Introduction to Security Onion - so-import-pcap and data exfil


Doug Burks

Feb 4, 2020, 12:43:04 PM
to securit...@googlegroups.com
https://youtu.be/t7E0DPVa5t0

--
Doug Burks
CEO
Security Onion Solutions, LLC

James Smith

Feb 6, 2020, 5:35:29 PM
to security-onion
Doug,

Thanks!  I love the Security Onion distribution.  I work with it daily.  With the ability to import PCAPs like this I have set up a VMware instance of SecOnion as a stand-alone analysis machine.

Question up front:  Is there a way (automated outside of Scapy) to fix broken dates in PCAPs from MTA?


I got the PCAP out and tried to import it with so-import-pcap.

It immediately threw an error that there were problems with the dates... which obviously broke key parts of importing it.

This happened with another pcap as well.

It works flawlessly with samples in the samples folder.  Any advice on this is much appreciated.  Thanks in advance to the community for the help.
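
The question above asks for an automated way, outside of Scapy, to repair broken dates in a PCAP before importing it. The following is an added example and is not code from this thread, from so-import-pcap or from Security Onion: a standard-library-only Python script that walks the record headers of a classic libpcap file (pcapng is deliberately not handled), flags timestamps that are implausible (for instance counting up from the Unix epoch because the capturing box's clock was never set, or running backwards), and shifts every record by a constant offset so the first packet lands on a known capture date while inter-packet spacing is preserved, which is the same operation as Wireshark's `editcap -t`. The sample capture, the 1990 plausibility floor, and the 2020-01-30 base date are constructed or assumed for the demonstration. Because this rewrites evidence, the script hashes the bytes before and after: keep the original file and record both digests.

```python
"""Sanity-check and rebase timestamps in a classic libpcap file (added example,
standard library only). Assumes classic pcap magic 0xA1B2C3D4 / 0xA1B23C4D; pcapng
files are rejected rather than silently mis-parsed."""
import hashlib
import struct
import time

PCAP_MAGIC_US = 0xA1B2C3D4  # microsecond fractional timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # nanosecond fractional timestamps
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
MIN_SANE_TS = 631152000  # 1990-01-01T00:00:00Z; assumed floor for a "real" capture clock


def sha256_hex(data: bytes) -> str:
    """Digest of the file bytes; record it before and after any rewrite."""
    return hashlib.sha256(data).hexdigest()


def _byte_order(data: bytes) -> str:
    """Return the struct prefix ('<' or '>') under which the magic number decodes."""
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return prefix
    raise ValueError("not a classic libpcap file (pcapng is not handled here)")


def read_records(data: bytes):
    """Walk record headers; return (prefix, [(offset, ts_sec, ts_frac, incl_len), ...])."""
    prefix = _byte_order(data)
    recs, off = [], GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            prefix + "IIII", data[off:off + REC_HDR_LEN])
        if off + REC_HDR_LEN + incl_len > len(data):
            raise ValueError(f"truncated record at offset {off}")
        recs.append((off, ts_sec, ts_frac, incl_len))
        off += REC_HDR_LEN + incl_len
    return prefix, recs


def find_bad_timestamps(data: bytes, min_ts=MIN_SANE_TS, max_ts=None):
    """Report (index, ts_sec, reason) for records that are implausible or go backwards."""
    if max_ts is None:
        max_ts = int(time.time()) + 86400  # tolerate a day of clock skew
    _, recs = read_records(data)
    problems, prev = [], None
    for idx, (_, ts_sec, _, _) in enumerate(recs):
        if ts_sec < min_ts:
            problems.append((idx, ts_sec, f"before {min_ts}"))
        elif ts_sec > max_ts:
            problems.append((idx, ts_sec, "in the future"))
        elif prev is not None and ts_sec < prev:
            problems.append((idx, ts_sec, "earlier than previous record"))
        prev = ts_sec
    return problems


def shift_timestamps(data: bytes, delta_seconds: int) -> bytes:
    """Add a constant offset to every record's ts_sec; spacing is preserved (like editcap -t)."""
    prefix, recs = read_records(data)
    out = bytearray(data)
    for off, ts_sec, _, _ in recs:
        new_ts = ts_sec + delta_seconds
        if not 0 <= new_ts <= 0xFFFFFFFF:
            raise ValueError(f"shift would overflow ts_sec at offset {off}")
        struct.pack_into(prefix + "I", out, off, new_ts)
    return bytes(out)


def rebase_first_packet(data: bytes, first_ts: int) -> bytes:
    """Shift the capture so its first record lands on first_ts (the known capture date)."""
    _, recs = read_records(data)
    if not recs:
        return data
    return shift_timestamps(data, first_ts - recs[0][1])


def build_sample_pcap(ts_secs, payload=b"\x00" * 14) -> bytes:
    """Constructed input: little-endian microsecond pcap, one dummy Ethernet frame per timestamp."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
                    for ts in ts_secs)
    return hdr + body


if __name__ == "__main__":
    # A capture whose clock was never set: timestamps count up from the Unix epoch.
    broken = build_sample_pcap([0, 1, 2])
    print("original sha256:", sha256_hex(broken))
    for idx, ts, why in find_bad_timestamps(broken):
        print(f"record {idx}: ts_sec={ts} {why}")
    fixed = rebase_first_packet(broken, 1580342400)  # 2020-01-30T00:00:00Z, assumed capture date
    print("rewritten sha256:", sha256_hex(fixed),
          "bad records left:", len(find_bad_timestamps(fixed, max_ts=1600000000)))
```

On a real file, read it with `open(path, "rb").read()`, write the result to a new filename, and confirm the result with `capinfos` before importing; the constant shift only helps when the whole capture is off by one offset, so if `find_bad_timestamps` reports a mix of sane and insane records the capture needs per-record attention rather than a rebase.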

Doug Burks

Feb 7, 2020, 5:58:20 AM
to securit...@googlegroups.com
Hi James,

I just ran so-import-pcap against 2020-01-30-traffic-analysis-exercise.pcap and it appears to be working for me.  Are you using the latest ISO image (16.04.6.3)?

[three screenshots attached]


James Smith

Feb 7, 2020, 8:43:42 AM
to securit...@googlegroups.com
Doug,

Thanks for the quick reply. It is 16.04.6.3 and I ran sudo soup to be sure. I’m traveling currently and can’t check the hash on that PCAP; would you mind sharing yours with me so I can compare? I have downloaded twice but maybe I’m mangling it some other way.

I also remember another PCAP (maybe the December one) doing something similar. I really appreciate the help and quick response. Thanks for everything you do.

Best Regards,

James


Doug Burks

Feb 7, 2020, 10:48:11 AM
to securit...@googlegroups.com
Here's what I get:

sha256sum *
51c84227023072a05ed3b4cae03662c7df80780551b6119c8af97301472642d4  2020-01-30-traffic-analysis-exercise.pcap
6aa8f7339f382c5e0b6812a06f4ff985c7775762634b304f223193d994ee4add  2020-01-30-traffic-analysis-exercise.pcap.zip

If you haven't already, you might try downloading the file from within your Security Onion VM itself to try to avoid any host AV interference.  You might also try downloading via a different Internet connection.

James Smith

Feb 7, 2020, 2:16:52 PM
to securit...@googlegroups.com
Thanks, Doug. I will try both of those and report back.

Cheers,

James
 


James Smith

Feb 7, 2020, 8:02:30 PM
to security-onion
Doug,

The SHA256 for the PCAP matched.  It still breaks.  Perhaps a sudo soup broke it somehow?

Screenshot for clarity. Note the cascade effect of the date somehow getting broken.
[screenshot attached: Broken_date.png]

Any help would be greatly appreciated. Please let me know if there is anything else I can pull for you from the system.

Cheers,

James

James Smith

Feb 7, 2020, 8:37:34 PM
to security-onion
sostat-redacted:

=========================================================================
Service Status
=========================================================================
Status: securityonion
  * SO-user server[  OK  ]
Status: onionstation-import
  * pcap_agent (SO-user)[  OK  ]
  * snort_agent-1 (SO-user)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
Status: Elastic stack
  * so-elasticsearch[  OK  ]
  * so-logstash[  OK  ]
  * so-kibana[  OK  ]
  * so-freqserver[  OK  ]
  * so-domainstats[  OK  ]


=========================================================================
Interface Status
=========================================================================
br-debdf0de1aee Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:196 (196.0 B)  TX bytes:3066 (3.0 KB)

docker0   Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:800 errors:0 dropped:0 overruns:0 frame:0
          TX packets:911 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:67474 (67.4 KB)  TX bytes:595897 (595.8 KB)

ens33     Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9822956 (9.8 MB)  TX bytes:384708 (384.7 KB)

ens34     Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3030 (3.0 KB)  TX bytes:70 (70.0 B)

lo        Link encap:Local Loopback  
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5299 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5299 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1391422 (1.3 MB)  TX bytes:1391422 (1.3 MB)


so-logstash
-------------------------------------------------------------------------
(eth0)
veth53327f3 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:34442 (34.4 KB)  TX bytes:16445 (16.4 KB)

(eth1)
veth1df96b2 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:504 errors:0 dropped:0 overruns:0 frame:0
          TX packets:352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:281466 (281.4 KB)  TX bytes:81448 (81.4 KB)


so-elasticsearch
-------------------------------------------------------------------------
(eth0)
vethcf83f0c Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:291 errors:0 dropped:0 overruns:0 frame:0
          TX packets:370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:27434 (27.4 KB)  TX bytes:140446 (140.4 KB)

(eth1)
vethfd446a8 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16526 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1498877 (1.4 MB)  TX bytes:2115829 (2.1 MB)


so-kibana
-------------------------------------------------------------------------
(eth0)
veth5302cb8 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1008 (1.0 KB)  TX bytes:4880 (4.8 KB)

(eth1)
veth825284e Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1952323 (1.9 MB)  TX bytes:1530987 (1.5 MB)


so-domainstats
-------------------------------------------------------------------------
(eth0)
veth7ba6b8a Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:4166 (4.1 KB)

(eth1)
veth0a736fd Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:4260 (4.2 KB)


so-freqserver
-------------------------------------------------------------------------
(eth0)
veth9efbc91 Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:5538 (5.5 KB)

(eth1)
vethba8812c Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM  
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:4776 (4.7 KB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast   
    1391681    5301     0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    1391681    5301     0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0       
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast   
    9822956    9185     0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    384708     5042     0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       16      
3: ens34: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast   
    3090       29       0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    70         1        0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast   
    67474      800      0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    595897     911      0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
5: br-debdf0de1aee: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes  packets  errors  dropped overrun mcast   
    196        7        0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    3066       33       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       4       
7: veth9efbc91@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    5538       69       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
9: vethba8812c@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-debdf0de1aee state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    4776       60       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
11: veth7ba6b8a@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    4166       51       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
13: veth0a736fd@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-debdf0de1aee state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    4260       54       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
19: veth5302cb8@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes  packets  errors  dropped overrun mcast   
    1008       14       0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    4880       60       0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
21: veth825284e@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-debdf0de1aee state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
    RX: bytes  packets  errors  dropped overrun mcast   
    1954023    16938    0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    1532273    10697    0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
35: vethcf83f0c@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes  packets  errors  dropped overrun mcast   
    27434      291      0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    140446     370      0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
37: vethfd446a8@if36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-debdf0de1aee state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
    RX: bytes  packets  errors  dropped overrun mcast   
    1500872    10365    0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    2118445    16548    0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
39: veth53327f3@if38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast   
    34442      268      0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    16445      293      0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       
41: veth1df96b2@if40: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-debdf0de1aee state UP mode DEFAULT group default 
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 5
    RX: bytes  packets  errors  dropped overrun mcast   
    282623     506      0       0       0       0       
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    81817      353      0       0       0       0       
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       2       

=========================================================================
Disk Usage
=========================================================================
Filesystem                          Size  Used Avail Use% Mounted on
udev                                3.9G     0  3.9G   0% /dev
tmpfs                               796M  9.8M  786M   2% /run
/dev/mapper/securityonion--vg-root   38G  7.8G   28G  22% /
tmpfs                               3.9G  612K  3.9G   1% /dev/shm
tmpfs                               5.0M  4.0K  5.0M   1% /run/lock
tmpfs                               3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sda1                           720M  137M  547M  20% /boot
overlay                              38G  7.8G   28G  22% /var/lib/docker/overlay2/5fa32dfcf8613bd0ac210f1e68ec0bdeeb49a1a790051015d1bbc57ded51ef3e/merged
tmpfs                               796M   16K  796M   1% /run/user/1000
overlay                              38G  7.8G   28G  22% /var/lib/docker/overlay2/deb94697cdc38d61ad67d5756867f91f33108d9eb9dd4576b07887604cb5a0dc/merged
overlay                              38G  7.8G   28G  22% /var/lib/docker/overlay2/8b6559062e034a6ae4c3372bbae41a8da0f5e19af258ae53e8ccfc72cb93388a/merged
overlay                              38G  7.8G   28G  22% /var/lib/docker/overlay2/271775d0608e60fc721c8d2554f2f97c8be9e2700d9065ebed8e2ee5247327bd/merged
overlay                              38G  7.8G   28G  22% /var/lib/docker/overlay2/4292b662bd4be3d30f9399c718880de1fc0d417b4bc4670cf9b3700e3dd845bc/merged

=========================================================================
Network Sockets
=========================================================================
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
syslog-ng  1100     root    7u  IPv4   24059      0t0  TCP *:514 (LISTEN)
syslog-ng  1100     root    8u  IPv4   24060      0t0  UDP *:514 
dhclient   1462     root    6u  IPv4   24271      0t0  UDP *:68 
ossec-aut  1510     root    3u  IPv4   28674      0t0  TCP *:1515 (LISTEN)
ossec-rem  1641   ossecr    4u  IPv4   27700      0t0  UDP *:1514 
sshd       1694     root    3u  IPv4   33828      0t0  TCP *:ssh_port (LISTEN)
sshd       1694     root    4u  IPv6   33830      0t0  TCP *:ssh_port (LISTEN)
mysqld     1817    mysql   29u  IPv4   28324      0t0  TCP X.X.X.X:3306 (LISTEN)
apache2    2109     root    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
apache2    2126 www-data    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
apache2    2127 www-data    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
apache2    2128 www-data    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
apache2    2130 www-data    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
apache2    2131 www-data    4u  IPv6   30373      0t0  TCP *:443 (LISTEN)
ntpd       3093      ntp   16u  IPv6   33171      0t0  UDP *:123 
ntpd       3093      ntp   17u  IPv4   33174      0t0  UDP *:123 
ntpd       3093      ntp   18u  IPv4   33179      0t0  UDP X.X.X.X:123 
ntpd       3093      ntp   19u  IPv4 1007379      0t0  UDP X.X.X.X:123 
ntpd       3093      ntp   20u  IPv6   33183      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   21u  IPv6 1007384      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   23u  IPv6  703977      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   24u  IPv6  704064      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   25u  IPv4   40618      0t0  UDP X.X.X.X:123 
ntpd       3093      ntp   26u  IPv4   40620      0t0  UDP X.X.X.X:123 
ntpd       3093      ntp   27u  IPv6   40624      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   28u  IPv6   40626      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   29u  IPv6   40628      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   30u  IPv6   40630      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   31u  IPv6   40632      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   32u  IPv6   41928      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   33u  IPv6  739835      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   34u  IPv6  739837      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   35u  IPv6   83048      0t0  UDP [X.X.X.X]:123 
ntpd       3093      ntp   36u  IPv6   83050      0t0  UDP [X.X.X.X]:123 
docker-pr  5425     root    4u  IPv4   51863      0t0  TCP X.X.X.X:5601 (LISTEN)
tclsh     15837    SO-user    3u  IPv4  596613      0t0  TCP X.X.X.X:40783->X.X.X.X:7736 (ESTABLISHED)
tclsh     15886    SO-user    3u  IPv4  600248      0t0  TCP X.X.X.X:40289->X.X.X.X:7736 (ESTABLISHED)
tclsh     15886    SO-user    4u  IPv4  596264      0t0  TCP X.X.X.X:7901 (LISTEN)
tclsh     15886    SO-user    5u  IPv4  603219      0t0  TCP X.X.X.X:7901->X.X.X.X:43138 (ESTABLISHED)
barnyard2 15948    SO-user    3u  IPv4  595895      0t0  TCP X.X.X.X:43138->X.X.X.X:7901 (ESTABLISHED)
tclsh     16093    SO-user   13u  IPv4  591755      0t0  TCP *:7734 (LISTEN)
tclsh     16093    SO-user   14u  IPv6  591756      0t0  TCP *:7734 (LISTEN)
tclsh     16093    SO-user   15u  IPv4  591759      0t0  TCP *:7736 (LISTEN)
tclsh     16093    SO-user   16u  IPv6  591760      0t0  TCP *:7736 (LISTEN)
tclsh     16093    SO-user   17u  IPv4  600249      0t0  TCP X.X.X.X:7736->X.X.X.X:40783 (ESTABLISHED)
tclsh     16093    SO-user   18u  IPv4  600250      0t0  TCP X.X.X.X:7736->X.X.X.X:40289 (ESTABLISHED)
docker-pr 18239     root    4u  IPv4  603622      0t0  TCP X.X.X.X:9300 (LISTEN)
docker-pr 18272     root    4u  IPv4  604862      0t0  TCP X.X.X.X:9200 (LISTEN)
docker-pr 19050     root    4u  IPv6  683896      0t0  TCP *:9600 (LISTEN)
docker-pr 19098     root    4u  IPv6  732100      0t0  TCP *:6053 (LISTEN)
docker-pr 19121     root    4u  IPv6  738945      0t0  TCP *:6052 (LISTEN)
docker-pr 19135     root    4u  IPv6  704411      0t0  TCP *:6051 (LISTEN)
docker-pr 19148     root    4u  IPv6  738971      0t0  TCP *:6050 (LISTEN)
docker-pr 19162     root    4u  IPv6  683928      0t0  TCP *:5044 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.15 0.49 0.32
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 01:34:41 up  1:32,  1 user,  load average: 1.15, 0.49, 0.32
Tasks: 277 total,   1 running, 189 sleeping,   0 stopped,   0 zombie
%Cpu(s):  9.6 us,  2.6 sy,  0.0 ni, 86.6 id,  0.8 wa,  0.0 hi,  0.4 si,  0.0 st
KiB Mem :  8144716 total,   564316 free,  2662340 used,  4918060 buff/cache
KiB Swap:  1003516 total,   900092 free,   103424 used.  4816824 avail Mem 

%CPU %MEM COMMAND
25.9  6.5 /bin/java -Xms200m -Xmx200m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -Djruby.regexp.interruptible=true -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -Xss16M -Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ -cp /usr/share/logstash/logstash-core/lib/jars/animal-sniffer-annotations-1.14.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.11.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.0.18.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/gradle-license-report-0.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-22.0.jar:/usr/share/logstash/logstash-core/lib/jars/j2objc-annotations-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.9.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.9.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.9.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/javassist-3.22.0-GA.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-1.3.9.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar org.logstash.Logstash
 4.5  0.0 /var/ossec/bin/ossec-syscheckd
 2.5 11.4 /opt/jdk-13.0.1+9/bin/java -Xms400m -Xmx400m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch-25182655403972704 -XX:+HeapDumpOnOutOfMemoryError -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Djava.locale.providers=COMPAT -Des.cgroups.hierarchy.override=/ -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=oss -Des.distribution.type=docker -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -Ebootstrap.memory_lock=true -Etransport.host=X.X.X.X -Ehttp.host=X.X.X.X
 0.5  1.4 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --kibana.defaultAppId=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
 0.4  0.1 barnyard2 -c /etc/nsm/onionstation-import/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/onionstation-import/snort-1 -f snort.unified2 -w /etc/nsm/onionstation-import/barnyard2.waldo-1 -i onionstation-import-1 -U
 0.3  0.0 [kswapd0]
 0.3  0.0 /var/ossec/bin/ossec-remoted
 0.3  1.0 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
 0.3  1.6 /usr/bin/gnome-shell
 0.2  0.1 /usr/bin/vmtoolsd
 0.2  0.6 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 0.2  0.1 /usr/bin/pulseaudio --start --log-target=syslog
 0.2  3.1 /usr/bin/python /opt/domain_stats/domain_stats.py -ip X.X.X.X 20000 -a /opt/domain_stats/top-1m.csv --preload 0
 0.2  0.3 /usr/bin/vmtoolsd -n vmusr --blockFd 3
 0.2  0.0 /bin/bash /usr/sbin/sostat
 0.1  0.0 /var/ossec/bin/wazuh-db
 0.1  0.1 /var/ossec/bin/ossec-analysisd
 0.1  0.0 /var/ossec/bin/ossec-logcollector
 0.1  0.1 /usr/bin/python /opt/freq_server/freq/freq_server.py -s 0 -ip X.X.X.X 10004 /opt/freq_server/freq/freqtable2018.freq
 0.1  0.7 nautilus -n
 0.1  0.0 [kworker/0:1]
 0.1  0.0 [kworker/3:2]
 0.0  0.0 /sbin/init splash
 0.0  0.0 [kthreadd]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [mm_percpu_wq]
 0.0  0.0 [ksoftirqd/0]
 0.0  0.0 [rcu_sched]
 0.0  0.0 [rcu_bh]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [cpuhp/0]
 0.0  0.0 [cpuhp/1]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [ksoftirqd/1]
 0.0  0.0 [kworker/1:0H]
 0.0  0.0 [cpuhp/2]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [ksoftirqd/2]
 0.0  0.0 [kworker/2:0H]
 0.0  0.0 [cpuhp/3]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [ksoftirqd/3]
 0.0  0.0 [kworker/3:0H]
 0.0  0.0 [kdevtmpfs]
 0.0  0.0 [netns]
 0.0  0.0 [rcu_tasks_kthre]
 0.0  0.0 [kauditd]
 0.0  0.0 [khungtaskd]
 0.0  0.0 [oom_reaper]
 0.0  0.0 [writeback]
 0.0  0.0 [kcompactd0]
 0.0  0.0 [ksmd]
 0.0  0.0 [khugepaged]
 0.0  0.0 [crypto]
 0.0  0.0 [kintegrityd]
 0.0  0.0 [kblockd]
 0.0  0.0 [ata_sff]
 0.0  0.0 [md]
 0.0  0.0 [edac-poller]
 0.0  0.0 [devfreq_wq]
 0.0  0.0 [watchdogd]
 0.0  0.0 [kworker/u257:0]
 0.0  0.0 [ecryptfs-kthrea]
 0.0  0.0 [kthrotld]
 0.0  0.0 [acpi_thermal_pm]
 0.0  0.0 [scsi_eh_0]
 0.0  0.0 [scsi_tmf_0]
 0.0  0.0 [scsi_eh_1]
 0.0  0.0 [scsi_tmf_1]
 0.0  0.0 [ipv6_addrconf]
 0.0  0.0 [kstrp]
 0.0  0.0 [charger_manager]
 0.0  0.0 [mpt_poll_0]
 0.0  0.0 [mpt/0]
 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [scsi_tmf_2]
 0.0  0.0 [scsi_eh_3]
 0.0  0.0 [scsi_tmf_3]
 0.0  0.0 [scsi_eh_4]
 0.0  0.0 [scsi_tmf_4]
 0.0  0.0 [scsi_eh_5]
 0.0  0.0 [scsi_tmf_5]
 0.0  0.0 [scsi_eh_6]
 0.0  0.0 [scsi_tmf_6]
 0.0  0.0 [scsi_eh_7]
 0.0  0.0 [scsi_tmf_7]
 0.0  0.0 [scsi_eh_8]
 0.0  0.0 [scsi_tmf_8]
 0.0  0.0 [scsi_eh_9]
 0.0  0.0 [scsi_tmf_9]
 0.0  0.0 [scsi_eh_10]
 0.0  0.0 [scsi_tmf_10]
 0.0  0.0 [scsi_eh_11]
 0.0  0.0 [scsi_tmf_11]
 0.0  0.0 [scsi_eh_12]
 0.0  0.0 [scsi_tmf_12]
 0.0  0.0 [scsi_eh_13]
 0.0  0.0 [scsi_tmf_13]
 0.0  0.0 [scsi_eh_14]
 0.0  0.0 [scsi_tmf_14]
 0.0  0.0 [scsi_eh_15]
 0.0  0.0 [scsi_tmf_15]
 0.0  0.0 [scsi_eh_16]
 0.0  0.0 [scsi_tmf_16]
 0.0  0.0 [scsi_eh_17]
 0.0  0.0 [scsi_tmf_17]
 0.0  0.0 [scsi_eh_18]
 0.0  0.0 [scsi_tmf_18]
 0.0  0.0 [scsi_eh_19]
 0.0  0.0 [scsi_tmf_19]
 0.0  0.0 [scsi_eh_20]
 0.0  0.0 [scsi_tmf_20]
 0.0  0.0 [scsi_eh_21]
 0.0  0.0 [scsi_tmf_21]
 0.0  0.0 [scsi_eh_22]
 0.0  0.0 [scsi_tmf_22]
 0.0  0.0 [scsi_eh_23]
 0.0  0.0 [scsi_tmf_23]
 0.0  0.0 [scsi_eh_24]
 0.0  0.0 [scsi_tmf_24]
 0.0  0.0 [scsi_eh_25]
 0.0  0.0 [scsi_tmf_25]
 0.0  0.0 [scsi_eh_26]
 0.0  0.0 [scsi_tmf_26]
 0.0  0.0 [scsi_eh_27]
 0.0  0.0 [scsi_tmf_27]
 0.0  0.0 [scsi_eh_28]
 0.0  0.0 [scsi_tmf_28]
 0.0  0.0 [scsi_eh_29]
 0.0  0.0 [scsi_tmf_29]
 0.0  0.0 [scsi_eh_30]
 0.0  0.0 [scsi_tmf_30]
 0.0  0.0 [scsi_eh_31]
 0.0  0.0 [scsi_tmf_31]
 0.0  0.0 [scsi_eh_32]
 0.0  0.0 [scsi_tmf_32]
 0.0  0.0 [ttm_swap]
 0.0  0.0 [irq/16-vmwgfx]
 0.0  0.0 [kworker/2:1H]
 0.0  0.0 [kworker/1:1H]
 0.0  0.0 [kworker/0:1H]
 0.0  0.0 [raid5wq]
 0.0  0.0 [kdmflush]
 0.0  0.0 [bioset]
 0.0  0.0 [kworker/3:1H]
 0.0  0.0 [jbd2/dm-0-8]
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 /lib/systemd/systemd-journald
 0.0  0.0 [iscsi_eh]
 0.0  0.0 [ib-comp-wq]
 0.0  0.0 [ib-comp-unb-wq]
 0.0  0.0 [ib_mcast]
 0.0  0.0 [ib_nl_sa_wq]
 0.0  0.0 [rdma_cm]
 0.0  0.0 /sbin/lvmetad -f
 0.0  0.0 vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid
 0.0  0.0 /lib/systemd/systemd-udevd
 0.0  0.0 [kdmflush]
 0.0  0.0 [bioset]
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/sbin/acpid
 0.0  0.0 /usr/sbin/syslog-ng -F
 0.0  0.0 /usr/sbin/cron -f
 0.0  0.0 /usr/sbin/atd -f
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.1 /usr/bin/VGAuthService
 0.0  0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 0.0  0.1 /usr/sbin/NetworkManager --no-daemon
 0.0  0.0 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
 0.0  0.1 /usr/lib/policykit-1/polkitd --no-debug
 0.0  0.0 /sbin/dhclient -1 -v -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33
 0.0  0.0 /var/ossec/bin/ossec-authd
 0.0  0.0 /var/ossec/bin/ossec-execd
 0.0  0.1 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
 0.0  0.0 /usr/sbin/sshd -D
 0.0  0.3 /usr/bin/containerd
 0.0  0.0 /var/ossec/bin/ossec-monitord
 0.0  0.0 /var/ossec/bin/wazuh-modulesd
 0.0  0.0 /sbin/iscsid
 0.0  0.0 /sbin/iscsid
 0.0  2.1 /usr/sbin/mysqld
 0.0  0.0 /usr/sbin/lightdm
 0.0  0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
 0.0  0.0 /sbin/agetty --noclear tty1 linux
 0.0  0.3 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.1 /usr/sbin/apache2 -k start
 0.0  0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
 0.0  0.0 lightdm --session-child 12 21
 0.0  0.0 /lib/systemd/systemd --user
 0.0  0.0 (sd-pam)
 0.0  0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/4ac9b64e4eeaf6ded399446f3db6ba7a87e7c73d1f0cec6e29c8a8e81c41209a -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /bin/sh /usr/bin/gnome-session-classic
 0.0  0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
 0.0  0.0 /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
 0.0  0.0 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
 0.0  0.0 /usr/bin/ibus-daemon --daemonize --xim --address unix:tmpdir=/tmp/ibus
 0.0  0.1 /usr/lib/gnome-session/gnome-session-binary --session gnome-classic
 0.0  0.0 /usr/lib/gvfs/gvfsd
 0.0  0.0 /usr/lib/ibus/ibus-dconf
 0.0  0.3 /usr/lib/ibus/ibus-ui-gtk3
 0.0  0.2 /usr/lib/ibus/ibus-x11 --kill-daemon
 0.0  0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
 0.0  0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
 0.0  0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
 0.0  0.5 /usr/bin/gnome-screensaver --no-daemon
 0.0  0.0 /usr/lib/ibus/ibus-engine-simple
 0.0  0.4 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
 0.0  0.0 /usr/lib/rtkit/rtkit-daemon
 0.0  0.1 /usr/lib/upower/upowerd
 0.0  0.1 /usr/lib/colord/colord
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/99fb6ca903c5fc843bd1c6547aa7a2474c2b87933982dd7dbb38b067d0e2972b -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.1 /usr/lib/gnome-shell/gnome-shell-calendar-server
 0.0  0.2 /usr/lib/evolution/evolution-source-registry
 0.0  0.1 /usr/lib/telepathy/mission-control-5
 0.0  0.1 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
 0.0  0.1 /usr/lib/udisks2/udisksd --no-debug
 0.0  0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
 0.0  0.0 /usr/lib/gvfs/gvfs-goa-volume-monitor
 0.0  0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
 0.0  0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.1 /org/gtk/gvfs/exec_spaw/0
 0.0  0.6 /usr/lib/evolution/evolution-calendar-factory
 0.0  0.5 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory contacts --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx4479x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/4479/2
 0.0  0.1 /usr/lib/evolution/evolution-addressbook-factory
 0.0  0.5 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx4479x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/4479/3
 0.0  0.1 /usr/lib/evolution/evolution-addressbook-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx4626x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/4626/2
 0.0  0.0 /usr/lib/gvfs/gvfsd-metadata
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5601 -container-ip X.X.X.X -container-port 5601
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/cd82356f4ba4ab6b73084364eac8d7bb6bf8a7a8333092a27cd3e22f5042e003 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /usr/lib/gvfs/gvfsd-network --spawner :1.1 /org/gtk/gvfs/exec_spaw/1
 0.0  0.0 /usr/lib/gvfs/gvfsd-dnssd --spawner :1.1 /org/gtk/gvfs/exec_spaw/4
 0.0  0.0 /usr/lib/dconf/dconf-service
 0.0  0.0 /lib/systemd/systemd-networkd
 0.0  0.4 /usr/lib/gnome-terminal/gnome-terminal-server
 0.0  0.0 bash
 0.0  0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/onionstation-import/pcap_agent.conf
 0.0  0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/onionstation-import/pcap_agent.conf
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/onionstation-import/snort_agent-1.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/onionstation-import/snort_agent-1.conf
 0.0  0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9300 -container-ip X.X.X.X -container-port 9300
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9200 -container-ip X.X.X.X -container-port 9200
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/993c5d41f8b9e4473b1e18d266d500a5399135c930059dc71b4189e8433d7119 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9600 -container-ip X.X.X.X -container-port 9600
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6053 -container-ip X.X.X.X -container-port 6053
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6052 -container-ip X.X.X.X -container-port 6052
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6051 -container-ip X.X.X.X -container-port 6051
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6050 -container-ip X.X.X.X -container-port 6050
 0.0  0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5044 -container-ip X.X.X.X -container-port 5044
 0.0  0.0 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/2b182282ddefeb655f0a0d7ac0bf1caf4cbd8599faac2f0f9d439ffa216905e8 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 0.0  0.0 [kworker/3:0]
 0.0  0.0 [kworker/1:0]
 0.0  0.0 [kworker/0:2]
 0.0  0.0 [kworker/2:1]
 0.0  0.0 [kworker/1:2]
 0.0  0.0 [kworker/2:0]
 0.0  0.0 [kworker/u256:0]
 0.0  0.0 [kworker/u256:1]
 0.0  0.0 [kworker/u256:2]
 0.0  0.0 sudo sostat-redacted
 0.0  0.0 /bin/bash /usr/sbin/sostat-redacted
 0.0  0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

ens34: 25

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

ens34:

RX packets:29 dropped:0 TX packets:1 dropped:0

-------------------------------------------------------------------------

pf_ring:
-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

ERROR: No stats found in /nsm/sensor_data/onionstation-ens34/snort-1.stats
-------------------------------------------------------------------------

Zeek:

Average packet loss as percent across all Zeek workers: No packets seen.

       zeek: <error: no running instances of Zeek>

No capture loss reported.

-------------------------------------------------------------------------

Netsniff-NG:

0 Loss

=========================================================================
PF_RING
=========================================================================
PF_RING Version          : 6.6.0 (unknown)
Total rings              : 0

Standard (non ZC) Options
Ring slots               : 4096
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/onionstation-ens33/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/onionstation-ens34/dailylogs/ - 2 days
28K .
16K ./2020-02-05
8.0K ./2020-02-06

/nsm/sensor_data/onionstation-import/dailylogs/ - 2 days
16K .
4.0K ./2020-02-06
8.0K ./n

/nsm/zeek/logs/ - 2 days
156K .
84K ./2020-02-05
48K ./2020-02-06
20K ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1020

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Total
0

=========================================================================
Last update
=========================================================================
Requested-By: SO-user (1000)
Install: linux-headers-4.15.0-76-generic:amd64 (4.15.0-76.86~16.04.1, automatic), linux-modules-extra-4.15.0-76-generic:amd64 (4.15.0-76.86~16.04.1, automatic), linux-modules-4.15.0-76-generic:amd64 (4.15.0-76.86~16.04.1, automatic), linux-headers-4.15.0-76:amd64 (4.15.0-76.86~16.04.1, automatic), linux-image-4.15.0-76-generic:amd64 (4.15.0-76.86~16.04.1, automatic)
Upgrade: securityonion-onionsalt:amd64 (20140917-0ubuntu0securityonion27, 20140917-0ubuntu0securityonion28), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion208, 20120724-0ubuntu0securityonion225), libcomerr2:amd64 (1.42.13-1ubuntu1.1, 1.42.13-1ubuntu1.2), dbus-x11:amd64 (1.10.6-1ubuntu3.4, 1.10.6-1ubuntu3.5), intel-microcode:amd64 (3.20191115.1ubuntu0.16.04.1, 3.20191115.1ubuntu0.16.04.2), libdbus-1-3:amd64 (1.10.6-1ubuntu3.4, 1.10.6-1ubuntu3.5), uuid-runtime:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), libfdisk1:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), securityonion-setup:amd64 (20120912-0ubuntu0securityonion316, 20120912-0ubuntu0securityonion325), python-samba:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), libsasl2-modules-db:amd64 (2.1.26.dfsg1-14ubuntu0.1, 2.1.26.dfsg1-14ubuntu0.2), linux-libc-dev:amd64 (4.4.0-169.198, 4.4.0-173.203), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion103, 20141015-0ubuntu0securityonion105), php7.0-cli:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), libnss3-nssdb:amd64 (2:3.28.4-0ubuntu0.16.04.6, 2:3.28.4-0ubuntu0.16.04.10), libgnutls-openssl27:amd64 (3.4.10-4ubuntu1.5, 3.4.10-4ubuntu1.7), libwbclient0:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), git-man:amd64 (1:2.7.4-0ubuntu1.6, 1:2.7.4-0ubuntu1.7), libsystemd0:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), php7.0-gd:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), linux-image-generic-hwe-16.04:amd64 (X.X.X.X.90, X.X.X.X.96), dbus:amd64 (1.10.6-1ubuntu3.4, 1.10.6-1ubuntu3.5), securityonion-bro-scripts:amd64 (20121004-0ubuntu0securityonion73, 20121004-0ubuntu0securityonion100), libmount1:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), tcpdump:amd64 (4.9.2-0ubuntu0.16.04.1, 4.9.3-0ubuntu0.16.04.1), libsqlite3-0:amd64 (3.11.0-1ubuntu1.2, 3.11.0-1ubuntu1.3), mysql-client:amd64 (5.7.28-0ubuntu0.16.04.2, 5.7.29-0ubuntu0.16.04.1), python3-aptdaemon.gtk3widgets:amd64 
(1.1.1+bzr982-0ubuntu14.1, 1.1.1+bzr982-0ubuntu14.2), libbsd0:amd64 (0.8.2-1, 0.8.2-1ubuntu0.1), php7.0-opcache:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), e2fsprogs:amd64 (1.42.13-1ubuntu1.1, 1.42.13-1ubuntu1.2), php7.0:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), zlib1g:amd64 (1:1.2.8.dfsg-2ubuntu4.1, 1:1.2.8.dfsg-2ubuntu4.3), linux-generic-hwe-16.04:amd64 (X.X.X.X.90, X.X.X.X.96), sudo:amd64 (1.8.16-0ubuntu1.8, 1.8.16-0ubuntu1.9), util-linux:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), php7.0-common:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), python-apt-common:amd64 (1.1.0~beta1ubuntu0.16.04.5, 1.1.0~beta1ubuntu0.16.04.8), securityonion-bro-afpacket:amd64 (1.3.0-1ubuntu1securityonion13, 1.3.0-1ubuntu1securityonion17), git:amd64 (1:2.7.4-0ubuntu1.6, 1:2.7.4-0ubuntu1.7), udev:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), securityonion-elastic:amd64 (20190510-1ubuntu1securityonion69, 20190510-1ubuntu1securityonion83), libsasl2-2:amd64 (2.1.26.dfsg1-14ubuntu0.1, 2.1.26.dfsg1-14ubuntu0.2), e2fslibs:amd64 (1.42.13-1ubuntu1.1, 1.42.13-1ubuntu1.2), securityonion-samples-bro:amd64 (20170824-1ubuntu1securityonion3, 20170824-1ubuntu1securityonion4), libnss3-1d:amd64 (2:3.28.4-0ubuntu0.16.04.6, 2:3.28.4-0ubuntu0.16.04.10), securityonion-snort:amd64 (X.X.X.X-1ubuntu1securityonion1, X.X.X.X-1ubuntu1securityonion1), libudev1:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), libss2:amd64 (1.42.13-1ubuntu1.1, 1.42.13-1ubuntu1.2), mount:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), ntp:amd64 (1:4.2.8p4+dfsg-3ubuntu5.9, 1:4.2.8p4+dfsg-3ubuntu5.10), samba-libs:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), ntpdate:amd64 (1:4.2.8p4+dfsg-3ubuntu5.9, 1:4.2.8p4+dfsg-3ubuntu5.10), libblkid1:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), mysql-client-core-5.7:amd64 (5.7.28-0ubuntu0.16.04.2, 5.7.29-0ubuntu0.16.04.1), securityonion-suricata:amd64 (4.1.5-1ubuntu1securityonion4, 4.1.6-1ubuntu1securityonion2), php7.0-json:amd64 
(7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), libsasl2-modules:amd64 (2.1.26.dfsg1-14ubuntu0.1, 2.1.26.dfsg1-14ubuntu0.2), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion136, 20120722-0ubuntu0securityonion141), chromium-browser:amd64 (78.0.3904.108-0ubuntu0.16.04.1, 79.0.3945.130-0ubuntu0.16.04.1), php7.0-readline:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), libnss-myhostname:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), samba-common:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), systemd-sysv:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), php7.0-curl:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), libuuid1:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), chromium-codecs-ffmpeg-extra:amd64 (78.0.3904.108-0ubuntu0.16.04.1, 79.0.3945.130-0ubuntu0.16.04.1), libgcrypt20:amd64 (1.6.5-2ubuntu0.5, 1.6.5-2ubuntu0.6), python-apt:amd64 (1.1.0~beta1ubuntu0.16.04.5, 1.1.0~beta1ubuntu0.16.04.8), libpam-systemd:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), systemd:amd64 (229-4ubuntu21.22, 229-4ubuntu21.27), libsmartcols1:amd64 (2.27.1-6ubuntu3.9, 2.27.1-6ubuntu3.10), libssh-gcrypt-4:amd64 (0.6.3-4.3ubuntu0.2, 0.6.3-4.3ubuntu0.5), mysql-common:amd64 (5.7.28-0ubuntu0.16.04.2, 5.7.29-0ubuntu0.16.04.1), libsmbclient:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), samba-common-bin:amd64 (2:4.3.11+dfsg-0ubuntu0.16.04.23, 2:4.3.11+dfsg-0ubuntu0.16.04.25), aptdaemon-data:amd64 (1.1.1+bzr982-0ubuntu14.1, 1.1.1+bzr982-0ubuntu14.2), libmysqlclient20:amd64 (5.7.28-0ubuntu0.16.04.2, 5.7.29-0ubuntu0.16.04.1), bsdutils:amd64 (1:2.27.1-6ubuntu3.9, 1:2.27.1-6ubuntu3.10), python3-aptdaemon.pkcompat:amd64 (1.1.1+bzr982-0ubuntu14.1, 1.1.1+bzr982-0ubuntu14.2), python3-aptdaemon:amd64 (1.1.1+bzr982-0ubuntu14.1, 1.1.1+bzr982-0ubuntu14.2), securityonion-tcpudpflow:amd64 (001-0ubuntu0securityonion7, 001-0ubuntu0securityonion10), libgnutls30:amd64 (3.4.10-4ubuntu1.5, 3.4.10-4ubuntu1.7), unattended-upgrades:amd64 
(1.1ubuntu1.18.04.7~16.04.4, 1.1ubuntu1.18.04.7~16.04.5), libnss3:amd64 (2:3.28.4-0ubuntu0.16.04.6, 2:3.28.4-0ubuntu0.16.04.10), libpcap0.8:amd64 (1.7.4-2, 1.7.4-2ubuntu0.1), securityonion-bro:amd64 (2.6.4-1ubuntu1securityonion1, 3.0.1-1ubuntu1securityonion10), linux-headers-generic-hwe-16.04:amd64 (X.X.X.X.90, X.X.X.X.96), aptdaemon:amd64 (1.1.1+bzr982-0ubuntu14.1, 1.1.1+bzr982-0ubuntu14.2), chromium-browser-l10n:amd64 (78.0.3904.108-0ubuntu0.16.04.1, 79.0.3945.130-0ubuntu0.16.04.1), libexiv2-14:amd64 (0.25-2.1ubuntu16.04.5, 0.25-2.1ubuntu16.04.6), libapache2-mod-php7.0:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9), python3-apt:amd64 (1.1.0~beta1ubuntu0.16.04.5, 1.1.0~beta1ubuntu0.16.04.8), php7.0-mysql:amd64 (7.0.33-0ubuntu0.16.04.7, 7.0.33-0ubuntu0.16.04.9)
End-Date: 2020-02-05  22:21:33

Start-Date: 2020-02-05  22:29:37
Commandline: apt install open-vm-tools open-vm-tools-desktop
Requested-By: SO-user (1000)
Install: open-vm-tools-desktop:amd64 (2:10.2.0-3~ubuntu0.16.04.1), open-vm-tools:amd64 (2:10.2.0-3~ubuntu0.16.04.1)
End-Date: 2020-02-05  22:29:42


=========================================================================
Elasticsearch
=========================================================================

Elasticsearch is running.

Cluster Name: "onionstation"
Cluster Status: "green"
Total Nodes: 1
Failed Nodes: 0
Total Indices: 6
Total Shards: 26
Total Documents: 588
Total Size: 1MB
Free Memory: 6%
Total Number of Events: 588
Avg. Event Size (In Bytes): 3264

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
993c5d41f8b9        so-elasticsearch    0.24%               753.2MiB / 7.767GiB   9.47%               2.27MB / 1.65MB     173MB / 13.2MB      56


=========================================================================
Logstash
=========================================================================

Logstash is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
2b182282ddef        so-logstash         23.94%              525.4MiB / 7.767GiB   6.61%               104kB / 393kB       133MB / 26.6MB      69

Logstash Queue Stats:

Queue Type: memory
Queue settings can be modified in /etc/logstash/logstash.yml.

Event Summary (since restart):

Events In: 444
Events Out: 444



=========================================================================
Kibana
=========================================================================

Kibana is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
cd82356f4ba4        so-kibana           2.14%               108.7MiB / 7.767GiB   1.37%               1.54MB / 1.96MB     133MB / 24.6kB      11


=========================================================================
Freq Server
=========================================================================

Freq_server is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
4ac9b64e4eea        so-freqserver       0.00%               9.129MiB / 7.767GiB   0.11%               10.4kB / 0B         42.3MB / 0B         1

Testing freq_server now...

Freq Server is working.


=========================================================================
Domain Stats
=========================================================================

Domain_stats is running.

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
99fb6ca903c5        so-domainstats      0.13%               247.5MiB / 7.767GiB   3.11%               8.54kB / 0B         81.9MB / 0B         2

Testing domain_stats now...

Domain_stats is working.


=========================================================================
syslog-ng stats
=========================================================================

SourceName;SourceId;SourceInstance;State;Type;Number
destination;d_syslog;;a;processed;1025
destination;d_console_all;;a;processed;94
dst.tcp;d_logstash#0;tcp,X.X.X.X:6050;a;processed;2550
dst.tcp;d_logstash#0;tcp,X.X.X.X:6050;a;stored;163
destination;d_cron;;a;processed;535
destination;d_error;;a;processed;93
center;;queued;a;processed;6092
destination;d_auth;;a;processed;1184
destination;d_user;;a;processed;65
destination;d_daemon;;a;processed;425
global;payload_reallocs;;a;processed;27
destination;d_messages;;a;processed;2
destination;d_xconsole;;a;processed;94
destination;d_debug;;a;processed;25
destination;d_logstash;;a;processed;2550


=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.6 LTS
securityonion-sostat 20120722-0ubuntu0securityonion141

James Smith

Feb 7, 2020, 8:57:57 PM2/7/20
to security-onion
AH HA!

I figured it out!!

OK.  So if the pcap resides in a directory that has a space in it... it breaks so-import-pcap!

I moved the pcap to a different directory and it solved the issue.  I tested it a couple of times and it definitely seems to be the cause.



Cheers!

James
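
The whitespace failure James describes above, as an added example that is not part of this thread and not Security Onion's own so-import-pcap code: a minimal shell reproduction of the unquoted-variable bug pattern that makes a script break on a path with a space, the quoted fix, and a staging helper that copies the pcap into a whitespace-free directory and verifies the copy's SHA-256 before printing the safe path. The function names, the stand-in `expects_one_file`, and the default scratch directory `/tmp/pcap-stage` are assumptions for illustration; nothing here is taken from so-import-pcap's source.

```shell
#!/usr/bin/env bash
# Added example (not so-import-pcap's code): why a pcap path containing
# whitespace breaks a script that expands the path unquoted, and a safe
# way to stage the file before handing it to such a script.

# Hypothetical stand-in for a tool that accepts exactly one existing file.
expects_one_file() {
    [ "$#" -eq 1 ] && [ -f "$1" ]
}

# Bug pattern: $pcap is expanded without quotes, so the shell word-splits
# "/data/pcaps with space/a b.pcap" into several arguments and the tool
# sees too many arguments (or a path that does not exist).
unquoted_call() {
    local pcap
    pcap=$1
    expects_one_file $pcap    # deliberately unquoted to reproduce the failure
}

# Fix: quote every expansion of the path so it stays a single argument.
quoted_call() {
    local pcap
    pcap=$1
    expects_one_file "$pcap"
}

# Workaround when the script cannot be changed: copy the pcap into a
# whitespace-free scratch directory (assumed default: /tmp/pcap-stage),
# replace whitespace in the file name with '_', verify the copy's SHA-256
# matches the original, and print the safe path for the caller to use.
stage_pcap() {
    local src dst_dir base dst src_sum dst_sum
    src=$1
    dst_dir=${2:-/tmp/pcap-stage}
    [ -f "$src" ] || { echo "stage_pcap: no such file: $src" >&2; return 1; }
    mkdir -p -- "$dst_dir" || return 1
    base=$(basename -- "$src" | tr ' \t' '__')
    dst="$dst_dir/$base"
    cp -- "$src" "$dst" || return 1
    src_sum=$(sha256sum -- "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum -- "$dst" | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "stage_pcap: hash mismatch after copy, refusing to continue" >&2
        rm -f -- "$dst"
        return 1
    fi
    printf '%s\n' "$dst"
}
```

Source the file and run `stage_pcap "/path/with spaces/capture.pcap"`, then pass the printed path to so-import-pcap. The hash comparison is cheap insurance that the copy you import is byte-for-byte the capture you meant to analyze.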

Doug Burks

Feb 8, 2020, 3:49:22 AM2/8/20
to securit...@googlegroups.com
Hi James,

Nice catch!

I've created Issue 1714 for this:

Thanks!



James Smith

Feb 11, 2020, 5:29:55 PM2/11/20
to security-onion
Thanks, Doug! Glad I could find an answer rather than just supplying the question.

It's working great keeping it inside dirs with no whitespace in them... I know, very anti-Linux of me.... Anyhow, it works great! Thanks!

Cheers,

James