MySQL Error on Security Onion Sensor


Chris Green

Dec 15, 2016, 2:30:45 PM
to security-onion
I noticed the following error when running sostat:

:ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Does anybody have any idea what could be causing this? The sensor has all current updates, and I have tried restarting the sensor and manually starting the MySQL service and I get the following error:

start: Job failed to start

===============================================================================
The following is the redacted sostat output:

=========================================================================
Service Status
=========================================================================
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 3679 4 15 Dec 19:08:02
proxy proxy localhost running 3787 4 15 Dec 19:08:06
SO-server-eth1-1 worker localhost running 3871 2 15 Dec 19:08:07
SO-server-eth1-2 worker localhost running 3872 2 15 Dec 19:08:07
SO-server-eth1-3 worker localhost running 3862 2 15 Dec 19:08:07
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort_agent-3 (SO-user)[ OK ]
* snort_agent-4 (SO-user)[ OK ]
* snort_agent-5 (SO-user)[ OK ]
* snort_agent-6 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* snort-5 (alert data)[ OK ]
* snort-6 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
* barnyard2-5 (spooler, unified2 format)[ OK ]
* barnyard2-6 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:48534768 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14354434617 (14.3 GB) TX bytes:0 (0.0 B)

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:108064 errors:0 dropped:0 overruns:0 frame:0
TX packets:280673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7869502 (7.8 MB) TX bytes:414718904 (414.7 MB)
Memory:daf00000-daf80000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:71943 errors:0 dropped:0 overruns:0 frame:0
TX packets:71943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:700119477 (700.1 MB) TX bytes:700119477 (700.1 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
700119477 71943 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
700119477 71943 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
14354448883 48534815 0 0 0 33025
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
7869502 108064 0 0 0 4
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
414718904 280673 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda6 282G 9.5G 258G 4% /
udev 95G 4.0K 95G 1% /dev
tmpfs 19G 844K 19G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 95G 0 95G 0% /run/shm
/dev/sda1 94G 593M 89G 1% /boot
/dev/sda3 282G 5.1G 263G 2% /var
/dev/sda5 16T 13T 1.8T 89% /nsm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1727 avahi 12u IPv4 8688 0t0 UDP *:5353
avahi-dae 1727 avahi 13u IPv6 8689 0t0 UDP *:5353
avahi-dae 1727 avahi 14u IPv4 8690 0t0 UDP *:40454
avahi-dae 1727 avahi 15u IPv6 8691 0t0 UDP *:46708
cupsd 1729 root 8u IPv6 232 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1729 root 9u IPv4 233 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1799 root 3r IPv4 1611 0t0 TCP *:ssh_port (LISTEN)
sshd 1799 root 4u IPv6 1613 0t0 TCP *:ssh_port (LISTEN)
syslog-ng 2039 root 9u IPv4 8945 0t0 TCP *:514 (LISTEN)
syslog-ng 2039 root 10u IPv4 8946 0t0 UDP *:514
searchd 2208 sphinxsearch 7u IPv4 22909 0t0 TCP *:9306 (LISTEN)
searchd 2208 sphinxsearch 8u IPv4 22910 0t0 TCP *:9312 (LISTEN)
critical- 2209 root 5u IPv4 9505 0t0 TCP X.X.X.X:36727->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 8u IPv4 22976 0t0 TCP X.X.X.X:38837->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 9u IPv4 22982 0t0 TCP X.X.X.X:36733->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 10u IPv4 23011 0t0 TCP X.X.X.X:51843->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 11u IPv4 23109 0t0 TCP X.X.X.X:38846->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 12u IPv4 23120 0t0 TCP X.X.X.X:51849->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 13u IPv4 23138 0t0 TCP X.X.X.X:51852->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 14u IPv4 23144 0t0 TCP X.X.X.X:38852->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 15u IPv4 23154 0t0 TCP X.X.X.X:36748->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 16u IPv4 23160 0t0 TCP X.X.X.X:51855->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 17u IPv4 23172 0t0 TCP X.X.X.X:38856->X.X.X.X:443 (ESTABLISHED)
critical- 2209 root 18u IPv4 23179 0t0 TCP X.X.X.X:36752->X.X.X.X:443 (ESTABLISHED)
redis-ser 2232 redis 4u IPv4 1955 0t0 TCP X.X.X.X:6379 (LISTEN)
ntpd 2377 ntp 16u IPv4 23040 0t0 UDP *:123
ntpd 2377 ntp 17u IPv6 23041 0t0 UDP *:123
ntpd 2377 ntp 18u IPv4 23047 0t0 UDP X.X.X.X:123
ntpd 2377 ntp 19u IPv4 23048 0t0 UDP X.X.X.X:123
ntpd 2377 ntp 20u IPv6 23049 0t0 UDP [X.X.X.X]:123
ntpd 2377 ntp 21u IPv6 23050 0t0 UDP [X.X.X.X]:123
splunkd 2428 root 4u IPv4 23139 0t0 TCP *:8089 (LISTEN)
splunkd 2428 root 51u IPv4 51832 0t0 TCP X.X.X.X:42761->X.X.X.X:9997 (ESTABLISHED)
splunkd 2428 root 53u IPv4 55442 0t0 TCP X.X.X.X:42102->X.X.X.X:8089 (ESTABLISHED)
/usr/sbin 2848 root 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2848 root 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2848 root 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2982 www-data 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2982 www-data 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2982 www-data 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2983 www-data 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2983 www-data 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2983 www-data 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2984 www-data 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2984 www-data 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2984 www-data 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2985 www-data 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2985 www-data 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2985 www-data 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2986 www-data 4u IPv4 9066 0t0 TCP *:443 (LISTEN)
/usr/sbin 2986 www-data 5u IPv4 9069 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2986 www-data 6u IPv4 9071 0t0 TCP *:3154 (LISTEN)
sshd 2987 root 3r IPv4 23218 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:43060 (ESTABLISHED)
sshd 3147 SO-user 3u IPv4 23218 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:43060 (ESTABLISHED)
ssh 3514 root 3r IPv4 25073 0t0 TCP X.X.X.X:51442->X.X.X.X:ssh_port (ESTABLISHED)
ssh 3514 root 4u IPv6 9640 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 3514 root 5u IPv4 9641 0t0 TCP X.X.X.X:3306 (LISTEN)
bro 3679 SO-user 4u IPv4 23453 0t0 UDP X.X.X.X:51972->X.X.X.X:53
bro 3753 SO-user 0u IPv4 20734 0t0 TCP *:47761 (LISTEN)
bro 3753 SO-user 1u IPv6 20735 0t0 TCP *:47761 (LISTEN)
bro 3753 SO-user 2u IPv4 20766 0t0 TCP X.X.X.X:47761->X.X.X.X:37202 (ESTABLISHED)
bro 3753 SO-user 4u IPv4 23453 0t0 UDP X.X.X.X:51972->X.X.X.X:53
bro 3753 SO-user 271u IPv4 15622 0t0 TCP X.X.X.X:47761->X.X.X.X:37203 (ESTABLISHED)
bro 3753 SO-user 276u IPv4 20799 0t0 TCP X.X.X.X:47761->X.X.X.X:37205 (ESTABLISHED)
bro 3753 SO-user 281u IPv4 17887 0t0 TCP X.X.X.X:47761->X.X.X.X:37207 (ESTABLISHED)
bro 3787 SO-user 4u IPv4 25657 0t0 UDP X.X.X.X:42847->X.X.X.X:53
bro 3796 SO-user 0u IPv4 9654 0t0 TCP X.X.X.X:37202->X.X.X.X:47761 (ESTABLISHED)
bro 3796 SO-user 4u IPv4 25657 0t0 UDP X.X.X.X:42847->X.X.X.X:53
bro 3796 SO-user 269u IPv4 9659 0t0 TCP *:47762 (LISTEN)
bro 3796 SO-user 270u IPv6 9660 0t0 TCP *:47762 (LISTEN)
bro 3796 SO-user 271u IPv4 9668 0t0 TCP X.X.X.X:47762->X.X.X.X:45807 (ESTABLISHED)
bro 3796 SO-user 276u IPv4 19738 0t0 TCP X.X.X.X:47762->X.X.X.X:45809 (ESTABLISHED)
bro 3796 SO-user 281u IPv4 17896 0t0 TCP X.X.X.X:47762->X.X.X.X:45811 (ESTABLISHED)
bro 3862 SO-user 4u IPv4 25721 0t0 UDP X.X.X.X:42010->X.X.X.X:53
bro 3871 SO-user 4u IPv4 17778 0t0 UDP X.X.X.X:38582->X.X.X.X:53
bro 3872 SO-user 4u IPv4 15616 0t0 UDP X.X.X.X:52789->X.X.X.X:53
bro 3879 SO-user 0u IPv4 20789 0t0 TCP X.X.X.X:37203->X.X.X.X:47761 (ESTABLISHED)
bro 3879 SO-user 4u IPv4 15616 0t0 UDP X.X.X.X:52789->X.X.X.X:53
bro 3879 SO-user 269u IPv4 20792 0t0 TCP X.X.X.X:45807->X.X.X.X:47762 (ESTABLISHED)
bro 3879 SO-user 274u IPv4 20797 0t0 TCP *:47764 (LISTEN)
bro 3879 SO-user 275u IPv6 20798 0t0 TCP *:47764 (LISTEN)
bro 3880 SO-user 0u IPv4 25727 0t0 TCP X.X.X.X:37205->X.X.X.X:47761 (ESTABLISHED)
bro 3880 SO-user 4u IPv4 25721 0t0 UDP X.X.X.X:42010->X.X.X.X:53
bro 3880 SO-user 269u IPv4 25730 0t0 TCP X.X.X.X:45809->X.X.X.X:47762 (ESTABLISHED)
bro 3880 SO-user 274u IPv4 25735 0t0 TCP *:47765 (LISTEN)
bro 3880 SO-user 275u IPv6 25736 0t0 TCP *:47765 (LISTEN)
bro 3883 SO-user 0u IPv4 17883 0t0 TCP X.X.X.X:37207->X.X.X.X:47761 (ESTABLISHED)
bro 3883 SO-user 4u IPv4 17778 0t0 UDP X.X.X.X:38582->X.X.X.X:53
bro 3883 SO-user 269u IPv4 17886 0t0 TCP X.X.X.X:45811->X.X.X.X:47762 (ESTABLISHED)
bro 3883 SO-user 274u IPv4 17894 0t0 TCP *:47763 (LISTEN)
bro 3883 SO-user 275u IPv6 17895 0t0 TCP *:47763 (LISTEN)
tclsh 4114 SO-user 3u IPv4 9694 0t0 TCP X.X.X.X:55790->X.X.X.X:7736 (ESTABLISHED)
tclsh 4158 SO-user 3u IPv4 21961 0t0 TCP X.X.X.X:55788->X.X.X.X:7736 (ESTABLISHED)
tclsh 4158 SO-user 4u IPv4 23523 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 4201 SO-user 3u IPv4 23520 0t0 TCP X.X.X.X:55787->X.X.X.X:7736 (ESTABLISHED)
tclsh 4201 SO-user 4u IPv4 21962 0t0 TCP X.X.X.X:8102 (LISTEN)
tclsh 4255 SO-user 3u IPv4 18850 0t0 TCP X.X.X.X:55791->X.X.X.X:7736 (ESTABLISHED)
tclsh 4255 SO-user 4u IPv4 23531 0t0 TCP X.X.X.X:8103 (LISTEN)
tclsh 4358 SO-user 3u IPv4 10596 0t0 TCP X.X.X.X:55794->X.X.X.X:7736 (ESTABLISHED)
tclsh 4358 SO-user 4u IPv4 23549 0t0 TCP X.X.X.X:8104 (LISTEN)
tclsh 4436 SO-user 3u IPv4 13906 0t0 TCP X.X.X.X:55796->X.X.X.X:7736 (ESTABLISHED)
tclsh 4436 SO-user 4u IPv4 9703 0t0 TCP X.X.X.X:8105 (LISTEN)
tclsh 4508 SO-user 3u IPv4 13990 0t0 TCP X.X.X.X:55799->X.X.X.X:7736 (ESTABLISHED)
tclsh 4508 SO-user 4u IPv4 26010 0t0 TCP X.X.X.X:8106 (LISTEN)
sshd 6468 root 3r IPv4 10035 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:47985 (ESTABLISHED)
sshd 6746 SO-user 3u IPv4 10035 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:47985 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Thu Dec 15 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 60 minutes to allow master time to download new rules.
Copying rules from X.X.X.X.
scp: /usr/local/lib/snort_dynamicrules/*: No such file or directory
Restarting Barnyard2.
Restarting: SO-server-eth1
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
* starting: barnyard2-3 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-4 (spooler, unified2 format)[ OK ]
* starting: barnyard2-4 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-5 (spooler, unified2 format)[ OK ]
* starting: barnyard2-5 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-6 (spooler, unified2 format)[ OK ]
* starting: barnyard2-6 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth1
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]
* stopping: snort-3 (alert data)[ OK ]
* starting: snort-3 (alert data)[ OK ]
* stopping: snort-4 (alert data)[ OK ]
* starting: snort-4 (alert data)[ OK ]
* stopping: snort-5 (alert data)[ OK ]
* starting: snort-5 (alert data)[ OK ]
* stopping: snort-6 (alert data)[ OK ]
* starting: snort-6 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
5.24 4.83 3.36
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 19:24:02 up 17 min, 2 users, load average: 5.24, 4.83, 3.36
Tasks: 269 total, 6 running, 263 sleeping, 0 stopped, 0 zombie
Cpu(s): 25.1%us, 1.3%sy, 0.0%ni, 71.0%id, 1.7%wa, 0.0%hi, 0.8%si, 0.0%st
Mem: 198050596k total, 32449496k used, 165601100k free, 212180k buffers
Swap: 291025292k total, 0k used, 291025292k free, 15652924k cached

%CPU %MEM COMMAND
73.7 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
73.1 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
66.1 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.9 0.5 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2016-12-15/ --user 1002 --group 1002 -s --prefix snort.log. --verbose --ring-size 1024 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth1/bpf-pcap.ops
19.6 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-6 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-6.stats -U
11.7 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
11.1 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-4.stats -U
10.5 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-6 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-6.stats -U
9.8 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-5 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-5.stats -U
9.5 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
8.3 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-3.stats -U
7.9 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-4.stats -U
7.8 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-3.stats -U
7.7 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-2.stats -U
7.7 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-5 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-5.stats -U
7.6 0.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-2.stats -U
3.7 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
3.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
2.9 1.3 /usr/bin/searchd --nodetach
2.8 0.0 splunkd -p 8089 start
1.8 0.0 /usr/bin/dumpcap -i eth1 -b duration:1200 -b files:100 -Z none -B 1 -f udp port 3001 -w /home/SO-user/dev_traffic/current/udp_3001
1.2 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
1.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-4 -i 4 -U
1.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-2 -i 2 -U
1.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
1.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-2 -i 2 -U
1.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-5.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-5 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-5 -i 5 -U
1.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-3 -i 3 -U
1.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-3 -i 3 -U
0.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-6.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-6 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-6 -i 6 -U
0.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-5.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-5 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-5 -i 5 -U
0.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-4 -i 4 -U
0.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-6.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-6 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-6 -i 6 -U
0.6 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.3 0.0 /sbin/init
0.2 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.2 0.0 [flush-8:0]
0.1 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.1 0.0 /usr/sbin/apache2 -k start
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.3 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.3 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.3 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 critical-stack-intel --debug pull --loop
0.0 0.0 /usr/bin/redis-server /etc/redis/redis.conf
0.0 0.0 [migration/11]
0.0 0.0 [migration/10]
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [migration/12]
0.0 0.0 [migration/13]
0.0 0.0 [migration/9]
0.0 0.0 [migration/8]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [migration/5]
0.0 0.0 [migration/3]
0.0 0.0 [migration/4]
0.0 0.0 [migration/2]
0.0 0.0 [migration/0]
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 -bash
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 -bash
0.0 0.0 [kworker/0:1]
0.0 0.0 tshark -f udp port 3001 -i eth1 -b duration:1200 -b files:100 -w /home/SO-user/dev_traffic/current/udp_3001 -q
0.0 0.0 /bin/bash
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 tmux -2 -f /usr/share/byobu/profiles/tmuxrc new-session /usr/bin/byobu-shell
0.0 0.0 [ksoftirqd/12]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 [kworker/0:0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [kworker/1:0]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [kworker/12:1]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [kworker/1:2]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-6.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-3.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [jbd2/sda6-8]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-5.conf
0.0 0.0 sshd: SO-user@pts/2
0.0 0.0 Passenger spawn server
0.0 0.0 [kworker/3:1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/13:2]
0.0 0.0 [kworker/10:2]
0.0 0.0 [jbd2/sda3-8]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/15:1]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [watchdog/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [watchdog/4]
0.0 0.0 [kworker/5:0]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [watchdog/7]
0.0 0.0 [kworker/8:0]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [watchdog/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [watchdog/13]
0.0 0.0 [kworker/14:0]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [watchdog/14]
0.0 0.0 [kworker/15:0]
0.0 0.0 [watchdog/15]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [vmstat]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [kworker/u:4]
0.0 0.0 [kworker/u:5]
0.0 0.0 [kworker/10:1]
0.0 0.0 [devfreq_wq]
0.0 0.0 [scsi_eh_6]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 cron
0.0 0.0 atd
0.0 0.0 lightdm
0.0 0.0 supervising syslog-ng
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 [splunkd pid=2428] splunkd -p 8089 start [process-runner]
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 PassengerWatchdog
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 sudo -b tshark -f udp port 3001 -i eth1 -b duration:1200 -b files:100 -w /home/SO-user/dev_traffic/current/udp_3001 -q
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 slave...@X.X.X.X
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 slave...@X.X.X.X
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-2.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-3.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-3.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-4.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-4.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-5.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-5.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-6.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-6.stats
0.0 0.0 sshd: SO-user@pts/3
0.0 0.0 tmux -2 -f /usr/share/byobu/profiles/tmuxrc new-session /usr/bin/byobu-shell
0.0 0.0 sh -c /usr/bin/byobu-shell
0.0 0.0 [kworker/0:2]
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 133142901

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 8 days
6.9T .
899G ./2016-12-08
929G ./2016-12-09
928G ./2016-12-10
934G ./2016-12-11
894G ./2016-12-12
896G ./2016-12-13
881G ./2016-12-14
694G ./2016-12-15

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/snortsyslog.log/dailylogs/ - 0 days
444K .
4.0K ./.cache
192K ./.config
80K ./Desktop
88K ./.gconf
8.0K ./.gnome2
32K ./.local

/nsm/bro/logs/ - 15 days
54G .
1.6G ./2016-12-01
4.6G ./2016-12-02
4.6G ./2016-12-03
3.5G ./2016-12-04
3.5G ./2016-12-05
3.6G ./2016-12-06
2.5G ./2016-12-07
2.7G ./2016-12-08
3.4G ./2016-12-09
4.5G ./2016-12-10
3.6G ./2016-12-11
3.6G ./2016-12-12
4.7G ./2016-12-13
3.7G ./2016-12-14
3.2G ./2016-12-15
733M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth1-1: 1481829808.899185 recvd=13463564 dropped=0 link=13463564
SO-server-eth1-2: 1481829841.343716 recvd=16062767 dropped=0 link=16062767
SO-server-eth1-3: 1481829842.057713 recvd=13912280 dropped=0 link=13912280

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-4.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-5.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-6.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 15

Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/3862-eth1.3
Appl. Name : bro-eth1
Tot Packets : 13953716
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 47155

/proc/net/pf_ring/3871-eth1.1
Appl. Name : bro-eth1
Tot Packets : 14012261
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 0

/proc/net/pf_ring/3872-eth1.2
Appl. Name : bro-eth1
Tot Packets : 16125934
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 26783

/proc/net/pf_ring/4572-eth1.6
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3322186
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65484

/proc/net/pf_ring/4596-eth1.5
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3560142
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65522

/proc/net/pf_ring/4617-eth1.4
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 2971594
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65501

/proc/net/pf_ring/4641-eth1.8
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3155265
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65434

/proc/net/pf_ring/4662-eth1.7
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3108307
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65436

/proc/net/pf_ring/4689-eth1.10
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3334264
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65426

/proc/net/pf_ring/4710-eth1.9
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3145979
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65439

/proc/net/pf_ring/4734-eth1.13
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 4090534
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65411

/proc/net/pf_ring/4755-eth1.11
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3017048
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65488

/proc/net/pf_ring/4782-eth1.15
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3450702
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65463

/proc/net/pf_ring/4801-eth1.12
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 3445727
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65421

/proc/net/pf_ring/4833-eth1.14
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 5699423
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65450

=========================================================================
Snorby Events Summary for yesterday
=========================================================================

=========================================================================
Top 50 All Time Snorby Events
=========================================================================

=========================================================================
Last update
=========================================================================
Start-Date: 2016-12-15 18:59:08
Commandline: apt-get install -y mysql-server mysql-server-core-5.5 mysql-server-5.5
Upgrade: mysql-server:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), mysql-server-core-5.5:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), mysql-common:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), mysql-server-5.5:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), mysql-client-5.5:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1)
End-Date: 2016-12-15 18:59:26

Start-Date: 2016-12-15 18:59:34
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.2.0-118-generic:amd64 (3.2.0-118.161, automatic), linux-image-3.2.0-118-generic:amd64 (3.2.0-118.161, automatic), linux-headers-3.2.0-118:amd64 (3.2.0-118.161, automatic)
Upgrade: sbsigntool:amd64 (0.6-0ubuntu4~12.04.1, 0.6-0ubuntu4~12.04.2), libpurple0:amd64 (2.10.3-0ubuntu1.6, 2.10.3-0ubuntu1.7), apt-transport-https:amd64 (0.8.16~exp12ubuntu10.26, 0.8.16~exp12ubuntu10.27), openssh-server:amd64 (5.9p1-5ubuntu1.9, 5.9p1-5ubuntu1.10), libc-bin:amd64 (2.15-0ubuntu10.13, 2.15-0ubuntu10.15), vim-common:amd64 (7.3.429-2ubuntu2.1, 7.3.429-2ubuntu2.2), libpurple-bin:amd64 (2.10.3-0ubuntu1.6, 2.10.3-0ubuntu1.7), bind9-host:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), libidn11:amd64 (1.23-2, 1.23-2ubuntu0.1), libnss3:amd64 (3.21-0ubuntu0.12.04.3, 3.23-0ubuntu0.12.04.1), python3.2-minimal:amd64 (3.2.3-0ubuntu3.7, 3.2.3-0ubuntu3.8), thunderbird-locale-en-us:amd64 (38.8.0+build1-0ubuntu0.12.04.1, 45.5.1+build1-0ubuntu0.12.04.1), libmagickcore4:amd64 (X.X.X.X-5ubuntu3.3, X.X.X.X-5ubuntu3.6), dnsutils:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), chromium-browser:amd64 (37.0.2062.120-0ubuntu0.12.04.2, 37.0.2062.120-0ubuntu0.12.04.3), fonts-opensymbol:amd64 (102.2+LibO3.5.7-0ubuntu10, 102.2+LibO3.5.7-0ubuntu12), libdbus-1-3:amd64 (1.4.18-1ubuntu1.7, 1.4.18-1ubuntu1.8), php5:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), thunderbird:amd64 (38.8.0+build1-0ubuntu0.12.04.1, 45.5.1+build1-0ubuntu0.12.04.1), libpython2.7:amd64 (2.7.3-0ubuntu3.8, 2.7.3-0ubuntu3.9), ghostscript-cups:amd64 (9.05~dfsg-0ubuntu4.3, 9.05~dfsg-0ubuntu4.4), python-imaging:amd64 (1.1.7-4ubuntu0.12.04.1, 1.1.7-4ubuntu0.12.04.2), libmagickwand4:amd64 (X.X.X.X-5ubuntu3.3, X.X.X.X-5ubuntu3.6), linux-generic:amd64 (X.X.X.X.118, X.X.X.X.133), firefox-globalmenu:amd64 (46.0.1+build1-0ubuntu0.12.04.2, 50.1.0+build2-0ubuntu0.12.04.1), php5-sqlite:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), libdns81:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), dosfstools:amd64 (3.0.12-1ubuntu1.2, 3.0.12-1ubuntu1.3), libmagickcore4-extra:amd64 (X.X.X.X-5ubuntu3.3, X.X.X.X-5ubuntu3.6), libgs9-common:amd64 (9.05~dfsg-0ubuntu4.3, 9.05~dfsg-0ubuntu4.4), 
libapache2-mod-php5:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), libavahi-glib1:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), libapt-inst1.4:amd64 (0.8.16~exp12ubuntu10.26, 0.8.16~exp12ubuntu10.27), apport:amd64 (2.0.1-0ubuntu17.13, 2.0.1-0ubuntu17.15), psmisc:amd64 (22.15-2ubuntu1.1, 22.15-2ubuntu1.2), apache2-mpm-prefork:amd64 (2.2.22-1ubuntu1.10, 2.2.22-1ubuntu1.11), pidgin-data:amd64 (2.10.3-0ubuntu1.6, 2.10.3-0ubuntu1.7), python2.7:amd64 (2.7.3-0ubuntu3.8, 2.7.3-0ubuntu3.9), php5-gd:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), python3.2:amd64 (3.2.3-0ubuntu3.7, 3.2.3-0ubuntu3.8), grub-pc:amd64 (1.99-21ubuntu3.19, 1.99-21ubuntu3.20), libarchive12:amd64 (3.0.3-6ubuntu1.2, 3.0.3-6ubuntu1.3), libmysqlclient18:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), libexpat1:amd64 (2.0.1-7.2ubuntu1.3, 2.0.1-7.2ubuntu1.4), avahi-utils:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), libisccc80:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), gstreamer0.10-plugins-good:amd64 (0.10.31-1ubuntu1.2, 0.10.31-1ubuntu1.4), apache2-utils:amd64 (2.2.22-1ubuntu1.10, 2.2.22-1ubuntu1.11), apt-utils:amd64 (0.8.16~exp12ubuntu10.26, 0.8.16~exp12ubuntu10.27), vim-tiny:amd64 (7.3.429-2ubuntu2.1, 7.3.429-2ubuntu2.2), apache2:amd64 (2.2.22-1ubuntu1.10, 2.2.22-1ubuntu1.11), update-manager:amd64 (X.X.X.X, X.X.X.X), update-manager-core:amd64 (X.X.X.X, X.X.X.X), fontconfig:amd64 (2.8.0-3ubuntu9.1, 2.8.0-3ubuntu9.2), libavahi-common-data:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), libavahi-core7:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), libgdk-pixbuf2.0-0:amd64 (2.26.1-1ubuntu1.3, 2.26.1-1ubuntu1.5), dbus:amd64 (1.4.18-1ubuntu1.7, 1.4.18-1ubuntu1.8), apache2.2-common:amd64 (2.2.22-1ubuntu1.10, 2.2.22-1ubuntu1.11), apt:amd64 (0.8.16~exp12ubuntu10.26, 0.8.16~exp12ubuntu10.27), firefox:amd64 (46.0.1+build1-0ubuntu0.12.04.2, 50.1.0+build2-0ubuntu0.12.04.1), imagemagick-common:amd64 (X.X.X.X-5ubuntu3.3, X.X.X.X-5ubuntu3.6), liblwres80:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 
9.8.1.dfsg.P1-4ubuntu0.19), chromium-browser-l10n:amd64 (37.0.2062.120-0ubuntu0.12.04.2, 37.0.2062.120-0ubuntu0.12.04.3), chromium-codecs-ffmpeg:amd64 (37.0.2062.120-0ubuntu0.12.04.2, 37.0.2062.120-0ubuntu0.12.04.3), libcurl3:amd64 (7.22.0-3ubuntu4.15, 7.22.0-3ubuntu4.17), openssh-client:amd64 (5.9p1-5ubuntu1.9, 5.9p1-5ubuntu1.10), multiarch-support:amd64 (2.15-0ubuntu10.13, 2.15-0ubuntu10.15), fontconfig-config:amd64 (2.8.0-3ubuntu9.1, 2.8.0-3ubuntu9.2), mysql-client-core-5.5:amd64 (5.5.49-0ubuntu0.12.04.1, 5.5.53-0ubuntu0.12.04.1), libssl-dev:amd64 (1.0.1-4ubuntu5.36, 1.0.1-4ubuntu5.38), python-problem-report:amd64 (2.0.1-0ubuntu17.13, 2.0.1-0ubuntu17.15), libssl-doc:amd64 (1.0.1-4ubuntu5.36, 1.0.1-4ubuntu5.38), apache2.2-bin:amd64 (2.2.22-1ubuntu1.10, 2.2.22-1ubuntu1.11), libgcrypt11:amd64 (1.5.0-3ubuntu0.5, 1.5.0-3ubuntu0.6), linux-headers-generic:amd64 (X.X.X.X.118, X.X.X.X.133), dpkg:amd64 (1.16.1.2ubuntu7.7, 1.16.1.2ubuntu7.8), libdbd-mysql-perl:amd64 (4.020-1build2, 4.020-1ubuntu0.1), libxml2:amd64 (2.7.8.dfsg-5.1ubuntu4.14, 2.7.8.dfsg-5.1ubuntu4.15), libbind9-80:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), linux-image-generic:amd64 (X.X.X.X.118, X.X.X.X.133), wget:amd64 (1.13.4-2ubuntu1.3, 1.13.4-2ubuntu1.4), curl:amd64 (7.22.0-3ubuntu4.15, 7.22.0-3ubuntu4.17), libapt-pkg4.12:amd64 (0.8.16~exp12ubuntu10.26, 0.8.16~exp12ubuntu10.27), ntp:amd64 (4.2.6.p3+dfsg-1ubuntu3.9, 4.2.6.p3+dfsg-1ubuntu3.11), firefox-locale-en:amd64 (46.0.1+build1-0ubuntu0.12.04.2, 50.1.0+build2-0ubuntu0.12.04.1), isc-dhcp-client:amd64 (4.1.ESV-R4-0ubuntu5.10, 4.1.ESV-R4-0ubuntu5.11), ghostscript-x:amd64 (9.05~dfsg-0ubuntu4.3, 9.05~dfsg-0ubuntu4.4), gstreamer0.10-pulseaudio:amd64 (0.10.31-1ubuntu1.2, 0.10.31-1ubuntu1.4), libnspr4:amd64 (4.10.10-0ubuntu0.12.04.1, 4.12-0ubuntu0.12.04.1), tar:amd64 (1.26-4ubuntu1, 1.26-4ubuntu1.1), libgd2-xpm:amd64 (2.0.36~rc1~dfsg-6ubuntu2, 2.0.36~rc1~dfsg-6ubuntu2.3), grub-pc-bin:amd64 (1.99-21ubuntu3.19, 1.99-21ubuntu3.20), 
libgs9:amd64 (9.05~dfsg-0ubuntu4.3, 9.05~dfsg-0ubuntu4.4), gimp:amd64 (2.6.12-1ubuntu1.3, 2.6.12-1ubuntu1.4), vim:amd64 (7.3.429-2ubuntu2.1, 7.3.429-2ubuntu2.2), libgimp2.0:amd64 (2.6.12-1ubuntu1.3, 2.6.12-1ubuntu1.4), gir1.2-gdkpixbuf-2.0:amd64 (2.26.1-1ubuntu1.3, 2.26.1-1ubuntu1.5), libisccfg82:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 9.8.1.dfsg.P1-4ubuntu0.19), libc-ares2:amd64 (1.7.5-1, 1.7.5-1ubuntu0.1), libc6-dev:amd64 (2.15-0ubuntu10.13, 2.15-0ubuntu10.15), tzdata:amd64 (2016d-0ubuntu0.12.04, 2016j-0ubuntu0.12.04), avahi-daemon:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), ghostscript:amd64 (9.05~dfsg-0ubuntu4.3, 9.05~dfsg-0ubuntu4.4), gpgv:amd64 (1.4.11-3ubuntu2.9, 1.4.11-3ubuntu2.10), vim-runtime:amd64 (7.3.429-2ubuntu2.1, 7.3.429-2ubuntu2.2), libavahi-client3:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), pidgin:amd64 (2.10.3-0ubuntu1.6, 2.10.3-0ubuntu1.7), python2.7-minimal:amd64 (2.7.3-0ubuntu3.8, 2.7.3-0ubuntu3.9), thunderbird-globalmenu:amd64 (38.8.0+build1-0ubuntu0.12.04.1, 45.5.1+build1-0ubuntu0.12.04.1), ntpdate:amd64 (4.2.6.p3+dfsg-1ubuntu3.9, 4.2.6.p3+dfsg-1ubuntu3.11), libpq5:amd64 (9.1.22-0ubuntu0.12.04, 9.1.24-0ubuntu0.12.04), python-apport:amd64 (2.0.1-0ubuntu17.13, 2.0.1-0ubuntu17.15), libfontconfig1:amd64 (2.8.0-3ubuntu9.1, 2.8.0-3ubuntu9.2), imagemagick:amd64 (X.X.X.X-5ubuntu3.3, X.X.X.X-5ubuntu3.6), openssl:amd64 (1.0.1-4ubuntu5.36, 1.0.1-4ubuntu5.38), php5-mysql:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), libcurl3-gnutls:amd64 (7.22.0-3ubuntu4.15, 7.22.0-3ubuntu4.17), linux-libc-dev:amd64 (3.2.0-102.142, 3.2.0-118.161), grub-common:amd64 (1.99-21ubuntu3.19, 1.99-21ubuntu3.20), php5-cli:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), grub2-common:amd64 (1.99-21ubuntu3.19, 1.99-21ubuntu3.20), isc-dhcp-common:amd64 (4.1.ESV-R4-0ubuntu5.10, 4.1.ESV-R4-0ubuntu5.11), dbus-x11:amd64 (1.4.18-1ubuntu1.7, 1.4.18-1ubuntu1.8), libc-dev-bin:amd64 (2.15-0ubuntu10.13, 2.15-0ubuntu10.15), libisc83:amd64 (9.8.1.dfsg.P1-4ubuntu0.16, 
9.8.1.dfsg.P1-4ubuntu0.19), libc6:amd64 (2.15-0ubuntu10.13, 2.15-0ubuntu10.15), gimp-data:amd64 (2.6.12-1ubuntu1.3, 2.6.12-1ubuntu1.4), binutils:amd64 (2.22-6ubuntu1.3, 2.22-6ubuntu1.4), avahi-autoipd:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), apport-gtk:amd64 (2.0.1-0ubuntu17.13, 2.0.1-0ubuntu17.15), libavahi-common3:amd64 (0.6.30-5ubuntu2.1, 0.6.30-5ubuntu2.2), php5-common:amd64 (5.3.10-1ubuntu3.22, 5.3.10-1ubuntu3.25), libnss3-1d:amd64 (3.21-0ubuntu0.12.04.3, 3.23-0ubuntu0.12.04.1), thunderbird-locale-en:amd64 (38.8.0+build1-0ubuntu0.12.04.1, 45.5.1+build1-0ubuntu0.12.04.1), python-libxml2:amd64 (2.7.8.dfsg-5.1ubuntu4.14, 2.7.8.dfsg-5.1ubuntu4.15), libgdk-pixbuf2.0-common:amd64 (2.26.1-1ubuntu1.3, 2.26.1-1ubuntu1.5), libssl1.0.0:amd64 (1.0.1-4ubuntu5.36, 1.0.1-4ubuntu5.38), gnupg:amd64 (1.4.11-3ubuntu2.9, 1.4.11-3ubuntu2.10)
End-Date: 2016-12-15 19:02:20

Wes
Dec 15, 2016, 5:41:45 PM
to security-onion
Chris,

Have you tried checking the mysql log(s) in /var/log/mysql/ for clues?

Thanks,
Wes

Chris Green
Dec 16, 2016, 10:17:42 AM
to security-onion
Hello Wes,

Thanks for the suggestion. After checking the MySQL logs, it would appear that there are two SSH processes running on the MySQL port (3306). I tried rebooting the sensor, and these processes are persistent. Below is the content from the MySQL log, and a portion of netstat to show the current processes using port 3306.

MySQL Error Log:

161215 19:32:03 [ERROR] Can't start server: Bind on TCP/IP port: Address already in use
161215 19:32:03 [ERROR] Do you already have another mysqld server running on port: 3306 ?
161215 19:32:03 [ERROR] Aborting


Netstat:

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3514/ssh
tcp6       0      0 ::1:3306                :::*                    LISTEN      3514/ssh

Wes Lambert
Dec 16, 2016, 11:53:21 AM
to securit...@googlegroups.com

I just noticed this...are you running Security Onion 12.04?


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Wes Lambert
Dec 16, 2016, 11:54:35 AM
to securit...@googlegroups.com

If so, I would recommend upgrading before going any further:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04

Thanks,
Wes



Chris Green
Dec 16, 2016, 12:18:48 PM
to security-onion
Wes,

Yes, I'm still on the older version. Current circumstances won't allow me to go forward with an upgrade yet, but I am anticipating doing that ASAP. Looking for a workaround for this issue in the meantime.

Chris Green
Dec 16, 2016, 2:27:31 PM
to security-onion
Hey Wes,

I found out the culprit. There was a startup script in init that was initiating a connection using that port. Thanks for your suggestions, I appreciate it.
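The two findings in this thread, an ssh process rather than mysqld holding 127.0.0.1:3306 (Chris's MySQL error log and netstat output above) and the init startup script that opened that forward, can be turned into a repeatable check. The POSIX shell script below is an added example written for this page, not code from the thread or from Security Onion: it parses output in the format of `netstat -tlnp` to report which process owns a listening port and whether it is the daemon expected there, and scans a directory of startup scripts for `ssh -L`/`-R` forwards whose listening side is that port. The netstat lines, the two startup scripts, the hostnames and the temporary directory are constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example for this thread (not Security Onion code): find out which
# process really owns a listening port, and which startup script opened an
# ssh forward on it.

# Constructed sample in the format of `netstat -tlnp`, mirroring the symptom
# in the thread: an ssh process, not mysqld, is bound to port 3306.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3514/ssh
tcp6       0      0 ::1:3306                :::*                    LISTEN      3514/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1024/sshd'

# listener_for PORT NETSTAT_OUTPUT
# Prints the unique PID/program entries that are LISTENing on PORT. The local
# address is split on ':' and the last field taken, so an IPv6 address such as
# ::1:3306 is handled the same way as 127.0.0.1:3306.
listener_for() {
    port="$1"
    input="$2"
    printf '%s\n' "$input" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) print $7
        }' | sort -u
}

# check_port_owner PORT EXPECTED_PROGRAM NETSTAT_OUTPUT
# Returns 0 when every listener on PORT is EXPECTED_PROGRAM, 1 when some other
# program (or "-", which netstat shows when run unprivileged) holds it, and 2
# when nothing is listening on the port at all.
check_port_owner() {
    port="$1"
    expected="$2"
    input="$3"
    owners=$(listener_for "$port" "$input")
    if [ -z "$owners" ]; then
        echo "nothing is listening on port $port"
        return 2
    fi
    for owner in $owners; do
        prog=${owner#*/}        # strip the "PID/" prefix to get the program name
        if [ "$prog" != "$expected" ]; then
            echo "port $port is held by $owner, expected $expected"
            return 1
        fi
    done
    echo "port $port is held by $expected as expected"
    return 0
}

# find_ssh_forwards PORT DIR
# Lists files in DIR (for example /etc/init.d) whose ssh command lines carry a
# -L or -R forward with PORT on the listening side, with or without a bind
# address in front of it (-L 3306:..., -L3306:..., -L 127.0.0.1:3306:...).
find_ssh_forwards() {
    port="$1"
    dir="$2"
    grep -lE "ssh[[:space:]].*-[LR][[:space:]]*([^[:space:]:]*:)?${port}:" "$dir"/* 2>/dev/null
}

# make_sample_init_dir
# Builds a temporary directory holding two constructed startup scripts, one
# forwarding the MySQL port and one forwarding an unrelated port, and prints
# its path so the caller can scan it and then remove it.
make_sample_init_dir() {
    tmpd=$(mktemp -d)
    cat > "$tmpd/forward-db" <<'EOF'
#!/bin/sh
# constructed: a tunnel that silently takes over the local MySQL port
ssh -N -f -L 3306:db.internal.example:3306 tunnel@jump.example
EOF
    cat > "$tmpd/forward-web" <<'EOF'
#!/bin/sh
# constructed: forwards a different port, must not be reported for 3306
ssh -N -f -L 8080:web.internal.example:80 tunnel@jump.example
EOF
    printf '%s\n' "$tmpd"
}

# Stand-alone demonstration against the constructed data.
check_port_owner 3306 mysqld "$SAMPLE_NETSTAT" || echo "check failed with status $?"
sample_dir=$(make_sample_init_dir)
echo "startup scripts forwarding port 3306:"
find_ssh_forwards 3306 "$sample_dir"
rm -rf "$sample_dir"
```

On a sensor the calls would be `check_port_owner 3306 mysqld "$(netstat -tlnp)"` (run as root, otherwise the PID/Program column shows `-` and every port is reported as a mismatch) and `find_ssh_forwards 3306 /etc/init.d`, with `/etc/init` added for upstart jobs on Ubuntu 12.04. A mismatch on the database port is the condition worth alerting on: whatever is listening where mysqld should be explains the "Address already in use" error directly, and the script that started it is what has to be corrected rather than the MySQL service.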
