I have just created a new Master Server and Sensor environment (1 Master + 1 Sensor). I have enabled Salt on both devices. From what I understand, salt is supposed to perform the duties of the rule-update script every 15 minutes 'automagically'; however, it does not seem to be doing this. Below is the 'sostat' output of the master server. Couldn't get the sostat redacted command to work so my output is kinda ghetto...
Any help with this would be much appreciated!
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr x:x:x:x:x:x
inet addr:x.x.x.x Bcast:x.x.x.x Mask:x.x.x.x
inet6 addr: xx::x:x:x:x/x 6Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1460828 errors:0 dropped:0 overruns:0 frame:0
TX packets:338810 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1684950716 (1.6 GB) TX bytes:300652615 (300.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2654255 errors:0 dropped:0 overruns:0 frame:0
TX packets:2654255 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5246130502 (5.2 GB) TX bytes:5246130502 (5.2 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
5246130502 2654255 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
5246130502 2654255 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
link/ether x:x:x:x:x:x brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1684950896 1460831 0 0 0 44633
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
300655023 338822 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 977G 4.1G 923G 1% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 724K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 84K 16G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1009 avahi 12u IPv4 1904 0t0 UDP *:5353
avahi-dae 1009 avahi 13u IPv6 1905 0t0 UDP *:5353
avahi-dae 1009 avahi 14u IPv4 1906 0t0 UDP *:45117
avahi-dae 1009 avahi 15u IPv6 1907 0t0 UDP *:56423
cupsd 1028 root 8u IPv6 3084285 0t0 TCP [::1]:631 (LISTEN)
cupsd 1028 root 9u IPv4 3084286 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 1071 root 3r IPv4 1950 0t0 TCP *:22 (LISTEN)
sshd 1071 root 4u IPv6 1952 0t0 TCP *:22 (LISTEN)
mysqld 1342 mysql 10u IPv4 11775 0t0 TCP 127.0.0.1:3306 (LISTEN)
mysqld 1342 mysql 30u IPv4 3460514 0t0 TCP 127.0.0.1:3306->127.0.0.1:47617 (ESTABLISHED)
/usr/sbin 2034 root 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 2034 root 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2034 root 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 2034 root 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
ntpd 2144 ntp 16u IPv4 12376 0t0 UDP *:123
ntpd 2144 ntp 17u IPv6 12377 0t0 UDP *:123
ntpd 2144 ntp 18u IPv4 12383 0t0 UDP 127.0.0.1:123
ntpd 2144 ntp 19u IPv4 12384 0t0 UDP x.x.x.x:123
ntpd 2144 ntp 20u IPv6 12385 0t0 UDP [fe80::250:56ff:feb6:3836]:123
ntpd 2144 ntp 21u IPv6 12386 0t0 UDP [::1]:123
ossec-csy 9671 ossecm 5u IPv4 160097 0t0 UDP 127.0.0.1:47819->127.0.0.1:514
salt-mast 11432 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
salt-mini 11458 root 14u IPv4 165224 0t0 TCP 127.0.0.1:38368->127.0.0.1:4505 (ESTABLISHED)
salt-mast 11473 root 27u IPv4 163359 0t0 TCP *:4505 (LISTEN)
salt-mast 11473 root 29u IPv4 166201 0t0 TCP 127.0.0.1:4505->127.0.0.1:38368 (ESTABLISHED)
salt-mast 11473 root 30u IPv4 177741 0t0 TCP x.x.x.x:4505->x.x.x.x:39834 (ESTABLISHED)
salt-mast 11479 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
salt-mast 11480 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
salt-mast 11483 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
salt-mast 11486 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
salt-mast 11487 root 19u IPv4 166042 0t0 TCP *:4506 (LISTEN)
searchd 12261 sphinxsearch 7u IPv4 165451 0t0 TCP *:9306 (LISTEN)
searchd 12261 sphinxsearch 8u IPv4 165452 0t0 TCP *:9312 (LISTEN)
sshd 13877 root 3r IPv4 3208658 0t0 TCP x.x.x.x:22->x.x.x.x:52871 (ESTABLISHED)
sshd 14059 onion 3u IPv4 3208658 0t0 TCP x.x.x.x:22->x.x.x.x:52871 (ESTABLISHED)
sshd 16305 root 3r IPv4 177628 0t0 TCP x.x.x.x:22->x.x.x.x:40864 (ESTABLISHED)
sshd 16573 computerxxxx 3u IPv4 177628 0t0 TCP x.x.x.x:22->x.x.x.x:40864 (ESTABLISHED)
sshd 16573 computerxxxx 9u IPv6 179687 0t0 TCP [::1]:50000 (LISTEN)
sshd 16573 computerxxxx 10u IPv4 179688 0t0 TCP 127.0.0.1:50000 (LISTEN)
sshd 16573 computerxxxx 11u IPv4 3460513 0t0 TCP 127.0.0.1:47617->127.0.0.1:3306 (ESTABLISHED)
/usr/sbin 18045 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 18045 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18045 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 18045 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18046 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 18046 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18046 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 18046 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18047 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 18047 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18047 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 18047 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18048 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 18048 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18048 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 18048 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18049 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 18049 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18049 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 18049 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19311 www-data 4u IPv4 11871 0t0 TCP *:443 (LISTEN)
/usr/sbin 19311 www-data 5u IPv4 11874 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19311 www-data 6u IPv4 11876 0t0 TCP *:444 (LISTEN)
/usr/sbin 19311 www-data 7u IPv4 167654 0t0 TCP *:3154 (LISTEN)
syslog-ng 22613 root 9u IPv4 2934235 0t0 TCP *:514 (LISTEN)
syslog-ng 22613 root 10u IPv4 2934236 0t0 UDP *:514
tclsh 23242 root 3u IPv4 3157546 0t0 TCP 127.0.0.1:37148->127.0.0.1:7736 (ESTABLISHED)
tclsh 29532 root 13u IPv4 3023114 0t0 TCP *:7734 (LISTEN)
tclsh 29532 root 14u IPv4 3023115 0t0 TCP *:7736 (LISTEN)
tclsh 29532 root 15u IPv4 3158566 0t0 TCP x.x.x.x:7736->x.x.x.x:50584 (ESTABLISHED)
tclsh 29532 root 16u IPv4 3158488 0t0 TCP x.x.x.x:7736->x.x.x.x:50564 (ESTABLISHED)
tclsh 29532 root 17u IPv4 3156694 0t0 TCP 127.0.0.1:7736->127.0.0.1:37148 (ESTABLISHED)
tclsh 29532 root 18u IPv4 3156700 0t0 TCP x.x.x.x:7736->x.x.x.x:50531 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Tue Aug 5 07:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 9137 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 108 flowbits
Enabled 3 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------218
Deleted:---6
Enabled Rules:----7326
Dropped Rules:----0
Disabled Rules:---12627
Total Rules:------19953
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
=========================================================================
CPU Usage
=========================================================================
top - 19:43:42 up 5 days, 3:59, 2 users, load average: 0.08, 0.10, 0.07
Tasks: 186 total, 1 running, 184 sleeping, 0 stopped, 1 zombie
Cpu(s): 1.4%us, 0.2%sy, 0.0%ni, 98.3%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32950860k total, 3759668k used, 29191192k free, 211744k buffers
Swap: 50027808k total, 0k used, 50027808k free, 1337144k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 24604 2588 1368 S 0 0.0 0:13.71 init
2 root 20 0 0 0 0 S 0 0.0 0:00.02 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:03.41 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.26 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:02.46 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:02.82 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:02.59 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:02.96 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:02.03 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:02.44 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:03.33 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:04.42 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:02.22 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:02.69 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:02.26 watchdog/3
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
22 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
23 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
24 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
25 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:1
26 root 20 0 0 0 0 S 0 0.0 0:00.94 sync_supers
27 root 20 0 0 0 0 S 0 0.0 0:00.02 bdi-default
28 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
29 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
30 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
31 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
32 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
34 root 20 0 0 0 0 S 0 0.0 0:00.21 khungtaskd
35 root 20 0 0 0 0 S 0 0.0 0:00.00 kswapd0
36 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
37 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
38 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
39 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
48 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
49 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
50 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
72 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
210 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
216 root 0 -20 0 0 0 S 0 0.0 0:00.00 vmw_pvscsi_wq_2
251 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
349 root 20 0 0 0 0 S 0 0.0 6:44.90 jbd2/sda1-8
350 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
470 root 20 0 17236 636 452 S 0 0.0 0:00.05 upstart-udev-br
475 root 20 0 22040 1860 820 S 0 0.0 0:00.11 udevd
676 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
751 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
765 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
777 root 20 0 15192 388 196 S 0 0.0 0:00.00 upstart-socket-
861 root 20 0 22036 1448 396 S 0 0.0 0:00.00 udevd
862 root 20 0 22036 1432 380 S 0 0.0 0:00.00 udevd
965 messageb 20 0 24724 1772 836 S 0 0.0 0:03.60 dbus-daemon
990 root 20 0 21328 1712 1432 S 0 0.0 0:00.04 bluetoothd
1009 avahi 20 0 32312 1752 1440 S 0 0.0 0:08.90 avahi-daemon
1011 avahi 20 0 32184 468 212 S 0 0.0 0:00.00 avahi-daemon
1016 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1028 root 20 0 101m 4156 3092 S 0 0.0 0:00.03 cupsd
1071 root 20 0 50036 2924 2320 S 0 0.0 0:00.04 sshd
1164 root 20 0 20012 980 812 S 0 0.0 0:00.00 getty
1171 root 20 0 20012 976 812 S 0 0.0 0:00.00 getty
1184 root 20 0 20012 976 812 S 0 0.0 0:00.00 getty
1186 root 20 0 20012 976 812 S 0 0.0 0:00.00 getty
1191 root 20 0 20012 972 812 S 0 0.0 0:00.00 getty
1205 root 20 0 4464 820 560 S 0 0.0 0:00.00 acpid
1210 root 20 0 280m 4328 3524 S 0 0.0 0:00.02 lightdm
1216 daemon 20 0 16912 372 216 S 0 0.0 0:00.00 atd
1233 root 20 0 15984 696 520 S 0 0.0 0:43.09 irqbalance
1248 root 20 0 2042m 4040 2856 S 0 0.0 0:02.86 console-kit-dae
1342 mysql 20 0 2343m 103m 8564 S 0 0.3 12:55.51 mysqld
1351 root 20 0 208m 5836 3640 S 0 0.0 0:07.00 polkitd
1373 root 20 0 189m 31m 11m S 0 0.1 0:13.59 Xorg
1493 root 20 0 0 0 0 S 0 0.0 0:00.03 kworker/2:1
1537 root 20 0 132m 4468 3720 S 0 0.0 0:05.79 accounts-daemon
1649 root 20 0 214m 4328 3372 S 0 0.0 0:00.26 upowerd
1825 root 20 0 0 0 0 S 0 0.0 7:47.70 flush-8:0
1846 root 20 0 185m 4940 3924 S 0 0.0 0:00.01 lightdm
1890 root 20 0 0 0 0 S 0 0.0 0:06.70 kworker/1:1
2034 root 20 0 176m 15m 8784 S 0 0.0 0:11.83 /usr/sbin/apach
2097 root 20 0 20012 980 812 S 0 0.0 0:00.00 getty
2144 ntp 20 0 37776 2248 1612 S 0 0.0 0:18.25 ntpd
2410 onion 20 0 4404 696 576 S 0 0.0 0:00.01 sh
2442 onion 20 0 12572 320 0 S 0 0.0 0:01.46 ssh-agent
2445 onion 20 0 26564 792 484 S 0 0.0 0:00.00 dbus-launch
2446 onion 20 0 25528 1916 628 S 0 0.0 0:00.94 dbus-daemon
2454 onion 20 0 47608 2748 2196 S 0 0.0 0:04.99 xfconfd
2459 onion 20 0 63852 2660 2036 S 0 0.0 0:02.59 xscreensaver
2461 onion 20 0 158m 6576 5180 S 0 0.0 0:00.62 xfce4-session
2467 onion 20 0 154m 10m 8176 S 0 0.0 0:02.34 xfwm4
2469 onion 20 0 296m 19m 10m S 0 0.1 0:01.72 xfce4-panel
2471 onion 20 0 233m 7632 6160 S 0 0.0 0:00.24 Thunar
2473 onion 20 0 305m 17m 11m S 0 0.1 0:10.78 xfdesktop
2476 onion 20 0 128m 3912 2680 S 0 0.0 0:00.18 xfsettingsd
2478 onion 20 0 379m 15m 11m S 0 0.0 0:00.18 nm-applet
2480 onion 20 0 52408 2456 2056 S 0 0.0 0:00.01 gvfsd
2482 onion 20 0 215m 3604 2988 S 0 0.0 0:00.00 gvfs-fuse-daemo
2489 onion 20 0 413m 14m 10m S 0 0.0 0:05.85 update-notifier
2491 onion 20 0 186m 5720 4596 S 0 0.0 0:00.26 polkit-gnome-au
2496 onion 20 0 57112 2708 1980 S 0 0.0 0:00.60 gconfd-2
2500 root 20 0 116m 3568 2856 S 0 0.0 0:00.32 udisks-daemon
2505 root 20 0 45520 800 448 S 0 0.0 0:00.00 udisks-daemon
2507 onion 20 0 213m 4720 3228 S 0 0.0 0:01.21 xfce4-power-man
2509 onion 20 0 577m 31m 14m S 0 0.1 0:00.19 blueman-applet
2510 onion 20 0 529m 9008 6152 S 0 0.0 0:00.77 xfce4-volumed
2520 onion 20 0 257m 23m 11m S 0 0.1 0:00.85 applet.py
2521 onion 20 0 150m 3840 2448 S 0 0.0 0:00.80 xfce4-settings-
2528 onion 20 0 270m 3988 2804 S 0 0.0 0:00.08 pulseaudio
2530 rtkit 21 1 164m 1344 1096 S 0 0.0 0:03.93 rtkit-daemon
2540 onion 20 0 80668 4252 3480 S 0 0.0 0:00.04 gvfs-gdu-volume
2550 onion 20 0 138m 2524 2028 S 0 0.0 0:00.00 gvfs-afc-volume
2555 onion 20 0 60332 2412 1920 S 0 0.0 0:00.00 gvfs-gphoto2-vo
2560 onion 20 0 69552 3900 3288 S 0 0.0 0:00.04 gvfsd-trash
2561 onion 20 0 149m 7088 5556 S 0 0.0 0:00.31 panel-4-systray
2568 onion 20 0 409m 13m 10m S 0 0.0 0:00.26 xfce4-indicator
2570 onion 20 0 57812 2620 2164 S 0 0.0 0:00.00 obex-data-serve
2571 onion 20 0 148m 8744 6980 S 0 0.0 0:10.81 panel-7-datetim
2572 onion 20 0 169m 9.8m 7304 S 0 0.0 0:00.36 panel-9-xfsm-lo
2575 onion 20 0 190m 10m 7584 S 0 0.0 0:00.34 panel-24-thunar
2581 onion 20 0 524m 7552 5944 S 0 0.0 0:00.08 indicator-sound
2583 onion 20 0 339m 5080 4008 S 0 0.0 0:00.05 indicator-appli
2585 onion 20 0 642m 6764 5192 S 0 0.0 0:00.04 indicator-messa
3216 root 20 0 0 0 0 S 0 0.0 0:00.13 kworker/2:0
4036 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:2
4565 root 20 0 16556 1500 1264 S 0 0.0 0:00.00 sostat
4640 root 20 0 17336 1332 944 R 0 0.0 0:00.00 top
9671 ossecm 20 0 12920 636 456 S 0 0.0 0:02.74 ossec-csyslogd
9677 root 20 0 12808 528 348 S 0 0.0 0:00.09 ossec-execd
9681 ossec 20 0 14508 2416 816 S 0 0.0 0:04.07 ossec-analysisd
9685 root 20 0 4528 560 432 S 0 0.0 0:23.56 ossec-logcollec
9697 root 20 0 5900 2176 652 S 0 0.0 1:46.76 ossec-syscheckd
9700 ossec 20 0 13072 872 588 S 0 0.0 0:00.47 ossec-monitord
11212 www-data 20 0 429m 102m 3892 S 0 0.3 6:45.83 ruby
11378 root 19 -1 14892 1928 304 S 0 0.0 0:25.72 dema
11432 root 20 0 484m 21m 5440 S 0 0.1 0:03.87 salt-master
11458 root 20 0 432m 31m 7644 S 0 0.1 3:35.85 salt-minion
11466 root 20 0 205m 27m 5328 S 0 0.1 0:05.27 salt-master
11473 root 20 0 228m 17m 1668 S 0 0.1 0:00.00 salt-master
11474 root 20 0 228m 17m 1548 S 0 0.1 0:00.17 salt-master
11479 root 20 0 758m 31m 5980 S 0 0.1 0:54.80 salt-master
11480 root 20 0 758m 31m 5980 S 0 0.1 0:55.32 salt-master
11483 root 20 0 758m 31m 5980 S 0 0.1 0:54.82 salt-master
11486 root 20 0 758m 31m 5980 S 0 0.1 0:54.83 salt-master
11487 root 20 0 758m 31m 5980 S 0 0.1 0:54.81 salt-master
11832 www-data 20 0 427m 103m 3676 S 0 0.3 6:57.98 ruby
12245 sphinxse 20 0 72928 2040 1468 S 0 0.0 0:00.00 su
12261 sphinxse 20 0 508m 236m 15m S 0 0.7 9:14.49 searchd
12341 root 20 0 19116 1040 796 S 0 0.0 0:03.10 cron
12385 onion 20 0 303m 5000 4168 S 0 0.0 0:00.03 gnome-keyring-d
13877 root 20 0 101m 4484 3352 S 0 0.0 0:00.02 sshd
14059 onion 20 0 101m 2172 1040 S 0 0.0 0:00.32 sshd
14060 onion 20 0 31976 9008 1716 S 0 0.0 0:00.23 bash
14166 root 20 0 78144 2368 1772 S 0 0.0 0:00.00 sudo
14167 root 20 0 28068 5156 1768 S 0 0.0 0:00.30 bash
15360 root 20 0 0 0 0 S 0 0.0 0:00.51 kworker/0:1
15922 root 20 0 11428 712 608 S 0 0.0 0:00.00 tail
16305 root 20 0 101m 4380 3344 S 0 0.0 0:00.00 sshd
16573 nsmesxi0 20 0 102m 2532 932 S 0 0.0 0:32.37 sshd
17194 onion 20 0 259m 14m 10m S 0 0.0 0:00.09 xfce4-terminal
17195 onion 20 0 0 0 0 Z 0 0.0 0:00.00 xfce4-terminal <defunct>
17196 onion 20 0 28020 5016 1680 S 0 0.0 0:00.11 bash
17257 root 20 0 78144 2376 1776 S 0 0.0 0:00.00 sudo
17258 root 20 0 28052 5140 1764 S 0 0.0 0:00.12 bash
18013 root 20 0 215m 2072 1792 S 0 0.0 0:00.00 PassengerWatchd
18020 root 20 0 288m 2296 2012 S 0 0.0 0:01.69 PassengerHelper
18028 root 20 0 108m 8204 2164 S 0 0.0 0:00.04 ruby1.9.1
18032 nobody 20 0 165m 4672 3644 S 0 0.0 0:00.40 PassengerLoggin
18045 www-data 20 0 388m 114m 6252 S 0 0.4 0:18.26 /usr/sbin/apach
18046 www-data 20 0 388m 114m 6252 S 0 0.4 0:17.86 /usr/sbin/apach
18047 www-data 20 0 388m 114m 6252 S 0 0.4 0:17.76 /usr/sbin/apach
18048 www-data 20 0 388m 114m 6216 S 0 0.4 0:18.05 /usr/sbin/apach
18049 www-data 20 0 388m 114m 6216 S 0 0.4 0:18.11 /usr/sbin/apach
18827 root 20 0 11424 708 608 S 0 0.0 0:00.00 tail
19299 root 20 0 0 0 0 S 0 0.0 0:01.12 kworker/1:2
19311 www-data 20 0 388m 114m 6216 S 0 0.4 0:17.66 /usr/sbin/apach
20699 root 20 0 11424 716 608 S 0 0.0 0:00.00 tail
22612 root 20 0 26784 436 200 S 0 0.0 0:00.00 syslog-ng
22613 root 20 0 70856 4520 2896 S 0 0.0 0:07.37 syslog-ng
22614 root 20 0 4404 612 508 S 0 0.0 0:00.00 sh
22616 root 20 0 216m 42m 3812 S 0 0.1 0:13.63 perl
23242 root 20 0 42060 4852 3028 S 0 0.0 0:00.03 tclsh
23244 root 20 0 11420 604 516 S 0 0.0 0:00.00 tail
28268 root 20 0 0 0 0 S 0 0.0 0:06.73 kworker/3:2
29532 root 20 0 127m 8340 3816 S 0 0.0 0:00.46 tclsh
29535 root 20 0 125m 3496 776 S 0 0.0 0:01.47 tclsh
29536 root 20 0 125m 3284 552 S 0 0.0 0:00.00 tclsh
29986 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:1
30371 root 20 0 0 0 0 S 0 0.0 0:00.05 kworker/0:0
=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 318 |
+----------+
=========================================================================
Sguil events summary for yesterday
=========================================================================
+--------+-------------+--------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+--------------------------------------------------------------------------------------------------+
| 8 | 1:2009971 | ET P2P eMule KAD Network Hello Request (2) |
| 2 | 1:2018378 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) |
| 2 | 1:2018377 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server) |
| 2 | 1:99990018 | FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response |
| 1 | 1:99990009 | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted |
+--------+-------------+--------------------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 15 |
+-------+
=========================================================================
Top 50 All time Sguil Events
=========================================================================
+--------+-------------+--------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+--------------------------------------------------------------------------------------------------+
| 206 | 1:2010935 | ET POLICY Suspicious inbound to MSSQL port 1433 |
| 141 | 1:2101411 | GPL SNMP public access udp |
| 137 | 1:2102466 | GPL NETBIOS SMB-DS IPC$ unicode share access |
| 42 | 1:2001219 | ET SCAN Potential SSH Scan |
| 40 | 1:2100366 | GPL ICMP_INFO PING *NIX |
| 40 | 1:2100368 | GPL ICMP_INFO PING BSDtype |
| 32 | 1:2009971 | ET P2P eMule KAD Network Hello Request (2) |
| 26 | 1:2006435 | ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool |
| 24 | 1:2018689 | ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool |
| 23 | 1:2014702 | ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy |
| 23 | 1:2014703 | ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy |
| 19 | 1:2006546 | ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! |
| 16 | 1:2010515 | ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source) |
| 16 | 1:2101201 | GPL WEB_SERVER 403 Forbidden |
| 9 | 1:2103003 | GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt |
| 8 | 1:2500086 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 44 |
| 8 | 1:99990018 | FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response |
| 7 | 1:99990009 | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted |
| 6 | 1:2100538 | GPL NETBIOS SMB IPC$ unicode share access |
| 5 | 1:2402000 | ET DROP Dshield Block Listed Source group 1 |
| 4 | 1:2006402 | ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted |
| 4 | 1:2500014 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 8 |
| 4 | 1:2500084 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 43 |
| 4 | 1:2012648 | ET POLICY Dropbox Client Broadcasting |
| 3 | 1:2500088 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 45 |
| 3 | 1:2018377 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server) |
| 3 | 1:2500016 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 9 |
| 2 | 1:2013028 | ET POLICY curl User-Agent Outbound |
| 2 | 1:2018378 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) |
| 2 | 1:2500090 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 46 |
| 2 | 1:2003068 | ET SCAN Potential SSH Scan OUTBOUND |
| 1 | 1:2001583 | ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection |
+--------+-------------+--------------------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 862 |
+-------+
=========================================================================
Top 50 URLs for yesterday
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
+--------+-------------+--------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | SignatureName |
+--------+-------------+--------------------------------------------------------------------------------------------------+
| 8 | 1:2009971 | ET P2P eMule KAD Network Hello Request (2) |
| 2 | 1:2018378 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) |
| 2 | 1:2018377 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server) |
| 2 | 1:99990018 | FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response |
| 1 | 1:99990009 | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted |
+--------+-------------+--------------------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 15 |
+-------+
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
+--------+-------------+--------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | SignatureName |
+--------+-------------+--------------------------------------------------------------------------------------------------+
| 206 | 1:2010935 | ET POLICY Suspicious inbound to MSSQL port 1433 |
| 141 | 1:2101411 | GPL SNMP public access udp |
| 137 | 1:2102466 | GPL NETBIOS SMB-DS IPC$ unicode share access |
| 42 | 1:2001219 | ET SCAN Potential SSH Scan |
| 40 | 1:2100368 | GPL ICMP_INFO PING BSDtype |
| 40 | 1:2100366 | GPL ICMP_INFO PING *NIX |
| 32 | 1:2009971 | ET P2P eMule KAD Network Hello Request (2) |
| 26 | 1:2006435 | ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool |
| 24 | 1:2018689 | ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool |
| 23 | 1:2014703 | ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy |
| 23 | 1:2014702 | ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy |
| 19 | 1:2006546 | ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! |
| 16 | 1:2010515 | ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source) |
| 16 | 1:2101201 | GPL WEB_SERVER 403 Forbidden |
| 9 | 1:2103003 | GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt |
| 8 | 1:2500086 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 44 |
| 8 | 1:99990018 | FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response |
| 7 | 1:99990009 | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted |
| 6 | 1:2100538 | GPL NETBIOS SMB IPC$ unicode share access |
| 5 | 1:2402000 | ET DROP Dshield Block Listed Source group 1 |
| 4 | 1:2012648 | ET POLICY Dropbox Client Broadcasting |
| 4 | 1:2006402 | ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted |
| 4 | 1:2500084 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 43 |
| 4 | 1:2500014 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 8 |
| 3 | 1:2500016 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 9 |
| 3 | 1:2500088 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 45 |
| 3 | 1:2018377 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server) |
| 2 | 1:2013028 | ET POLICY curl User-Agent Outbound |
| 2 | 1:2003068 | ET SCAN Potential SSH Scan OUTBOUND |
| 2 | 1:2500090 | ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 46 |
| 2 | 1:2018378 | ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) |
| 1 | 1:2001583 | ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection |
+--------+-------------+--------------------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 862 |
+-------+
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
22612 supervising syslog-ng
22613 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1342 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
12245 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 4801 Aug 5 19:43 /nsm/elsa/data/elsa/tmp/buffers/1407267776.66605
-rw-r--r-- 1 root root 48 Aug 5 19:43 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
ELSA Directory Sizes:
107M /nsm/elsa/data
488K /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Log Node SSH Tunnels:
50000 x.x.x.x computerxxxx
root@computerxxxx:/var/log/salt#
What is the indicator that suggests that your rules are not being updated? Salt should disable the cron job that runs rule-update, as the salt state file "/opt/onionsalt/salt/sensor/init.sls" with the rules below handles the file copying and service restarts:
# Watch the Rules and restart when needed
rule-sync:
  file.recurse:
    - name: /etc/nsm/rules
    # Don't mess with maxdepth or you will go on a recursed loop of pain
    - maxdepth: 0
    - source: salt://sensor/rules

restart-ids:
  cmd.wait:
    - name: /usr/sbin/nsm_sensor_ps-restart --only-snort-alert
    - cwd: /
    - watch:
      - file: /etc/nsm/rules

restart-barnyard:
  cmd.wait:
    - name: /usr/sbin/nsm_sensor_ps-restart --only-barnyard2
    - cwd: /
    - watch:
      - file: /etc/nsm/rules

# Sync Bro Rules
bro-rules-sync:
  file.recurse:
    - name: /opt/bro/share/bro/policy
    - source: salt://sensor/bro/policy
By default, salt is run every 15 minutes on the minions out of /etc/cron.d/salt-update
-david vasil
>What is the indicator that suggests that your rules are not being updated?
I tested by removing 2 variables from my 'local.rules' file on the sensor, then saved and exited the file. I then waited for about 30+ minutes, then checked the sensor and the variables had still not been added back into the 'local.rules' file even though they do repopulate the moment I manually do a 'rule-update' on the sensor.
>Salt should disable the cron job that runs rule-update as the salt state file...
Do you know how I can verify if my 'rule-update' cron job is in fact disabled?
For what it's worth the "rule-update" entry still exists in my /etc/cron.d/ directory with contents:
# /etc/cron.d/rule-update
#
# crontab entry to update IDS rules via PulledPork
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
01 7 * * * root date >> /var/log/nsm/pulledpork.log ; /usr/bin/rule-update >> /var/log/nsm/pulledpork.log
output on Sensor =
root@computerxx:~# pgrep -lf salt
13637 su -c salt-minion
13646 /usr/bin/python /usr/bin/salt-minion
> sudo salt-call state.highstate
>
output of salt-call state.highstate on Master =
root@computerxx:~# salt-call state.highstate
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://top.sls'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/modules'
[INFO ] Syncing modules for environment 'base'
[INFO ] Loading cache from salt://_modules, for base)
[INFO ] Caching directory '_modules/' for environment 'base'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/states'
[INFO ] Syncing states for environment 'base'
[INFO ] Loading cache from salt://_states, for base)
[INFO ] Caching directory '_states/' for environment 'base'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/grains'
[INFO ] Syncing grains for environment 'base'
[INFO ] Loading cache from salt://_grains, for base)
[INFO ] Caching directory '_grains/' for environment 'base'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/renderers'
[INFO ] Syncing renderers for environment 'base'
[INFO ] Loading cache from salt://_renderers, for base)
[INFO ] Caching directory '_renderers/' for environment 'base'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/returners'
[INFO ] Syncing returners for environment 'base'
[INFO ] Loading cache from salt://_returners, for base)
[INFO ] Caching directory '_returners/' for environment 'base'
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/outputters'
[INFO ] Syncing outputters for environment 'base'
[INFO ] Loading cache from salt://_outputters, for base)
[INFO ] Caching directory '_outputters/' for environment 'base'
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://users/init.sls'
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://sudo/init.sls'
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://backend/init.sls'
[INFO ] Running state [/etc/sudoers] at time 13:17:40.864353
[INFO ] Executing state file.append for /etc/sudoers
[INFO ] Appended 0 lines
[INFO ] Completed state [/etc/sudoers] at time 13:17:40.866037
[INFO ] Running state [deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main] at time 13:17:40.866208
[INFO ] Executing state pkgrepo.managed for deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main
[INFO ] Package repo 'deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main' already configured
[INFO ] Completed state [deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main] at time 13:17:40.897760
[INFO ] Running state [securityonion-all] at time 13:17:40.898018
[INFO ] Executing state pkg.installed for securityonion-all
[INFO ] Executing command "dpkg-query --showformat='${Status} ${Package} ${Version} ${Architecture}\n' -W" in directory '/home/onion'
[INFO ] Executing command 'grep-available -F Provides -s Package,Provides -e "^.+$"' in directory '/home/onion'
[INFO ] Package securityonion-all is already installed
[INFO ] Completed state [securityonion-all] at time 13:17:41.009128
[INFO ] Running state [/opt/onionsalt/salt/sensor/rules] at time 13:17:41.009399
[INFO ] Executing state file.symlink for /opt/onionsalt/salt/sensor/rules
[INFO ] Symlink /opt/onionsalt/salt/sensor/rules is present and owned by root:root
[INFO ] Completed state [/opt/onionsalt/salt/sensor/rules] at time 13:17:41.011238
[INFO ] Running state [/opt/onionsalt/salt/sensor/bro] at time 13:17:41.011426
[INFO ] Executing state file.directory for /opt/onionsalt/salt/sensor/bro
[INFO ] Directory /opt/onionsalt/salt/sensor/bro is in the correct state
[INFO ] Completed state [/opt/onionsalt/salt/sensor/bro] at time 13:17:41.012362
[INFO ] Running state [/opt/onionsalt/salt/sensor/bro/policy] at time 13:17:41.012522
[INFO ] Executing state file.symlink for /opt/onionsalt/salt/sensor/bro/policy
[INFO ] Symlink /opt/onionsalt/salt/sensor/bro/policy is present and owned by root:root
[INFO ] Completed state [/opt/onionsalt/salt/sensor/bro/policy] at time 13:17:41.014070
[INFO ] Running state [/etc/nsm/rules/bro] at time 13:17:41.014226
[INFO ] Executing state file.symlink for /etc/nsm/rules/bro
[INFO ] Symlink /etc/nsm/rules/bro is present and owned by root:root
[INFO ] Completed state [/etc/nsm/rules/bro] at time 13:17:41.015744
[INFO ] Running state [/opt/onionsalt/salt/sensor/ossec] at time 13:17:41.015935
[INFO ] Executing state file.symlink for /opt/onionsalt/salt/sensor/ossec
[INFO ] Symlink /opt/onionsalt/salt/sensor/ossec is present and owned by root:root
[INFO ] Completed state [/opt/onionsalt/salt/sensor/ossec] at time 13:17:41.017385
[INFO ] Running state [/etc/cron.d/salt-update] at time 13:17:41.017557
[INFO ] Executing state file.managed for /etc/cron.d/salt-update
[INFO ] File /etc/cron.d/salt-update is in the correct state
[INFO ] Completed state [/etc/cron.d/salt-update] at time 13:17:41.268024
local:
----------
ID: sudoers
Function: file.append
Name: /etc/sudoers
Result: True
Comment: Appended 0 lines
Changes:
----------
ID: backend
Function: pkgrepo.managed
Name: deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main
Result: True
Comment: Package repo 'deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main' already configured
Changes:
----------
ID: securityonion-all
Function: pkg.installed
Result: True
Comment: Package securityonion-all is already installed
Changes:
----------
ID: /opt/onionsalt/salt/sensor/rules
Function: file.symlink
Result: True
Comment: Symlink /opt/onionsalt/salt/sensor/rules is present and owned by root:root
Changes:
----------
ID: brosync
Function: file.directory
Name: /opt/onionsalt/salt/sensor/bro
Result: True
Comment: Directory /opt/onionsalt/salt/sensor/bro is in the correct state
Changes:
----------
ID: bropolicysync
Function: file.symlink
Name: /opt/onionsalt/salt/sensor/bro/policy
Result: True
Comment: Symlink /opt/onionsalt/salt/sensor/bro/policy is present and owned by root:root
Changes:
----------
ID: easyrules
Function: file.symlink
Name: /etc/nsm/rules/bro
Result: True
Comment: Symlink /etc/nsm/rules/bro is present and owned by root:root
Changes:
----------
ID: ossecsync
Function: file.symlink
Name: /opt/onionsalt/salt/sensor/ossec
Result: True
Comment: Symlink /opt/onionsalt/salt/sensor/ossec is present and owned by root:root
Changes:
----------
ID: backendcron
Function: file.managed
Name: /etc/cron.d/salt-update
Result: True
Comment: File /etc/cron.d/salt-update is in the correct state
Changes:
Summary
------------
Succeeded: 9
Failed: 0
------------
Total: 9
output of salt-call state.highstate on Sensor =
root@computerxx:~# salt-call state.hightstate
Function state.hightstate is not available
> output of salt-call state.highstate on Sensor =
>
root@computerxx:~# salt-call state.highstate
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** done ** 'top.sls'
[INFO ] Fetching file from saltenv 'base', ** done ** 'users/init.sls'
[INFO ] Fetching file from saltenv 'base', ** done ** 'sudo/init.sls'
[INFO ] Fetching file from saltenv 'base', ** done ** 'sensor/init.sls'
[INFO ] Running state [/etc/sudoers] at time 13:22:35.430150
[INFO ] Executing state file.append for /etc/sudoers
[INFO ] File changed:
---
+++
@@ -27,3 +27,4 @@
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
+%sudo ALL=(ALL) NOPASSWD: ALL
[INFO ] Completed state [/etc/sudoers] at time 13:22:35.432153
[INFO ] Running state [deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main] at time 13:22:35.432317
[INFO ] Executing state pkgrepo.managed for deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main
[INFO ] Package repo 'deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main' already configured
[INFO ] Completed state [deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main] at time 13:22:35.523594
[INFO ] Running state [securityonion-sensor] at time 13:22:35.523933
[INFO ] Executing state pkg.installed for securityonion-sensor
[INFO ] Executing command "dpkg-query --showformat='${Status} ${Package} ${Version} ${Architecture}\n' -W" in directory '/home/onion'
[INFO ] Executing command 'grep-available -F Provides -s Package,Provides -e "^.+$"' in directory '/home/onion'
[INFO ] Package securityonion-sensor is already installed
[INFO ] Completed state [securityonion-sensor] at time 13:22:35.695147
[INFO ] Running state [/etc/nsm/rules] at time 13:22:35.695393
[INFO ] Executing state file.recurse for /etc/nsm/rules
[INFO ] The directory /etc/nsm/rules is in the correct state
[INFO ] Completed state [/etc/nsm/rules] at time 13:22:36.169336
[INFO ] Running state [/usr/sbin/nsm_sensor_ps-restart --only-snort-alert] at time 13:22:36.169771
[INFO ] Executing state cmd.wait for /usr/sbin/nsm_sensor_ps-restart --only-snort-alert
[INFO ] No changes made for /usr/sbin/nsm_sensor_ps-restart --only-snort-alert
[INFO ] Completed state [/usr/sbin/nsm_sensor_ps-restart --only-snort-alert] at time 13:22:36.170656
[INFO ] Running state [/usr/sbin/nsm_sensor_ps-restart --only-barnyard2] at time 13:22:36.170870
[INFO ] Executing state cmd.wait for /usr/sbin/nsm_sensor_ps-restart --only-barnyard2
[INFO ] No changes made for /usr/sbin/nsm_sensor_ps-restart --only-barnyard2
[INFO ] Completed state [/usr/sbin/nsm_sensor_ps-restart --only-barnyard2] at time 13:22:36.171717
[INFO ] Running state [/opt/bro/share/bro/policy] at time 13:22:36.171872
[INFO ] Executing state file.recurse for /opt/bro/share/bro/policy
[INFO ] The directory /opt/bro/share/bro/policy is in the correct state
[INFO ] Completed state [/opt/bro/share/bro/policy] at time 13:22:36.563291
[INFO ] Running state [/var/ossec/rules] at time 13:22:36.563494
[INFO ] Executing state file.recurse for /var/ossec/rules
[INFO ] The directory /var/ossec/rules is in the correct state
[INFO ] Completed state [/var/ossec/rules] at time 13:22:36.767640
[INFO ] Running state [service ossec-hids-server restart] at time 13:22:36.768137
[INFO ] Executing state cmd.wait for service ossec-hids-server restart
[INFO ] No changes made for service ossec-hids-server restart
[INFO ] Completed state [service ossec-hids-server restart] at time 13:22:36.769204
[INFO ] Running state [/etc/cron.d/rule-update] at time 13:22:36.769404
[INFO ] Executing state file.absent for /etc/cron.d/rule-update
[INFO ] {'removed': '/etc/cron.d/rule-update'}
[INFO ] Completed state [/etc/cron.d/rule-update] at time 13:22:36.770506
[INFO ] Running state [/etc/cron.d/salt-update] at time 13:22:36.770707
[INFO ] Executing state file.managed for /etc/cron.d/salt-update
[INFO ] Fetching file from saltenv 'base', ** done ** 'sensor/cron/salt-update'
[INFO ] File changed:
New file
[INFO ] Completed state [/etc/cron.d/salt-update] at time 13:22:36.777261
local:
----------
ID: sudoers
Function: file.append
Name: /etc/sudoers
Result: True
Comment: Appended 1 lines
Changes:
----------
diff:
---
+++
@@ -27,3 +27,4 @@
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
+%sudo ALL=(ALL) NOPASSWD: ALL
----------
ID: sensor
Function: pkgrepo.managed
Name: deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main
Result: True
Comment: Package repo 'deb http://ppa.launchpad.net/securityonion/stable/ubuntu precise main' already configured
Changes:
----------
ID: securityonion-sensor
Function: pkg.installed
Result: True
Comment: Package securityonion-sensor is already installed
Changes:
----------
ID: rule-sync
Function: file.recurse
Name: /etc/nsm/rules
Result: True
Comment: The directory /etc/nsm/rules is in the correct state
Changes:
----------
ID: restart-ids
Function: cmd.wait
Name: /usr/sbin/nsm_sensor_ps-restart --only-snort-alert
Result: True
Comment:
Changes:
----------
ID: restart-barnyard
Function: cmd.wait
Name: /usr/sbin/nsm_sensor_ps-restart --only-barnyard2
Result: True
Comment:
Changes:
----------
ID: bro-rules-sync
Function: file.recurse
Name: /opt/bro/share/bro/policy
Result: True
Comment: The directory /opt/bro/share/bro/policy is in the correct state
Changes:
----------
ID: ossec-sync
Function: file.recurse
Name: /var/ossec/rules
Result: True
Comment: The directory /var/ossec/rules is in the correct state
Changes:
----------
ID: restart-ossec
Function: cmd.wait
Name: service ossec-hids-server restart
Result: True
Comment:
Changes:
----------
ID: /etc/cron.d/rule-update
Function: file.absent
Result: True
Comment: Removed file /etc/cron.d/rule-update
Changes:
----------
removed:
/etc/cron.d/rule-update
----------
ID: cron-update-salt-checkin
Function: file.managed
Name: /etc/cron.d/salt-update
Result: True
Comment: File /etc/cron.d/salt-update updated
Changes:
----------
diff:
New file
mode:
0644
Summary
-------------
Succeeded: 11
Failed: 0
-------------
Total: 11
root@computerxx:~# ls -l /etc/cron.d/
total 44
-rw-r--r-- 1 root root 288 Jun 20 2010 anacron
-rw-r--r-- 1 root root 188 Dec 5 2012 bro
-rw-r--r-- 1 root root 224 Jan 1 2014 capme
-rw-r--r-- 1 root root 209 Jul 31 16:56 elsa
-rw-r--r-- 1 root root 308 May 25 2013 nsm-watchdog
-rw-r--r-- 1 root root 544 Sep 12 2012 php5
-rw-r--r-- 1 root root 384 Aug 6 13:22 salt-update
-rw-r--r-- 1 root root 236 Dec 30 2013 sensor-clean
-rw-r--r-- 1 root root 823 Jun 18 00:04 sensor-newday
-rw-r--r-- 1 root root 248 Oct 19 2012 sguil-db-purge
-rw-r--r-- 1 root root 403 Oct 13 2013 squert-ip2c
So I'm assuming the /etc/cron.d/salt-update replaced the original /etc/cron.d/rule-update job?