sostats (and yeah, it's a bit unhealthy. pcap keeps reasserting itself, which fills the disk in less than two hours.) I understand the desire for full packet capture, but there's a HUGE gap between budget and storage requirements for that.
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager XXXXXXXXXXXXX running 12363 3 10 May 20:52:20
proxy proxy XXXXXXXXXXXXX running 12515 3 10 May 20:52:22
IDS0-eth2-1 worker XXXXXXXXXXXXX running 12629 2 10 May 20:52:24
IDS0-eth2-2 worker XXXXXXXXXXXXX running 12631 2 10 May 20:52:24
Status: IDS0-eth2
* netsniff-ng (full packet data)[ FAIL ]
* pcap_agent (sguil)[ FAIL ]
* snort_agent-1 (sguil)[ OK ]
* snort_agent-2 (sguil)[ OK ]
* snort_agent-3 (sguil)[ OK ]
* snort_agent-4 (sguil)[ OK ]
* snort_agent-5 (sguil)[ OK ]
* snort_agent-6 (sguil)[ OK ]
* snort-1 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* snort-5 (alert data)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort-6 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
* barnyard2-5 (spooler, unified2 format)[ OK ]
* barnyard2-6 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth2 Link encap:Ethernet HWaddr 00:22:64:2d:98:8c
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:32098863146 errors:179917251 dropped:3465 overruns:0 frame:179917251
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22349865581307 (22.3 TB) TX bytes:0 (0.0 B)
Interrupt:31 Memory:dc000000-dc012800
eth3 Link encap:Ethernet HWaddr 00:22:64:2d:98:8e
inet addr:XXXXXXXXXXXXX Bcast:XXXXXXXXX.255 Mask:255.255.255.192
inet6 addr: fe80::222:64ff:fe2d:988e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:263360 errors:0 dropped:0 overruns:0 frame:0
TX packets:319330 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:136558866 (136.5 MB) TX bytes:47631282 (47.6 MB)
Interrupt:32 Memory:da000000-da012800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:90290532 errors:0 dropped:0 overruns:0 frame:0
TX packets:90290532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:562509199702 (562.5 GB) TX bytes:562509199702 (562.5 GB)
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/cciss/c0d0p1 373G 55G 300G 16% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 836K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 16K 16G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 303 root 3u IPv4 94511532 0t0 TCP 127.0.0.1:8005->127.0.0.1:57415 (CLOSE_WAIT)
tclsh 303 root 4u IPv4 64422603 0t0 TCP 127.0.0.1:8005 (LISTEN)
tclsh 361 root 4u IPv4 64424367 0t0 TCP 127.0.0.1:8006 (LISTEN)
tclsh 361 root 6u IPv4 81265474 0t0 TCP 127.0.0.1:8006->127.0.0.1:53623 (CLOSE_WAIT)
avahi-dae 920 avahi 12u IPv4 10587 0t0 UDP *:5353
avahi-dae 920 avahi 13u IPv6 10588 0t0 UDP *:5353
avahi-dae 920 avahi 14u IPv4 10589 0t0 UDP *:51573
avahi-dae 920 avahi 15u IPv6 10590 0t0 UDP *:58561
cupsd 995 root 8u IPv6 95036078 0t0 TCP [::1]:631 (LISTEN)
cupsd 995 root 9u IPv4 95036079 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 1371 root 3u IPv4 8759 0t0 TCP *:22 (LISTEN)
sshd 1371 root 4u IPv6 8761 0t0 TCP *:22 (LISTEN)
mysqld 1515 mysql 10u IPv4 13630 0t0 TCP 127.0.0.1:3306 (LISTEN)
syslog-ng 1521 root 16u IPv4 14341 0t0 TCP *:514 (LISTEN)
syslog-ng 1521 root 17u IPv4 14342 0t0 UDP *:514
searchd 1717 sphinxsearch 7u IPv4 13633 0t0 TCP *:9306 (LISTEN)
searchd 1717 sphinxsearch 8u IPv4 13634 0t0 TCP *:9312 (LISTEN)
ntpd 3212 ntp 16u IPv4 19541 0t0 UDP *:123
ntpd 3212 ntp 17u IPv6 19542 0t0 UDP *:123
ntpd 3212 ntp 18u IPv4 19548 0t0 UDP 127.0.0.1:123
ntpd 3212 ntp 19u IPv4 19549 0t0 UDP XXXXXXXXXXXXXXXX:123
ntpd 3212 ntp 20u IPv6 19550 0t0 UDP [fe80::222:64ff:fe2d:988e]:123
ntpd 3212 ntp 21u IPv6 19551 0t0 UDP [::1]:123
bash 5508 root 4u IPv4 11379848 0t0 UDP XXXXXXXXXXXXXXXX:54381->XXXXXXXXXXXX.10:53
bro 12363 root 4u IPv4 11379848 0t0 UDP XXXXXXXXXXXXXXXX:54381->XXXXXXXXXXXX.10:53
bro 12383 root 0u IPv4 68453404 0t0 TCP *:47761 (LISTEN)
bro 12383 root 1u IPv6 68452064 0t0 TCP *:47761 (LISTEN)
bro 12383 root 2u IPv4 68447796 0t0 TCP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (ESTABLISHED)
bro 12383 root 4u IPv4 11379848 0t0 UDP XXXXXXXXXXXXX:54381->XXXXXXXXXXXX:53
bro 12383 root 8u IPv4 68453453 0t0 TCP XXXXXXXXXXXXX:47761->XXXXXXXXXXXXX:36990 (ESTABLISHED)
bro 12383 root 10u IPv4 68453454 0t0 TCP XXXXXXXXXXXXX:47761->XXXXXXXXXXXXX:36991 (ESTABLISHED)
bro 12383 root 11u IPv4 68453455 0t0 TCP XXXXXXXXXXXXX:47761->XXXXXXXXXXXXX:36992 (ESTABLISHED)
bro 12383 root 12u IPv4 68453456 0t0 TCP XXXXXXXXXXXXX:47761->XXXXXXXXXXXXX:36993 (ESTABLISHED)
bro 12383 root 13u IPv4 68453467 0t0 TCP XXXXXXXXXXXXX:47761->XXXXXXXXXXXXX:36999 (ESTABLISHED)
bro 12515 root 4u IPv4 11378036 0t0 UDP XXXXXXXXXXXXX:49161->XXXXXXXXXXXX:53
bro 12531 root 0u IPv4 68453450 0t0 TCP XXXXXXXXXXXXXXXX:36990->XXXXXXXXXXXXXXXX:47761 (ESTABLISHED)
bro 12531 root 4u IPv4 11378036 0t0 UDP XXXXXXXXXXXXXXXX:49161->XXXXXXXXXXXX.10:53
bro 12629 root 4u IPv4 11377124 0t0 UDP XXXXXXXXXXXXXXXX:38387->XXXXXXXXXXXX.10:53
bro 12631 root 4u IPv4 11379090 0t0 UDP XXXXXXXXXXXXXXXX:45689->XXXXXXXXXXXX.10:53
bro 12641 root 0u IPv4 11375437 0t0 TCP XXXXXXXXXXXXXXXX:54067->XXXXXXXXXXXXXXXX:47762 (ESTABLISHED)
bro 12641 root 1u IPv4 68450900 0t0 TCP XXXXXXXXXXXXXXXX:36993->XXXXXXXXXXXXXXXX:47761 (ESTABLISHED)
bro 12641 root 4u IPv4 11377124 0t0 UDP XXXXXXXXXXXXXXXX:38387->XXXXXXXXXXXX.10:53
bro 12652 root 0u IPv4 11378121 0t0 TCP XXXXXXXXXXXXXXXX:54069->XXXXXXXXXXXXXXXX:47762 (ESTABLISHED)
bro 12652 root 1u IPv4 68453451 0t0 TCP XXXXXXXXXXXXXXXX:36991->XXXXXXXXXXXXXXXX:47761 (ESTABLISHED)
bro 12652 root 4u IPv4 11379090 0t0 UDP XXXXXXXXXXXXXXXX:45689->XXXXXXXXXXXX.10:53
gzip 14120 root 4u IPv4 11379848 0t0 UDP XXXXXXXXXXXXXXXX:54381->XXXXXXXXXXXX.10:53
bro 16798 root 4u IPv4 11238195 0t0 UDP XXXXXXXXXXXXXXXX:38481->XXXXXXXXXXXX.10:53
bro 16829 root 0u IPv4 68448552 0t0 TCP XXXXXXXXXXXX:36989->XXXXXXXXXXXX.20:47761 (ESTABLISHED)
bro 16829 root 1u IPv4 11242891 0t0 TCP *:47762 (LISTEN)
bro 16829 root 2u IPv6 11242892 0t0 TCP *:47762 (LISTEN)
bro 16829 root 4u IPv4 11238195 0t0 UDP XXXXXXXXXXXXXXXX:38481->XXXXXXXXXXXX.10:53
bro 16829 root 7u IPv4 11248254 0t0 TCP XXXXXXXXXXXXXXXX:47762->XXXXXXXXXXXXXXXX:53398 (ESTABLISHED)
bro 16829 root 9u IPv4 11246262 0t0 TCP XXXXXXXXXXXXXXXX:47762->XXXXXXXXXXXXXXXX:53399 (ESTABLISHED)
bro 16829 root 10u IPv4 11377132 0t0 TCP XXXXXXXXXXXXXXXX:47762->XXXXXXXXXXXXXXXX:54067 (ESTABLISHED)
bro 16829 root 11u IPv4 11379104 0t0 TCP XXXXXXXXXXXXXXXX:47762->XXXXXXXXXXXXXXXX:54069 (ESTABLISHED)
bro 16959 root 4u IPv4 11248230 0t0 UDP XXXXXXXXXXXXXXXX:45193->XXXXXXXXXXXX.10:53
bro 16960 root 4u IPv4 11243020 0t0 UDP XXXXXXXXXXXXXXXX:48890->XXXXXXXXXXXX.10:53
bro 16991 root 0u IPv4 68453452 0t0 TCP XXXXXXXXXXXXXXXX:36992->XXXXXXXXXXXXXXXX:47761 (ESTABLISHED)
bro 16991 root 1u IPv4 11248253 0t0 TCP XXXXXXXXXXXXXXXX:53398->XXXXXXXXXXXXXXXX:47762 (ESTABLISHED)
bro 16991 root 2u IPv4 11248257 0t0 TCP *:47763 (LISTEN)
bro 16991 root 4u IPv4 11248230 0t0 UDP XXXXXXXXXXXXXXXX:45193->XXXXXXXXXXXX.10:53
bro 16991 root 8u IPv6 11248258 0t0 TCP *:47763 (LISTEN)
bro 17008 root 0u IPv4 11243034 0t0 TCP XXXXXXXXXXXXXXXX:53399->XXXXXXXXXXXXXXXX:47762 (ESTABLISHED)
bro 17008 root 1u IPv4 68450905 0t0 TCP XXXXXXXXXXXXXXXX:36999->XXXXXXXXXXXXXXXX:47761 (ESTABLISHED)
bro 17008 root 2u IPv4 11243038 0t0 TCP *:47764 (LISTEN)
bro 17008 root 4u IPv4 11243020 0t0 UDP XXXXXXXXXXXXXXXX:48890->XXXXXXXXXXXX.10:53
bro 17008 root 8u IPv6 11243039 0t0 TCP *:47764 (LISTEN)
exim4 18069 Debian-exim 4u IPv4 1557586 0t0 TCP 127.0.0.1:25 (LISTEN)
exim4 18069 Debian-exim 5u IPv6 1557587 0t0 TCP [::1]:25 (LISTEN)
sshd 18936 root 3r IPv4 98568690 0t0 TCP XXXXXXXXXXXXXXXX:22->XXXXXXXXXXXX.43:55614 (ESTABLISHED)
sshd 19392 mike 3u IPv4 98568690 0t0 TCP XXXXXXXXXXXXXXXX:22->XXXXXXXXXXXX.43:55614 (ESTABLISHED)
/usr/sbin 23715 root 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 23715 root 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23715 root 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23715 root 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
barnyard2 25449 root 3u IPv4 98326582 0t0 TCP 127.0.0.1:60979->127.0.0.1:8001 (ESTABLISHED)
barnyard2 25508 root 3u IPv4 98326444 0t0 TCP 127.0.0.1:46204->127.0.0.1:8002 (ESTABLISHED)
barnyard2 25572 root 3u IPv4 98326576 0t0 TCP 127.0.0.1:52601->127.0.0.1:8003 (ESTABLISHED)
barnyard2 25634 root 3u IPv4 98317082 0t0 TCP 127.0.0.1:60387->127.0.0.1:8004 (ESTABLISHED)
barnyard2 25681 root 3u IPv4 98324680 0t0 TCP 127.0.0.1:40433->127.0.0.1:8005 (ESTABLISHED)
barnyard2 25729 root 3u IPv4 98330651 0t0 TCP 127.0.0.1:54004->127.0.0.1:8006 (ESTABLISHED)
/usr/sbin 26912 www-data 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 26912 www-data 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 26912 www-data 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 26912 www-data 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
/usr/sbin 26913 www-data 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 26913 www-data 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 26913 www-data 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 26913 www-data 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
/usr/sbin 26914 www-data 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 26914 www-data 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 26914 www-data 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 26914 www-data 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
/usr/sbin 26915 www-data 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 26915 www-data 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 26915 www-data 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 26915 www-data 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
/usr/sbin 26916 www-data 4u IPv4 114759 0t0 TCP *:443 (LISTEN)
/usr/sbin 26916 www-data 5u IPv4 114762 0t0 TCP *:9876 (LISTEN)
/usr/sbin 26916 www-data 6u IPv4 114764 0t0 TCP *:3154 (LISTEN)
/usr/sbin 26916 www-data 7u IPv4 114768 0t0 TCP *:444 (LISTEN)
tclsh 32532 root 3u IPv4 94510214 0t0 TCP 127.0.0.1:8001->127.0.0.1:49703 (CLOSE_WAIT)
tclsh 32532 root 4u IPv4 64416596 0t0 TCP 127.0.0.1:8001 (LISTEN)
tclsh 32594 root 4u IPv4 64421822 0t0 TCP 127.0.0.1:8002 (LISTEN)
tclsh 32594 root 6u IPv4 98570447 0t0 TCP 127.0.0.1:8002->127.0.0.1:46204 (ESTABLISHED)
tclsh 32654 root 3u IPv4 98564665 0t0 TCP 127.0.0.1:8003->127.0.0.1:52601 (ESTABLISHED)
tclsh 32654 root 4u IPv4 64422504 0t0 TCP 127.0.0.1:8003 (LISTEN)
tclsh 32714 root 4u IPv4 64416758 0t0 TCP 127.0.0.1:8004 (LISTEN)
tclsh 32714 root 6u IPv4 98564978 0t0 TCP 127.0.0.1:8004->127.0.0.1:60387 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Thu May 16 07:01:01 UTC 2013
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_
cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2941.tar.gz....
They Match
Done!
Prepping rules from snortrules-snapshot-2941.tar.gz for work....
Done!
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 53 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------11
Deleted:---5
Enabled Rules:----18397
Dropped Rules:----0
Disabled Rules:---16571
Total Rules:------34968
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: IDS0-eth2
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
* starting: barnyard2-3 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-4 (spooler, unified2 format)[ OK ]
* starting: barnyard2-4 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-5 (spooler, unified2 format)[ OK ]
* starting: barnyard2-5 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-6 (spooler, unified2 format)[ OK ]
* starting: barnyard2-6 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: IDS0-eth2
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]
* stopping: snort-3 (alert data) (not running)[ WARN ]
- stale PID file found, deleting!
* starting: snort-3 (alert data)[ OK ]
* stopping: snort-4 (alert data)[ OK ]
* starting: snort-4 (alert data)[ OK ]
* stopping: snort-5 (alert data)[ OK ]
* starting: snort-5 (alert data)[ OK ]
* stopping: snort-6 (alert data)[ FAIL ]
* starting: snort-6 (alert data) (already running)[ WARN ]
=========================================================================
CPU Usage
=========================================================================
top - 16:13:17 up 6 days, 23:09, 1 user, load average: 21.11, 19.88, 18.21
Tasks: 219 total, 23 running, 196 sleeping, 0 stopped, 0 zombie
Cpu(s): 50.6%us, 14.8%sy, 2.3%ni, 26.3%id, 3.0%wa, 0.0%hi, 2.9%si, 0.0%st
Mem: 32948080k total, 32749372k used, 198708k free, 20636k buffers
Swap: 50024368k total, 22857288k used, 27167080k free, 515544k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
57 root 20 0 0 0 0 R 98 0.0 322:31.97 kswapd0
58 root 20 0 0 0 0 R 90 0.0 412:52.08 kswapd1
16959 root 20 0 1517m 1.2g 72m R 67 3.7 4508:24 bro
12631 root 20 0 1403m 1.2g 72m R 59 3.7 4525:03 bro
29311 sguil 20 0 3503m 2.9g 616 S 57 9.3 395:37.56 argus
12629 root 20 0 1394m 1.2g 72m R 51 3.7 4518:34 bro
16960 root 20 0 1436m 1.2g 72m R 49 3.8 4501:04 bro
16963 sguil 20 0 34.5g 16g 3260 R 33 51.1 647:24.36 prads
17478 sguil 20 0 716m 348m 11m R 33 1.1 0:45.84 snort
17327 sguil 20 0 716m 351m 11m R 31 1.1 0:49.06 snort
1521 root 20 0 289m 64m 888 S 14 0.2 589:47.66 syslog-ng
12363 root 20 0 4011m 543m 1284 R 14 1.7 766:48.41 bro
12383 root 25 5 145m 5784 316 R 12 0.0 911:20.90 bro
16829 root 25 5 72128 516 304 R 12 0.0 1290:26 bro
14120 root 30 10 8808 664 436 R 10 0.0 1:40.21 gzip
12531 root 25 5 65592 632 432 R 8 0.0 832:15.81 bro
20736 root 20 0 200m 36m 3556 S 8 0.1 0:01.02 perl
1515 mysql 20 0 4401m 79m 2860 S 6 0.2 606:06.46 mysqld
17394 sguil 20 0 716m 352m 11m R 6 1.1 0:49.79 snort
12641 root 25 5 154m 69m 64m R 4 0.2 741:09.69 bro
1717 sphinxse 20 0 611m 12m 4276 S 2 0.0 693:37.93 searchd
12515 root 20 0 275m 1056 420 R 2 0.0 89:33.00 bro
16798 root 20 0 276m 2440 808 R 2 0.0 89:39.75 bro
1 root 20 0 24596 1524 576 S 0 0.0 54:44.37 init
2 root 20 0 0 0 0 S 0 0.0 0:30.63 kthreadd
3 root 20 0 0 0 0 S 0 0.0 1:31.51 ksoftirqd/0
6 root RT 0 0 0 0 S 0 0.0 0:12.04 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:04.36 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:09.50 migration/1
10 root 20 0 0 0 0 S 0 0.0 1:18.59 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:05.04 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:13.80 migration/2
15 root 20 0 0 0 0 S 0 0.0 1:32.26 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:01.93 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:13.82 migration/3
19 root 20 0 0 0 0 S 0 0.0 1:22.88 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:02.40 watchdog/3
21 root RT 0 0 0 0 S 0 0.0 0:12.16 migration/4
23 root 20 0 0 0 0 S 0 0.0 1:33.29 ksoftirqd/4
24 root RT 0 0 0 0 S 0 0.0 0:03.40 watchdog/4
25 root RT 0 0 0 0 S 0 0.0 0:15.08 migration/5
27 root 20 0 0 0 0 S 0 0.0 1:23.66 ksoftirqd/5
28 root RT 0 0 0 0 S 0 0.0 0:02.82 watchdog/5
29 root RT 0 0 0 0 S 0 0.0 0:10.60 migration/6
31 root 20 0 0 0 0 S 0 0.0 1:32.19 ksoftirqd/6
32 root RT 0 0 0 0 S 0 0.0 0:02.80 watchdog/6
33 root RT 0 0 0 0 S 0 0.0 0:10.64 migration/7
35 root 20 0 0 0 0 S 0 0.0 1:24.83 ksoftirqd/7
36 root RT 0 0 0 0 S 0 0.0 0:02.36 watchdog/7
37 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
38 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
39 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
42 root 20 0 0 0 0 S 0 0.0 0:01.39 sync_supers
43 root 20 0 0 0 0 S 0 0.0 0:00.04 bdi-default
44 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
45 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
46 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
47 root 20 0 0 0 0 S 0 0.0 0:00.02 khubd
48 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
56 root 20 0 0 0 0 S 0 0.0 0:00.48 khungtaskd
59 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
60 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
61 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
62 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
63 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
71 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
90 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
289 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
293 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
298 root 20 0 0 0 0 S 0 0.0 0:00.00 cciss_scan
303 root 20 0 40672 536 504 S 0 0.0 2:17.48 tclsh
306 root 20 0 11436 0 0 S 0 0.0 0:00.16 tail
324 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
333 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
361 root 20 0 40604 396 392 S 0 0.0 2:18.73 tclsh
366 root 20 0 11436 4 0 S 0 0.0 0:00.02 tail
418 root 20 0 0 0 0 S 0 0.0 26:34.52 jbd2/cciss!c0d0
419 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
435 root 20 0 0 0 0 S 0 0.0 15:30.56 flush-104:0
453 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:2
543 root 20 0 17612 108 108 S 0 0.0 0:02.99 upstart-udev-br
645 root 20 0 21936 4 4 S 0 0.0 0:00.19 udevd
714 messageb 20 0 24716 1000 436 S 0 0.0 0:04.88 dbus-daemon
766 root 20 0 21932 8 4 S 0 0.0 0:00.00 udevd
853 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
883 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
887 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
890 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
920 avahi 20 0 32304 336 248 S 0 0.0 0:00.11 avahi-daemon
921 avahi 20 0 32180 4 0 S 0 0.0 0:00.00 avahi-daemon
922 root 20 0 21260 4 4 S 0 0.0 0:00.00 bluetoothd
985 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
995 root 20 0 101m 444 408 S 0 0.0 0:00.18 cupsd
1286 root 20 0 15188 96 96 S 0 0.0 0:01.50 upstart-socket-
1371 root 20 0 50032 204 152 S 0 0.0 0:04.66 sshd
1458 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
1464 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
1482 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
1483 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
1486 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
1495 root 20 0 4460 4 0 S 0 0.0 0:00.00 acpid
1501 root 20 0 19112 376 280 S 0 0.0 2:48.83 cron
1502 daemon 20 0 16908 20 0 S 0 0.0 0:00.01 atd
1509 root 20 0 15980 344 240 S 0 0.0 6:14.59 irqbalance
1513 root 20 0 280m 4 4 S 0 0.0 0:00.10 lightdm
1520 root 20 0 26780 32 0 S 0 0.0 0:00.00 syslog-ng
1554 sphinxse 20 0 72916 0 0 S 0 0.0 0:00.01 su
1598 root 20 0 4090m 1376 1184 S 0 0.0 0:00.55 console-kit-dae
1686 root 20 0 207m 1056 640 S 0 0.0 0:00.56 polkitd
1722 root 20 0 132m 996 696 S 0 0.0 0:13.36 accounts-daemon
1732 root 20 0 12804 8 0 S 0 0.0 0:00.93 ossec-execd
1745 ossec 20 0 14896 1640 300 S 0 0.0 0:11.04 ossec-analysisd
1749 root 20 0 4528 252 188 S 0 0.0 0:09.65 ossec-logcollec
1767 root 20 0 5784 1196 280 S 0 0.0 4:48.57 ossec-syscheckd
1773 ossec 20 0 13068 132 88 S 0 0.0 0:10.16 ossec-monitord
1852 root 20 0 214m 972 644 S 0 0.0 0:00.30 upowerd
2170 root 20 0 20024 8 4 S 0 0.0 0:00.00 getty
2501 root 20 0 116m 1008 652 S 0 0.0 0:00.60 udisks-daemon
2503 root 20 0 45516 4 0 S 0 0.0 0:00.00 udisks-daemon
2566 rtkit 21 1 164m 0 0 S 0 0.0 0:05.46 rtkit-daemon
3212 ntp 20 0 37772 616 468 S 0 0.0 0:45.10 ntpd
3540 root 20 0 0 0 0 S 0 0.0 0:03.23 kworker/1:1
4140 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
4504 root 20 0 0 0 0 S 0 0.0 0:00.65 kworker/7:2
4616 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/5:0
5437 root 20 0 0 0 0 S 0 0.0 0:00.40 kworker/0:1
5463 root 20 0 0 0 0 S 0 0.0 0:00.59 kworker/6:1
5508 root 20 0 16572 1216 976 S 0 0.0 0:00.00 bash
5682 root 20 0 46788 2516 760 S 0 0.0 0:44.45 tclsh
5871 root 20 0 11440 16 16 S 0 0.0 0:00.00 tail
6801 root 20 0 125m 136 132 S 0 0.0 0:00.00 tclsh
7207 root 20 0 125m 152 148 S 0 0.0 0:00.00 tclsh
8178 root 20 0 125m 140 136 S 0 0.0 0:00.00 tclsh
9789 root 20 0 4400 604 500 S 0 0.0 0:00.00 sh
9792 root 20 0 4400 320 216 S 0 0.0 0:00.00 sh
9798 root 20 0 4308 352 276 S 0 0.0 0:00.00 sleep
9911 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/7:0
10883 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
11291 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
11614 root 20 0 0 0 0 S 0 0.0 0:00.74 kworker/3:0
12306 root 20 0 16576 8 4 S 0 0.0 0:00.00 bash
12454 root 20 0 16572 8 4 S 0 0.0 0:00.00 bash
12590 root 20 0 16576 8 4 S 0 0.0 0:00.00 bash
12601 root 20 0 16576 8 4 S 0 0.0 0:00.00 bash
12652 root 25 5 156m 68m 64m R 0 0.2 741:23.43 bro
12686 root 20 0 0 0 0 S 0 0.0 0:00.84 kworker/0:2
12775 root 20 0 46788 2484 756 S 0 0.0 0:47.49 tclsh
12854 root 20 0 11440 0 0 S 0 0.0 0:00.01 tail
12906 root 20 0 0 0 0 S 0 0.0 0:06.81 kworker/1:0
13560 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
13683 root 20 0 125m 220 216 S 0 0.0 0:00.00 tclsh
14339 root 20 0 11440 0 0 S 0 0.0 0:00.00 tail
14363 root 20 0 21932 4 0 S 0 0.0 0:00.00 udevd
14588 root 20 0 39672 1212 616 S 0 0.0 2:01.78 tclsh
14591 root 20 0 11420 28 12 S 0 0.0 0:03.09 cat
14716 root 20 0 203m 1124 628 S 0 0.0 34:25.37 Xorg
14763 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
14771 root 20 0 185m 0 0 S 0 0.0 0:00.03 lightdm
14798 lightdm 20 0 4400 4 0 S 0 0.0 0:00.00 lightdm-greeter
14804 lightdm 20 0 23948 0 0 S 0 0.0 0:00.00 dbus-daemon
14805 lightdm 20 0 244m 3168 1756 S 0 0.0 18:05.37 lightdm-gtk-gre
14812 lightdm 20 0 52420 4 0 S 0 0.0 0:00.00 gvfsd
14819 lightdm 20 0 215m 0 0 S 0 0.0 0:00.01 gvfs-fuse-daemo
14840 root 20 0 94656 4 0 S 0 0.0 0:00.00 lightdm
14898 mike 20 0 303m 0 0 S 0 0.0 0:00.02 gnome-keyring-d
14936 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:2
15233 root 20 0 0 0 0 S 0 0.0 0:06.45 kworker/7:1
16738 root 20 0 16572 8 4 S 0 0.0 0:00.00 bash
16894 root 20 0 16576 8 4 S 0 0.0 0:00.00 bash
16902 root 20 0 16576 8 4 S 0 0.0 0:00.00 bash
16991 root 25 5 127m 66m 64m R 0 0.2 799:42.68 bro
17008 root 25 5 127m 66m 64m R 0 0.2 800:56.78 bro
18069 Debian-e 20 0 47472 128 64 S 0 0.0 0:00.28 exim4
18812 root 20 0 0 0 0 S 0 0.0 0:05.32 kworker/4:1
18936 root 20 0 101m 4388 3252 S 0 0.0 0:00.03 sshd
19392 mike 20 0 101m 2036 900 S 0 0.0 0:00.10 sshd
19396 mike 20 0 32740 9704 1656 S 0 0.0 0:03.95 bash
19730 root 20 0 125m 136 132 S 0 0.0 0:00.00 tclsh
20735 root 20 0 4400 612 508 S 0 0.0 0:00.01 sh
20780 root 20 0 78152 2320 1708 S 0 0.0 0:00.00 sudo
20782 root 20 0 16556 1420 1196 S 0 0.0 0:00.00 sostat
21027 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/6:2
21266 root 20 0 17480 1284 868 R 0 0.0 0:00.00 top
21291 root 20 0 101m 6640 2980 R 0 0.0 0:00.00 indexer
22517 root 20 0 0 0 0 S 0 0.0 0:01.75 kworker/5:1
22850 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:0
23288 root 20 0 0 0 0 S 0 0.0 0:00.26 kworker/4:0
23715 root 20 0 176m 40 0 S 0 0.0 0:18.39 /usr/sbin/apach
25003 root 20 0 0 0 0 S 0 0.0 0:03.26 kworker/u:2
25449 root 20 0 38204 11m 964 S 0 0.0 0:43.33 barnyard2
25508 root 20 0 38208 11m 964 S 0 0.0 0:43.17 barnyard2
25572 root 20 0 38204 11m 964 S 0 0.0 0:41.54 barnyard2
25634 root 20 0 38232 11m 964 S 0 0.0 0:36.07 barnyard2
25681 root 20 0 38212 11m 964 S 0 0.0 0:40.33 barnyard2
25729 root 20 0 38200 11m 964 S 0 0.0 0:44.97 barnyard2
25736 www-data 20 0 452m 98m 1512 S 0 0.3 17:11.16 ruby
26433 root 20 0 0 0 0 S 0 0.0 0:07.41 kworker/2:0
26890 root 20 0 215m 36 28 S 0 0.0 0:00.02 PassengerWatchd
26896 root 20 0 288m 56 4 S 0 0.0 0:05.58 PassengerHelper
26898 root 20 0 108m 448 316 S 0 0.0 0:01.48 ruby1.9.1
26902 nobody 20 0 165m 20 0 S 0 0.0 0:02.95 PassengerLoggin
26912 www-data 20 0 177m 28 20 S 0 0.0 0:01.47 /usr/sbin/apach
26913 www-data 20 0 176m 12 0 S 0 0.0 0:00.00 /usr/sbin/apach
26914 www-data 20 0 176m 4 0 S 0 0.0 0:00.00 /usr/sbin/apach
26915 www-data 20 0 176m 4 0 S 0 0.0 0:00.00 /usr/sbin/apach
26916 www-data 20 0 176m 4 0 S 0 0.0 0:00.00 /usr/sbin/apach
29516 root 20 0 39484 1692 1384 S 0 0.0 0:16.60 tclsh
31610 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
32517 root 20 0 47764 1092 588 S 0 0.0 2:56.12 tclsh
32532 root 20 0 40604 524 496 S 0 0.0 2:28.34 tclsh
32543 root 20 0 11436 0 0 S 0 0.0 0:00.03 tail
32594 root 20 0 40604 1480 768 S 0 0.0 1:55.52 tclsh
32603 root 20 0 11436 0 0 S 0 0.0 0:00.24 tail
32654 root 20 0 40552 1468 764 S 0 0.0 2:24.06 tclsh
32662 root 20 0 11436 0 0 S 0 0.0 0:00.03 tail
32701 root 20 0 125m 4 0 S 0 0.0 0:00.00 tclsh
32714 root 20 0 40604 1472 772 S 0 0.0 2:18.08 tclsh
32720 root 20 0 11436 4 0 S 0 0.0 0:00.03 tail
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/IDS0-eth2/dailylogs/
92K .
88K ./2013-05-16
/nsm/bro/logs/
15G .
15G ./2013-05-16
3.8M ./stats
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/IDS0-eth2/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/IDS0-eth2/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/IDS0-eth2/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/IDS0-eth2/snort-4.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/IDS0-eth2/snort-5.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/IDS0-eth2/snort-6.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
Appl. Name : <unknown>
Tot Packets : 6415844915
Tot Pkt Lost : 831271072
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : <unknown>
Tot Packets : 6412621696
Tot Pkt Lost : 784856587
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : <unknown>
Tot Packets : 6169605877
Tot Pkt Lost : 825473735
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : <unknown>
Tot Packets : 6244284798
Tot Pkt Lost : 781215840
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 1554383
Tot Pkt Lost : 1236291
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 1998633
Tot Pkt Lost : 1609096
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 906463
Tot Pkt Lost : 715654
TX: Send Errors : 0
Reflect: Fwd Errors: 0
=========================================================================
Sguil Uncategorized Events
=========================================================================
=========================================================================
Sguil events summary for yesterday
=========================================================================
=========================================================================
Top 50 All time Sguil Events
=========================================================================
=========================================================================
Top 50 URLs for yesterday
=========================================================================
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
607772 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
362205 129:15 stream5: Reset outside window
66260 119:19 http_inspect: LONG HEADER
64303 123:8 frag3: Fragmentation overlap
51982 129:4 stream5: TCP Timestamp is outside of PAWS window
36510 139:1 sensitive_data: sensitive data global threshold exceeded
35006 129:12 stream5: TCP Small Segment Threshold Exceeded
21083 120:8 http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
10128 120:6 http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
8771 128:4 ssh: Protocol mismatch
5375 119:32 http_inspect: SIMPLE REQUEST
4947 119:31 http_inspect: UNKNOWN METHOD
3782 124:1 smtp: Attempted command buffer overflow
3525 129:7 stream5: Limit on number of overlapping TCP packets reached
2645 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
2563 119:15 http_inspect: OVERSIZE REQUEST-URI DIRECTORY
2136 137:1 ssp_ssl: Invalid Client HELLO after Server HELLO Detected
2014 129:14 stream5: TCP Timestamp is missing
1757 120:7 http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
1172 129:2 stream5: Data on SYN packet
620 124:3 smtp: Attempted response buffer overflow
249 124:7 smtp: Attempted header name buffer overflow
196 129:3 stream5: Data sent on stream not accepting data
169 145:2 dnp3: DNP3 Link-Layer Frame was dropped.
156 120:9 http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
145 125:1 ftp_pp: Telnet command on FTP command channel
109 129:8 stream5: Data sent on stream after TCP Reset
85 123:12 frag3: Number of overlapping fragments exceed configured limit
61 140:27 sip: Maximum dialogs in a session reached
57 123:2 frag3: Teardrop attack
49 120:4 http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
47 120:10 http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
22 141:1 imap: Unknown IMAP4 command
19 119:14 http_inspect: NON-RFC DEFINED CHAR
18 119:28 http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
18 124:2 smtp: Attempted data header buffer overflow
14 142:2 pop: Unknown POP3 response
14 141:2 imap: Unknown IMAP4 response
10 120:11 http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
9 125:2 ftp_pp: Invalid FTP command
9 142:1 pop: Unknown POP3 command
9 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
4 140:3 sip: URI is too long
3 124:10 smtp: Base64 Decoding failed
3 129:19 stream5: TCP window closed before receiving data
2 1:2404075 ET CNC Shadowserver Reported CnC Server UDP (group 38)
1 129:13 stream5: TCP 4-way handshake detected
1 120:2 http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
1 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
1 1:2404075 ET CNC Shadowserver Reported CnC Server UDP (group 38)
Total
1296040
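The "fills the disk in less than two hours" claim at the top of the post can be checked directly from the numbers in this sostat output: the eth2 RX byte counter, the uptime on the top line, and the free space on / from the df line. The script below is an added example, not part of the original post or of the sostat tool; it parses those three values out of the pasted text (the sample string is constructed from the lines above) and turns them into an average sniffing rate, a pcap growth rate and an estimated time-to-full, plus the storage a given retention window would need. It treats the RX counter as the pcap growth rate, which is an assumption: netsniff-ng also writes per-packet headers and the filesystem holds other data, so the real time-to-full is somewhat shorter than the figure it prints.

```python
import re

# Constructed sample: the three relevant lines copied from the sostat output in the post
# (eth2 ifconfig block with its RX counter, the top uptime line, the root-fs df line).
SAMPLE_SOSTAT = """\
eth2 Link encap:Ethernet HWaddr 00:22:64:2d:98:8c
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX bytes:22349865581307 (22.3 TB) TX bytes:0 (0.0 B)
top - 16:13:17 up 6 days, 23:09, 1 user, load average: 21.11, 19.88, 18.21
/dev/cciss/c0d0p1 373G 55G 300G 16% /
"""

# df -h prints binary units (K/M/G/T = powers of 1024).
_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def human_to_bytes(size):
    """Convert a df -h size such as '300G' or '4.0K' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", size)
    if not m:
        raise ValueError("unrecognised size: %r" % size)
    return int(float(m.group(1)) * _UNITS.get(m.group(2), 1))


def parse_rx_bytes(text, iface):
    """Return the RX byte counter of the first 'RX bytes:' line after the iface header."""
    start = re.search(r"^" + re.escape(iface) + r"\s+Link encap", text, re.M)
    if not start:
        raise ValueError("interface %s not found" % iface)
    m = re.search(r"RX bytes:(\d+)", text[start.end():])
    if not m:
        raise ValueError("no RX counter for %s" % iface)
    return int(m.group(1))


def parse_uptime_hours(text):
    """Parse the 'up N days, HH:MM' (or 'up HH:MM' / 'up N min') part of a top header."""
    m = re.search(r"up (?:(\d+) days?,\s*)?(?:(\d+):(\d+)|(\d+) min)", text)
    if not m:
        raise ValueError("no uptime found")
    days = int(m.group(1) or 0)
    if m.group(4) is not None:                 # 'up 23 min' form
        return days * 24 + int(m.group(4)) / 60
    return days * 24 + int(m.group(2)) + int(m.group(3)) / 60


def parse_avail_bytes(text, mount="/"):
    """Return the 'Avail' column of the df line for the given mount point."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[5] == mount and parts[0].startswith("/dev/"):
            return human_to_bytes(parts[3])
    raise ValueError("mount %s not found" % mount)


def pcap_retention(text, iface, mount="/"):
    """Estimate sniffing rate and how long full packet capture can run into free space.

    Assumes the interface RX counter approximates the pcap growth rate (it ignores
    per-packet pcap headers, so the real time-to-full is shorter)."""
    rx = parse_rx_bytes(text, iface)
    hours = parse_uptime_hours(text)
    avail = parse_avail_bytes(text, mount)
    bytes_per_hour = rx / hours
    return {
        "avg_mbps": rx / (hours * 3600) * 8 / 1e6,   # average line rate seen
        "gb_per_hour": bytes_per_hour / 1e9,         # pcap growth, decimal GB
        "hours_to_fill": avail / bytes_per_hour,     # until the free space is gone
    }


def storage_for_retention(gb_per_hour, days):
    """Decimal terabytes needed to keep `days` of full packet capture at this rate."""
    return gb_per_hour * 24 * days / 1e3


if __name__ == "__main__":
    r = pcap_retention(SAMPLE_SOSTAT, "eth2")
    print("average rate   : %.0f Mbit/s" % r["avg_mbps"])
    print("pcap growth    : %.1f GB/hour" % r["gb_per_hour"])
    print("time to full   : %.1f hours" % r["hours_to_fill"])
    print("30-day archive : %.0f TB" % storage_for_retention(r["gb_per_hour"], 30))
```

On the figures in this post the sensor is averaging roughly 300 Mbit/s, pcap grows by about 134 GB per hour, and the 300G free on / is consumed in a little over two hours; a 30-day full-packet archive at that rate would need on the order of 100 TB, which is the budget gap the poster is describing.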