On Friday, June 12, 2015 at 9:47:05 AM UTC-4, Doug Burks wrote:
> Please send sostat output.
>
tail of pcap_agent.log:
Sending sguild (sock3) LastPcapTime {2015-06-12 13:52:02}
Sending sguild (sock3) PING
Sensor Data Rcvd: PONG
PONG received
tail of snort_agent.log:
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received
Sending sguild (sock5) PING
Sensor Data Rcvd: PONG
PONG received
tail of barnyard2.log:
WARNING: Ignoring bad line in SID file: 'v1'
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /nsm/sensor_data/REDACTED-eth2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
sguil: sensor name = REDACTED-eth2
sguil: agent port = 8000
sguil: Connected to localhost on 8000.
sostat from the master:
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 5239 9 12 Jun 13:21:45
proxy proxy localhost running 5423 9 12 Jun 13:21:47
SO-server-eth2-1 worker localhost running 6638 2 12 Jun 13:21:51
SO-server-eth2-2 worker localhost running 6633 2 12 Jun 13:21:51
SO-server-eth2-3 worker localhost running 6632 2 12 Jun 13:21:51
SO-server-eth2-4 worker localhost running 6634 2 12 Jun 13:21:51
SO-server-eth3-1 worker localhost running 6631 2 12 Jun 13:21:51
SO-server-eth3-2 worker localhost running 6636 2 12 Jun 13:21:51
SO-server-eth3-3 worker localhost running 6637 2 12 Jun 13:21:51
SO-server-eth3-4 worker localhost running 6635 2 12 Jun 13:21:51
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:588334 errors:0 dropped:0 overruns:0 frame:0
TX packets:217391 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:315714265 (315.7 MB) TX bytes:309863929 (309.8 MB)
Interrupt:36 Memory:da000000-da012800
eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:91393067 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:104232555193 (104.2 GB) TX bytes:0 (0.0 B)
Interrupt:40 Memory:df2c0000-df2e0000
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:41 Memory:df3c0000-df3e0000
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:605602 errors:0 dropped:0 overruns:0 frame:0
TX packets:605602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1769509207 (1.7 GB) TX bytes:1769509207 (1.7 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1769509207 605602 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1769509207 605602 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
315714265 588334 0 0 0 9973
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
309863929 217391 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
104232996145 91393427 0 0 0 10197
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 149G 44G 97G 32% /
udev 32G 4.0K 32G 1% /dev
tmpfs 6.3G 852K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 32G 0 32G 0% /run/shm
/dev/sdb2 18T 15T 2.8T 84% /nsm
/dev/sda1 484M 300M 159M 66% /boot
/dev/sda5 29G 174M 27G 1% /tmp
/dev/sda10 9.4G 170M 8.8G 2% /usr/local
/dev/sda11 19G 492M 18G 3% /home
/dev/sda7 29G 1011M 26G 4% /var
/dev/sdb1 1.0T 150G 875G 15% /var/lib/mysql
/dev/sda8 29G 5.4G 22G 20% /var/log
/dev/sda9 9.4G 150M 8.8G 2% /var/log/audit
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 2149 avahi 12u IPv4 29912 0t0 UDP *:5353
avahi-dae 2149 avahi 13u IPv6 29913 0t0 UDP *:5353
avahi-dae 2149 avahi 14u IPv4 29914 0t0 UDP *:38898
avahi-dae 2149 avahi 15u IPv6 29915 0t0 UDP *:54578
cupsd 2151 root 8u IPv6 29931 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2151 root 9u IPv4 29932 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 2161 root 3u IPv4 29942 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:45197 (ESTABLISHED)
sshd 2220 root 3u IPv4 1525 0t0 TCP *:ssh_port (LISTEN)
sshd 2220 root 4u IPv6 1527 0t0 TCP *:ssh_port (LISTEN)
salt-mini 2553 root 10u IPv4 16624 0t0 TCP X.X.X.X:59570->X.X.X.X:4506 (ESTABLISHED)
salt-mini 2553 root 21u IPv4 10890 0t0 TCP X.X.X.X:44510->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 2608 root 9u IPv4 30032 0t0 TCP *:514 (LISTEN)
syslog-ng 2608 root 10u IPv4 30033 0t0 UDP *:514
mysqld 2656 mysql 10u IPv4 25697 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 2656 mysql 13u IPv4 8665 0t0 TCP X.X.X.X:3306->X.X.X.X:49211 (ESTABLISHED)
mysqld 2656 mysql 26u IPv4 23011 0t0 TCP X.X.X.X:3306->X.X.X.X:49213 (ESTABLISHED)
mysqld 2656 mysql 421u IPv4 22027 0t0 TCP X.X.X.X:3306->X.X.X.X:49209 (ESTABLISHED)
mysqld 2656 mysql 857u IPv4 28212 0t0 TCP X.X.X.X:3306->X.X.X.X:49206 (ESTABLISHED)
searchd 2669 sphinxsearch 7u IPv4 32276 0t0 TCP *:9306 (LISTEN)
searchd 2669 sphinxsearch 8u IPv4 32277 0t0 TCP *:9312 (LISTEN)
sshd 2721 SO-user 3u IPv4 29942 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:45197 (ESTABLISHED)
sshd 2721 SO-user 8u IPv6 1705 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 2721 SO-user 9u IPv4 1706 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 2721 SO-user 10u IPv4 22026 0t0 TCP X.X.X.X:49209->X.X.X.X:3306 (ESTABLISHED)
snmpd 2882 snmp 8u IPv4 11452 0t0 UDP X.X.X.X:161
snmpd 2882 snmp 9u IPv4 32395 0t0 UDP *:39439
salt-mast 2977 root 12u IPv4 13547 0t0 TCP *:4505 (LISTEN)
salt-mast 2977 root 14u IPv4 12468 0t0 TCP X.X.X.X:4505->X.X.X.X:44510 (ESTABLISHED)
salt-mast 2977 root 15u IPv4 1806 0t0 TCP X.X.X.X:4505->X.X.X.X:34950 (ESTABLISHED)
salt-mast 2977 root 16u IPv4 13658 0t0 TCP X.X.X.X:4505->X.X.X.X:40080 (ESTABLISHED)
salt-mast 2989 root 20u IPv4 12449 0t0 TCP *:4506 (LISTEN)
salt-mast 2989 root 21u IPv4 26712 0t0 TCP X.X.X.X:4506->X.X.X.X:59570 (ESTABLISHED)
salt-mast 2989 root 23u IPv4 26701 0t0 TCP X.X.X.X:4506->X.X.X.X:40628 (ESTABLISHED)
salt-mast 2989 root 29u IPv4 28730 0t0 TCP X.X.X.X:4506->X.X.X.X:53560 (ESTABLISHED)
ntpd 3239 ntp 16u IPv4 32428 0t0 UDP *:123
ntpd 3239 ntp 17u IPv6 32429 0t0 UDP *:123
ntpd 3239 ntp 18u IPv4 32435 0t0 UDP X.X.X.X:123
ntpd 3239 ntp 19u IPv4 32436 0t0 UDP X.X.X.X:123
ntpd 3239 ntp 20u IPv6 32437 0t0 UDP [X.X.X.X]:123
ntpd 3239 ntp 21u IPv6 32438 0t0 UDP [X.X.X.X]:123
ossec-csy 4334 ossecm 5u IPv4 30568 0t0 UDP X.X.X.X:60485->X.X.X.X:514
sshd 4364 root 3u IPv4 1810 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41140 (ESTABLISHED)
sshd 4517 SO-user 3u IPv4 1810 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41140 (ESTABLISHED)
sshd 4517 SO-user 9u IPv6 1882 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 4517 SO-user 10u IPv4 1883 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 4517 SO-user 11u IPv4 30671 0t0 TCP X.X.X.X:49206->X.X.X.X:3306 (ESTABLISHED)
/usr/sbin 4631 root 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 4631 root 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4631 root 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4631 root 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
tclsh 4811 SO-user 13u IPv4 30661 0t0 TCP *:7734 (LISTEN)
tclsh 4811 SO-user 14u IPv4 30662 0t0 TCP *:7736 (LISTEN)
tclsh 4811 SO-user 15u IPv4 34002 0t0 TCP X.X.X.X:7736->X.X.X.X:39312 (ESTABLISHED)
tclsh 4811 SO-user 16u IPv4 34003 0t0 TCP X.X.X.X:7736->X.X.X.X:39313 (ESTABLISHED)
tclsh 4811 SO-user 17u IPv4 28211 0t0 TCP X.X.X.X:7736->X.X.X.X:34399 (ESTABLISHED)
tclsh 4811 SO-user 18u IPv4 27003 0t0 TCP X.X.X.X:7736->X.X.X.X:34400 (ESTABLISHED)
tclsh 4811 SO-user 19u IPv4 24974 0t0 TCP X.X.X.X:7736->X.X.X.X:34401 (ESTABLISHED)
tclsh 4811 SO-user 20u IPv4 22951 0t0 TCP X.X.X.X:7736->X.X.X.X:34403 (ESTABLISHED)
tclsh 4811 SO-user 21u IPv4 26022 0t0 TCP X.X.X.X:7736->X.X.X.X:44159 (ESTABLISHED)
tclsh 4811 SO-user 22u IPv4 15839 0t0 TCP X.X.X.X:7736->X.X.X.X:44160 (ESTABLISHED)
tclsh 4811 SO-user 23u IPv4 15847 0t0 TCP X.X.X.X:7736->X.X.X.X:34404 (ESTABLISHED)
tclsh 4811 SO-user 24u IPv4 72917 0t0 TCP X.X.X.X:7734->X.X.X.X:37117 (ESTABLISHED)
tclsh 4868 SO-user 3u IPv4 22950 0t0 TCP X.X.X.X:34403->X.X.X.X:7736 (ESTABLISHED)
bro 5239 SO-user 4u IPv4 18749 0t0 UDP X.X.X.X:37275->X.X.X.X:53
bro 5255 SO-user 0u IPv4 28071 0t0 TCP *:47761 (LISTEN)
bro 5255 SO-user 1u IPv6 28072 0t0 TCP *:47761 (LISTEN)
bro 5255 SO-user 2u IPv4 25923 0t0 TCP X.X.X.X:47761->X.X.X.X:34387 (ESTABLISHED)
bro 5255 SO-user 4u IPv4 18749 0t0 UDP X.X.X.X:37275->X.X.X.X:53
bro 5255 SO-user 251u IPv4 24917 0t0 TCP X.X.X.X:47761->X.X.X.X:34397 (ESTABLISHED)
bro 5255 SO-user 255u IPv4 26838 0t0 TCP X.X.X.X:47761->X.X.X.X:34398 (ESTABLISHED)
bro 5255 SO-user 256u IPv4 24919 0t0 TCP X.X.X.X:47761->X.X.X.X:34401 (ESTABLISHED)
bro 5255 SO-user 257u IPv4 26878 0t0 TCP X.X.X.X:47761->X.X.X.X:34402 (ESTABLISHED)
bro 5255 SO-user 258u IPv4 8569 0t0 TCP X.X.X.X:47761->X.X.X.X:34404 (ESTABLISHED)
bro 5255 SO-user 259u IPv4 11589 0t0 TCP X.X.X.X:47761->X.X.X.X:34406 (ESTABLISHED)
bro 5255 SO-user 260u IPv4 28113 0t0 TCP X.X.X.X:47761->X.X.X.X:34408 (ESTABLISHED)
bro 5255 SO-user 261u IPv4 25982 0t0 TCP X.X.X.X:47761->X.X.X.X:34410 (ESTABLISHED)
bro 5423 SO-user 4u IPv4 33832 0t0 UDP X.X.X.X:54251->X.X.X.X:53
bro 5425 SO-user 0u IPv4 9608 0t0 TCP X.X.X.X:34387->X.X.X.X:47761 (ESTABLISHED)
bro 5425 SO-user 1u IPv4 9611 0t0 TCP *:47762 (LISTEN)
bro 5425 SO-user 2u IPv6 9612 0t0 TCP *:47762 (LISTEN)
bro 5425 SO-user 4u IPv4 33832 0t0 UDP X.X.X.X:54251->X.X.X.X:53
bro 5425 SO-user 251u IPv4 8565 0t0 TCP X.X.X.X:47762->X.X.X.X:46585 (ESTABLISHED)
bro 5425 SO-user 255u IPv4 24918 0t0 TCP X.X.X.X:47762->X.X.X.X:46588 (ESTABLISHED)
bro 5425 SO-user 256u IPv4 9666 0t0 TCP X.X.X.X:47762->X.X.X.X:46589 (ESTABLISHED)
bro 5425 SO-user 257u IPv4 15802 0t0 TCP X.X.X.X:47762->X.X.X.X:46592 (ESTABLISHED)
bro 5425 SO-user 258u IPv4 8570 0t0 TCP X.X.X.X:47762->X.X.X.X:46594 (ESTABLISHED)
bro 5425 SO-user 259u IPv4 20742 0t0 TCP X.X.X.X:47762->X.X.X.X:46596 (ESTABLISHED)
bro 5425 SO-user 260u IPv4 8571 0t0 TCP X.X.X.X:47762->X.X.X.X:46598 (ESTABLISHED)
bro 5425 SO-user 261u IPv4 12657 0t0 TCP X.X.X.X:47762->X.X.X.X:46600 (ESTABLISHED)
bro 6631 SO-user 4u IPv4 20738 0t0 UDP X.X.X.X:37937->X.X.X.X:53
bro 6632 SO-user 4u IPv4 13902 0t0 UDP X.X.X.X:56356->X.X.X.X:53
bro 6633 SO-user 4u IPv4 12640 0t0 UDP X.X.X.X:44160->X.X.X.X:53
bro 6634 SO-user 4u IPv4 26829 0t0 UDP X.X.X.X:51075->X.X.X.X:53
bro 6635 SO-user 4u IPv4 17794 0t0 UDP X.X.X.X:38584->X.X.X.X:53
bro 6636 SO-user 4u IPv4 16968 0t0 UDP X.X.X.X:54042->X.X.X.X:53
bro 6637 SO-user 4u IPv4 10954 0t0 UDP X.X.X.X:51922->X.X.X.X:53
bro 6638 SO-user 4u IPv4 33890 0t0 UDP X.X.X.X:56404->X.X.X.X:53
bro 6639 SO-user 0u IPv4 25948 0t0 TCP X.X.X.X:46585->X.X.X.X:47762 (ESTABLISHED)
bro 6639 SO-user 1u IPv4 25949 0t0 TCP X.X.X.X:34397->X.X.X.X:47761 (ESTABLISHED)
bro 6639 SO-user 2u IPv4 25952 0t0 TCP *:47767 (LISTEN)
bro 6639 SO-user 4u IPv4 20738 0t0 UDP X.X.X.X:37937->X.X.X.X:53
bro 6639 SO-user 251u IPv6 25953 0t0 TCP *:47767 (LISTEN)
bro 6642 SO-user 0u IPv4 25954 0t0 TCP X.X.X.X:34398->X.X.X.X:47761 (ESTABLISHED)
bro 6642 SO-user 1u IPv4 25957 0t0 TCP X.X.X.X:46588->X.X.X.X:47762 (ESTABLISHED)
bro 6642 SO-user 2u IPv4 25960 0t0 TCP *:47765 (LISTEN)
bro 6642 SO-user 4u IPv4 13902 0t0 UDP X.X.X.X:56356->X.X.X.X:53
bro 6642 SO-user 251u IPv6 25961 0t0 TCP *:47765 (LISTEN)
bro 6651 SO-user 0u IPv4 21912 0t0 TCP X.X.X.X:46589->X.X.X.X:47762 (ESTABLISHED)
bro 6651 SO-user 1u IPv4 21913 0t0 TCP X.X.X.X:34401->X.X.X.X:47761 (ESTABLISHED)
bro 6651 SO-user 2u IPv4 21916 0t0 TCP *:47766 (LISTEN)
bro 6651 SO-user 4u IPv4 26829 0t0 UDP X.X.X.X:51075->X.X.X.X:53
bro 6651 SO-user 251u IPv6 21917 0t0 TCP *:47766 (LISTEN)
bro 6686 SO-user 0u IPv4 14656 0t0 TCP X.X.X.X:34402->X.X.X.X:47761 (ESTABLISHED)
bro 6686 SO-user 1u IPv4 14657 0t0 TCP X.X.X.X:46592->X.X.X.X:47762 (ESTABLISHED)
bro 6686 SO-user 2u IPv4 14660 0t0 TCP *:47769 (LISTEN)
bro 6686 SO-user 4u IPv4 10954 0t0 UDP X.X.X.X:51922->X.X.X.X:53
bro 6686 SO-user 251u IPv6 14661 0t0 TCP *:47769 (LISTEN)
bro 6729 SO-user 0u IPv4 21926 0t0 TCP X.X.X.X:34404->X.X.X.X:47761 (ESTABLISHED)
bro 6729 SO-user 1u IPv4 21927 0t0 TCP X.X.X.X:46594->X.X.X.X:47762 (ESTABLISHED)
bro 6729 SO-user 2u IPv4 21930 0t0 TCP *:47764 (LISTEN)
bro 6729 SO-user 4u IPv4 12640 0t0 UDP X.X.X.X:44160->X.X.X.X:53
bro 6729 SO-user 251u IPv6 21931 0t0 TCP *:47764 (LISTEN)
bro 6732 SO-user 0u IPv4 21932 0t0 TCP X.X.X.X:34406->X.X.X.X:47761 (ESTABLISHED)
bro 6732 SO-user 1u IPv4 21933 0t0 TCP X.X.X.X:46596->X.X.X.X:47762 (ESTABLISHED)
bro 6732 SO-user 2u IPv4 21936 0t0 TCP *:47763 (LISTEN)
bro 6732 SO-user 4u IPv4 33890 0t0 UDP X.X.X.X:56404->X.X.X.X:53
bro 6732 SO-user 251u IPv6 21937 0t0 TCP *:47763 (LISTEN)
bro 6737 SO-user 0u IPv4 21938 0t0 TCP X.X.X.X:34408->X.X.X.X:47761 (ESTABLISHED)
bro 6737 SO-user 1u IPv4 21939 0t0 TCP X.X.X.X:46598->X.X.X.X:47762 (ESTABLISHED)
bro 6737 SO-user 2u IPv4 21942 0t0 TCP *:47768 (LISTEN)
bro 6737 SO-user 4u IPv4 16968 0t0 UDP X.X.X.X:54042->X.X.X.X:53
bro 6737 SO-user 251u IPv6 21943 0t0 TCP *:47768 (LISTEN)
bro 6742 SO-user 0u IPv4 17811 0t0 TCP X.X.X.X:34410->X.X.X.X:47761 (ESTABLISHED)
bro 6742 SO-user 1u IPv4 17812 0t0 TCP X.X.X.X:46600->X.X.X.X:47762 (ESTABLISHED)
bro 6742 SO-user 2u IPv4 17815 0t0 TCP *:47770 (LISTEN)
bro 6742 SO-user 4u IPv4 17794 0t0 UDP X.X.X.X:38584->X.X.X.X:53
bro 6742 SO-user 251u IPv6 17816 0t0 TCP *:47770 (LISTEN)
tclsh 6869 SO-user 3u IPv4 8623 0t0 TCP X.X.X.X:34404->X.X.X.X:7736 (ESTABLISHED)
tclsh 6900 SO-user 3u IPv4 17008 0t0 TCP X.X.X.X:8000 (LISTEN)
tclsh 6900 SO-user 5u IPv4 14708 0t0 TCP X.X.X.X:34399->X.X.X.X:7736 (ESTABLISHED)
tclsh 6900 SO-user 7u IPv4 25009 0t0 TCP X.X.X.X:8000->X.X.X.X:59239 (ESTABLISHED)
barnyard2 6951 SO-user 3u IPv4 11638 0t0 TCP X.X.X.X:59239->X.X.X.X:8000 (ESTABLISHED)
barnyard2 6951 SO-user 4u IPv4 35853 0t0 TCP X.X.X.X:49211->X.X.X.X:3306 (ESTABLISHED)
tclsh 7086 SO-user 3u IPv4 15838 0t0 TCP X.X.X.X:34400->X.X.X.X:7736 (ESTABLISHED)
tclsh 7135 SO-user 3u IPv4 11088 0t0 TCP X.X.X.X:8100 (LISTEN)
tclsh 7135 SO-user 5u IPv4 11217 0t0 TCP X.X.X.X:34401->X.X.X.X:7736 (ESTABLISHED)
tclsh 7135 SO-user 7u IPv4 26047 0t0 TCP X.X.X.X:8100->X.X.X.X:45801 (ESTABLISHED)
barnyard2 7219 SO-user 3u IPv4 12905 0t0 TCP X.X.X.X:45801->X.X.X.X:8100 (ESTABLISHED)
barnyard2 7219 SO-user 4u IPv4 12908 0t0 TCP X.X.X.X:49213->X.X.X.X:3306 (ESTABLISHED)
sshd 13264 root 3u IPv4 9060 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52489 (ESTABLISHED)
sshd 13423 SO-user 3u IPv4 9060 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52489 (ESTABLISHED)
/usr/sbin 16531 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 16531 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 16531 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 16531 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
sshd 17023 root 3u IPv4 68784 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51178 (ESTABLISHED)
sshd 17332 SO-user 3u IPv4 68784 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51178 (ESTABLISHED)
sshd 17332 SO-user 9u IPv6 68865 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 17332 SO-user 10u IPv4 68866 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 17332 SO-user 12u IPv4 68889 0t0 TCP X.X.X.X:6010->X.X.X.X:60074 (ESTABLISHED)
wish 17574 SO-user 3u IPv4 53614 0t0 TCP X.X.X.X:60074->X.X.X.X:6010 (ESTABLISHED)
wish 17574 SO-user 4u IPv4 71911 0t0 TCP X.X.X.X:37117->X.X.X.X:7734 (ESTABLISHED)
/usr/sbin 19362 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 19362 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19362 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19362 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 20451 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 20451 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20451 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20451 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22184 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22184 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22184 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22184 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22217 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22217 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22217 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22217 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
/usr/sbin 22226 www-data 4u IPv4 32639 0t0 TCP *:443 (LISTEN)
/usr/sbin 22226 www-data 5u IPv4 32642 0t0 TCP *:9876 (LISTEN)
/usr/sbin 22226 www-data 6u IPv4 32644 0t0 TCP *:3154 (LISTEN)
/usr/sbin 22226 www-data 7u IPv4 32648 0t0 TCP *:444 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
Fri Jun 12 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
Running PulledPork.
Error 500 when fetching https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
mainX.X.X.Xmd5file('open-nogpl', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/open-nogpl/suricata-2.0.8/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_
cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2973.tar.gz....
Rules tarball download of snortrules-snapshot-2973.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Updating Snorby's sig_reference table.../usr/bin/rule-update: line 309: 9557 Segmentation fault /usr/bin/barnyard2 -c /etc/nsm/barnyard2-snorby/barnyard2.conf > /var/log/nsm/barnyard2-snorby.log 2>&1
done.
Restarting Barnyard2.
Restarting: SO-server-eth2
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth2
* stopping: suricata (alert data)
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
27.77 23.29 16.06
Processing units: 24
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 13:51:01 up 30 min, 2 users, load average: 27.77, 23.29, 16.06
Tasks: 384 total, 25 running, 359 sleeping, 0 stopped, 0 zombie
Cpu(s): 38.4%us, 12.9%sy, 0.9%ni, 44.9%id, 1.9%wa, 0.0%hi, 1.0%si, 0.0%st
Mem: 65965188k total, 65707376k used, 257812k free, 59384k buffers
Swap: 36981308k total, 268k used, 36981040k free, 49126608k cached
%CPU %MEM COMMAND
278 0.6 /usr/sbin/mysqld
90.0 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
105 2.1 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth2/suricata.yaml --pfring=eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2
92.0 0.8 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_150
90.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
88.2 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
86.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
85.6 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
82.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
81.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
76.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
73.8 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
66.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
58.3 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
49.9 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
32.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.8 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo -i 1 -U
27.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.1 0.2 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo -i 1 -U
24.8 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
24.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
16.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.1 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.0 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.5 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.4 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.1 0.9 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth2/bpf-pcap.ops
7.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
5.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
4.6 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.5 7.5 /usr/bin/searchd --nodetach
2.7 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.7 1.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth3/suricata.yaml --pfring=eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3
1.7 0.0 /var/ossec/bin/ossec-syscheckd
1.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.4 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.3 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.7 0.1 /usr/bin/python /usr/bin/salt-master
0.6 0.0 wish /usr/bin/SO-user.tk
0.5 0.0 [flush-8:16]
0.5 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.4 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.3 0.0 /var/ossec/bin/ossec-analysisd
0.3 0.0 sshd: SO-user
0.3 0.1 delayed_job
0.3 0.0 [kworker/0:2]
0.2 0.0 sshd: SO-user
0.2 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
0.2 0.0 [xfsaild/sdb2]
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /sbin/init
0.1 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.1 0.0 [kswapd1]
0.1 0.0 [kworker/0:0]
0.1 0.0 [kworker/0:3]
0.1 0.0 [kswapd0]
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.0 /usr/bin/python /usr/bin/salt-minion
0.1 0.1 /usr/sbin/apache2 -k start
0.1 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 sshd: SO-user@pts/2
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/1:0]
0.0 0.0 -bash
0.0 0.0 [kworker/1:1]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/1:2]
0.0 0.0 -bash
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/u:0]
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 [xfsaild/sdb1]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.8 netsniff-ng -i eth3 -o /nsm/sensor_data/SO-server-eth3/dailylogs/2015-06-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth3/bpf-pcap.ops
0.0 0.0 [migration/0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [flush-8:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/12:1]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [xfsbufd/sdb2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 [ksoftirqd/15]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/4:2]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 Passenger spawn server
0.0 0.0 [migration/1]
0.0 0.0 [migration/2]
0.0 0.0 [migration/3]
0.0 0.0 [migration/4]
0.0 0.0 [migration/5]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [migration/8]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [migration/10]
0.0 0.0 [migration/11]
0.0 0.0 [migration/12]
0.0 0.0 [migration/13]
0.0 0.0 [migration/16]
0.0 0.0 [migration/17]
0.0 0.0 [migration/18]
0.0 0.0 [migration/20]
0.0 0.0 [migration/21]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [migration/23]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 [kworker/13:1]
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 lightdm
0.0 0.0 cron
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/8:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/14:2]
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [kworker/5:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 PassengerHelperAgent
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/23:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/19:1]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [watchdog/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [watchdog/7]
0.0 0.0 [kworker/8:0]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [watchdog/9]
0.0 0.0 [kworker/10:0]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [watchdog/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [kworker/16:0]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [watchdog/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [kworker/19:0]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [watchdog/20]
0.0 0.0 [kworker/21:0]
0.0 0.0 [watchdog/21]
0.0 0.0 [kworker/22:0]
0.0 0.0 [watchdog/22]
0.0 0.0 [kworker/23:0]
0.0 0.0 [watchdog/23]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [kworker/u:1]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/15:1]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [edac-poller]
0.0 0.0 [kpsmoused]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|lost+found|SO-user|SO-user/SO-user/g
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: 27067858
eth3: 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 10 days
7.8T .
1000G ./2015-06-03
771G ./2015-06-04
612G ./2015-06-05
850G ./2015-06-06
1.2T ./2015-06-07
464G ./2015-06-08
862G ./2015-06-09
908G ./2015-06-10
815G ./2015-06-11
555G ./2015-06-12
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 10 days
6.0M .
1.2M ./2015-06-03
996K ./2015-06-04
100K ./2015-06-05
148K ./2015-06-06
1.0M ./2015-06-07
136K ./2015-06-08
68K ./2015-06-09
96K ./2015-06-10
1.3M ./2015-06-11
1004K ./2015-06-12
/nsm/bro/logs/ - 20 days
53G .
1.7G ./2015-05-24
1.8G ./2015-05-25
2.8G ./2015-05-26
2.7G ./2015-05-27
2.8G ./2015-05-28
2.9G ./2015-05-29
1.7G ./2015-05-30
1.9G ./2015-05-31
3.3G ./2015-06-01
3.6G ./2015-06-02
3.2G ./2015-06-03
3.3G ./2015-06-04
3.1G ./2015-06-05
1.5G ./2015-06-06
1.9G ./2015-06-07
3.4G ./2015-06-08
3.0G ./2015-06-09
3.3G ./2015-06-10
3.1G ./2015-06-11
1.4G ./2015-06-12
1.3G ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth2-1: 1434117062.946515 recvd=5067633 dropped=0 link=5067633
SO-server-eth2-2: 1434117063.146265 recvd=6463885 dropped=0 link=6463885
SO-server-eth2-3: 1434117063.346373 recvd=3338798 dropped=0 link=3338798
SO-server-eth2-4: 1434117062.585244 recvd=13876547 dropped=0 link=13876547
SO-server-eth3-1: 1434117063.746455 recvd=0 dropped=0 link=0
SO-server-eth3-2: 1434117063.946420 recvd=0 dropped=0 link=0
SO-server-eth3-3: 1434117064.150450 recvd=0 dropped=0 link=0
SO-server-eth3-4: 1434117064.350567 recvd=0 dropped=0 link=0
=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth2/stats.log
tcp.ssn_memcap_drop | RxPFReth24 | 0
tcp.segment_memcap_drop | RxPFReth24 | 0
/nsm/sensor_data/SO-server-eth3/stats.log
tcp.ssn_memcap_drop | RxPFReth34 | 0
tcp.segment_memcap_drop | RxPFReth34 | 0
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 16
Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/6631-eth3.1
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6632-eth2.2
Appl. Name : bro-eth2
Tot Packets : 3341882
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6633-eth2.5
Appl. Name : bro-eth2
Tot Packets : 6479368
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6634-eth2.3
Appl. Name : bro-eth2
Tot Packets : 14055060
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 0
/proc/net/pf_ring/6635-eth3.7
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6636-eth3.6
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6637-eth3.4
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6638-eth2.8
Appl. Name : bro-eth2
Tot Packets : 5071877
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/7192-eth2.9
Appl. Name : Suricata
Tot Packets : 3225736
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65523
/proc/net/pf_ring/7194-eth2.10
Appl. Name : Suricata
Tot Packets : 13463541
Tot Pkt Lost : 2890133
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 0
/proc/net/pf_ring/7195-eth2.11
Appl. Name : Suricata
Tot Packets : 6322912
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65318
/proc/net/pf_ring/7196-eth2.12
Appl. Name : Suricata
Tot Packets : 4960118
Tot Pkt Lost : 66309
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65342
/proc/net/pf_ring/7381-eth3.13
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7383-eth3.14
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7389-eth3.15
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
/proc/net/pf_ring/7391-eth3.16
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log Processed: +559626 Lost: -309720
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150608000004 Processed: +405673 Lost: -39608
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +134665 Lost: -41651
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +199478 Lost: -56179
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +202015 Lost: -64280
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +144792 Lost: -55219
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +138168 Lost: -45614
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +145931 Lost: -79232
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142384 Lost: -93918
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +111200 Lost: -58768
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +170675 Lost: -26390
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +160829 Lost: -23526
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +220800 Lost: -98712
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +121634 Lost: -4157
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +383817 Lost: -47196
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +203344 Lost: -217257
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612000007 Processed: +142529 Lost: -33740
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +243511 Lost: -5928
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +154932 Lost: -26336
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +462978 Lost: -3431
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +159543 Lost: -41148
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +185819 Lost: -25878
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +213027 Lost: -27718
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +172679 Lost: -393
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +183188 Lost: -51550
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +116575 Lost: -116274
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +81423 Lost: -8794
File: /var/log/nsm/SO-server-eth2/netsniff-ng.log.20150612132155 Processed: +209425 Lost: -28287
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
7487
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
26732 1:2000419 ET POLICY PE EXE or DLL Windows file download
2541 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1664 1:2220006 SURICATA SMTP no server welcome message
1283 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
946 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
868 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
822 1:2015561 ET INFO PDF Using CCITTFax Filter
553 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
461 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
274 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
271 1:2001219 ET SCAN Potential SSH Scan
257 1:2013298 ET POLICY Nessus Server SSL certificate detected
230 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
213 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
201 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
153 1:2018087 ET INFO Control Panel Applet File Download
144 1:2001329 ET POLICY RDP connection request
141 1:2001330 ET POLICY RDP connection confirm
139 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
133 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
129 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
124 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
121 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
113 1:2013028 ET POLICY curl User-Agent Outbound
99 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
98 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
87 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
87 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
78 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain