Kibana, Logstash, Curator, ElastAlert and Elasticsearch not starting

David Izevbua

Aug 24, 2018, 6:07:44 AM8/24/18
to security-onion
sudo sostat-redacted
[sudo] password for dirivbogbe:
/usr/sbin/sostat: line 110: docker: command not found
/usr/sbin/sostat: line 479: docker: command not found
/usr/sbin/sostat: line 480: docker: command not found
/usr/sbin/sostat: line 481: docker: command not found
/usr/sbin/sostat: line 482: docker: command not found
/usr/sbin/sostat: line 483: docker: command not found
/usr/sbin/sostat: line 484: docker: command not found
/usr/sbin/sostat: line 485: docker: command not found
/usr/sbin/sostat: line 488: / : syntax error: operand expected (error token is "/ ")
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 9318 24 Aug 08:39:22
proxy proxy localhost running 9373 24 Aug 08:39:24
SO-server-eth2-1 worker localhost running 9492 24 Aug 08:39:25
SO-server-eth2-2 worker localhost running 9497 24 Aug 08:39:25
SO-server-eth2-3 worker localhost running 9506 24 Aug 08:39:25
SO-server-eth2-4 worker localhost running 9509 24 Aug 08:39:25
SO-server-eth2-5 worker localhost running 9510 24 Aug 08:39:25
SO-server-eth2-6 worker localhost running 9513 24 Aug 08:39:25
SO-server-eth2-7 worker localhost running 9516 24 Aug 08:39:25
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort_agent-3 (SO-user)[ OK ]
* snort_agent-4 (SO-user)[ OK ]
* snort_agent-5 (SO-user)[ OK ]
* snort_agent-6 (SO-user)[ OK ]
* snort_agent-7 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* snort-5 (alert data)[ OK ]
* snort-6 (alert data)[ OK ]
* snort-7 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
* barnyard2-5 (spooler, unified2 format)[ OK ]
* barnyard2-6 (spooler, unified2 format)[ OK ]
* barnyard2-7 (spooler, unified2 format)[ OK ]
Status: Elastic stack
* so-elasticsearch/usr/sbin/so-elastic-status: line 40: docker: command not found
[ FAIL ]
* so-logstash/usr/sbin/so-elastic-status: line 50: docker: command not found
[ FAIL ]
* so-kibana/usr/sbin/so-elastic-status: line 63: docker: command not found
[ FAIL ]
* so-curator/usr/sbin/so-elastic-status: line 90: docker: command not found
[ FAIL ]
* so-elastalert/usr/sbin/so-elastic-status: line 99: docker: command not found
[ FAIL ]


=========================================================================
Interface Status
=========================================================================
enp0s29f1u2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6344771 errors:0 dropped:0 overruns:0 frame:0
TX packets:74561 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9057574037 (9.0 GB) TX bytes:12700133 (12.7 MB)
Memory:92d60000-92d7ffff

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2053410111 errors:0 dropped:305986 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:844815394704 (844.8 GB) TX bytes:70 (70.0 B)

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:92d20000-92d3ffff

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1198511 errors:0 dropped:0 overruns:0 frame:0
TX packets:1198511 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2338874550 (2.3 GB) TX bytes:2338874550 (2.3 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2338890305 1198537 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2338890305 1198537 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 0
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
9057752053 6344895 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
12700299 74562 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
3: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 1
4: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 1
5: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
844815779393 2053410771 0 3744 0 5083
RX errors: length crc frame fifo missed
0 0 0 0 302242
TX: bytes packets errors dropped carrier collsns
70 1 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 4
6: enp0s29f1u2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 7.9G 0 7.9G 0% /dev
tmpfs 1.6G 9.2M 1.6G 1% /run
/dev/sda2 3.6T 252G 3.2T 8% /
tmpfs 7.9G 0 7.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/sda1 511M 3.4M 508M 1% /boot/efi
cgmfs 100K 0 100K 0% /run/cgmanager/fs
tmpfs 1.6G 0 1.6G 0% /run/user/1000

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1512 root 3u IPv4 12475 0t0 TCP *:ssh_port (LISTEN)
sshd 1512 root 4u IPv6 12477 0t0 TCP *:ssh_port (LISTEN)
ntpd 1733 ntp 16u IPv6 17770 0t0 UDP *:123
ntpd 1733 ntp 17u IPv4 17773 0t0 UDP *:123
ntpd 1733 ntp 18u IPv4 17778 0t0 UDP X.X.X.X:123
ntpd 1733 ntp 19u IPv4 17780 0t0 UDP X.X.X.X:123
ntpd 1733 ntp 20u IPv6 17782 0t0 UDP [X.X.X.X]:123
ntpd 1733 ntp 21u IPv6 17784 0t0 UDP [X.X.X.X]:123
sshd 2467 root 3u IPv4 12715 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:19866 (ESTABLISHED)
sshd 2484 root 3u IPv4 9572 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:19873 (ESTABLISHED)
sshd 2571 SO-user 3u IPv4 12715 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:19866 (ESTABLISHED)
sshd 2571 SO-user 9u IPv6 9603 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 2571 SO-user 10u IPv4 9604 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 2592 SO-user 3u IPv4 9572 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:19873 (ESTABLISHED)
mysqld 6872 mysql 26u IPv4 16359 0t0 TCP X.X.X.X:3306 (LISTEN)
apache2 8535 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
bro 9318 SO-user 4u IPv4 32783 0t0 UDP X.X.X.X:49401->X.X.X.X:53
bro 9326 SO-user 0u IPv4 22477 0t0 TCP *:47761 (LISTEN)
bro 9326 SO-user 1u IPv6 22478 0t0 TCP *:47761 (LISTEN)
bro 9326 SO-user 2u IPv4 22479 0t0 TCP X.X.X.X:47761->X.X.X.X:57700 (ESTABLISHED)
bro 9326 SO-user 4u IPv4 32783 0t0 UDP X.X.X.X:49401->X.X.X.X:53
bro 9326 SO-user 14u IPv4 22482 0t0 TCP X.X.X.X:47761->X.X.X.X:57702 (ESTABLISHED)
bro 9326 SO-user 19u IPv4 15313 0t0 TCP X.X.X.X:47761->X.X.X.X:57708 (ESTABLISHED)
bro 9326 SO-user 24u IPv4 15316 0t0 TCP X.X.X.X:47761->X.X.X.X:57712 (ESTABLISHED)
bro 9326 SO-user 29u IPv4 15319 0t0 TCP X.X.X.X:47761->X.X.X.X:57716 (ESTABLISHED)
bro 9326 SO-user 34u IPv4 29921 0t0 TCP X.X.X.X:47761->X.X.X.X:57720 (ESTABLISHED)
bro 9326 SO-user 39u IPv4 10210 0t0 TCP X.X.X.X:47761->X.X.X.X:57726 (ESTABLISHED)
bro 9326 SO-user 44u IPv4 10213 0t0 TCP X.X.X.X:47761->X.X.X.X:57728 (ESTABLISHED)
ossec-csy 9357 ossecm 5u IPv4 180121 0t0 UDP X.X.X.X:56304->X.X.X.X:514
bro 9373 SO-user 4u IPv4 20467 0t0 UDP X.X.X.X:38625->X.X.X.X:53
bro 9375 SO-user 0u IPv4 27050 0t0 TCP X.X.X.X:57700->X.X.X.X:47761 (ESTABLISHED)
bro 9375 SO-user 4u IPv4 20467 0t0 UDP X.X.X.X:38625->X.X.X.X:53
bro 9375 SO-user 12u IPv4 27055 0t0 TCP *:47762 (LISTEN)
bro 9375 SO-user 13u IPv6 27056 0t0 TCP *:47762 (LISTEN)
bro 9375 SO-user 14u IPv4 28346 0t0 TCP X.X.X.X:47762->X.X.X.X:49536 (ESTABLISHED)
bro 9375 SO-user 19u IPv4 15310 0t0 TCP X.X.X.X:47762->X.X.X.X:49538 (ESTABLISHED)
bro 9375 SO-user 24u IPv4 28349 0t0 TCP X.X.X.X:47762->X.X.X.X:49542 (ESTABLISHED)
bro 9375 SO-user 29u IPv4 28352 0t0 TCP X.X.X.X:47762->X.X.X.X:49546 (ESTABLISHED)
bro 9375 SO-user 34u IPv4 29918 0t0 TCP X.X.X.X:47762->X.X.X.X:49550 (ESTABLISHED)
bro 9375 SO-user 39u IPv4 29924 0t0 TCP X.X.X.X:47762->X.X.X.X:49556 (ESTABLISHED)
bro 9375 SO-user 44u IPv4 29927 0t0 TCP X.X.X.X:47762->X.X.X.X:49554 (ESTABLISHED)
sshd 9485 root 3u IPv4 386872 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:26040 (ESTABLISHED)
bro 9492 SO-user 4u IPv4 33807 0t0 UDP X.X.X.X:50404->X.X.X.X:53
bro 9497 SO-user 4u IPv4 25978 0t0 UDP X.X.X.X:36190->X.X.X.X:53
bro 9506 SO-user 4u IPv4 29036 0t0 UDP X.X.X.X:35462->X.X.X.X:53
bro 9509 SO-user 4u IPv4 30924 0t0 UDP X.X.X.X:39885->X.X.X.X:53
bro 9510 SO-user 4u IPv4 10185 0t0 UDP X.X.X.X:36985->X.X.X.X:53
bro 9513 SO-user 4u IPv4 14155 0t0 UDP X.X.X.X:47721->X.X.X.X:53
bro 9516 SO-user 4u IPv4 20475 0t0 UDP X.X.X.X:60537->X.X.X.X:53
bro 9525 SO-user 0u IPv4 31999 0t0 TCP X.X.X.X:57702->X.X.X.X:47761 (ESTABLISHED)
bro 9525 SO-user 4u IPv4 25978 0t0 UDP X.X.X.X:36190->X.X.X.X:53
bro 9525 SO-user 12u IPv4 32002 0t0 TCP X.X.X.X:49536->X.X.X.X:47762 (ESTABLISHED)
bro 9525 SO-user 17u IPv4 32007 0t0 TCP *:47764 (LISTEN)
bro 9525 SO-user 18u IPv6 32008 0t0 TCP *:47764 (LISTEN)
bro 9528 SO-user 0u IPv4 11179 0t0 TCP X.X.X.X:49538->X.X.X.X:47762 (ESTABLISHED)
bro 9528 SO-user 4u IPv4 10185 0t0 UDP X.X.X.X:36985->X.X.X.X:53
bro 9528 SO-user 12u IPv4 11182 0t0 TCP X.X.X.X:57708->X.X.X.X:47761 (ESTABLISHED)
bro 9528 SO-user 17u IPv4 11187 0t0 TCP *:47767 (LISTEN)
bro 9528 SO-user 18u IPv6 11188 0t0 TCP *:47767 (LISTEN)
bro 9529 SO-user 0u IPv4 11189 0t0 TCP X.X.X.X:49542->X.X.X.X:47762 (ESTABLISHED)
bro 9529 SO-user 4u IPv4 14155 0t0 UDP X.X.X.X:47721->X.X.X.X:53
bro 9529 SO-user 12u IPv4 11192 0t0 TCP X.X.X.X:57712->X.X.X.X:47761 (ESTABLISHED)
bro 9529 SO-user 17u IPv4 11197 0t0 TCP *:47768 (LISTEN)
bro 9529 SO-user 18u IPv6 11198 0t0 TCP *:47768 (LISTEN)
bro 9533 SO-user 0u IPv4 10190 0t0 TCP X.X.X.X:49546->X.X.X.X:47762 (ESTABLISHED)
bro 9533 SO-user 4u IPv4 20475 0t0 UDP X.X.X.X:60537->X.X.X.X:53
bro 9533 SO-user 12u IPv4 10193 0t0 TCP X.X.X.X:57716->X.X.X.X:47761 (ESTABLISHED)
bro 9533 SO-user 17u IPv4 10198 0t0 TCP *:47769 (LISTEN)
bro 9533 SO-user 18u IPv6 10199 0t0 TCP *:47769 (LISTEN)
bro 9540 SO-user 0u IPv4 10200 0t0 TCP X.X.X.X:49550->X.X.X.X:47762 (ESTABLISHED)
bro 9540 SO-user 4u IPv4 30924 0t0 UDP X.X.X.X:39885->X.X.X.X:53
bro 9540 SO-user 12u IPv4 10203 0t0 TCP X.X.X.X:57720->X.X.X.X:47761 (ESTABLISHED)
bro 9540 SO-user 17u IPv4 10208 0t0 TCP *:47766 (LISTEN)
bro 9540 SO-user 18u IPv6 10209 0t0 TCP *:47766 (LISTEN)
bro 9542 SO-user 0u IPv4 20476 0t0 TCP X.X.X.X:49554->X.X.X.X:47762 (ESTABLISHED)
bro 9542 SO-user 4u IPv4 29036 0t0 UDP X.X.X.X:35462->X.X.X.X:53
bro 9542 SO-user 12u IPv4 20479 0t0 TCP X.X.X.X:57728->X.X.X.X:47761 (ESTABLISHED)
bro 9542 SO-user 17u IPv4 34820 0t0 TCP *:47765 (LISTEN)
bro 9542 SO-user 18u IPv6 34821 0t0 TCP *:47765 (LISTEN)
bro 9543 SO-user 0u IPv4 22489 0t0 TCP X.X.X.X:49556->X.X.X.X:47762 (ESTABLISHED)
bro 9543 SO-user 4u IPv4 33807 0t0 UDP X.X.X.X:50404->X.X.X.X:53
bro 9543 SO-user 12u IPv4 22492 0t0 TCP X.X.X.X:57726->X.X.X.X:47761 (ESTABLISHED)
bro 9543 SO-user 17u IPv4 22497 0t0 TCP *:47763 (LISTEN)
bro 9543 SO-user 18u IPv6 22498 0t0 TCP *:47763 (LISTEN)
sshd 9892 SO-user 3u IPv4 386872 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:26040 (ESTABLISHED)
tclsh 10713 SO-user 13u IPv4 31053 0t0 TCP *:7734 (LISTEN)
tclsh 10713 SO-user 14u IPv6 31054 0t0 TCP *:7734 (LISTEN)
tclsh 10713 SO-user 15u IPv4 31057 0t0 TCP *:7736 (LISTEN)
tclsh 10713 SO-user 16u IPv6 31058 0t0 TCP *:7736 (LISTEN)
tclsh 10713 SO-user 17u IPv6 31077 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:33510 (ESTABLISHED)
tclsh 10713 SO-user 18u IPv6 31243 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:44547 (ESTABLISHED)
tclsh 10713 SO-user 19u IPv6 33302 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:45386 (ESTABLISHED)
tclsh 10713 SO-user 20u IPv6 36012 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:44651 (ESTABLISHED)
tclsh 10713 SO-user 21u IPv6 39058 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:45474 (ESTABLISHED)
tclsh 10713 SO-user 22u IPv6 37188 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:38876 (ESTABLISHED)
tclsh 10713 SO-user 23u IPv6 33308 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:36675 (ESTABLISHED)
tclsh 10713 SO-user 24u IPv6 34010 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:46015 (ESTABLISHED)
tclsh 10713 SO-user 25u IPv6 37200 0t0 TCP [X.X.X.X]:7736->[X.X.X.X]:35419 (ESTABLISHED)
tclsh 10775 SO-user 3u IPv6 35010 0t0 TCP [X.X.X.X]:33510->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 10944 SO-user 3u IPv6 28451 0t0 TCP [X.X.X.X]:44547->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 10975 SO-user 3u IPv6 30258 0t0 TCP [X.X.X.X]:45386->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 10975 SO-user 4u IPv4 30259 0t0 TCP X.X.X.X:8301 (LISTEN)
tclsh 10975 SO-user 5u IPv4 40458 0t0 TCP X.X.X.X:8301->X.X.X.X:59952 (ESTABLISHED)
tclsh 10998 SO-user 3u IPv6 37185 0t0 TCP [X.X.X.X]:44651->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 10998 SO-user 4u IPv4 39998 0t0 TCP X.X.X.X:8302 (LISTEN)
tclsh 10998 SO-user 5u IPv4 31534 0t0 TCP X.X.X.X:8302->X.X.X.X:52196 (ESTABLISHED)
tclsh 11021 SO-user 3u IPv6 30277 0t0 TCP [X.X.X.X]:45474->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 11021 SO-user 4u IPv4 30278 0t0 TCP X.X.X.X:8303 (LISTEN)
tclsh 11021 SO-user 5u IPv4 48266 0t0 TCP X.X.X.X:8303->X.X.X.X:53336 (ESTABLISHED)
tclsh 11044 SO-user 3u IPv6 28502 0t0 TCP [X.X.X.X]:38876->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 11044 SO-user 4u IPv4 26119 0t0 TCP X.X.X.X:8304 (LISTEN)
tclsh 11044 SO-user 5u IPv4 31535 0t0 TCP X.X.X.X:8304->X.X.X.X:46186 (ESTABLISHED)
apache2 11062 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
tclsh 11067 SO-user 3u IPv6 38093 0t0 TCP [X.X.X.X]:36675->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 11067 SO-user 4u IPv4 33309 0t0 TCP X.X.X.X:8305 (LISTEN)
tclsh 11067 SO-user 5u IPv4 51273 0t0 TCP X.X.X.X:8305->X.X.X.X:39532 (ESTABLISHED)
tclsh 11090 SO-user 3u IPv6 36096 0t0 TCP [X.X.X.X]:46015->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 11090 SO-user 4u IPv4 36097 0t0 TCP X.X.X.X:8306 (LISTEN)
tclsh 11090 SO-user 5u IPv4 51274 0t0 TCP X.X.X.X:8306->X.X.X.X:60292 (ESTABLISHED)
tclsh 11113 SO-user 3u IPv6 39115 0t0 TCP [X.X.X.X]:35419->[X.X.X.X]:7736 (ESTABLISHED)
tclsh 11113 SO-user 4u IPv4 37201 0t0 TCP X.X.X.X:8307 (LISTEN)
tclsh 11113 SO-user 5u IPv4 49414 0t0 TCP X.X.X.X:8307->X.X.X.X:60324 (ESTABLISHED)
apache2 11120 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
barnyard2 11349 SO-user 3u IPv4 31536 0t0 TCP X.X.X.X:59952->X.X.X.X:8301 (ESTABLISHED)
barnyard2 11378 SO-user 3u IPv4 31533 0t0 TCP X.X.X.X:52196->X.X.X.X:8302 (ESTABLISHED)
barnyard2 11401 SO-user 3u IPv4 47216 0t0 TCP X.X.X.X:53336->X.X.X.X:8303 (ESTABLISHED)
barnyard2 11424 SO-user 3u IPv4 31532 0t0 TCP X.X.X.X:46186->X.X.X.X:8304 (ESTABLISHED)
barnyard2 11447 SO-user 3u IPv4 49776 0t0 TCP X.X.X.X:39532->X.X.X.X:8305 (ESTABLISHED)
barnyard2 11476 SO-user 3u IPv4 50276 0t0 TCP X.X.X.X:60292->X.X.X.X:8306 (ESTABLISHED)
barnyard2 11499 SO-user 3u IPv4 49392 0t0 TCP X.X.X.X:60324->X.X.X.X:8307 (ESTABLISHED)
apache2 12074 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
sshd 17137 root 3u IPv4 126223 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:ssh_port020 (ESTABLISHED)
sshd 17836 SO-user 3u IPv4 126223 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:ssh_port020 (ESTABLISHED)
apache2 27322 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27557 root 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27560 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27561 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27562 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27563 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
apache2 27564 www-data 4u IPv6 153140 0t0 TCP *:443 (LISTEN)
syslog-ng 27612 root 19u IPv4 162018 0t0 TCP *:514 (LISTEN)
syslog-ng 27612 root 20u IPv4 162019 0t0 UDP *:514
sshd 28620 root 3u IPv4 157943 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:5026 (ESTABLISHED)
sshd 28810 SO-user 3u IPv4 157943 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:5026 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri Aug 24 08:39:28 UTC 2018
Backing up current local_rules.xml file.
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
Running PulledPork.

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2990.tar.gz....
Rules tarball download of snortrules-snapshot-2990.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2990.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Setting Flowbit State....
Enabled 194 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------36269
Deleted:---1941
Enabled Rules:----30622
Dropped Rules:----0
Disabled Rules:---29585
Total Rules:------60207
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2990.tar.gz....
Rules tarball download of snortrules-snapshot-2990.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2990.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Skipped 0 rules (already disabled)
Done
Setting Flowbit State....
Enabled 194 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------36269
Deleted:---1941
Enabled Rules:----30622
Dropped Rules:----0
Disabled Rules:---29585
Total Rules:------60207
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
8.52 8.56 10.31
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 09:49:28 up 1:22, 4 users, load average: 8.52, 8.56, 10.31
Tasks: 312 total, 9 running, 303 sleeping, 0 stopped, 0 zombie
%Cpu(s): 13.7 us, 2.9 sy, 0.4 ni, 61.5 id, 19.1 wa, 0.0 hi, 2.4 si, 0.0 st
KiB Mem : 16418216 total, 266308 free, 14582620 used, 1569288 buff/cache
KiB Swap: 16764924 total, 11329236 free, 5435688 used. 1427088 avail Mem

%CPU %MEM COMMAND
32.4 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-7.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-7 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-7 -i SO-server-eth2-7 -U
24.8 7.3 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
23.9 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
22.3 0.8 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2018-08-24/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64MiB --interval 150MiB
21.4 6.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
20.9 7.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 3.6 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-7 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-7.stats -U --snaplen 1524
13.6 3.4 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-3.stats -U --snaplen 1524
12.1 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-1 -i SO-server-eth2-1 -U
11.2 3.8 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-1.stats -U --snaplen 1524
10.0 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-3 -i SO-server-eth2-3 -U
9.8 4.2 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-4.stats -U --snaplen 1524
9.7 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-4 -i SO-server-eth2-4 -U
9.5 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-6.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-6 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-6 -i SO-server-eth2-6 -U
9.4 4.5 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-2.stats -U --snaplen 1524
9.3 1.7 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
9.0 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-5.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-5 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-5 -i SO-server-eth2-5 -U
8.9 3.0 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-6 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-6.stats -U --snaplen 1524
8.8 0.1 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-2 -i SO-server-eth2-2 -U
7.2 0.8 /usr/sbin/mysqld
6.1 3.5 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-5 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-5.stats -U --snaplen 1524
5.1 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.0 8.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
3.9 8.4 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
3.9 8.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
3.9 8.1 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
2.6 0.1 /usr/sbin/syslog-ng -F
2.1 0.0 [kswapd0]
1.6 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.4 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-7.conf
1.1 0.0 [kswapd1]
0.7 0.0 /var/ossec/bin/ossec-syscheckd
0.6 0.0 -bash
0.2 0.0 /sbin/init
0.2 0.0 [rcu_sched]
0.2 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.1 0.0 [jbd2/sda2-8]
0.1 0.0 sshd: SO-user@pts/0
0.1 0.0 bash -c while [ -d /proc/$PPID ]; do sleep 1;head -v -n 8 /proc/meminfo; head -v -n 2 /proc/stat /proc/version /proc/uptime /proc/loadavg /proc/sys/fs/file-nr /proc/sys/kernel/hostname; tail -v -n 16 /proc/net/dev;echo '==> /proc/df <==';df;echo '==> /proc/who <==';who;echo '==> /proc/end <==';echo '##Moba##'; done
0.1 0.0 [kworker/u49:0]
0.1 0.0 /var/ossec/bin/ossec-analysisd
0.1 0.0 sshd: SO-user [priv]
0.1 0.0 sudo sostat-redacted
0.1 0.0 [kworker/u50:2]
0.1 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-3.conf
0.1 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-4.conf
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/12]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/13]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/14]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [watchdog/15]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [kworker/9:1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kpsmoused]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [bioset]
0.0 0.0 [ixgbe]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kauditd]
0.0 0.0 /lib/systemd/systemd-journald
0.0 0.0 /lib/systemd/systemd-udevd
0.0 0.0 [kworker/14:1H]
0.0 0.0 [edac-poller]
0.0 0.0 [kipmi0]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/cron -f
0.0 0.0 /usr/sbin/atd -f
0.0 0.0 /usr/sbin/acpid
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /sbin/cgmanager -m name=systemd
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
0.0 0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
0.0 0.0 [kworker/7:1H]
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/agetty --noclear tty1 linux
0.0 0.0 [kworker/4:1H]
0.0 0.0 [kworker/13:1H]
0.0 0.0 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
0.0 0.0 [kworker/11:1H]
0.0 0.0 php-fpm: pool www
0.0 0.0 php-fpm: pool www
0.0 0.0 [kworker/12:1H]
0.0 0.0 [kworker/6:1H]
0.0 0.0 [kworker/2:1H]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:119
0.0 0.0 [kworker/9:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/10:1H]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /lib/systemd/systemd --user
0.0 0.0 (sd-pam)
0.0 0.0 sshd: SO-user@notty
0.0 0.0 /usr/lib/openssh/sftp-server
0.0 0.0 -bash
0.0 0.0 [kworker/8:1H]
0.0 0.0 [kworker/15:1H]
0.0 0.0 [kworker/13:2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/15:2]
0.0 0.0 [kworker/u48:0]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/3:0]
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 [kworker/14:2]
0.0 0.0 sshd: SO-user@pts/3
0.0 0.0 /bin/bash /usr/sbin/sostat-redacted
0.0 0.0 /bin/bash /usr/sbin/sostat
0.0 0.0 [kworker/14:0]
0.0 0.0 [kworker/10:1]
0.0 0.0 sleep 1
0.0 0.0 [kworker/11:0]
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/9:2]
0.0 0.0 [kworker/0:1]
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-2.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-3.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-4.conf
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-5.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-5.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-6.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-6.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-7.conf
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/4:2]
0.0 0.0 [kworker/12:0]
0.0 0.0 [kworker/8:2]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/4:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/10:0]
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 -bash
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-7.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-6.stats
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/7:2]
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-4.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-3.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-2.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-5.stats
0.0 0.0 [kworker/u50:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/u49:1]
0.0 0.0 [kworker/u48:1]
0.0 0.0 [kworker/11:2]
0.0 0.0 [kworker/6:2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/5:0]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/2:3]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/u50:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/2
0.0 0.0 -bash
0.0 0.0 [kworker/2:2]
0.0 0.0 [kworker/0:2]
0.0 0.0 sh -
0.0 0.0 sh

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth2: 100

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth2:

RX packets:2053419554 dropped:305986 TX packets:1 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name : snort-cluster-54-socket-0
Tot Packets : 51217481
Tot Pkt Lost : 48723408


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 50526978
Tot Pkt Lost : 47846247


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 52105789
Tot Pkt Lost : 48731053


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 53017563
Tot Pkt Lost : 50459884


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 50843152
Tot Pkt Lost : 49129353


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 51013153
Tot Pkt Lost : 48552038


Appl. Name : snort-cluster-54-socket-0
Tot Packets : 58479411
Tot Pkt Lost : 49132067


Appl. Name : bro-eth2
Tot Packets : 215755021
Tot Pkt Lost : 214950325


Appl. Name : bro-eth2
Tot Packets : 222880466
Tot Pkt Lost : 222024879


Appl. Name : bro-eth2
Tot Packets : 217905292
Tot Pkt Lost : 217017888


Appl. Name : bro-eth2
Tot Packets : 223519701
Tot Pkt Lost : 219247752


Appl. Name : bro-eth2
Tot Packets : 214593275
Tot Pkt Lost : 209744170


Appl. Name : bro-eth2
Tot Packets : 218451841
Tot Pkt Lost : 214214512


Appl. Name : bro-eth2
Tot Packets : 216344027
Tot Pkt Lost : 215511459

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/SO-server-eth2/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-4.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-5.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-6.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-7.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 4724.246770

SO-server-eth2-1: <error: cannot connect to X.X.X.X:47763>
SO-server-eth2-2: <error: cannot connect to X.X.X.X:47764>
SO-server-eth2-3: <error: cannot connect to X.X.X.X:47765>
SO-server-eth2-4: 1535104200.056059 recvd=4347069 dropped=219247752 link=4347069
SO-server-eth2-5: 1535104200.256062 recvd=4937430 dropped=209744170 link=4937430
SO-server-eth2-6: 1535104200.460172 recvd=4330506 dropped=214214512 link=4330506
SO-server-eth2-7: <error: cannot connect to X.X.X.X:47769>

Capture Loss:

SO-server-eth2-4: 0
0.016749
0.100379
1.761493
75.351331
80.114613
80.434301
81.17378
81.528046
83.531643
SO-server-eth2-5: 0
0.016749
0.100379
1.761493
75.351331
80.114613
80.434301
81.17378
81.528046
83.531643
SO-server-eth2-6: 0
0.016749
0.100379
1.761493
75.351331
80.114613
80.434301
81.17378
81.528046
83.531643

If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).

-------------------------------------------------------------------------

Netsniff-NG:

This may take a second...


Percentage of packets dropped:

/var/log/nsm/SO-server-eth2/netsniff-ng.log -- 47.30


=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.6.0 (unknown)
Total rings : 14

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 889
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-enp0s29f1u2/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 1 days
246G .
246G ./2018-08-24

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 1 days
97M .
96M ./2018-08-24
96K ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
236250

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
91985 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
53006 119:33 http_inspect: UNESCAPED SPACE IN HTTP URI
14879 129:12 stream5: TCP Small Segment Threshold Exceeded
14778 119:14 http_inspect: NON-RFC DEFINED CHAR
14561 129:4 stream5: TCP Timestamp is outside of PAWS window
10991 120:8 http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
10389 119:19 http_inspect: LONG HEADER
9611 129:15 stream5: Reset outside window
3816 1:2010935 ET SCAN Suspicious inbound to MSSQL port 1433
2502 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
909 1:2402000 ET DROP Dshield Block Listed Source group 1
870 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
670 1:2010937 ET SCAN Suspicious inbound to mySQL port 3306
534 139:1 sensitive_data: sensitive data global threshold exceeded
484 129:14 stream5: TCP Timestamp is missing
479 137:1 spp_ssl: Invalid Client HELLO after Server HELLO Detected
383 119:31 http_inspect: UNKNOWN METHOD
336 128:4 ssh: Protocol mismatch
307 140:18 sip: Content length mismatch
134 1:2008581 ET P2P BitTorrent DHT ping request
127 1:2500010 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 6
107 1:2011716 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
104 129:7 stream5: Limit on number of overlapping TCP packets reached
102 1:2500008 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 5
98 138:5 sensitive_data: sensitive data - eMail addresses
90 1:40522 MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting
80 1:2403404 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 53
66 1:2403440 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 71
64 1:2403474 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 88
64 1:2023016 ET TELNET SUSPICIOUS Path to BusyBox
58 1:2500014 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 8
58 1:2403458 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 80
56 1:2010936 ET SCAN Suspicious inbound to Oracle SQL port 1521
53 1:2403460 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 81
51 1:2001219 ET SCAN Potential SSH Scan
48 1:2403446 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 74
48 1:2403442 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 72
48 1:2403350 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 26
46 1:2403424 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 63
44 1:2403348 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 25
44 1:2403328 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 15
44 1:2403434 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 68
43 1:2403436 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 69
42 1:2010140 ET P2P Vuze BT UDP Connection
41 1:2403316 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 9
41 1:2403484 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 93
40 1:2403418 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 60
40 1:2403488 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95
40 1:2403498 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 100
38 1:2403320 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 11
Total
236287

=========================================================================
Last update
=========================================================================
Commandline: apt-get install -y redis-server
Requested-By: SO-user (1000)
Install: redis-tools:amd64 (2:3.0.6-1, automatic), libjemalloc1:amd64 (3.6.0-9ubuntu1, automatic), redis-server:amd64 (2:3.0.6-1)
End-Date: 2018-08-24 09:02:39

Start-Date: 2018-08-24 09:45:38
Commandline: apt autoremove
Requested-By: SO-user (1000)
Remove: linux-headers-4.4.0-31:amd64 (4.4.0-31.50)
End-Date: 2018-08-24 09:45:42

=========================================================================
Elasticsearch
=========================================================================


Elasticsearch is not running.

Try starting it with:

'sudo so-elastic-start'
OR
'sudo docker start so-elasticsearch'


If that does not work, try checking /var/log/elasticsearch/SO-server.log for clues.

=========================================================================
Logstash
=========================================================================

Logstash is not running.

Try starting it with:

'sudo so-elastic-start'
OR
'sudo docker start so-logstash'


If that does not work, try checking /var/log/logstash/logstash.log for clues.

=========================================================================
Kibana
=========================================================================

Kibana is not running.

Try starting it with:

'sudo so-elastic-start'
OR
'sudo docker start so-kibana'


If that does not work, try checking /var/log/kibana/kibana.log for clues.

=========================================================================
ElastAlert
=========================================================================

ElastAlert is not running.

Try starting it with:

'sudo so-elastic-start'
OR
'sudo docker start so-elastalert'


If that does not work, try checking /var/log/elastalert/elastalert_stderr.log for clues.

=========================================================================
Curator
=========================================================================

Curator is not running.

Try starting it with:

'sudo so-elastic-start'
OR
'sudo docker start so-curator'


If that does not work, try checking /var/log/curator/curator.log for clues.

=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion109

Wes Lambert

Aug 24, 2018, 6:57:49 AM8/24/18
to securit...@googlegroups.com
It looks like Docker is not installed.

You may want to try running so-elastic-configure to see if that helps.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.



DAVID IZEVBUA

Oct 22, 2018, 10:23:08 AM10/22/18
to security-onion

Hello,

Please, Security Onion does not start.

sudo sostat-redacted

Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
Runtime error (func=(main), adr=14): Divide by zero
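The pf_ring figures in the first sostat dump above show every application on eth2 losing most of its packets (for example 48723408 of 51217481 on one snort-cluster-54-socket-0 ring, and 214950325 of 215755021 on one bro-eth2 ring), and the "Runtime error (func=(main), adr=14): Divide by zero" lines in this post are in the format bc prints; sostat's percentage arithmetic goes through bc, so a counter of zero in a denominator is the likely source (an inference from the message, not something the thread confirms). What follows is an added example, not code from sostat or from anyone in this thread: a small POSIX shell script that parses pf_ring blocks in the layout sostat prints, computes the loss percentage per application with awk, reports "n/a" instead of dividing by a zero packet count, and exits non-zero when any application exceeds a loss threshold. The sample blocks are constructed for the example (two copied from the dump above, one with zero packets to exercise the guard); the names `loss_percent`, `pfring_loss_report` and `pfring_alert` are chosen here. Loss at the levels shown means Snort and Bro are inspecting only a small fraction of what crosses the tap, so the Sguil alert totals further down the dump understate what was actually on the wire.

```shell
#!/usr/bin/env bash
# Added example, not part of sostat or of this thread: compute per-application
# packet loss from pf_ring stat blocks in the layout sostat prints, guarding
# against the zero-denominator case behind bc's "Divide by zero" runtime error.

# Constructed sample. The first two blocks are copied from the sostat dump in
# the thread; the third, with zero packets, is added to exercise the guard.
SAMPLE_PFRING='Appl. Name : snort-cluster-54-socket-0
Tot Packets : 51217481
Tot Pkt Lost : 48723408


Appl. Name : bro-eth2
Tot Packets : 215755021
Tot Pkt Lost : 214950325


Appl. Name : bro-eth2
Tot Packets : 0
Tot Pkt Lost : 0
'

# loss_percent TOTAL LOST
# Prints LOST as a percentage of TOTAL with two decimals, or "n/a" when TOTAL
# is zero or not a number. awk does the division, so bc is not needed.
loss_percent() {
  lp_total=$1
  lp_lost=$2
  case $lp_total in
    ''|*[!0-9]*) echo "n/a"; return 0 ;;
  esac
  if [ "$lp_total" -eq 0 ]; then
    echo "n/a"
  else
    awk -v t="$lp_total" -v l="$lp_lost" 'BEGIN { printf "%.2f\n", 100 * l / t }'
  fi
}

# pfring_loss_report
# Reads pf_ring blocks on stdin and prints one line per application:
#   <app> <total> <lost> <loss percent or n/a>
# A block is complete once all three fields have been seen; blank separator
# lines are ignored.
pfring_loss_report() {
  app=""; total=""; lost=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Appl. Name"*)   app=${line#*: } ;;
      "Tot Packets"*)  total=${line#*: } ;;
      "Tot Pkt Lost"*) lost=${line#*: } ;;
    esac
    if [ -n "$app" ] && [ -n "$total" ] && [ -n "$lost" ]; then
      echo "$app $total $lost $(loss_percent "$total" "$lost")"
      app=""; total=""; lost=""
    fi
  done
}

# pfring_alert THRESHOLD
# Reads pf_ring blocks on stdin; exits 0 when any application lost more than
# THRESHOLD percent of its packets, 1 otherwise. "n/a" rows are skipped rather
# than being counted as 0 or 100 percent.
pfring_alert() {
  pfring_loss_report | awk -v th="$1" '
    $4 != "n/a" && ($4 + 0) > (th + 0) { hit = 1 }
    END { if (hit) exit 0; exit 1 }'
}

# Usage: print the report, then raise an alert if any ring lost more than half.
printf '%s' "$SAMPLE_PFRING" | pfring_loss_report
if printf '%s' "$SAMPLE_PFRING" | pfring_alert 50; then
  echo "ALERT: a pf_ring application is losing more than 50% of its packets"
fi
```

On a live sensor the same functions can be fed the pf_ring section of `sudo sostat` instead of the constructed sample; the "n/a" rows are the ones a bc-based calculation would have turned into the runtime error shown in this post.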

DAVID IZEVBUA

Oct 22, 2018, 10:30:14 AM10/22/18
to security-onion
Hello,
Please, netsniff-ng is not starting.
Please see below.
=========================================================================
Service Status
=========================================================================
Status: securityonion
  * SO-user server[  OK  ]
Status: HIDS
  * ossec_agent (SO-user)[  OK  ]
Status: Bro
Name         Type    Host             Status    Pid    Started
manager      manager localhost        running   2917   22 Oct 14:13:43
proxy        proxy   localhost        running   3706   22 Oct 14:13:47
41-184-204-74-eth2-1 worker  localhost        running   5114   22 Oct 14:13:49
41-184-204-74-eth2-2 worker  localhost        running   5121   22 Oct 14:13:49
41-184-204-74-eth2-3 worker  localhost        running   5134   22 Oct 14:13:49
41-184-204-74-eth2-4 worker  localhost        running   5125   22 Oct 14:13:49
41-184-204-74-eth2-5 worker  localhost        running   5135   22 Oct 14:13:49
41-184-204-74-eth2-6 worker  localhost        running   5132   22 Oct 14:13:49
41-184-204-74-eth2-7 worker  localhost        running   5130   22 Oct 14:13:49
Status: 41-184-204-74-eth2
  * netsniff-ng (full packet data)[ FAIL ]
  * pcap_agent (SO-user)[  OK  ]
  * snort_agent-1 (SO-user)[  OK  ]
  * snort_agent-2 (SO-user)[  OK  ]
  * snort_agent-3 (SO-user)[  OK  ]
  * snort_agent-4 (SO-user)[  OK  ]
  * snort_agent-5 (SO-user)[  OK  ]
  * snort_agent-6 (SO-user)[  OK  ]
  * snort_agent-7 (SO-user)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * snort-2 (alert data)[  OK  ]
  * snort-3 (alert data)[  OK  ]
  * snort-4 (alert data)[  OK  ]
  * snort-5 (alert data)[  OK  ]
  * snort-6 (alert data)[  OK  ]
  * snort-7 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * barnyard2-2 (spooler, unified2 format)[  OK  ]
  * barnyard2-3 (spooler, unified2 format)[  OK  ]
  * barnyard2-4 (spooler, unified2 format)[  OK  ]
  * barnyard2-5 (spooler, unified2 format)[  OK  ]
  * barnyard2-6 (spooler, unified2 format)[  OK  ]
  * barnyard2-7 (spooler, unified2 format)[  OK  ]
Status: Elastic stack
  * so-elasticsearch[  OK  ]
  * so-logstash -- Logstash has started, but is still initializing...[ WARN ]
  * so-kibana[  OK  ]
  * so-curator[  OK  ]
  * so-elastalert[  OK  ]


=========================================================================
Interface Status
=========================================================================
br-caf319787969 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:84 (84.0 B)  TX bytes:648 (648.0 B)

docker0   Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4840700 (4.8 MB)  TX bytes:134786 (134.7 KB)

enp0s29f1u2 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:270 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17567 (17.5 KB)  TX bytes:648 (648.0 B)

eth0      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:387184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:551825553 (551.8 MB)  TX bytes:3949825 (3.9 MB)
          Memory:92d60000-92d7ffff

eth2      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500 Metric:1
          RX packets:21034152 errors:0 dropped:1026 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7082780459 (7.0 GB)  TX bytes:0 (0.0 B)

eth3      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:92d20000-92d3ffff

lo        Link encap:Local Loopback
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:508170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:508170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:3008884812 (3.0 GB)  TX bytes:3008884812 (3.0 GB)


so-curator
-------------------------------------------------------------------------
(eth0)
veth717901c Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:690 (690.0 B)

(eth1)
veth57c384b Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1459 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:190674 (190.6 KB)  TX bytes:38016833 (38.0 MB)


so-elastalert
-------------------------------------------------------------------------
(eth0)
vetha0f3346 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:690 (690.0 B)

(eth1)
vethdeba8ab Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:556 errors:0 dropped:0 overruns:0 frame:0
          TX packets:441 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:142641 (142.6 KB)  TX bytes:145410 (145.4 KB)


so-kibana
-------------------------------------------------------------------------
(eth0)
veth6a2b3a5 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:586 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3228754 (3.2 MB)  TX bytes:101046 (101.0 KB)

(eth1)
vethc83ac4e Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:179848 (179.8 KB)  TX bytes:1048385 (1.0 MB)


so-logstash
-------------------------------------------------------------------------
(eth0)
veth7c4454a Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2730 (2.7 KB)  TX bytes:4302 (4.3 KB)

(eth1)
vethc098e8d Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:914 (914.0 B)


so-elasticsearch
-------------------------------------------------------------------------
(eth0)
veth3fd2127 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:330 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1623300 (1.6 MB)  TX bytes:31774 (31.7 KB)

(eth1)
veth3fe5650 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3324 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:39211842 (39.2 MB)  TX bytes:515346 (515.3 KB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    3060239409 523619   0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3060239409 523619   0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    551827315  387194   0       0       0       4
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3952939    5201     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       1
4: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       1
5: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    7121289138 21238598 0       1026    0       1459
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       4
6: enp0s29f1u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    17697      272      0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    648        8        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
7: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    4840756    1002     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    134870     1041     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
8: br-caf319787969: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast
    84         3        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    648        8        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
10: veth3fd2127@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    1623300    330      0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    31774      418      0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
12: veth3fe5650@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-caf319787969 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast
    39211842   3324     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    515346     3275     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
14: veth7c4454a@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    2730       55       0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4302       67       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
16: vethc098e8d@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-caf319787969 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    914        13       0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
18: veth6a2b3a5@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes  packets  errors  dropped overrun mcast
    3228754    617      0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    101046     586      0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
20: vethc83ac4e@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-caf319787969 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes  packets  errors  dropped overrun mcast
    180735     1244     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1051753    1123     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
22: vetha0f3346@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    690        9        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
24: vethdeba8ab@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-caf319787969 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes  packets  errors  dropped overrun mcast
    142641     556      0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    145410     441      0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
26: veth717901c@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    690        9        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2
28: veth57c384b@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-caf319787969 state UP mode DEFAULT group default
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
    RX: bytes  packets  errors  dropped overrun mcast
    190674     1459     0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    38016833   1789     0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2

=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
udev             14G     0   14G   0% /dev
tmpfs           2.8G  9.8M  2.8G   1% /run
/dev/sda2       3.6T  410G  3.0T  12% /
tmpfs            14G     0   14G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs            14G     0   14G   0% /sys/fs/cgroup
/dev/sda1       511M  3.4M  508M   1% /boot/efi
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs           2.8G     0  2.8G   0% /run/user/1001
overlay         3.6T  410G  3.0T  12% /var/lib/docker/overlay2/714b37fc60d1c6a6a6090528374073c4c84743a42b5287063f06ef3f9dd1bed5/merged
shm              64M     0   64M   0% /var/lib/docker/containers/dedab55550d6725f146f0bcb44707f2e95b6c1498c39f23e59ce6425341e720c/mounts/shm
overlay         3.6T  410G  3.0T  12% /var/lib/docker/overlay2/35af56fd7b0e2acbbf194f57e61c24d97325c726ed06fe9853c6ac5645342a6d/merged
shm              64M     0   64M   0% /var/lib/docker/containers/aa36a4df37f24c70474c9513a760f4f9c56281751dc548d794ee4ca30457ae19/mounts/shm
tmpfs           2.8G     0  2.8G   0% /run/user/1000
overlay         3.6T  410G  3.0T  12% /var/lib/docker/overlay2/9b194d23c7900a1862d1c8af1a55ff26d00b2c8cc6bd71bf3f6fc11ca737457f/merged
shm              64M     0   64M   0% /var/lib/docker/containers/de692ea276b0fe332ebde3909b069245e61abb3c048c3de4050a03c8094b92d6/mounts/shm
overlay         3.6T  410G  3.0T  12% /var/lib/docker/overlay2/0d11537739a88abb4aced9ebb33ecb01396e58fa5c72a77ed3bd87482fb8773b/merged
shm              64M     0   64M   0% /var/lib/docker/containers/6d3d8f5e3f29d6c3fc014cad7022dc697e283840eeb66fe3a031f8901aa46f80/mounts/shm
overlay         3.6T  410G  3.0T  12% /var/lib/docker/overlay2/e635efe4a34c0925f21512794269af0778a1bfd6dee69f4fba214589606cef01/merged
shm              64M     0   64M   0% /var/lib/docker/containers/11370449dde1a1a60fbc5a9367b737aba2fafdd5901e9a345030668f0e28778d/mounts/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mongod     1390    mongodb    8u  IPv4  10024      0t0  TCP X.X.X.X:27017 (LISTEN)
mongod     1390    mongodb   15u  IPv4  22854      0t0  TCP X.X.X.X:27017->X.X.X.X:35472 (ESTABLISHED)
mongod     1390    mongodb   16u  IPv4  10222      0t0  TCP X.X.X.X:27017->X.X.X.X:35474 (ESTABLISHED)
mongod     1390    mongodb   17u  IPv4  29796      0t0  TCP X.X.X.X:27017->X.X.X.X:35658 (ESTABLISHED)
mongod     1390    mongodb   18u  IPv4  28341      0t0  TCP X.X.X.X:27017->X.X.X.X:35660 (ESTABLISHED)
syslog-ng  1394       root    8u  IPv4  24712      0t0  TCP *:514 (LISTEN)
syslog-ng  1394       root    9u  IPv4  24713      0t0  UDP *:514
node       1549 SO-user   10u  IPv4  26421      0t0  TCP X.X.X.X:35658->X.X.X.X:27017 (ESTABLISHED)
node       1549 SO-user   11u  IPv4  26468      0t0  TCP X.X.X.X:35660->X.X.X.X:27017 (ESTABLISHED)
node       1549 SO-user   12u  IPv4  29306      0t0  TCP *:1800 (LISTEN)
nfcapd     1668       root    4u  IPv4  19696      0t0  UDP *:2055
mysqld     1785      mysql   18u  IPv4  24852      0t0  TCP X.X.X.X:3306 (LISTEN)
rwflowpac  1830       root    6u  IPv4  20620      0t0  UDP X.X.X.X:2056
sshd       1860       root    3u  IPv4  23640      0t0  TCP *:ssh_port (LISTEN)
sshd       1860       root    4u  IPv6  23642      0t0  TCP *:ssh_port (LISTEN)
ossec-rem  1961     ossecr    4u  IPv4  22769      0t0  UDP *:1514
ntop       1966       ntop    2u  IPv4  19804      0t0  TCP *:3000 (LISTEN)
apache2    1972       root    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2027   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2027   www-data   17u  IPv4  95412      0t0  TCP X.X.X.X:59568->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2027   www-data   18u  IPv4  92709      0t0  TCP X.X.X.X:59636->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2027   www-data   19u  IPv4 241686      0t0  TCP X.X.X.X:59656->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2027   www-data   20u  IPv4 232027      0t0  TCP X.X.X.X:59704->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2028   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2028   www-data   17u  IPv4 231952      0t0  TCP X.X.X.X:59434->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2028   www-data   18u  IPv4 235660      0t0  TCP X.X.X.X:59606->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2029   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2029   www-data   17u  IPv4  49034      0t0  TCP X.X.X.X:59372->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2029   www-data   18u  IPv4  92690      0t0  TCP X.X.X.X:59618->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2029   www-data   19u  IPv4  92739      0t0  TCP X.X.X.X:59692->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2030   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2030   www-data   17u  IPv4 144739      0t0  TCP X.X.X.X:59414->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2030   www-data   18u  IPv4  95420      0t0  TCP X.X.X.X:59580->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2030   www-data   19u  IPv4  95426      0t0  TCP X.X.X.X:59588->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2030   www-data   20u  IPv4 233118      0t0  TCP X.X.X.X:59660->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2031   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    2031   www-data   17u  IPv4  95439      0t0  TCP X.X.X.X:59612->X.X.X.X:5601 (CLOSE_WAIT)
apache2    2031   www-data   18u  IPv4  92759      0t0  TCP X.X.X.X:59720->X.X.X.X:5601 (CLOSE_WAIT)
netdata    2422    netdata    3u  IPv4  14232      0t0  TCP *:19999 (LISTEN)
netdata    2422    netdata    4u  IPv6  14233      0t0  TCP *:19999 (LISTEN)
netdata    2422    netdata   10u  IPv6  10098      0t0  UDP [X.X.X.X]:8125
netdata    2422    netdata   15u  IPv4  10099      0t0  UDP X.X.X.X:8125
netdata    2422    netdata   16u  IPv6  10103      0t0  TCP [X.X.X.X]:8125 (LISTEN)
netdata    2422    netdata   17u  IPv4  10104      0t0  TCP X.X.X.X:8125 (LISTEN)
python     2469    netdata    3u  IPv4  21785      0t0  TCP X.X.X.X:35472->X.X.X.X:27017 (ESTABLISHED)
python     2469    netdata    4u  IPv4  28282      0t0  TCP X.X.X.X:35474->X.X.X.X:27017 (ESTABLISHED)
bro        2917      SO-user    4u  IPv4  21804      0t0  UDP X.X.X.X:39378->X.X.X.X:53
bro        3259      SO-user    0u  IPv4  23039      0t0  TCP *:47761 (LISTEN)
bro        3259      SO-user    1u  IPv6  23040      0t0  TCP *:47761 (LISTEN)
bro        3259      SO-user    2u  IPv4  23329      0t0  TCP X.X.X.X:47761->X.X.X.X:44372 (ESTABLISHED)
bro        3259      SO-user    4u  IPv4  21804      0t0  UDP X.X.X.X:39378->X.X.X.X:53
bro        3259      SO-user   14u  IPv4  24422      0t0  TCP X.X.X.X:47761->X.X.X.X:44376 (ESTABLISHED)
bro        3259      SO-user   19u  IPv4  24425      0t0  TCP X.X.X.X:47761->X.X.X.X:44378 (ESTABLISHED)
bro        3259      SO-user   24u  IPv4  21194      0t0  TCP X.X.X.X:47761->X.X.X.X:44384 (ESTABLISHED)
bro        3259      SO-user   29u  IPv4  21197      0t0  TCP X.X.X.X:47761->X.X.X.X:44386 (ESTABLISHED)
bro        3259      SO-user   34u  IPv4  31962      0t0  TCP X.X.X.X:47761->X.X.X.X:44392 (ESTABLISHED)
bro        3259      SO-user   39u  IPv4  33925      0t0  TCP X.X.X.X:47761->X.X.X.X:44396 (ESTABLISHED)
bro        3259      SO-user   44u  IPv4  24429      0t0  TCP X.X.X.X:47761->X.X.X.X:44398 (ESTABLISHED)
bro        3706      SO-user    4u  IPv4  24125      0t0  UDP X.X.X.X:36667->X.X.X.X:53
bro        3782      SO-user    0u  IPv4  20095      0t0  TCP X.X.X.X:44372->X.X.X.X:47761 (ESTABLISHED)
bro        3782      SO-user    4u  IPv4  24125      0t0  UDP X.X.X.X:36667->X.X.X.X:53
bro        3782      SO-user   12u  IPv4  20100      0t0  TCP *:47762 (LISTEN)
bro        3782      SO-user   13u  IPv6  20101      0t0  TCP *:47762 (LISTEN)
bro        3782      SO-user   14u  IPv4  24419      0t0  TCP X.X.X.X:47762->X.X.X.X:47246 (ESTABLISHED)
bro        3782      SO-user   19u  IPv4  29538      0t0  TCP X.X.X.X:47762->X.X.X.X:47252 (ESTABLISHED)
bro        3782      SO-user   24u  IPv4  30209      0t0  TCP X.X.X.X:47762->X.X.X.X:47254 (ESTABLISHED)
bro        3782      SO-user   29u  IPv4  31072      0t0  TCP X.X.X.X:47762->X.X.X.X:47260 (ESTABLISHED)
bro        3782      SO-user   34u  IPv4  31971      0t0  TCP X.X.X.X:47762->X.X.X.X:47262 (ESTABLISHED)
bro        3782      SO-user   39u  IPv4  18374      0t0  TCP X.X.X.X:47762->X.X.X.X:47266 (ESTABLISHED)
bro        3782      SO-user   44u  IPv4  24432      0t0  TCP X.X.X.X:47762->X.X.X.X:47272 (ESTABLISHED)
bro        5114      SO-user    4u  IPv4  31058      0t0  UDP X.X.X.X:33578->X.X.X.X:53
bro        5121      SO-user    4u  IPv4  32909      0t0  UDP X.X.X.X:59409->X.X.X.X:53
bro        5125      SO-user    4u  IPv4  28597      0t0  UDP X.X.X.X:49472->X.X.X.X:53
bro        5130      SO-user    4u  IPv4  27169      0t0  UDP X.X.X.X:47745->X.X.X.X:53
bro        5132      SO-user    4u  IPv4  18366      0t0  UDP X.X.X.X:53591->X.X.X.X:53
bro        5134      SO-user    4u  IPv4  30185      0t0  UDP X.X.X.X:34461->X.X.X.X:53
bro        5135      SO-user    4u  IPv4  28601      0t0  UDP X.X.X.X:59658->X.X.X.X:53
bro        5232      SO-user    0u  IPv4  21184      0t0  TCP X.X.X.X:47246->X.X.X.X:47762 (ESTABLISHED)
bro        5232      SO-user    4u  IPv4  28597      0t0  UDP X.X.X.X:49472->X.X.X.X:53
bro        5232      SO-user   12u  IPv4  21187      0t0  TCP X.X.X.X:44376->X.X.X.X:47761 (ESTABLISHED)
bro        5232      SO-user   17u  IPv4  21192      0t0  TCP *:47766 (LISTEN)
bro        5232      SO-user   18u  IPv6  21193      0t0  TCP *:47766 (LISTEN)
bro        5233      SO-user    0u  IPv4  16354      0t0  TCP X.X.X.X:44378->X.X.X.X:47761 (ESTABLISHED)
bro        5233      SO-user    4u  IPv4  30185      0t0  UDP X.X.X.X:34461->X.X.X.X:53
bro        5233      SO-user   12u  IPv4  16357      0t0  TCP X.X.X.X:47252->X.X.X.X:47762 (ESTABLISHED)
bro        5233      SO-user   17u  IPv4  16362      0t0  TCP *:47765 (LISTEN)
bro        5233      SO-user   18u  IPv6  16363      0t0  TCP *:47765 (LISTEN)
bro        5251      SO-user    0u  IPv4  27177      0t0  TCP X.X.X.X:47254->X.X.X.X:47762 (ESTABLISHED)
bro        5251      SO-user    4u  IPv4  31058      0t0  UDP X.X.X.X:33578->X.X.X.X:53
bro        5251      SO-user   12u  IPv4  27180      0t0  TCP X.X.X.X:44384->X.X.X.X:47761 (ESTABLISHED)
bro        5251      SO-user   17u  IPv4  27185      0t0  TCP *:47763 (LISTEN)
bro        5251      SO-user   18u  IPv6  27186      0t0  TCP *:47763 (LISTEN)
bro        5252      SO-user    0u  IPv4  27187      0t0  TCP X.X.X.X:44386->X.X.X.X:47761 (ESTABLISHED)
bro        5252      SO-user    4u  IPv4  18366      0t0  UDP X.X.X.X:53591->X.X.X.X:53
bro        5252      SO-user   12u  IPv4  27190      0t0  TCP X.X.X.X:47260->X.X.X.X:47762 (ESTABLISHED)
bro        5252      SO-user   17u  IPv4  27195      0t0  TCP *:47768 (LISTEN)
bro        5252      SO-user   18u  IPv6  27196      0t0  TCP *:47768 (LISTEN)
bro        5259      SO-user    0u  IPv4  31958      0t0  TCP X.X.X.X:47262->X.X.X.X:47762 (ESTABLISHED)
bro        5259      SO-user    4u  IPv4  27169      0t0  UDP X.X.X.X:47745->X.X.X.X:53
bro        5259      SO-user   12u  IPv4  31961      0t0  TCP X.X.X.X:44392->X.X.X.X:47761 (ESTABLISHED)
bro        5259      SO-user   17u  IPv4  31969      0t0  TCP *:47769 (LISTEN)
bro        5259      SO-user   18u  IPv6  31970      0t0  TCP *:47769 (LISTEN)
bro        5264      SO-user    0u  IPv4  28614      0t0  TCP X.X.X.X:47266->X.X.X.X:47762 (ESTABLISHED)
bro        5264      SO-user    4u  IPv4  28601      0t0  UDP X.X.X.X:59658->X.X.X.X:53
bro        5264      SO-user   12u  IPv4  28617      0t0  TCP X.X.X.X:44396->X.X.X.X:47761 (ESTABLISHED)
bro        5264      SO-user   17u  IPv4  28622      0t0  TCP *:47767 (LISTEN)
bro        5264      SO-user   18u  IPv6  28623      0t0  TCP *:47767 (LISTEN)
bro        5278      SO-user    0u  IPv4  31087      0t0  TCP X.X.X.X:44398->X.X.X.X:47761 (ESTABLISHED)
bro        5278      SO-user    4u  IPv4  32909      0t0  UDP X.X.X.X:59409->X.X.X.X:53
bro        5278      SO-user   12u  IPv4  31090      0t0  TCP X.X.X.X:47272->X.X.X.X:47762 (ESTABLISHED)
bro        5278      SO-user   17u  IPv4  31095      0t0  TCP *:47764 (LISTEN)
bro        5278      SO-user   18u  IPv6  31096      0t0  TCP *:47764 (LISTEN)
ntpd       5581        ntp   16u  IPv6  29609      0t0  UDP *:123
ntpd       5581        ntp   17u  IPv4  29612      0t0  UDP *:123
ntpd       5581        ntp   18u  IPv4  29618      0t0  UDP X.X.X.X:123
ntpd       5581        ntp   19u  IPv4  29620      0t0  UDP X.X.X.X:123
ntpd       5581        ntp   20u  IPv6  29622      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   21u  IPv6  29624      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   25u  IPv6  24539      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   26u  IPv4  33461      0t0  UDP X.X.X.X:123
ntpd       5581        ntp   27u  IPv4  33463      0t0  UDP X.X.X.X:123
ntpd       5581        ntp   28u  IPv6  33468      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   29u  IPv6  33470      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   30u  IPv6  33472      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   31u  IPv6  33474      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   32u  IPv6  33476      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   33u  IPv6  31662      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   34u  IPv6  50550      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   35u  IPv6  50552      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   36u  IPv6  50554      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   37u  IPv6  50556      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   38u  IPv6  50558      0t0  UDP [X.X.X.X]:123
ntpd       5581        ntp   39u  IPv6  71945      0t0  UDP [X.X.X.X]:123
apache2    5622   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    5622   www-data   17u  IPv4 236690      0t0  TCP X.X.X.X:59574->X.X.X.X:5601 (CLOSE_WAIT)
apache2    5763   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2    5763   www-data   17u  IPv4  92678      0t0  TCP X.X.X.X:59602->X.X.X.X:5601 (CLOSE_WAIT)
apache2    5763   www-data   18u  IPv4  95484      0t0  TCP X.X.X.X:59644->X.X.X.X:5601 (CLOSE_WAIT)
apache2    5763   www-data   19u  IPv4 233221      0t0  TCP X.X.X.X:59710->X.X.X.X:5601 (CLOSE_WAIT)
tclsh      5866      SO-user    3u  IPv4  35095      0t0  TCP X.X.X.X:8301 (LISTEN)
tclsh      5866      SO-user    5u  IPv4 244961      0t0  TCP X.X.X.X:8301->X.X.X.X:49094 (ESTABLISHED)
tclsh      5952      SO-user    3u  IPv4  31341      0t0  TCP X.X.X.X:8302 (LISTEN)
tclsh      5952      SO-user    5u  IPv4 238432      0t0  TCP X.X.X.X:8302->X.X.X.X:42894 (ESTABLISHED)
tclsh      6013      SO-user    3u  IPv4  20423      0t0  TCP X.X.X.X:8303 (LISTEN)
tclsh      6013      SO-user    5u  IPv4 246152      0t0  TCP X.X.X.X:8303->X.X.X.X:33444 (ESTABLISHED)
tclsh      6193      SO-user    3u  IPv4  36487      0t0  TCP X.X.X.X:8304 (LISTEN)
tclsh      6193      SO-user    5u  IPv4 246188      0t0  TCP X.X.X.X:8304->X.X.X.X:34668 (ESTABLISHED)
tclsh      6239      SO-user    3u  IPv4  34086      0t0  TCP X.X.X.X:8305 (LISTEN)
tclsh      6239      SO-user    5u  IPv4 244845      0t0  TCP X.X.X.X:8305->X.X.X.X:33734 (ESTABLISHED)
tclsh      6361      SO-user    3u  IPv4  33233      0t0  TCP X.X.X.X:8306 (LISTEN)
tclsh      6361      SO-user    5u  IPv4 239390      0t0  TCP X.X.X.X:8306->X.X.X.X:58032 (ESTABLISHED)
tclsh      6428      SO-user    3u  IPv4  20463      0t0  TCP X.X.X.X:8307 (LISTEN)
tclsh      6428      SO-user    5u  IPv4 250925      0t0  TCP X.X.X.X:8307->X.X.X.X:54582 (ESTABLISHED)
barnyard2  6751      SO-user    3u  IPv4 243902      0t0  TCP X.X.X.X:49094->X.X.X.X:8301 (ESTABLISHED)
barnyard2  6780      SO-user    3u  IPv4 232191      0t0  TCP X.X.X.X:42894->X.X.X.X:8302 (ESTABLISHED)
barnyard2  6804      SO-user    3u  IPv4 246151      0t0  TCP X.X.X.X:33444->X.X.X.X:8303 (ESTABLISHED)
barnyard2  6826      SO-user    3u  IPv4 246187      0t0  TCP X.X.X.X:34668->X.X.X.X:8304 (ESTABLISHED)
barnyard2  6845      SO-user    3u  IPv4 244844      0t0  TCP X.X.X.X:33734->X.X.X.X:8305 (ESTABLISHED)
barnyard2  6866      SO-user    3u  IPv4  95664      0t0  TCP X.X.X.X:58032->X.X.X.X:8306 (ESTABLISHED)
barnyard2  6887      SO-user    3u  IPv4 250924      0t0  TCP X.X.X.X:54582->X.X.X.X:8307 (ESTABLISHED)
sshd       7012       root    3u  IPv4  42142      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:16222 (ESTABLISHED)
docker-pr  7041       root    4u  IPv4  32375      0t0  TCP X.X.X.X:9300 (LISTEN)
docker-pr  7078       root    4u  IPv4  32385      0t0  TCP X.X.X.X:9200 (LISTEN)
docker-pr  7415       root    4u  IPv6  39223      0t0  TCP *:9600 (LISTEN)
docker-pr  7456       root    4u  IPv6  44068      0t0  TCP *:6053 (LISTEN)
docker-pr  7474       root    4u  IPv6  45201      0t0  TCP *:6052 (LISTEN)
docker-pr  7488       root    4u  IPv6  45228      0t0  TCP *:6051 (LISTEN)
docker-pr  7509       root    4u  IPv6  46141      0t0  TCP *:6050 (LISTEN)
docker-pr  7522       root    4u  IPv6  45249      0t0  TCP *:5044 (LISTEN)
sshd       7928 SO-user    3u  IPv4  42142      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:16222 (ESTABLISHED)
docker-pr 10340       root    3u  IPv4  97377      0t0  TCP X.X.X.X:5601->X.X.X.X:59372 (FIN_WAIT2)
docker-pr 10340       root    4u  IPv4  48106      0t0  TCP X.X.X.X:5601 (LISTEN)
docker-pr 10340       root    6u  IPv4  97379      0t0  TCP X.X.X.X:37246->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root    7u  IPv4 234296      0t0  TCP X.X.X.X:5601->X.X.X.X:59414 (FIN_WAIT2)
docker-pr 10340       root    8u  IPv4 234298      0t0  TCP X.X.X.X:37288->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root    9u  IPv4 240074      0t0  TCP X.X.X.X:5601->X.X.X.X:59434 (FIN_WAIT2)
docker-pr 10340       root   10u  IPv4 240076      0t0  TCP X.X.X.X:37308->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   12u  IPv4  95413      0t0  TCP X.X.X.X:5601->X.X.X.X:59568 (FIN_WAIT2)
docker-pr 10340       root   13u  IPv4  95415      0t0  TCP X.X.X.X:37442->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   14u  IPv4  92648      0t0  TCP X.X.X.X:5601->X.X.X.X:59574 (FIN_WAIT2)
docker-pr 10340       root   15u  IPv4  92650      0t0  TCP X.X.X.X:37448->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   16u  IPv4  92654      0t0  TCP X.X.X.X:5601->X.X.X.X:59580 (FIN_WAIT2)
docker-pr 10340       root   17u  IPv4  92656      0t0  TCP X.X.X.X:37454->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   18u  IPv4  95427      0t0  TCP X.X.X.X:5601->X.X.X.X:59588 (FIN_WAIT2)
docker-pr 10340       root   19u  IPv4  95429      0t0  TCP X.X.X.X:37462->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   20u  IPv4  92679      0t0  TCP X.X.X.X:5601->X.X.X.X:59602 (FIN_WAIT2)
docker-pr 10340       root   21u  IPv4  92681      0t0  TCP X.X.X.X:37476->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   22u  IPv4 235661      0t0  TCP X.X.X.X:5601->X.X.X.X:59606 (FIN_WAIT2)
docker-pr 10340       root   23u  IPv4 235663      0t0  TCP X.X.X.X:37480->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   24u  IPv4  95440      0t0  TCP X.X.X.X:5601->X.X.X.X:59612 (FIN_WAIT2)
docker-pr 10340       root   25u  IPv4  95442      0t0  TCP X.X.X.X:37486->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   26u  IPv4  95443      0t0  TCP X.X.X.X:5601->X.X.X.X:59618 (FIN_WAIT2)
docker-pr 10340       root   27u  IPv4  95445      0t0  TCP X.X.X.X:37492->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   28u  IPv4  92710      0t0  TCP X.X.X.X:5601->X.X.X.X:59636 (FIN_WAIT2)
docker-pr 10340       root   29u  IPv4  92712      0t0  TCP X.X.X.X:37510->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   30u  IPv4 238960      0t0  TCP X.X.X.X:5601->X.X.X.X:59644 (FIN_WAIT2)
docker-pr 10340       root   31u  IPv4 238962      0t0  TCP X.X.X.X:37518->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   32u  IPv4  92722      0t0  TCP X.X.X.X:5601->X.X.X.X:59650 (FIN_WAIT2)
docker-pr 10340       root   33u  IPv4  92724      0t0  TCP X.X.X.X:37524->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   34u  IPv4 241687      0t0  TCP X.X.X.X:5601->X.X.X.X:59656 (FIN_WAIT2)
docker-pr 10340       root   35u  IPv4 241689      0t0  TCP X.X.X.X:37530->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   36u  IPv4 238963      0t0  TCP X.X.X.X:5601->X.X.X.X:59660 (FIN_WAIT2)
docker-pr 10340       root   37u  IPv4 238965      0t0  TCP X.X.X.X:37534->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   38u  IPv4  95515      0t0  TCP X.X.X.X:5601->X.X.X.X:59692 (FIN_WAIT2)
docker-pr 10340       root   39u  IPv4  95516      0t0  TCP X.X.X.X:5601->X.X.X.X:59694 (FIN_WAIT2)
docker-pr 10340       root   40u  IPv4  95518      0t0  TCP X.X.X.X:37568->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   41u  IPv4 239116      0t0  TCP X.X.X.X:37570->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   42u  IPv4  92744      0t0  TCP X.X.X.X:5601->X.X.X.X:59704 (FIN_WAIT2)
docker-pr 10340       root   43u  IPv4  92746      0t0  TCP X.X.X.X:37578->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   44u  IPv4 233222      0t0  TCP X.X.X.X:5601->X.X.X.X:59710 (FIN_WAIT2)
docker-pr 10340       root   45u  IPv4 233224      0t0  TCP X.X.X.X:37584->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   46u  IPv4  92760      0t0  TCP X.X.X.X:5601->X.X.X.X:59720 (FIN_WAIT2)
docker-pr 10340       root   47u  IPv4  92762      0t0  TCP X.X.X.X:37594->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 10340       root   48u  IPv4  92830      0t0  TCP X.X.X.X:5601->X.X.X.X:59748 (FIN_WAIT2)
docker-pr 10340       root   49u  IPv4  92832      0t0  TCP X.X.X.X:37622->X.X.X.X:5601 (CLOSE_WAIT)
sshd      17250       root    3u  IPv4 141845      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:16538 (ESTABLISHED)
sshd      17397 SO-user    3u  IPv4 141845      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:16538 (ESTABLISHED)
apache2   17839   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2   17839   www-data   17u  IPv4 241756      0t0  TCP X.X.X.X:59694->X.X.X.X:5601 (CLOSE_WAIT)
apache2   17839   www-data   18u  IPv4  95619      0t0  TCP X.X.X.X:59748->X.X.X.X:5601 (CLOSE_WAIT)
apache2   17845   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2   17846   www-data    4u  IPv6  15735      0t0  TCP *:443 (LISTEN)
apache2   17846   www-data   17u  IPv4  92721      0t0  TCP X.X.X.X:59650->X.X.X.X:5601 (CLOSE_WAIT)
sshd      23417       root    3u  IPv4 255082      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:21516 (ESTABLISHED)
sshd      23418       sshd    3u  IPv4 255082      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:21516 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Mon Oct 22 07:01:01 UTC 2018
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 21 minutes to avoid overwhelming rule sites.
Running PulledPork.

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2016 JJ Cummings
  @_/        /  66\_  cumm...@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2990.tar.gz....
        They Match
        Done!
Checking latest MD5 for emerging.rules.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
        No Match
        Done
Rules tarball download of community-rules.tar.gz....
        They Match
        Done!
        Enabled 190 flowbits
        Enabled 1 flowbits
        Done
Writing /etc/nsm/rules/downloaded.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /etc/nsm/rules/sid-msg.map....
        Done
Writing /var/log/nsm/sid_changes.log....
        Done
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----30626
        Dropped Rules:----0
        Disabled Rules:---29792
        Total Rules:------60418
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
17.52 21.27 13.32
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 14:24:31 up 11 min,  2 users,  load average: 17.52, 21.27, 13.32
Tasks: 334 total,  18 running, 316 sleeping,   0 stopped,   0 zombie
%Cpu(s): 82.0 us,  3.6 sy,  0.1 ni, 11.0 id,  1.6 wa,  0.0 hi,  1.7 si,  0.0 st
KiB Mem : 28804520 total,   212328 free, 22723196 used,  5868996 buff/cache
KiB Swap: 16764924 total, 16575972 free,   188952 used.  5511632 avail Mem

%CPU %MEM COMMAND
 132  9.4 /bin/java -Xms4000m -Xmx4000m -XX:+UseParNewGC
-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true
-Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true
-Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom -cp
/usr/share/logstash/logstash-core/lib/jars/animal-sniffer-annotations-1.14.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.11.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.0.18.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/gradle-license-report-0.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-22.0.jar:/usr/share/logstash/logstash-core/lib/jars/j2objc-annotations-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-1.3.9.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse
.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar
org.logstash.Logstash
80.5  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-7 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
80.5  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-3 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
80.4  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-1 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
80.3  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-5 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
80.0  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-2 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
79.7  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-4 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
79.7  2.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-6 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
78.1  1.1 tclsh /usr/bin/SO-userd -c
/etc/nsm/securityonion/SO-userd.conf -a
/etc/nsm/securityonion/autocat.conf -g
/etc/nsm/securityonion/SO-userd.queries -A
/etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
52.5  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local
-p manager local.bro broctl base/frameworks/cluster local-manager.bro
broctl/auto
49.5  3.5 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-2
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-2.stats -U
--snaplen 1524
48.4  3.6 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-7
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-7.stats -U
--snaplen 1524
47.6  3.6 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-5
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-5.stats -U
--snaplen 1524
46.0  3.5 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-1
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-1.stats -U
--snaplen 1524
45.5  3.6 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-4
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-4.stats -U
--snaplen 1524
43.1  3.5 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-3
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-3.stats -U
--snaplen 1524
40.4  3.6 snort -c /etc/nsm/41-184-204-74-eth2/snort.conf -u SO-user -g
SO-user -i eth2 -l /nsm/sensor_data/41-184-204-74-eth2/snort-6
--perfmon-file /nsm/sensor_data/41-184-204-74-eth2/snort-6.stats -U
--snaplen 1524
39.7  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-7.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-7 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-7 -i
41-184-204-74-eth2-7 -U
39.4  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-4.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-4 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-4 -i
41-184-204-74-eth2-4 -U
39.1  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-1.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-1 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-1 -i
41-184-204-74-eth2-1 -U
38.5  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-3.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-3 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-3 -i
41-184-204-74-eth2-3 -U
35.7  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-5.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-5 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-5 -i
41-184-204-74-eth2-5 -U
35.3  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-2.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-2 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-2 -i
41-184-204-74-eth2-2 -U
33.9  0.0 barnyard2 -c /etc/nsm/41-184-204-74-eth2/barnyard2-6.conf -u
SO-user -g SO-user -d /nsm/sensor_data/41-184-204-74-eth2/snort-6 -f
snort.unified2 -w /etc/nsm/41-184-204-74-eth2/barnyard2.waldo-6 -i
41-184-204-74-eth2-6 -U
33.2 22.7 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Xms4104m -Xmx4104m
-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m
-Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true
-XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
-Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true
-Djava.io.tmpdir=/tmp/elasticsearch.RueHJ3rH
-XX:+HeapDumpOnOutOfMemoryError -XX:+PrintGCDetails
-XX:+PrintGCDateStamps -XX:+PrintTenuringDistribution
-XX:+PrintGCApplicationStoppedTime -Xloggc:logs/gc.log
-XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=32
-XX:GCLogFileSize=64m -Des.cgroups.hierarchy.override=/
-Des.path.home=/usr/share/elasticsearch
-Des.path.conf=/usr/share/elasticsearch/config
-Des.distribution.flavor=oss -Des.distribution.type=tar -cp
/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
-Ecluster.name=SO-server -Ebootstrap.memory_lock=true
-Etransport.host=X.X.X.X -Ehttp.host=X.X.X.X
11.1  0.0 /var/ossec/bin/ossec-syscheckd
 8.1  0.0 /usr/sbin/syslog-ng -F
 6.0  0.0 /var/ossec/bin/wazuh-modulesd
 4.9  0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local
-p manager local.bro broctl base/frameworks/cluster local-manager.bro
broctl/auto
 3.5  0.5 /usr/sbin/mysqld
 3.3  0.0 /usr/libexec/netdata/plugins.d/apps.plugin 1
 2.8  0.4 /usr/share/kibana/bin/../node/bin/node --no-warnings
/usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/
--cpuacct.cgroup.path.override=/
--kibana.defaultAppId=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
 1.7  0.0 /sbin/init
 1.7  0.0 /var/ossec/bin/ossec-analysisd
 1.7  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local
-p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
 1.5  0.3 /usr/sbin/netdata -P /var/run/netdata/netdata.pid -D -W set
global process scheduling policy keep -W set global OOM score keep
 1.5  0.2 /usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1
 0.9  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-6 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.9  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-5 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.9  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-2 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.8  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-4 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.8  0.5 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-3 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.8  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-1 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.8  0.6 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live
-p local -p 41-184-204-74-eth2-7 local.bro broctl
base/frameworks/cluster local-worker.bro broctl/auto
 0.6  0.1 python -m elastalert.elastalert --config
/etc/elastalert/conf/elastalert_config.yaml --verbose
 0.5  0.2 /usr/bin/mongod --config /etc/mongodb.conf
 0.5  0.1 docker-containerd --config
/var/run/docker/containerd/containerd.toml
 0.4  0.1 /usr/bin/dockerd -H fd://
 0.3  0.0 bash /usr/libexec/netdata/plugins.d/tc-qos-helper.sh 1
 0.2  0.0 [rcu_sched]
 0.2  0.0 [ksoftirqd/5]
 0.2  0.2 /home/SO-user/.nvm/versions/node/v8.9.3/bin/node
/home/SO-user/FlowBAT/private/bundle/main.js
 0.1  0.0 [kswapd0]
 0.1  0.0 [kswapd1]
 0.1  0.0 /var/ossec/bin/ossec-remoted
 0.1  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local
-p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
 0.1  0.0 /usr/bin/python /usr/bin/supervisord -c
/etc/elastalert/conf/elastalert_supervisord.conf -n
 0.1  0.0 sshd: root [priv]
 0.0  0.0 [kthreadd]
 0.0  0.0 [ksoftirqd/0]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [rcu_bh]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [ksoftirqd/1]
 0.0  0.0 [kworker/1:0H]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [ksoftirqd/2]
 0.0  0.0 [kworker/2:0H]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [ksoftirqd/3]
 0.0  0.0 [kworker/3:0H]
 0.0  0.0 [watchdog/4]
 0.0  0.0 [migration/4]
 0.0  0.0 [ksoftirqd/4]
 0.0  0.0 [kworker/4:0H]
 0.0  0.0 [watchdog/5]
 0.0  0.0 [migration/5]
 0.0  0.0 [kworker/5:0H]
 0.0  0.0 [watchdog/6]
 0.0  0.0 [migration/6]
 0.0  0.0 [ksoftirqd/6]
 0.0  0.0 [kworker/6:0H]
 0.0  0.0 [watchdog/7]
 0.0  0.0 [migration/7]
 0.0  0.0 [ksoftirqd/7]
 0.0  0.0 [kworker/7:0H]
 0.0  0.0 [watchdog/8]
 0.0  0.0 [migration/8]
 0.0  0.0 [ksoftirqd/8]
 0.0  0.0 [kworker/8:0H]
 0.0  0.0 [watchdog/9]
 0.0  0.0 [migration/9]
 0.0  0.0 [ksoftirqd/9]
 0.0  0.0 [kworker/9:0H]
 0.0  0.0 [watchdog/10]
 0.0  0.0 [migration/10]
 0.0  0.0 [ksoftirqd/10]
 0.0  0.0 [kworker/10:0]
 0.0  0.0 [kworker/10:0H]
 0.0  0.0 [watchdog/11]
 0.0  0.0 [migration/11]
 0.0  0.0 [ksoftirqd/11]
 0.0  0.0 [kworker/11:0H]
 0.0  0.0 [watchdog/12]
 0.0  0.0 [migration/12]
 0.0  0.0 [ksoftirqd/12]
 0.0  0.0 [kworker/12:0H]
 0.0  0.0 [watchdog/13]
 0.0  0.0 [migration/13]
 0.0  0.0 [ksoftirqd/13]
 0.0  0.0 [kworker/13:0]
 0.0  0.0 [kworker/13:0H]
 0.0  0.0 [watchdog/14]
 0.0  0.0 [migration/14]
 0.0  0.0 [ksoftirqd/14]
 0.0  0.0 [kworker/14:0H]
 0.0  0.0 [watchdog/15]
 0.0  0.0 [migration/15]
 0.0  0.0 [ksoftirqd/15]
 0.0  0.0 [kworker/15:0H]
 0.0  0.0 [kdevtmpfs]
 0.0  0.0 [netns]
 0.0  0.0 [perf]
 0.0  0.0 [khungtaskd]
 0.0  0.0 [writeback]
 0.0  0.0 [ksmd]
 0.0  0.0 [khugepaged]
 0.0  0.0 [crypto]
 0.0  0.0 [kintegrityd]
 0.0  0.0 [bioset]
 0.0  0.0 [kblockd]
 0.0  0.0 [ata_sff]
 0.0  0.0 [md]
 0.0  0.0 [devfreq_wq]
 0.0  0.0 [kworker/u49:1]
 0.0  0.0 [kworker/0:1]
 0.0  0.0 [vmstat]
 0.0  0.0 [fsnotify_mark]
 0.0  0.0 [ecryptfs-kthrea]
 0.0  0.0 [kthrotld]
 0.0  0.0 [acpi_thermal_pm]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [kworker/7:1]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [bioset]
 0.0  0.0 [scsi_eh_0]
 0.0  0.0 [scsi_tmf_0]
 0.0  0.0 [scsi_eh_1]
 0.0  0.0 [scsi_tmf_1]
 0.0  0.0 [kworker/u50:2]
 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [scsi_tmf_2]
 0.0  0.0 [scsi_eh_3]
 0.0  0.0 [scsi_tmf_3]
 0.0  0.0 [kworker/u50:3]
 0.0  0.0 [kworker/6:1]
 0.0  0.0 [kworker/4:1]
 0.0  0.0 [kworker/5:1]
 0.0  0.0 [kworker/12:1]
 0.0  0.0 [kworker/15:1]
 0.0  0.0 [kworker/2:1]
 0.0  0.0 [kworker/1:1]
 0.0  0.0 [kworker/9:1]
 0.0  0.0 [kworker/14:1]
 0.0  0.0 [kworker/4:2]
 0.0  0.0 [kworker/13:1]
 0.0  0.0 [ipv6_addrconf]
 0.0  0.0 [deferwq]
 0.0  0.0 [kworker/u48:1]
 0.0  0.0 [charger_manager]
 0.0  0.0 [kworker/11:1]
 0.0  0.0 [kworker/8:1]
 0.0  0.0 [scsi_eh_4]
 0.0  0.0 [scsi_tmf_4]
 0.0  0.0 [kpsmoused]
 0.0  0.0 [kworker/0:2]
 0.0  0.0 [bioset]
 0.0  0.0 [ixgbe]
 0.0  0.0 [jbd2/sda2-8]
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 [kworker/4:1H]
 0.0  0.0 [kworker/12:1H]
 0.0  0.0 [kauditd]
 0.0  0.0 /lib/systemd/systemd-journald
 0.0  0.0 [kworker/14:2]
 0.0  0.0 [kworker/u49:2]
 0.0  0.0 [kworker/6:2]
 0.0  0.0 /lib/systemd/systemd-udevd
 0.0  0.0 [kworker/1:2]
 0.0  0.0 [kworker/0:1H]
 0.0  0.0 [kworker/3:2]
 0.0  0.0 [kworker/5:2]
 0.0  0.0 [edac-poller]
 0.0  0.0 [kipmi0]
 0.0  0.0 [kvm-irqfd-clean]
 0.0  0.0 [kworker/9:2]
 0.0  0.0 [kworker/2:2]
 0.0  0.0 /usr/sbin/atd -f
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.0 /usr/sbin/cron -f
 0.0  0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork
--nopidfile --systemd-activation
 0.0  0.0 /sbin/cgmanager -m name=systemd
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/sbin/acpid
 0.0  0.0 [kworker/3:1H]
 0.0  0.0 /usr/bin/lxcfs /var/lib/lxcfs/
 0.0  0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
 0.0  0.0 [kworker/6:1H]
 0.0  0.0 [kworker/7:2]
 0.0  0.0 /usr/bin/nfcapd -D -l /var/cache/nfdump -P
/var/run/nfcapd.pid -p 2055
 0.0  0.0 /usr/lib/policykit-1/polkitd --no-debug
 0.0  0.0 /usr/local/sbin/rwflowpack --compression-method=best
--sensor-configuration=/data/sensors.conf
--site-config-file=/data/silk.conf --output-mode=local-storage
--root-directory=/data/ --pidfile=/var/log/rwflowpack.pid
--log-level=info --log-directory=/var/log --log-basename=rwflowpack
 0.0  0.0 /sbin/agetty --noclear tty1 linux
 0.0  0.0 [kworker/10:1H]
 0.0  0.0 /usr/sbin/sshd -D
 0.0  0.0 [kworker/7:1H]
 0.0  0.0 [kworker/5:1H]
 0.0  0.0 /var/ossec/bin/wazuh-db
 0.0  0.0 /var/ossec/bin/ossec-execd
 0.0  0.0 /var/ossec/bin/ossec-logcollector
 0.0  0.0 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop
--access-log-file /var/log/ntop/access.log -i none -p
/etc/ntop/protocol.list -O /var/log/ntop
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.0 /var/ossec/bin/ossec-monitord
 0.0  0.0 [kworker/14:1H]
 0.0  0.0 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
 0.0  0.0 php-fpm: pool www
 0.0  0.0 php-fpm: pool www
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 [kworker/1:1H]
 0.0  0.0 [kworker/2:1H]
 0.0  0.0 [kworker/15:1H]
 0.0  0.0 [kworker/8:2]
 0.0  0.0 [kworker/12:2]
 0.0  0.0 su - SO-user -- /usr/bin/SO-userd -c
/etc/nsm/securityonion/SO-userd.conf -a
/etc/nsm/securityonion/autocat.conf -g
/etc/nsm/securityonion/SO-userd.queries -A
/etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f
/var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c
/etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 tclsh /usr/bin/ossec_agent.tcl -o -f
/var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c
/etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 [kworker/11:2]
 0.0  0.0 [kworker/15:2]
 0.0  0.0 [cfg80211]
 0.0  0.0 [kworker/9:1H]
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status
-p broctl -p broctl-live -p local -p manager local.bro broctl
base/frameworks/cluster local-manager.bro broctl/auto
 0.0  0.0 tclsh /usr/bin/SO-userd -c
/etc/nsm/securityonion/SO-userd.conf -a
/etc/nsm/securityonion/autocat.conf -g
/etc/nsm/securityonion/SO-userd.queries -A
/etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c
/etc/nsm/securityonion/SO-userd.conf -a
/etc/nsm/securityonion/autocat.conf -g
/etc/nsm/securityonion/SO-userd.queries -A
/etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 [kworker/u48:2]
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status
-p broctl -p broctl-live -p local -p proxy local.bro broctl
base/frameworks/cluster local-proxy broctl/auto
 0.0  0.0 [kworker/11:1H]
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-1
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-2
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-3
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-4
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-6
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-7
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U
.status -p broctl -p broctl-live -p local -p 41-184-204-74-eth2-5
local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:119
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 [kworker/8:1H]
 0.0  0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/pcap_agent.conf
 0.0  0.0 tclsh /usr/bin/pcap_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/pcap_agent.conf
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-1.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-1.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-1.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-2.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-2.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-2.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-3.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-3.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-3.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-4.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-4.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-4.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-5.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-5.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-5.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-6.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-6.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-6.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-7.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c
/etc/nsm/41-184-204-74-eth2/snort_agent-7.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/41-184-204-74-eth2/snort-7.stats
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
9300 -container-ip X.X.X.X -container-port 9300
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
9200 -container-ip X.X.X.X -container-port 9200
 0.0  0.0 docker-containerd-shim -namespace moby -workdir
/var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/dedab55550d6725f146f0bcb44707f2e95b6c1498c39f23e59ce6425341e720c
-address /var/run/docker/containerd/docker-containerd.sock
-containerd-binary /usr/bin/docker-containerd -runtime-root
/var/run/docker/runtime-runc
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
9600 -container-ip X.X.X.X -container-port 9600
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
6053 -container-ip X.X.X.X -container-port 6053
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
6052 -container-ip X.X.X.X -container-port 6052
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
6051 -container-ip X.X.X.X -container-port 6051
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
6050 -container-ip X.X.X.X -container-port 6050
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
5044 -container-ip X.X.X.X -container-port 5044
 0.0  0.0 docker-containerd-shim -namespace moby -workdir
/var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/aa36a4df37f24c70474c9513a760f4f9c56281751dc548d794ee4ca30457ae19
-address /var/run/docker/containerd/docker-containerd.sock
-containerd-binary /usr/bin/docker-containerd -runtime-root
/var/run/docker/runtime-runc
 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 sshd: SO-user@pts/0
 0.0  0.0 -bash
 0.0  0.0 [kworker/13:1H]
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port
5601 -container-ip X.X.X.X -container-port 5601
 0.0  0.0 docker-containerd-shim -namespace moby -workdir
/var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/de692ea276b0fe332ebde3909b069245e61abb3c048c3de4050a03c8094b92d6
-address /var/run/docker/containerd/docker-containerd.sock
-containerd-binary /usr/bin/docker-containerd -runtime-root
/var/run/docker/runtime-runc
 0.0  0.0 docker-containerd-shim -namespace moby -workdir
/var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/6d3d8f5e3f29d6c3fc014cad7022dc697e283840eeb66fe3a031f8901aa46f80
-address /var/run/docker/containerd/docker-containerd.sock
-containerd-binary /usr/bin/docker-containerd -runtime-root
/var/run/docker/runtime-runc
 0.0  0.0 [kworker/10:2]
 0.0  0.0 docker-containerd-shim -namespace moby -workdir
/var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/11370449dde1a1a60fbc5a9367b737aba2fafdd5901e9a345030668f0e28778d
-address /var/run/docker/containerd/docker-containerd.sock
-containerd-binary /usr/bin/docker-containerd -runtime-root
/var/run/docker/runtime-runc
 0.0  0.0 /bin/bash
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 [kworker/3:0]
 0.0  0.0 sshd: SO-user@pts/1
 0.0  0.0 -bash
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/apache2 -k start
 0.0  0.0 [kworker/u50:0]
 0.0  0.0 [kworker/14:0]
 0.0  0.0 [kworker/u49:0]
 0.0  0.0 sudo sostat-redacted
 0.0  0.0 /bin/bash /usr/sbin/sostat-redacted
 0.0  0.0 /bin/bash /usr/sbin/sostat
 0.0  0.0 sshd: root [net]
 0.0  0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth2: 19284637

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth2:

RX packets:21250848 dropped:1026 TX packets:0 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: <unknown>
Tot Packets: 0
Tot Pkt Lost: 0
Loss as a percentage:


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1238151
Tot Pkt Lost: 57968
Loss as a percentage: 4.60


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1521369
Tot Pkt Lost: 373234
Loss as a percentage: 24.50


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1307294
Tot Pkt Lost: 117205
Loss as a percentage: 8.90


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1727726
Tot Pkt Lost: 119692
Loss as a percentage: 6.90


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1687841
Tot Pkt Lost: 164370
Loss as a percentage: 9.70


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1166065
Tot Pkt Lost: 473
Loss as a percentage: 0


Appl. Name: snort-cluster-54-socket-0
Tot Packets: 1761771
Tot Pkt Lost: 80668
Loss as a percentage: 4.50

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/41-184-204-74-eth2/snort-1.stats last reported
pkt_drop_percent as 20.558
/nsm/sensor_data/41-184-204-74-eth2/snort-2.stats last reported
pkt_drop_percent as 52.357
/nsm/sensor_data/41-184-204-74-eth2/snort-3.stats last reported
pkt_drop_percent as 12.564
/nsm/sensor_data/41-184-204-74-eth2/snort-4.stats last reported
pkt_drop_percent as 28.389
/nsm/sensor_data/41-184-204-74-eth2/snort-5.stats last reported
pkt_drop_percent as 30.460
/nsm/sensor_data/41-184-204-74-eth2/snort-6.stats last reported
pkt_drop_percent as 0.000
/nsm/sensor_data/41-184-204-74-eth2/snort-7.stats last reported
pkt_drop_percent as 15.522
-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 26.891290

41-184-204-74-eth2-1: 1540218271.942222 recvd=15308852 dropped=4944773
link=20279253
41-184-204-74-eth2-2: 1540218271.507145 recvd=14050746 dropped=6187567
link=20281298
41-184-204-74-eth2-3: 1540218273.072250 recvd=15035278 dropped=5253885
link=20293151
41-184-204-74-eth2-4: 1540218272.709685 recvd=15213243 dropped=5066385
link=20299806
41-184-204-74-eth2-5: 1540218271.310810 recvd=14386676 dropped=5862363
link=20300426
41-184-204-74-eth2-6: 1540218272.057230 recvd=14420490 dropped=5836097
link=20309033
41-184-204-74-eth2-7: 1540218272.728095 recvd=15220427 dropped=5055316
link=20314211

No capture loss reported.

-------------------------------------------------------------------------

Netsniff-NG:

0 Loss

=========================================================================
PF_RING
=========================================================================
PF_RING Version          : 7.2.0
(7.2.0-stable:9b3fd353fc66a219b73860fd5214fbd541df2515)
Total rings              : 14

Standard (non ZC) Options
Ring slots               : 4096
Slot version             : 17
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/41-184-204-74-enp0s29f1u2/dailylogs/ - 0 days
4.0K    .

/nsm/sensor_data/41-184-204-74-eth0/dailylogs/ - 0 days
4.0K    .

/nsm/sensor_data/41-184-204-74-eth1/dailylogs/ - 0 days
4.0K    .

/nsm/sensor_data/41-184-204-74-eth2/dailylogs/ - 20 days
84K     .
4.0K    ./2018-10-03
4.0K    ./2018-10-04
4.0K    ./2018-10-05
4.0K    ./2018-10-06
4.0K    ./2018-10-07
4.0K    ./2018-10-08
4.0K    ./2018-10-09
4.0K    ./2018-10-10
4.0K    ./2018-10-11
4.0K    ./2018-10-12
4.0K    ./2018-10-13
4.0K    ./2018-10-14
4.0K    ./2018-10-15
4.0K    ./2018-10-16
4.0K    ./2018-10-17
4.0K    ./2018-10-18
4.0K    ./2018-10-19
4.0K    ./2018-10-20
4.0K    ./2018-10-21
4.0K    ./2018-10-22

/nsm/sensor_data/41-184-204-74-eth3/dailylogs/ - 0 days
4.0K    .

/nsm/bro/logs/ - 3 days
1.3G    .
507M    ./2018-10-03
100M    ./2018-10-12
626M    ./2018-10-22
38M     ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
164724

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals  GenID:SigID     Signature
989297  129:15  stream5: Reset outside window
465202  120:3   http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN
HTTP RESPONSE
202799  129:4   stream5: TCP Timestamp is outside of PAWS window
119526  129:12  stream5: TCP Small Segment Threshold Exceeded
86657   128:4   ssh: Protocol mismatch
63365   119:33  http_inspect: UNESCAPED SPACE IN HTTP URI
54230   3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit
attempt
53621   119:19  http_inspect: LONG HEADER
49587   1:2010935       ET SCAN Suspicious inbound to MSSQL port 1433
47309   139:1   sensitive_data: sensitive data global threshold exceeded
24360   129:14  stream5: TCP Timestamp is missing
15628   1:2016149       ET INFO Session Traversal Utilities for NAT
(STUN Binding Request)
13630   1:2016150       ET INFO Session Traversal Utilities for NAT
(STUN Binding Response)
11564   3:21355 PROTOCOL-DNS potential dns cache poisoning attempt -
mismatched txid
9376    1:2010144       ET P2P Vuze BT UDP Connection (5)
8638    125:1   ftp_pp: Telnet command on FTP command channel
8551    1:2008581       ET P2P BitTorrent DHT ping request
7307    129:5   stream5: Bad segment, overlap adjusted size less
than/equal 0
6667    119:14  http_inspect: NON-RFC DEFINED CHAR
5247    1:2010140       ET P2P Vuze BT UDP Connection
4517    141:1   imap: Unknown IMAP4 command
4270    137:1   spp_ssl: Invalid Client HELLO after Server HELLO Detected
4085    129:2   stream5: Data on SYN packet
4054    140:27  sip: Maximum dialogs in a session reached
3939    1:2402000       ET DROP Dshield Block Listed Source group 1
2952    1:2014703       ET DNS Non-DNS or Non-Compliant DNS traffic on
DNS port Reserved Bit Set
2919    1:2010937       ET SCAN Suspicious inbound to mySQL port 3306
2814    1:2008585       ET P2P BitTorrent DHT announce_peers request
2366    1:2022913       ET INFO WinHttp AutoProxy Request wpad.dat
Possible BadTunnel
2159    3:30881 MALWARE-OTHER dns request with long host name segment -
possible data exfiltration attempt
1948    1:2011716       ET SCAN Sipvicious User-Agent Detected
(friendly-scanner)
1798    1:2014702       ET DNS Non-DNS or Non-Compliant DNS traffic on
DNS port Opcode 8 through 15 set
1788    138:5   sensitive_data: sensitive data - eMail addresses
1750    119:31  http_inspect: UNKNOWN METHOD
1733    1:2008578       ET SCAN Sipvicious Scan
1582    1:2023472       ET POLICY External IP Lookup Domain
(myip.opendns .com in DNS lookup)
1367    119:28  http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
1317    123:13  frag3: Fragments smaller than configured min_fragment_length
1274    119:15  http_inspect: OVERSIZE REQUEST-URI DIRECTORY
1094    1:2500018       ET COMPROMISED Known Compromised or Hostile Host
Traffic TCP group 10
1086    1:2017162       ET SCAN SipCLI VOIP Scan
988     1:2018904       ET INFO Session Traversal Utilities for NAT
(STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change
IP flag false change port flag false)
962     123:8   frag3: Fragmentation overlap
903     142:1   pop: Unknown POP3 command
863     129:8   stream5: Data sent on stream after TCP Reset
825     123:12  frag3: Number of overlapping fragments exceed configured
limit
813     3:31738 PROTOCOL-DNS domain not found containing random-looking
hostname - possible DGA detected
790     1:31136 MALWARE-CNC Win.Trojan.ZeroAccess inbound connection
620     1:2403412       ET CINS Active Threat Intelligence Poor
Reputation IP TCP group 57
608     1:2000334       ET P2P BitTorrent peer sync
Total
2344714

=========================================================================
Last update
=========================================================================
Commandline: apt-get -y remove --purge linux-image-4.4.0-135-generic
linux-headers-4.4.0-135-generic
Requested-By: SO-user (1000)
Purge: linux-image-4.4.0-135-generic:amd64 (4.4.0-135.161),
linux-signed-image-4.4.0-135-generic:amd64 (4.4.0-135.161),
linux-image-extra-4.4.0-135-generic:amd64 (4.4.0-135.161),
linux-headers-4.4.0-135-generic:amd64 (4.4.0-135.161)
End-Date: 2018-10-22  13:54:33

Start-Date: 2018-10-22  13:59:03
Commandline: apt-get -y dist-upgrade
Requested-By: SO-user (1000)
Upgrade: pfring-dkms:amd64 (7.2.0, 7.2.0), libssh-gcrypt-4:amd64
(0.6.3-4.3, 0.6.3-4.3ubuntu0.1), ntopng:amd64 (3.6.181012-5267,
3.6.181022-5354), pfring:amd64 (7.2.0-2187, 7.2.0-2193), nprobe:amd64
(8.6.181012-6309, 8.6.181022-6310), ntopng-data:amd64 (3.6.181012,
3.6.181022)
End-Date: 2018-10-22  13:59:50

=========================================================================
Elasticsearch
=========================================================================

Elasticsearch is running.

Cluster Name: "SO-server"
Cluster Status: "green"
Total Nodes: 1
Failed Nodes: 0
Total Indices: 65
Total Shards: 85
Total Documents: 247808375
Total Size: 325771MB
Free Memory: 1%
Total Number of Events: 247808375
Avg. Event Size (In Bytes): 1314

CONTAINER ID        NAME                CPU %               MEM USAGE /
LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
dedab55550d6        so-elasticsearch    2.31%               5.032GiB /
27.47GiB   18.32%              570kB / 41.8MB      2.82GB / 2.49MB     144

=========================================================================
Logstash
=========================================================================

Logstash is running.

CONTAINER ID        NAME                CPU %               MEM USAGE /
LIMIT    MEM %               NET I/O             BLOCK I/O           PIDS
aa36a4df37f2        so-logstash         105.23%             2.59GiB /
27.47GiB   9.43%               5.96kB / 3.27kB     68.6MB / 401kB      59

Logstash Queue Stats:

Queue Type:
Queue settings can be modified in /etc/logstash/logstash.yml.

Event Summary (since restart):

Events In:
Events Out:


=========================================================================
Kibana
=========================================================================

Kibana is running.

CONTAINER ID        NAME                CPU %               MEM USAGE /
LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
de692ea276b0        so-kibana           0.75%               118.2MiB /
27.47GiB   0.42%               1.23MB / 3.52MB     65.7MB / 4.1kB      10

=========================================================================
ElastAlert
=========================================================================

ElastAlert is running.

CONTAINER ID        NAME                CPU %               MEM USAGE /
LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
6d3d8f5e3f29        so-elastalert       0.02%               50.71MiB /
27.47GiB   0.18%               146kB / 143kB       23.3MB / 20.5kB     2

=========================================================================
Curator
=========================================================================

Curator is running.

CONTAINER ID        NAME                CPU %               MEM USAGE /
LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
11370449dde1        so-curator          99.54%              51.39MiB /
27.47GiB   0.18%               40.1MB / 200kB      4.32MB / 0B         3

=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion111

Steven J

Oct 22, 2018, 11:38:50 PM10/22/18
to securit...@googlegroups.com

Not sure if this could be relevant to your installation; is this a new install, or has something changed?
https://groups.google.com/forum/#!topic/security-onion/6wlDJUtPVXg



Wes Lambert

Oct 23, 2018, 12:07:19 PM10/23/18
to securit...@googlegroups.com
Hi David,

Did you actually run the setup script to configure the box?

Thanks,
Wes

Wes Lambert

Oct 23, 2018, 12:11:49 PM10/23/18
to securit...@googlegroups.com
Hi David,

You may want to try taking a look at the log(s) in /var/log/nsm/.

Thanks,
Wes
