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM (G920R4 Build/LMY47X))
2 10000:2 PADS Changed Asset - http Valve/Steam HTTP Client 1.0
2 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
2 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1; LG (H811 Build/LMY47D))
2 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10
2 10000:2 PADS Changed Asset - http Microsoft Office Word 2013 (15.0.4737) Windows NT 6.2
2 10000:2 PADS Changed Asset - http WifiHotspot
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 [FBAN/FBIOS;FBAV/X.X.X.X.220;FBBV/12945441;FBDV/iPhone6,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.3;FBSS/2; FBCR/U.S.Cellular;
2 10000:2 PADS Changed Asset - http CaptiveNetworkSupport (277.10.5 wispr)
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 10.0.40219.1)
2 1:2018383 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)
2 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SM (G900R4 Build/JSS15J))
2 10000:1 PADS New Asset - ssh OpenSSH 5.9 (Protocol 2.0)
2 1:2019622 ET MALWARE Win32/DealPly Checkin
2 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
2 10000:2 PADS Changed Asset - http Windows-Update-Agent/7.9.9600.16422 Client (Protocol/1.20)
2 10000:1 PADS New Asset - http SAMSUNG (Android)
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
2 10000:2 PADS Changed Asset - http server (bag [iPhone OS,8.4,12H143,iPhone6,1])
2 10000:1 PADS New Asset - http MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
2 1:2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 [FBAN/FBIOS;FBAV/X.X.X.X.10;FBBV/5758778;FBDV/iPhone5,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.3;FBSS/2; FBCR/AT&T;FBID/phone
2 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
2 10000:2 PADS Changed Asset - http Microsoft Office Outlook 2013 (15.0.4737) Windows NT 6.1
2 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SM (G900V Build/LRX21T))
2 10000:2 PADS Changed Asset - http iPhone6,1/7.1.2 (11D257)
2 10000:2 PADS Changed Asset - http CaptiveNetworkSupport (305 wispr)
2 1:2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
2 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; SCH (I545 Build/LRX22C))
2 10000:1 PADS New Asset - unknown @snmp-trap
2 10000:1 PADS New Asset - http MSDW
2 10000:2 PADS Changed Asset - http Adobe Application Manager 2.0
2 10000:1 PADS New Asset - http PhotoGrid/X.X.X.X CFNetwork/711.4.6 Darwin/14.0.0
2 10000:1 PADS New Asset - unknown @smtp
2 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
2 10000:2 PADS Changed Asset - http Microsoft Office/15.0 (Windows NT 6.1; Microsoft Lync 15.0.4737; Pro)
2 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2
2 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; SM (N910V Build/LRX22C))
2 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
2 10000:1 PADS New Asset - unknown @ldap
2 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7153; ms (office; MSOffice 14))
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E; MS (RTC LM 8))
2 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SM (G900R4 Build/JSS15J))
2 10000:1 PADS New Asset - http Apache Coyote 1.1
2 10000:2 PADS Changed Asset - http iPhone4,1/8.3 (12F70)
2 1:2403308 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 5
2 10000:1 PADS New Asset - ssh Cisco SSH 1.25 (Protocol 2.0)
2 10000:1 PADS New Asset - unknown @syslog
2 10000:2 PADS Changed Asset - http MpCommunication
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 11.0.61030.0, Ultimate, SKU:8)
2 10000:2 PADS Changed Asset - http iPhone6,1/8.1.3 (12B466)
2 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
2 10000:1 PADS New Asset - http POF/383 CFNetwork/711.4.6 Darwin/14.0.0
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
2 10000:2 PADS Changed Asset - sql MySQL 3.1.10-DL,30,0.00,4ct,180,180,,,,0,0,0,0.00000,$0.45,$0.45,$0.45,,$3.99,,,,$3.99,,,$2.77,,,,3/2/2010,5/25/2009,,2248,,04 Party,05 Juvenile Party,09 Boy Party,15 Favors and Toys,15 Party Favor,15 Miscellaneous,,Super Hero,Bat
2 1:2016878 ET POLICY Unsupported/Fake Windows NT Version 4.
2 1:2400017 ET DROP Spamhaus DROP Listed Traffic Inbound group 18
2 10000:1 PADS New Asset - http Microsoft NCSI
2 10000:2 PADS Changed Asset - http CaptiveNetworkSupport (306.3.1 wispr)
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2017779 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall
2 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; LG (D415 Build/KOT49I.D41510e))
2 1:2101603 GPL WEB_SERVER DELETE attempt
2 1:2100235 GPL CHAT Jabber/Google Talk Logon Success
2 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
2 10000:2 PADS Changed Asset - http iPhone7,2/8.3 (12F70)
2 10000:2 PADS Changed Asset - http Mac OS X/10.8.3 (12D78)
2 10000:2 PADS Changed Asset - http Microsoft BITS/7.7
2 10000:1 PADS New Asset - http Apache (HttpClient/UNAVAILABLE (java 1.4))
2 10000:2 PADS Changed Asset - http Apache 2.2.12 (Ubuntu)
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDS; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)
2 10000:2 PADS Changed Asset - http Download Flash Player Installer/1.0
2 1:2017938 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13
2 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
2 10000:1 PADS New Asset - http Microsoft (WNS/6.3)
2 10000:1 PADS New Asset - ssh OpenSSH 6.6.1p1 (Protocol 2.0)
2 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; Clever Internet Suite 6.0)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2
2 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
2 10000:2 PADS Changed Asset - http Team Foundation (devenv.exe, 9.0.30729.5820)
2 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.2; D6603 Build/23.1.A.0.726)
2 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1080 Build/SU6 (7.2))
2 1:2010514 ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/7.1.7 Safari/537.85.16
2 1:2500080 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41
2 1:2500024 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 13
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; SCH (I545 Build/LRX22C))
1 10000:2 PADS Changed Asset - http DavClnt
1 10000:1 PADS New Asset - http WSDAPI
1 10000:2 PADS Changed Asset - ssh OpenSSH 6.6.1p1 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SM (N900V Build/LRX21V))
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 4.4.2; SM-T217S Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/X.X.X.X Safari/537.36 Sprint Connections Optimizer (1.4.1445)
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; LG (D850 Build/LRX21Y))
1 10000:2 PADS Changed Asset - http okhttp/2.4.0
1 10000:2 PADS Changed Asset - http JNLP/1.7.0 javaws/X.X.X.X (<internal>) Java/1.7.0_51
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
1 1:2010819 ET CHAT Facebook Chat using XMPP
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 5.0.1; SM (N910V Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 1:2017783 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener
1 1:2009715 ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt
1 1:2100494 GPL ATTACK_RESPONSE command completed
1 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.4; SGH (M919 Build/KTU84P))
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3; Microsoft Outlook
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1080 Build/SU6 (7.2))
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 5.1.1; SM-G920R4 Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.0 Chrome/38.0.2125.102 Mobile Safari/537.36Accept (Encoding: gzip,deflate,sdch)
1 10000:1 PADS New Asset - ssh PuTTY Release_0.60 (Protocol 2.0)
1 10000:1 PADS New Asset - http YouMailAndroid/3.15.11[6989] (hltevzw 5.0; hltevzw/Verizon/SM-N900V; en-US) Android (Runtime/0.9 YouMailAPI/3,4)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/7.0)
1 10000:2 PADS Changed Asset - http Android
1 10000:2 PADS Changed Asset - http OpenAPI40DrvLibrary
1 10000:1 PADS New Asset - http securityd (unknown version) CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Spotify/100900133 (0; 0; 1)
1 10000:1 PADS New Asset - unknown @nfs
1 10000:1 PADS New Asset - http GeoServices/982.64 CFNetwork/711.3.18 Darwin/14.0.0
1 10000:1 PADS New Asset - http iPhone6,1/8.4 (12H143)
1 10000:1 PADS New Asset - http KingdomRush/740 CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; LG (D321/D32110c Build/KOT49I.D32110c) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.1599.103 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B435 Safari/600.1.4
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; Tablet PC 2.0; InfoPath.3; Microsoft Outlook 15.0.4737; Microsoft Outlook 15.0.4737; ms (office; MSOffice 15))
1 10000:1 PADS New Asset - http com.apple.invitation (registration [iPhone OS,8.4,12H143,iPhone6,1])
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 5.0.1; SM (N910V Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Spotify/100700157 (9; 0; 2)
1 10000:2 PADS Changed Asset - http Google Update/X.X.X.X;winhttp
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143 [FBAN/FBIOS;FBAV/X.X.X.X.220;FBBV/12945441;FBDV/iPhone5,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.4;FBSS/2; FBCR/AT&T;FBID/phone;
1 10000:1 PADS New Asset - http Google Talk
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
1 10000:1 PADS New Asset - http Test
1 10000:1 PADS New Asset - http AppleCoreMedia/1.0.0.12H143 (iPhone; U; CPU OS 8_4 like Mac OS X; en_us)
1 10000:2 PADS Changed Asset - http iPad4,2/8.4 (12H143)
1 10000:1 PADS New Asset - http Debian APT (HTTP/1.3 (0.8.16~exp12ubuntu10.24))
1 10000:1 PADS New Asset - http APSDaemon.exe (unknown version) CFNetwork/520.20.14
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.4.2; 0PCV1 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
1 10000:1 PADS New Asset - http [FBAN/FB4A;FBAV/X.X.X.X.234;FBBV/12793182;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FBCR/;FBMF/samsung;FBBD/samsung;FBPN/com.facebook.katana;FBDV/SGH-T989;FBSV/2.3.6;FBOP/1;FBCA/armeabi (v7a:armeabi;])
1 10000:1 PADS New Asset - http Google Update/X.X.X.X;winhttp;cup
1 10000:2 PADS Changed Asset - http MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
1 10000:1 PADS New Asset - ssh PuTTY Local:_Jul__9_2015_19:33:53 (Protocol 2.0)
1 1:2008974 ET MALWARE User-Agent (Mozilla/4.0 (compatible))
1 10000:2 PADS Changed Asset - http Team Foundation (TFSBuildServiceHost.exe, 10.0.40219.1)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SGH (T999L Build/JSS15J))
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 5.0; SM (G900R4 Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Spotify/100900133 (9; 0; 2)
1 10000:1 PADS New Asset - http Podcasts/2.2.1
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.2; SM (T800 Build/LRX22G))
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143 Twitter for iPhone
1 10000:1 PADS New Asset - http Spotify/330000988 (6; 2; 7)
1 10000:2 PADS Changed Asset - http Apache 2.4.7 (Ubuntu)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3; Microsoft Outlook 15.0
1 10000:2 PADS Changed Asset - http Windows (Update )
1 10000:1 PADS New Asset - http TeamSoft WinInet Component
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
1 10000:1 PADS New Asset - sql MySQL 5.0.88-classic-nt) (CN[6]*=5e5fa60)</INT_DB_INFO></RATING_ENGINE><RATING_ENGINE><NAME>BWTI ProShip UPS Engine</NAME><DLLPATH>C:\\Program Files (x86)\\ProShip\\Server\\bwti_ups.dll</DLLPATH><DATA_DIR_PATH>C:\\Program Files (x86)\\prosh
1 10000:1 PADS New Asset - ssh PuTTY Local:_Jul__9_2015_19:31:51 (Protocol 2.0)
1 10000:1 PADS New Asset - http Debian APT (HTTP/1.3 (1.0.1ubuntu2))
1 10000:1 PADS New Asset - http WSLib 1.4 [3, 0, 0, 97]
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SM (N900P Build/LRX21V))
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.1; LGLS990 Build/LRX21Y)
1 10000:2 PADS Changed Asset - http VSServices/12.0.21005.1 (devenv.exe ,Ultimate, SKU:17)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; InfoPath.3; Tablet PC 2.0; Microsoft Outlook 14.0
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 5 Build/LMY48B)
1 10000:1 PADS New Asset - http PSR:7.13.11:Mozilla/5.0 (Linux; Android 5.0; SM (G900V Build/LRX21T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 15.8.20082)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7153; ms (office; MSOffice 14))
1 10000:1 PADS New Asset - http CaptiveNetworkSupport (277 wispr)
1 1:2017777 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture
1 10000:1 PADS New Asset - http CaptiveNetworkSupport (209.39 wispr)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 4.4.4; en-us; SAMSUNG-SM (G900A Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.6 Chrome/28.0.1500.94 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 5 Build/LMY48B)
1 10000:2 PADS Changed Asset - http Server: lighttpd
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SM (G900V Build/JSS15J))
1 10000:1 PADS New Asset - http server (bag [iPhone OS,8.4,12H143,iPhone4,1])
1 10000:1 PADS New Asset - http Mac OS X/10.10.4 (14E46)
1 10000:2 PADS Changed Asset - smtp Generic SMTP (e8c175991f2d43da3915c4a72a5758fc) (mx1.buyseasons.com)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
1 10000:1 PADS New Asset - http Microsoft BITS/7.8
1 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 10.1.14)
1 1:2015561 ET INFO PDF Using CCITTFax Filter
1 10000:1 PADS New Asset - http okhttp/2.2.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
1 10000:2 PADS Changed Asset - http Mac OS X/10.10.2 (14C1514)
1 10000:2 PADS Changed Asset - http iPhone6,1/8.3 (12F70)
1 10000:1 PADS New Asset - rdp Remote Desktop Protocol (Windows 2000 Server)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SAMSUNG-SGH (I747 Build/JSS15J))
1 10000:1 PADS New Asset - http UES Update (Macintosh; A; 32bit; PVT F; VDB 24911; BPC 4.5.15; APP scep_mac; TDB 24911; LNG 1033; x32c; APP scep_mac; BEO 0; ASP 0.10; RA 0; OSR 12.3.0)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E; Tablet PC 2.0; Microsoft Outlook
1 10000:1 PADS New Asset - http BIG (IP Edge Client)
1 10000:2 PADS Changed Asset - http server (bag [iPhone OS,8.4,12H143,iPad4,2])
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 5.1; XT1254 Build/SU3TL (38) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http Microsoft Office Protocol Discovery
1 10000:2 PADS Changed Asset - http Mac OS X/10.10.3 (14D136)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; SGH (T399N Build/KOT49H))
1 10000:2 PADS Changed Asset - http Microsoft (CryptoAPI/10.0)
1 10000:2 PADS Changed Asset - http Windows-Update (Agent/4.0)
1 10000:2 PADS Changed Asset - smtp Generic SMTP - Possible Postfix (HMAIL)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
1 10000:1 PADS New Asset - http GroupMe/X.X.X.X CFNetwork/711.4.6 Darwin/14.0.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:1 PADS New Asset - http Java/1.7.0_71
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/6.0.51363 Mobile/12H143 Safari/600.1.4
1 10000:1 PADS New Asset - http AndroidDownloadManager/4.4.2 (Linux; U; Android 4.4.2; 710C Build/KOT49H)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Microsoft Outlook 15.0.4737; Microsoft Outlook 15.0.4737; ms (offi
1 10000:1 PADS New Asset - http Microsoft (CryptoAPI/6.3)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
1 1:2522704 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 353
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 5.1.1; SM (G920P Build/LMY47X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/X.X.X.X.234;])
1 10000:1 PADS New Asset - http Microsoft-IIS 8.0
1 10000:2 PADS Changed Asset - sql MySQL 5.0.88-classic-nt) (CN[6]*=5e5fa60)</INT_DB_INFO></RATING_ENGINE><RATING_ENGINE><NAME>BWTI ProShip UPS Engine</NAME><DLLPATH>C:\\Program Files (x86)\\ProShip\\Server\\bwti_ups.dll</DLLPATH><DATA_DIR_PATH>C:\\Program Files (x86)\\p
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH (T999L Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30)
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0.2; HTC One Build/LRX22G)
1 10000:1 PADS New Asset - http Fit.I.Am/X.X.X.X (iPhone; iOS 8.3; Scale/2.00)
1 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; LG (D950 Build/KOT49I.D95020f))
1 10000:1 PADS New Asset - http IMTransferAgent/1000 CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
1 10000:2 PADS Changed Asset - ssh OpenSSH 5.9p1 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SAMSUNG-SM (G900A Build/LRX21T))
1 10000:2 PADS Changed Asset - http Microsoft Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4737; Pro)
1 10000:2 PADS Changed Asset - http MacOutlook/14.5.3.150624 (Intel Mac OS X 10.9.4)
1 10000:2 PADS Changed Asset - http iPhone5,1/8.4 (12H143)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
1 10000:2 PADS Changed Asset - http securityd (unknown version) CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.4.2; SM (G900T Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/X.X.X.X Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http MSFrontPage/14.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows; ( ^ÿÖ)
1 10000:2 PADS Changed Asset - http Mail/53 CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; U; Android 4.4.2; en (us; LGLS740 Build/KOT49I.LS740ZV4) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.1599.103 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7153; ms (office; MSOffice
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B435
1 10000:1 PADS New Asset - unknown @pop3
1 10000:2 PADS Changed Asset - http Office Source Engine
1 10000:1 PADS New Asset - http Apache 2.2.8 (Ubuntu)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 5.1.1; SM (G920R4 Build/LMY47X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 GSA/X.X.X.X.arm64)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 (KHTML, like Gecko)
1 10000:2 PADS Changed Asset - http OC/15.0.4623.1000 (Microsoft Lync)
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
1 1:2403346 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24
1 10000:1 PADS New Asset - http securityd (unknown version) CFNetwork/672.1.15 Darwin/14.0.0
1 1:2403344 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 23
1 10000:1 PADS New Asset - ssh OpenSSH 5.9p1 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SM (G386T Build/JSS15J))
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.4.2; LG (D321 Build/KOT49I.D32110c) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - ssl OpenSSL
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5
1 10000:2 PADS Changed Asset - vnc VNC (Protocol 003.008\\n");)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook 15.0.4737; Microsoft Out
1 10000:2 PADS Changed Asset - http server (bag [iPhone OS,8.3,12F70,iPhone7,2])
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:1 PADS New Asset - http Ruby
1 10000:2 PADS Changed Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1; XT1254 Build/SU3TL (38))
1 1:2018382 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.0; SM (N900V Build/LRX21V))
1 10000:2 PADS Changed Asset - http JNLP/1.7.0 javaws/X.X.X.X (<internal>) Java/1.7.0_25
1 10000:1 PADS New Asset - http Download Flash Player Installer/1.0
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
1 10000:2 PADS Changed Asset - http com.apple.geod/1077.0.18 CFNetwork/720.4.4 Darwin/14.4.0 (x86_64)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; LG (D321/D32110c Build/KOT49I.D32110c) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.1599.103 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:1 PADS New Asset - unknown @imaps
1 10000:2 PADS Changed Asset - http Dreamweaver
1 10000:2 PADS Changed Asset - http Debian APT (HTTP/1.3 (1.0.1ubuntu2))
1 10000:1 PADS New Asset - http CaptiveNetworkSupport (305 wispr)
1 10000:1 PADS New Asset - http Spotify/330000982 (6; 2; 7)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/43.0.2357.61 Mobile/12H143 Safari/600.1.4
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36
1 10000:2 PADS Changed Asset - http Mozilla/3.0 (compatible; Adobe Synchronizer 10.0)
1 10000:2 PADS Changed Asset - http CaptiveNetworkSupport (277 wispr)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 5.0; SM (G900V Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36)
1 10000:1 PADS New Asset - http Instagram 7.2.1 Android (19/4.4.2; 320dpi; 720x1184; motorola; XT1055; ghost; qcom; en_US)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SAMSUNG-SM (G900A Build/JSS15J))
1 1:2100876 GPL CHAT Google Talk Version Check
1 10000:1 PADS New Asset - http Java/1.6.0_45
1 10000:1 PADS New Asset - http MicroMessenger Client
1 10000:2 PADS Changed Asset - http Windows-Update-Agent/10.0.10011.0 Client (Protocol/1.32)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)
1 10000:1 PADS New Asset - http intl=us; os-version=iPad2,2; internet-connection=lan; cpu-speed=466; pstn-call-enable=true; appid=iPhoneMessenger (2.2.9.5468)
1 10000:1 PADS New Asset - http Software%20Update (unknown version) CFNetwork/673.3 Darwin/13.3.0 (x86_64) (MacPro3%2C1)
1 10000:1 PADS New Asset - http TWCWidget/420953 CFNetwork/711.4.6 Darwin/14.0.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36
1 10000:1 PADS New Asset - http Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM (G920P Build/LMY47X))
1 10000:2 PADS Changed Asset - http UES Update (Macintosh; A; 32bit; PVT F; VDB 24911; BPC 4.5.15; APP scep_mac; TDB 24911; LNG 1033; x32c; APP scep_mac; BEO 0; ASP 0.10; RA 0; OSR 13.3.0)
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SM (G900T Build/JSS15J))
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 5.1.1; SM-G920P Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.0 Chrome/38.0.2125.102 Mobile Safari/537.36Accept (Encoding: gzip,deflate,sdch)
1 1:2013933 ET POLICY HTTP traffic on port 443 (CONNECT)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
1 10000:1 PADS New Asset - http Instagram 7.1.1 (iPhone6,1; iPhone OS 8_3; en_US; en) AppleWebKit/420 ()
1 10000:1 PADS New Asset - http Microsoft-WebDAV (MiniRedir/6.3.9600)
1 10000:1 PADS New Asset - http Windows-Update (Agent)
1 10000:1 PADS New Asset - http server (bag [Mac OS X,10.9.5,13F1096,MacBookPro11,2])
1 10000:1 PADS New Asset - http (null)/(null) (Macintosh; OS X 10.10.3; 14D136) AppleWebKit/0600.5.17
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; SM (G386T Build/KOT49H))
1 10000:2 PADS Changed Asset - http Lync%202013/X.X.X.X CFNetwork/711.4.6 Darwin/14.0.0
1 10000:2 PADS Changed Asset - http Java/1.8.0_45
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; Tablet PC 2.0)
1 10000:1 PADS New Asset - http OneDrive/5.4.3 CFNetwork/711.4.6 Darwin/14.0.0
1 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SPH (L900 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30)
1 10000:1 PADS New Asset - http Microsoft-IIS 8.5
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
1 10000:1 PADS New Asset - http Team%20Stream/670 CFNetwork/711.4.6 Darwin/14.0.0
1 10000:2 PADS Changed Asset - http Debian APT (HTTP/1.3 (0.8.16~exp12ubuntu10.22))
1 10000:1 PADS New Asset - http iPhone7,2/8.3 (12F70)
1 10000:2 PADS Changed Asset - ssh PuTTY Local:_Jul__9_2015_19:31:51 (Protocol 2.0)
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
1 10000:1 PADS New Asset - http BBCNews/X.X.X.X GNL (SM (G900V; Android 5.0))
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0)
1 10000:1 PADS New Asset - http Dalvik/1.6.0 (Linux; U; Android 4.3; SGH (T999L Build/JSS15J))
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; VS810PP Build/KOT49I.VS810PP2)
1 10000:2 PADS Changed Asset - http Java/1.6.0_45
1 10000:1 PADS New Asset - http Apache 2.2.25 (Unix)
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 [FBAN/FBIOS;FBAV/X.X.X.X.10;FBBV/5758778;FBDV/iPhone5,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.3;FBSS/2; FBCR/AT&T;FBID/phone;FBL
1 10000:2 PADS Changed Asset - http Dalvik/1.6.0 (Linux; U; Android 4.4.2; SPH (L900 Build/KOT49H))
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.4.4; en-us; SAMSUNG-SM (G900A Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.6 Chrome/28.0.1500.94 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http UPS5
Total 71657

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
119642 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
29691 1:2100651 GPL SHELLCODE x86 stealth NOOP
16171 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
13155 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
13008 1:2014819 ET INFO Packed Executable Download
7512 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
7245 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
7065 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
6368 1:2000419 ET POLICY PE EXE or DLL Windows file download
4712 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3976 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
3598 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
3526 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
3414 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
3272 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
2535 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2051 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
1916 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
1759 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
1759 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
1511 10000:2 PADS Changed Asset - unknown @https
1510 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1439 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
1376 1:2014520 ET INFO EXE - Served Attached HTTP
1017 1:2001329 ET POLICY RDP connection request
1002 1:2402000 ET DROP Dshield Block Listed Source group 1
874 1:2101411 GPL SNMP public access udp
734 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
679 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
618 1:2014726 ET POLICY Outdated Windows Flash Version IE
576 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
568 10000:2 PADS Changed Asset - unknown @www
568 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
551 10000:1 PADS New Asset - unknown @https
539 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
534 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
529 10000:2 PADS Changed Asset - unknown @microsoft-ds
518 10000:2 PADS Changed Asset - ssl Generic TLS 1.0 SSL
499 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
477 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
464 1:2016502 ET INFO Java Serialized Data via vulnerable client
464 1:2016503 ET INFO Java Serialized Data
454 1:2012648 ET POLICY Dropbox Client Broadcasting
399 1:903221 443 traffic
393 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
368 1:2008120 ET TFTP Outbound TFTP Read Request
360 10000:2 PADS Changed Asset - smb Windows SMB
324 1:2014518 ET INFO EXE - OSX Disk Image Download
320 10000:1 PADS New Asset - smb Windows SMB
303 1:2000418 ET POLICY Executable and linking format (ELF) file download
Total 286462

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total 0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
26353 1:2100651 GPL SHELLCODE x86 stealth NOOP
8229 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
6160 1:2014819 ET INFO Packed Executable Download
4084 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
3493 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
1883 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1602 1:2000419 ET POLICY PE EXE or DLL Windows file download
1336 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1131 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
842 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
830 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
791 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
791 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
689 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
594 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
509 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
494 1:2014520 ET INFO EXE - Served Attached HTTP
467 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
438 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
294 1:2001329 ET POLICY RDP connection request
294 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
284 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
276 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
249 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
235 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
230 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
227 1:2014518 ET INFO EXE - OSX Disk Image Download
226 1:2101411 GPL SNMP public access udp
223 1:2100368 GPL ICMP_INFO PING BSDtype
223 1:2100366 GPL ICMP_INFO PING *NIX
212 1:2012843 ET POLICY Cleartext WordPress Login
191 1:2012648 ET POLICY Dropbox Client Broadcasting
173 1:2008120 ET TFTP Outbound TFTP Read Request
166 1:2002383 ET SCAN Potential FTP Brute-Force attempt response
132 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
132 1:2016503 ET INFO Java Serialized Data
132 1:2016502 ET INFO Java Serialized Data via vulnerable client
126 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
122 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
122 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
119 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
116 1:2011507 ET WEB_CLIENT PDF With Embedded File
113 1:2402000 ET DROP Dshield Block Listed Source group 1
107 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
101 1:2014726 ET POLICY Outdated Windows Flash Version IE
79 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
69 1:2016360 ET INFO JAVA - ClassID
62 1:2100230 GPL CHAT Jabber/Google Talk Outgoing Traffic
57 1:2016715 ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray
48 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
48 1:2013414 ET POLICY Executable served from Amazon S3
46 1:2000418 ET POLICY Executable and linking format (ELF) file download
46 1:2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
45 1:2402000 ET DROP Dshield Block Listed Source group 1
42 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
40 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
36 1:2019613 ET POLICY Office Document Download Containing AutoOpen Macro
35 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
32 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
28 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
27 1:2003492 ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
24 1:2102469 GPL NETBIOS SMB-DS D$ unicode share access
24 1:2015745 ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
24 1:2017640 ET WEB_SERVER Possible Encrypted Webshell Download
23 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
23 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
22 1:2002026 ET CHAT IRC PRIVMSG command
21 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
20 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
20 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
20 1:2019835 ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
19 1:2000334 ET P2P BitTorrent peer sync
19 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
19 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
19 1:2018087 ET INFO Control Panel Applet File Download
17 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
17 1:90019401 ET POLICY Vulnerable Java Version 1.8.x Detected
16 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
16 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
16 1:2103017 GPL EXPLOIT WINS overflow attempt
16 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
14 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
13 1:2008578 ET SCAN Sipvicious Scan
13 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
13 1:2014932 ET POLICY DynDNS CheckIp External IP Address Server Response
13 1:2002878 ET POLICY iTunes User Agent
12 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
12 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
12 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
12 1:2021378 ET POLICY External IP Lookup - checkip.dyndns.org
12 1:2013028 ET POLICY curl User-Agent Outbound
12 1:2015707 ET INFO JAVA - document.createElement applet
11 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
10 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
10 1:2014381 ET POLICY HTTP HEAD invalid method case outbound
10 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
10 1:2103134 GPL WEB_CLIENT PNG large colour depth download attempt
10 1:2012692 ET POLICY Microsoft SO-user-agent automated process response to automated request
10 1:2017780 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial
9 1:2001595 ET CHAT Skype VOIP Checking Version (Startup)
9 1:2003310 ET P2P Edonkey Publicize File
9 1:2017782 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS
9 1:2017781 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail
9 1:2017778 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage
8 1:2100673 GPL SQL sp_start_job - program execution
8 1:2016847 ET INFO Possible Chrome Plugin install
8 1:2010645 ET POLICY User-Agent (Launcher)
7 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
7 1:2010524 ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)
6 1:2500078 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 40
6 1:2403302 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 2
6 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
6 1:2101016 GPL WEB_SERVER global.asa access
5 1:2402001 ET DROP Dshield Block Listed Source group 1
5 1:2101201 GPL WEB_SERVER 403 Forbidden
5 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
5 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
4 1:2402001 ET DROP Dshield Block Listed Source group 1
4 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
4 1:2003410 ET POLICY FTP Login Successful
4 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
4 1:2002823 ET POLICY POSSIBLE Web Crawl using Wget
4 1:2102698 GPL SQL create file buffer overflow attempt
4 1:2005530 ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT
4 1:2018373 ET CURRENT_EVENTS Malformed HeartBeat Response
4 1:2016856 ET POLICY Android Dalvik Executable File Download
4 1:2020712 ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert
4 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
4 1:2010781 ET POLICY PsExec service created
4 1:2011227 ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
4 1:2021173 ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon
4 1:2002327 ET CHAT Google Talk (Jabber) Client Login
4 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
4 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
3 1:2101616 GPL DNS named version attempt
3 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
3 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3 1:2001219 ET SCAN Potential SSH Scan
3 1:2402000 ET DROP Dshield Block Listed Source group 1
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2100877 GPL CHAT Google Talk Startup
3 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
3 1:2100232 GPL CHAT Google Talk Logon
3 1:2010067 ET POLICY Data POST to an image file (jpg)
2 1:2018232 ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)
2 1:2018383 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)
2 1:2016878 ET POLICY Unsupported/Fake Windows NT Version 4.
2 1:2010514 ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)
2 1:2500080 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41
2 1:2102470 GPL NETBIOS SMB C$ unicode share access
2 1:2002192 ET CHAT MSN status change
2 1:2403308 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 5
2 1:2017938 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13
2 1:2101603 GPL WEB_SERVER DELETE attempt
2 1:2019622 ET MALWARE Win32/DealPly Checkin
2 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
2 1:2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
2 1:2018908 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
2 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
2 1:2017779 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall
2 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
2 1:2100235 GPL CHAT Jabber/Google Talk Logon Success
1 1:2018382 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)
1 1:2522704 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 353
1 1:2403344 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 23
1 1:2015561 ET INFO PDF Using CCITTFax Filter
1 1:2500024 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 13
1 1:2009715 ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt
1 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
1 1:2403346 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24
1 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 1:2013933 ET POLICY HTTP traffic on port 443 (CONNECT)
1 1:2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
1 1:2010819 ET CHAT Facebook Chat using XMPP
1 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
1 1:2100876 GPL CHAT Google Talk Version Check
1 1:2017783 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener
1 1:2017777 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture
1 1:2500024 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 13
1 1:2008974 ET MALWARE User-Agent (Mozilla/4.0 (compatible))
1 1:2400017 ET DROP Spamhaus DROP Listed Traffic Inbound group 18
1 1:2100494 GPL ATTACK_RESPONSE command completed
Total 67169

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
115389 1:2016670 ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)
52240 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
37451 1:90103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
36652 1:2100651 GPL SHELLCODE x86 stealth NOOP
26230 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
22106 1:2014819 ET INFO Packed Executable Download
18189 1:90000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
18038 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
17044 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
14802 1:2000419 ET POLICY PE EXE or DLL Windows file download
13287 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
11682 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
11185 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
9933 1:2101892 GPL SNMP null community string attempt
9794 1:2102472 GPL NETBIOS SMB-DS C$ unicode share access
9748 1:2015004 ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP
6480 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
5700 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
4556 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
4544 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
4398 1:2011037 ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
4398 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
3087 1:2014520 ET INFO EXE - Served Attached HTTP
2226 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2150 1:2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1908 1:2001329 ET POLICY RDP connection request
1793 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
1678 1:2101411 GPL SNMP public access udp
1359 1:2021243 ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor
1282 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
1254 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1246 1:2008701 ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
1198 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
983 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
814 1:2016503 ET INFO Java Serialized Data
808 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
799 1:2000418 ET POLICY Executable and linking format (ELF) file download
779 1:2008120 ET TFTP Outbound TFTP Read Request
743 1:2102470 GPL NETBIOS SMB C$ unicode share access
715 1:2000032 ET NETBIOS LSA exploit
680 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
528 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
488 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
487 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
473 1:2000334 ET P2P BitTorrent peer sync
442 1:2014726 ET POLICY Outdated Windows Flash Version IE
429 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
416 1:2016502 ET INFO Java Serialized Data via vulnerable client
404 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
396 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
Total 499566

=========================================================================
Last update
=========================================================================
Start-Date: 2015-07-02 16:28:55
Commandline: apt-get install open-iscsi
Install: open-iscsi:amd64 (2.0.871-0ubuntu9.12.04.2), open-iscsi-utils:amd64 (2.0.871-0ubuntu9.12.04.2, automatic)
End-Date: 2015-07-02 16:28:57

Start-Date: 2015-07-20 15:22:36
Commandline: apt-get -y dist-upgrade
Install: linux-image-3.13.0-57-generic:amd64 (3.13.0-57.95~precise1, automatic), linux-headers-3.13.0-57-generic:amd64 (3.13.0-57.95~precise1, automatic), linux-headers-3.13.0-57:amd64 (3.13.0-57.95~precise1, automatic)
Upgrade: bind9-host:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libnss3:amd64 (3.17.4-0ubuntu0.12.04.1, 3.19.2-0ubuntu0.12.04.1), libwmf0.2-7:amd64 (X.X.X.X-10ubuntu1, X.X.X.X-10ubuntu1.1), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion34, 20120722-0ubuntu0securityonion35), dnsutils:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), securityonion-SO-user-agent-ossec:amd64 (20120726-0ubuntu0securityonion15, 20120726-0ubuntu0securityonion16), php5:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), libcupsfilters1:amd64 (1.0.18-0ubuntu0.2, 1.0.18-0ubuntu0.4), firefox-globalmenu:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), php5-sqlite:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), libdns81:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libapache2-mod-php5:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), php5-gd:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), linux-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), grub-pc:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), libisccc80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), firefox:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), liblwres80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), libbind9-80:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), firefox-locale-en:amd64 (38.0+build3-0ubuntu0.12.04.1, 39.0+build5-0ubuntu0.12.04.2), linux-image-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), grub-pc-bin:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), securityonion-tcpudpflow:amd64 (001-0ubuntu0securityonion1, 001-0ubuntu0securityonion3), libisccfg82:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), linux-headers-generic-lts-trusty:amd64 (X.X.X.X.48, X.X.X.X.49), php5-mysql:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), linux-libc-dev:amd64 (3.2.0-86.124, 3.2.0-87.125), grub-common:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), php5-cli:amd64 (5.3.10-1ubuntu3.18, 
5.3.10-1ubuntu3.19), grub2-common:amd64 (1.99-21ubuntu3.17, 1.99-21ubuntu3.18), libisc83:amd64 (9.8.1.dfsg.P1-4ubuntu0.10, 9.8.1.dfsg.P1-4ubuntu0.11), php5-common:amd64 (5.3.10-1ubuntu3.18, 5.3.10-1ubuntu3.19), cups-filters:amd64 (1.0.18-0ubuntu0.2, 1.0.18-0ubuntu0.4), libnss3-1d:amd64 (3.17.4-0ubuntu0.12.04.1, 3.19.2-0ubuntu0.12.04.1)
End-Date: 2015-07-20 15:23:43

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
31987 supervising syslog-ng
31988 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
32343 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
14102 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
831
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
14G /nsm/elsa/data
61M /var/lib/mysql/syslog
3.0G /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2015-07-22 16:44:10 2015-07-22 21:14:02



On Tuesday, July 21, 2015 at 4:51:14 PM UTC-5, Doug Burks wrote:
> Hi Will,
>
> Replies inline.
>

Doug Burks

unread,
Jul 22, 2015, 6:07:05 PM7/22/15
to securit...@googlegroups.com
Looks like pads_agent is still running. You'll want to disable that as well.

Did you see my other questions concerning /etc/elsa_web.conf?

The most recent ELSA packages should have replaced this value in
/etc/elsa_web.conf assuming that elsa_web.conf had no syntax errors.

Have you made any manual changes to that file?

Are there any comments in that file?

Also see:

https://groups.google.com/d/topic/security-onion/BGvfr0vD2jw/discussion

https://groups.google.com/d/topic/security-onion/bSnPjsPVJLE/discussion

Also, from your latest sostat:

ELSA Buffers in Queue:
831
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.

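Doug's questions above come down to one thing: /etc/elsa_web.conf is JSON, and JSON has no comment syntax, so a hand-added `#` line makes the whole file unparseable and stops the package from rewriting values in it. The checker below is an added example (not part of this thread or of the ELSA project); the sample config and its key names are constructed for the example, and the file path is only assumed.

```python
"""Added example: strict-parse an ELSA-style JSON config and point at the
line that breaks it. Not code from the thread or from the ELSA project."""
import json
import re

# Constructed sample config (not a real /etc/elsa_web.conf): the "logs"
# block contains a commented-out key, the kind of edit that breaks parsing.
SAMPLE_CONF = '''{
  "peer_id_multiplier": 1000000000000,
  "query_timeout": 10000,
  "nodes": {
    "127.0.0.1": {
      "db": "syslog",
      "username": "xxxx",
      "password": "xxxx",
      "port": 3306,
      "sphinx_port": 9306
    }
  },
  "logs": {
    #"days": 90,
    "percentage": 33,
    "table_size": 10000000
  }
}
'''

# Lines that start with "#" or "//" are comments in many config formats,
# but never in JSON.
_COMMENT_RE = re.compile(r'^\s*(#|//)')


def find_comment_lines(text):
    """Return the 1-based numbers of comment-style lines in the config."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if _COMMENT_RE.match(line)]


def check_conf(text):
    """Strictly parse the config. Returns (ok, message, parsed_or_None)."""
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = ''
        comments = find_comment_lines(text)
        if comments:
            hint = ' (comment lines at %s; JSON does not allow comments)' % comments
        return False, 'line %d col %d: %s%s' % (exc.lineno, exc.colno,
                                                 exc.msg, hint), None
    return True, 'ok', parsed


def strip_comment_lines(text):
    """Return the config without comment-only lines, for a re-check.
    Review the result before writing it back: a commented-out key may have
    been someone's intended change."""
    return '\n'.join(line for line in text.splitlines()
                     if not _COMMENT_RE.match(line)) + '\n'


if __name__ == '__main__':
    # Assumed path; on a real box read /etc/elsa_web.conf instead of the sample.
    ok, msg, _ = check_conf(SAMPLE_CONF)
    print('original:', msg)
    ok2, msg2, conf = check_conf(strip_comment_lines(SAMPLE_CONF))
    print('after removing comment lines:', msg2,
          '- query_timeout =', conf['query_timeout'] if ok2 else None)
```

The same check applies to the node config (/etc/elsa_node.conf, assumed path), which is also JSON.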
Will B

unread,
Jul 23, 2015, 11:33:04 AM7/23/15
to securit...@googlegroups.com
Hi Doug, I removed Pads (I misspelled it in my bash file :(  )
and I never touched elsa_web.conf.
I ran another sostat and had an ELSA buffers in queue of 2.
I'm not sure if it's because /nsm is an iscsi?

Anyhow, I checked elsa this morning and everything seems to be back to normal....
I'm not entirely sure what fixed it.

I receive this on every query,

atching because estimated query time is 149 seconds.127.0.0.1: Batching because estimated query time is 149 seconds


but changing the date/time allows me to query just fine.


Thanks for your support and help!



DefensiveDepth

unread,
Jul 23, 2015, 11:37:13 AM7/23/15
to security-onion, wib...@gmail.com
Under ELSA, Admin --> Stats, view the stats and see if you had any abnormally high volumes of events recently.

-Josh

Will B

unread,
Jul 23, 2015, 12:06:14 PM7/23/15
to securit...@googlegroups.com
Hi Josh, thanks for taking the time to respond.

Elsa -> admin -> stats 
returns "no data available"




On Thu, Jul 23, 2015 at 10:37 AM, DefensiveDepth <joshb...@gmail.com> wrote:
Under ELSA, Admin --> Stats, view the stats and see if you had any abnormally high volumes of events recently.

-Josh

DefensiveDepth

unread,
Jul 23, 2015, 12:33:31 PM7/23/15
to security-onion, wib...@gmail.com
What is the "default" date/time when refreshing the page, and what do you have to change it to for it to work without the batching?