Trouble with ELSA Web Interface


Ed McGuigan

Dec 5, 2014, 2:52:07 PM
to securit...@googlegroups.com
When I try to go to the ELSA web interface, I just get the left pane with what looks like the various canned queries (I am new to ELSA and wanted to start playing with it).

I get the following error in the /var/log/apache2/error.log file :

readdir() attempted on invalid dirhandle DIR at /opt/elsa/web/lib/StatsWriter.pm line 12.
closedir() attempted on invalid dirhandle DIR at /opt/elsa/web/lib/StatsWriter.pm line 19.

This is a fresh re-install with a server and sensor which I did because I had exactly the same issue last week and followed a thread with the same issue where Doug concluded that a re-install would be warranted. Didn't seem to fix the issue.

Any help would be appreciated. I'll have a dig into the Perl module to see if I can garner anything (the name of the directory that doesn't exist, for example).

Cheers,

Ed McGuigan

**********************************************

=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95190190 errors:0 dropped:0 overruns:0 frame:0
TX packets:93960877 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20728645994 (20.7 GB) TX bytes:11260112233 (11.2 GB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:185777774 errors:0 dropped:0 overruns:0 frame:0
TX packets:185777774 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19576504869 (19.5 GB) TX bytes:19576504869 (19.5 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
19576504869 185777774 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
19576504869 185777774 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
20728645994 95190190 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
11260112233 93960877 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vgmain-lvroot 23G 2.6G 20G 12% /
udev 7.9G 4.0K 7.9G 1% /dev
tmpfs 1.6G 284K 1.6G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 7.9G 0 7.9G 0% /run/shm
/dev/mapper/vgmain-lvvar 94G 14G 80G 15% /var
/dev/sda1 180M 64M 104M 39% /boot
/dev/mapper/vgmain-lvhome 14G 36M 13G 1% /home

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1068 root 3u IPv4 11277 0t0 TCP *:ssh_port (LISTEN)
sshd 1068 root 4u IPv6 11279 0t0 TCP *:ssh_port (LISTEN)
salt-mast 1245 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
searchd 1296 sphinxsearch 7u IPv4 11545 0t0 TCP *:9306 (LISTEN)
searchd 1296 sphinxsearch 8u IPv4 11546 0t0 TCP *:9312 (LISTEN)
mysqld 1329 mysql 13u IPv4 13478 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1329 mysql 308u IPv4 1507621 0t0 TCP X.X.X.X:3306->X.X.X.X:37020 (ESTABLISHED)
mysqld 1329 mysql 309u IPv4 1507623 0t0 TCP X.X.X.X:3306->X.X.X.X:37021 (ESTABLISHED)
mysqld 1329 mysql 310u IPv4 1507625 0t0 TCP X.X.X.X:3306->X.X.X.X:37022 (ESTABLISHED)
mysqld 1329 mysql 311u IPv4 1507627 0t0 TCP X.X.X.X:3306->X.X.X.X:37023 (ESTABLISHED)
ossec-csy 1356 ossecm 5u IPv4 12954 0t0 UDP X.X.X.X:47143->X.X.X.X:514
salt-mast 1620 root 27u IPv4 13863 0t0 TCP *:4505 (LISTEN)
salt-mast 1620 root 29u IPv4 17679 0t0 TCP X.X.X.X:4505->X.X.X.X:46846 (ESTABLISHED)
salt-mast 1622 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
salt-mast 1631 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
salt-mast 1638 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
salt-mast 1639 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
salt-mast 1648 root 19u IPv4 12182 0t0 TCP *:4506 (LISTEN)
/usr/sbin 1955 root 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 1955 root 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 1955 root 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 1955 root 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
sshd 1965 root 3u IPv4 14499 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38199 (ESTABLISHED)
sshd 2206 SO-user 3u IPv4 14499 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38199 (ESTABLISHED)
sshd 2206 SO-user 8u IPv6 14717 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 2206 SO-user 9u IPv4 14718 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 2206 SO-user 10u IPv4 1507620 0t0 TCP X.X.X.X:37020->X.X.X.X:3306 (ESTABLISHED)
sshd 2206 SO-user 11u IPv4 1507622 0t0 TCP X.X.X.X:37021->X.X.X.X:3306 (ESTABLISHED)
sshd 2206 SO-user 12u IPv4 1507624 0t0 TCP X.X.X.X:37022->X.X.X.X:3306 (ESTABLISHED)
sshd 2206 SO-user 13u IPv4 1507626 0t0 TCP X.X.X.X:37023->X.X.X.X:3306 (ESTABLISHED)
/usr/sbin 2217 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 2217 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2217 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2217 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
/usr/sbin 2218 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 2218 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2218 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2218 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
/usr/sbin 2219 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 2219 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2219 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2219 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
/usr/sbin 2220 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 2220 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2220 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2220 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
/usr/sbin 2221 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 2221 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2221 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2221 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
ntpd 2888 ntp 16u IPv4 17569 0t0 UDP *:123
ntpd 2888 ntp 17u IPv6 17570 0t0 UDP *:123
ntpd 2888 ntp 18u IPv4 17576 0t0 UDP X.X.X.X:123
ntpd 2888 ntp 19u IPv4 17577 0t0 UDP X.X.X.X:123
ntpd 2888 ntp 20u IPv6 17578 0t0 UDP [X.X.X.X]:123
ntpd 2888 ntp 21u IPv6 17579 0t0 UDP [X.X.X.X]:123
/usr/sbin 3749 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 3749 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3749 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3749 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
tclsh 6441 root 3u IPv4 1417417 0t0 TCP X.X.X.X:47983->X.X.X.X:7736 (ESTABLISHED)
tclsh 7915 root 13u IPv4 1194515 0t0 TCP *:7734 (LISTEN)
tclsh 7915 root 14u IPv4 1194516 0t0 TCP *:7736 (LISTEN)
tclsh 7915 root 15u IPv4 1505276 0t0 TCP X.X.X.X:7736->X.X.X.X:44909 (ESTABLISHED)
tclsh 7915 root 16u IPv4 1505643 0t0 TCP X.X.X.X:7736->X.X.X.X:44919 (ESTABLISHED)
tclsh 7915 root 17u IPv4 1505644 0t0 TCP X.X.X.X:7736->X.X.X.X:44920 (ESTABLISHED)
tclsh 7915 root 18u IPv4 1505278 0t0 TCP X.X.X.X:7736->X.X.X.X:44921 (ESTABLISHED)
tclsh 7915 root 19u IPv4 1505683 0t0 TCP X.X.X.X:7736->X.X.X.X:44934 (ESTABLISHED)
tclsh 7915 root 20u IPv4 1505684 0t0 TCP X.X.X.X:7736->X.X.X.X:44935 (ESTABLISHED)
tclsh 7915 root 21u IPv4 1417154 0t0 TCP X.X.X.X:7736->X.X.X.X:47983 (ESTABLISHED)
tclsh 7915 root 22u IPv4 1505685 0t0 TCP X.X.X.X:7736->X.X.X.X:44947 (ESTABLISHED)
tclsh 7915 root 23u IPv4 1436568 0t0 TCP X.X.X.X:7734->X.X.X.X:47253 (ESTABLISHED)
/usr/sbin 8582 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 8582 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8582 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 8582 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
ruby1.9.1 8743 www-data 12u IPv4 1511542 0t0 TCP X.X.X.X:57411 (LISTEN)
/usr/sbin 8758 www-data 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 8758 www-data 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8758 www-data 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 8758 www-data 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
syslog-ng 11042 root 9u IPv4 1518071 0t0 TCP *:514 (LISTEN)
syslog-ng 11042 root 10u IPv4 1518072 0t0 UDP *:514
sshd 12426 root 3u IPv4 377748 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41773 (ESTABLISHED)
sshd 12657 SO-user 3u IPv4 377748 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41773 (ESTABLISHED)
sshd 15148 root 3u IPv4 387242 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41986 (ESTABLISHED)
sshd 15306 SO-user 3u IPv4 387242 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41986 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri Dec 5 07:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
[PulledPork ASCII-art banner]
PulledPork v0.7.0 - Swine Flu!
Copyright (C) 2009-2013 JJ Cummings cumm...@gmail.com
Rules give me wings!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 33 rules
Done
Setting Flowbit State....
Enabled 39 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------17
Deleted:---0
Enabled Rules:----16800
Dropped Rules:----0
Disabled Rules:---3883
Total Rules:------20683
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table

=========================================================================
CPU Usage
=========================================================================
top - 19:40:18 up 2 days, 22:13, 2 users, load average: 0.16, 0.15, 0.14
Tasks: 191 total, 2 running, 189 sleeping, 0 stopped, 0 zombie
Cpu(s): 8.5%us, 1.8%sy, 0.0%ni, 87.1%id, 2.2%wa, 0.0%hi, 0.4%si, 0.0%st
Mem: 16434184k total, 6841188k used, 9592996k free, 164740k buffers
Swap: 15622140k total, 194448k used, 15427692k free, 3764716k cached

%CPU %MEM COMMAND
6.8 1.3 /usr/sbin/mysqld
2.4 0.0 sshd: SO-user
0.8 3.8 delayed_job
0.1 0.2 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 1.4 /usr/bin/searchd --nodetach
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [xfsaild/dm-3]
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/1:1H]
0.0 0.0 [rcu_sched]
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.6 /usr/sbin/apache2 -k start
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/1]
0.0 0.0 [khugepaged]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/u4:0]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:114
0.0 0.0 /sbin/init
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/u4:1]
0.0 0.0 [kswapd0]
0.0 0.5 Rack: /opt/snorby
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 [kworker/u4:2]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:0]
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 PassengerHelperAgent
0.0 0.0 [ksoftirqd/1]
0.0 0.0 cron
0.0 0.0 vim rules/local.rules pulledpork/disablesid.conf
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [migration/0]
0.0 0.0 PassengerLoggingAgent
0.0 0.0 -bash
0.0 0.0 -bash
0.0 0.0 tclsh /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 [khungtaskd]
0.0 0.0 Passenger spawn server
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/u5:1]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 sudo vim rules/local.rules pulledpork/disablesid.conf
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kworker/u5:0]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [mpt/0]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [scsi_eh_6]
0.0 0.0 [scsi_eh_7]
0.0 0.0 [scsi_eh_8]
0.0 0.0 [scsi_eh_9]
0.0 0.0 [scsi_eh_10]
0.0 0.0 [scsi_eh_11]
0.0 0.0 [scsi_eh_12]
0.0 0.0 [scsi_eh_13]
0.0 0.0 [scsi_eh_14]
0.0 0.0 [scsi_eh_15]
0.0 0.0 [scsi_eh_16]
0.0 0.0 [scsi_eh_17]
0.0 0.0 [scsi_eh_18]
0.0 0.0 [scsi_eh_19]
0.0 0.0 [scsi_eh_20]
0.0 0.0 [scsi_eh_21]
0.0 0.0 [scsi_eh_22]
0.0 0.0 [scsi_eh_23]
0.0 0.0 [scsi_eh_24]
0.0 0.0 [scsi_eh_25]
0.0 0.0 [scsi_eh_26]
0.0 0.0 [scsi_eh_27]
0.0 0.0 [scsi_eh_28]
0.0 0.0 [scsi_eh_29]
0.0 0.0 [scsi_eh_30]
0.0 0.0 [scsi_eh_31]
0.0 0.0 [scsi_eh_32]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [xfsalloc]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfs-data/dm-3]
0.0 0.0 [xfs-conv/dm-3]
0.0 0.0 [xfs-cil/dm-3]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [jbd2/dm-1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [ttm_swap]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/1:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 atd
0.0 0.0 whoopsie
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 PassengerWatchdog
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|lost+found/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
119

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
226408 1:2100376 GPL ICMP_INFO PING Microsoft Windows
27574 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
27372 1:2008118 ET TFTP Outbound TFTP ACK
23237 1:9000017 Snort Alert [1:9000017:1]
17930 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
9656 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
8581 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
6511 1:2016847 ET INFO Possible Chrome Plugin install
4868 1:2100651 GPL SHELLCODE x86 stealth NOOP
4408 1:2101201 GPL WEB_SERVER 403 Forbidden
3339 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
2701 1:2010515 ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)
2701 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1693 1:2016360 ET INFO JAVA - ClassID
1601 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
1507 1:2014520 ET INFO EXE - Served Attached HTTP
1440 1:2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1047 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
962 1:2003410 ET POLICY FTP Login Successful
910 1:2100366 GPL ICMP_INFO PING *NIX
849 1:2000419 ET POLICY PE EXE or DLL Windows file download
788 1:2016502 ET INFO Java Serialized Data via vulnerable client
788 1:2016503 ET INFO Java Serialized Data
765 1:2101411 GPL SNMP public access udp
692 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
632 1:2014726 ET POLICY Outdated Windows Flash Version IE
451 1:2002825 ET POLICY POSSIBLE Web Crawl using Curl
424 1:2002383 ET SCAN Potential FTP Brute-Force attempt
419 1:2002878 ET POLICY iTunes User Agent
400 1:2010920 ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)
351 1:2011507 ET WEB_CLIENT PDF With Embedded File
337 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
337 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
330 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
328 1:2015561 ET INFO PDF Using CCITTFax Filter
311 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
304 1:2014819 ET INFO Packed Executable Download
291 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
276 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
255 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
244 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
206 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
192 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
190 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
188 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
181 1:2009702 ET POLICY DNS Update From External net
177 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
162 1:2001329 ET POLICY RDP connection request
157 1:2001330 ET POLICY RDP connection confirm
154 1:2014519 ET INFO EXE - Served Inline HTTP
Total
389756

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
7645699 1:2101411 GPL SNMP public access udp
226408 1:2100376 GPL ICMP_INFO PING Microsoft Windows
105709 1:2008118 ET TFTP Outbound TFTP ACK
54313 1:2018358 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
36783 1:2010908 ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake
27505 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
23306 1:9000017 Snort Alert [1:9000017:1]
17930 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
9656 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
8581 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
6511 1:2016847 ET INFO Possible Chrome Plugin install
4855 1:2100651 GPL SHELLCODE x86 stealth NOOP
4023 1:2101201 GPL WEB_SERVER 403 Forbidden
3327 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
2610 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
2610 1:2010515 ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)
1692 1:2016360 ET INFO JAVA - ClassID
1601 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
1503 1:2014520 ET INFO EXE - Served Attached HTTP
1438 1:2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1047 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
962 1:2003410 ET POLICY FTP Login Successful
910 1:2100366 GPL ICMP_INFO PING *NIX
848 1:2000419 ET POLICY PE EXE or DLL Windows file download
781 1:2016503 ET INFO Java Serialized Data
781 1:2016502 ET INFO Java Serialized Data via vulnerable client
687 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
588 1:2014726 ET POLICY Outdated Windows Flash Version IE
451 1:2002825 ET POLICY POSSIBLE Web Crawl using Curl
424 1:2002383 ET SCAN Potential FTP Brute-Force attempt
418 1:2002878 ET POLICY iTunes User Agent
383 1:2010920 ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)
344 1:2011507 ET WEB_CLIENT PDF With Embedded File
337 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
332 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
329 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
327 1:2015561 ET INFO PDF Using CCITTFax Filter
309 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
304 1:2014819 ET INFO Packed Executable Download
290 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
271 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
253 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
206 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
192 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
188 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
181 1:2009702 ET POLICY DNS Update From External net
179 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
177 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
165 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
160 1:2001329 ET POLICY RDP connection request
Total
8203384

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
11041 supervising syslog-ng
11042 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1329 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1277 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 253 Dec 5 19:40 /nsm/elsa/data/elsa/tmp/buffers/1417808417.47901
-rw-r--r-- 1 root root 2617 Dec 5 19:40 /nsm/elsa/data/elsa/tmp/buffers/1417808357.47403
-rw-r--r-- 1 root root 16 Dec 5 19:40 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
87M /nsm/elsa/data
12M /var/lib/mysql/syslog
28K /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2014-12-01 20:52:07 2014-12-05 19:39:10

ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X

--


*Disclaimer: *Under Florida law, e-mail addresses are public records. If
you do not want your e-mail address released in response to a public
records request, do not send electronic mail to this entity. Instead,
contact this office by phone or in writing.

Ed McGuigan

Dec 5, 2014, 3:26:40 PM
to securit...@googlegroups.com
A guy seemed to have a similar problem about a year back - https://groups.google.com/forum/#!topic/security-onion/defgI79K__o

One thing he noticed that I also have is a complaint about there being no virtual hosts associated with port 3154 on Apache:

+++++++++++++++++
sudo service apache2 restart
[sudo] password for *****:
* Restarting web server apache2 [Fri Dec 05 20:21:04 2014] [warn] NameVirtualHost localhost:3154 has no VirtualHosts
... waiting .[Fri Dec 05 20:21:06 2014] [warn] NameVirtualHost localhost:3154 has no VirtualHosts
+++++++++++++++++

Ed McGuigan

Dec 5, 2014, 3:48:36 PM
to securit...@googlegroups.com
I took a look at the Perl module /opt/elsa/web/lib/StatsWriter.pm (see below). It looks like there should be a directory /opt/elsa/web/lib/StatsWriter and that this module is supposed to process a bunch of different Perl files in this directory.

I tried just creating the missing StatsWriter directory to see if that would suppress the error and fix the problem. It seemed to suppress the error but not resolve the issue so I think this might be a red herring.

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
package StatsWriter;
use Moose::Role;

has 'stat_objects' => (is => 'rw', isa => 'ArrayRef', required => 1, default => sub { [] });

after BUILD => sub {
	my $self = shift;

	# Derive the plugin directory from wherever StatsWriter.pm was loaded from,
	# e.g. /opt/elsa/web/lib/StatsWriter.pm -> /opt/elsa/web/lib/StatsWriter
	my $absolute_path = $INC{'StatsWriter.pm'};
	$absolute_path =~ s/StatsWriter\.pm$/\/StatsWriter/;

	# The original code did not check opendir's return value, so a missing
	# directory led to readdir()/closedir() on an invalid handle, which is
	# exactly the pair of warnings seen in the Apache error log.
	if (opendir(my $dh, $absolute_path)){
		# Load every *.pm plugin found in the directory, warning on failure
		while (my $file = readdir($dh)){
			next unless $file =~ /\.pm$/;
			eval { require 'StatsWriter/' . $file; };
			if ($@){
				warn('Unable to include StatsWriter/' . $file . ': ' . $@);
			}
		}
		closedir($dh);
	}
	else {
		warn('Unable to open stats plugin directory ' . $absolute_path . ': ' . $!);
	}

	# Instantiate each plugin class and keep the objects for later stat writes
	foreach my $plugin_name ($self->stats_plugins()){
		my $plugin = $plugin_name->new(conf => $self->conf);
		push @{ $self->stat_objects }, $plugin;
	}

	return $self
};
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Doug Burks

Dec 5, 2014, 5:46:26 PM
to securit...@googlegroups.com
Hi Ed,

Is it possible that there is a firewall somewhere preventing you from
connecting to port 3154 on your management server?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

Ed McGuigan

Dec 8, 2014, 8:53:57 AM
to securit...@googlegroups.com
Hi Doug:

Thanks by the way for the work you have done with SO.

You know what, Doug, there is an issue. The firewall policy looks OK but I can telnet to port 3154 locally and not remotely. Sorry for wasting your time.

Not sure what it is exactly but it can't be anything too complicated.

I will post the outcome just in case it might help somebody else.

Thanks,

Ed McGuigan.

Ed McGuigan

Dec 8, 2014, 10:06:21 AM
to securit...@googlegroups.com
Yes - it was my bad. Didn't have port 3154 allowed in the hardware firewall policy. Ooops!
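The diagnosis this thread arrived at (Apache listens on 3154 on all interfaces, telnet works locally but not from the workstation, so a firewall in between is dropping the port) can be scripted so it is checked before reinstalling anything. The following is an added example, not code from the thread or from Security Onion/ELSA. It parses an lsof listing of the kind sostat prints under "Network Sockets" to see which ports listen and on which address, attempts a TCP connect to each port from the client side, and turns the two views into a per-port verdict. The lsof sample is constructed, and the choice of 443 and 3154 as the ports the browser must reach is an assumption drawn from the listeners shown in the thread, not from project documentation.

```python
"""Added example, not code from the thread or from Security Onion/ELSA.

Reproduces the diagnosis in this thread: the ELSA UI half-loads because the
browser can reach 443 but not 3154.  Step 1 parses the server's lsof output
(as printed in sostat's "Network Sockets" section) to see which ports listen
and on which address; step 2 connects to each port from the analyst
workstation; step 3 turns the two views into a verdict per port.
"""
import re
import socket
import sys

# Constructed sample in the shape of the sostat "Network Sockets" listing;
# the addresses are placeholders, not real hosts.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
/usr/sbin 1955 root 4u IPv4 14358 0t0 TCP *:443 (LISTEN)
/usr/sbin 1955 root 5u IPv4 14361 0t0 TCP *:9876 (LISTEN)
/usr/sbin 1955 root 6u IPv4 14363 0t0 TCP *:3154 (LISTEN)
/usr/sbin 1955 root 7u IPv4 14368 0t0 TCP *:444 (LISTEN)
mysqld 1329 mysql 13u IPv4 13478 0t0 TCP 127.0.0.1:3306 (LISTEN)
sshd 2206 SO-user 9u IPv4 14718 0t0 TCP 127.0.0.1:50000 (LISTEN)
"""

# Assumption: the browser needs 443 (the ELSA page itself) and 3154 (the port
# the page's query requests go to).  Taken from the listeners in the thread,
# not from Security Onion documentation.
ELSA_WEB_PORTS = (443, 3154)

LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1"}
LISTEN_RE = re.compile(r"TCP\s+(\S+):(\d+)\s+\(LISTEN\)")


def parse_listeners(lsof_text):
    """Map port -> set of bind addresses for every 'TCP addr:port (LISTEN)' line."""
    listeners = {}
    for line in lsof_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners


def tcp_check(host, port, timeout=3.0):
    """One TCP connect attempt; 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # RST came back: host reached, port closed or rejected
    except socket.timeout:
        return "timeout"        # silently dropped: typical of a filtering firewall
    except OSError:
        return "unreachable"    # no route, name resolution failure, etc.


def diagnose(listeners, remote_results, ports=ELSA_WEB_PORTS):
    """Combine the server-side bind table with client-side connect results."""
    verdicts = {}
    for port in ports:
        binds = listeners.get(port, set())
        remote = remote_results.get(port, "untested")
        if not binds:
            verdicts[port] = "not listening on the server: service or Apache Listen config"
        elif binds <= LOOPBACK:
            verdicts[port] = "bound to loopback only: reachable locally, never remotely"
        elif remote == "open":
            verdicts[port] = "ok"
        elif remote in ("timeout", "unreachable"):
            verdicts[port] = "listening on all interfaces but filtered: check the firewall between client and server"
        elif remote == "refused":
            verdicts[port] = "listening but remote connect refused: host firewall reject rule, NAT or proxy"
        else:
            verdicts[port] = "listening; remote reachability not tested"
    return verdicts


if __name__ == "__main__":
    # Run from the workstation: python3 elsa_port_triage.py <server-ip> < lsof-output.txt
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    lsof_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    remote = {p: tcp_check(server, p) for p in ELSA_WEB_PORTS}
    for port, verdict in diagnose(parse_listeners(lsof_text), remote).items():
        print(f"{port}: {remote[port]:<11} -> {verdict}")
```

Run it on the workstation with the server address and the lsof output pasted on stdin; a port that shows `*` in the bind table on the server but times out from the client is the firewall case from this thread, while a loopback-only bind or no listener at all points back at Apache configuration rather than at the network.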