Here you go:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.06.01 11:13:21 =~=~=~=~=~=~=~=~=~=~=~=
sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:309979594 errors:0 dropped:0 overruns:0 frame:0
TX packets:291567256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:133062571420 (133.0 GB) TX bytes:296418310430 (296.4 GB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:81247129 errors:0 dropped:0 overruns:0 frame:0
TX packets:81247129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:296472114781 (296.4 GB) TX bytes:296472114781 (296.4 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
296472114781 81247129 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
296472114781 81247129 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
133062571420 309979594 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
296418310430 291567256 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 977G 239G 689G 26% /
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 799M 752K 798M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 108K 3.9G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1199 avahi 12u IPv4 8446 0t0 UDP *:5353
avahi-dae 1199 avahi 13u IPv6 8447 0t0 UDP *:5353
avahi-dae 1199 avahi 14u IPv4 8448 0t0 UDP *:45238
avahi-dae 1199 avahi 15u IPv6 8449 0t0 UDP *:60159
cupsd 1201 root 8u IPv6 46994955 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1201 root 9u IPv4 46994956 0t0 TCP X.X.X.X:631 (LISTEN)
syslog-ng 1609 root 9u IPv4 46742943 0t0 TCP *:514 (LISTEN)
syslog-ng 1609 root 10u IPv4 46742944 0t0 UDP *:514
sshd 1645 root 3r IPv4 9297 0t0 TCP *:ssh_port (LISTEN)
sshd 1645 root 4u IPv6 9299 0t0 TCP *:ssh_port (LISTEN)
salt-mini 1759 root 10u IPv4 15738 0t0 TCP X.X.X.X:39610->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1759 root 27u IPv4 15822 0t0 TCP X.X.X.X:38274->X.X.X.X:4505 (ESTABLISHED)
searchd 1832 sphinxsearch 7u IPv4 12619 0t0 TCP *:9306 (LISTEN)
searchd 1832 sphinxsearch 8u IPv4 12838 0t0 TCP *:9312 (LISTEN)
mysqld 2024 mysql 10u IPv4 15493 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 2024 mysql 92u IPv4 28698630 0t0 TCP X.X.X.X:3306->X.X.X.X:58495 (ESTABLISHED)
mysqld 2024 mysql 254u IPv4 47039664 0t0 TCP X.X.X.X:3306->X.X.X.X:40270 (ESTABLISHED)
mysqld 2024 mysql 259u IPv4 47025826 0t0 TCP X.X.X.X:3306->X.X.X.X:40122 (ESTABLISHED)
mysqld 2024 mysql 260u IPv4 47186340 0t0 TCP X.X.X.X:3306->X.X.X.X:45912 (ESTABLISHED)
mysqld 2024 mysql 269u IPv4 47012427 0t0 TCP X.X.X.X:3306->X.X.X.X:40097 (ESTABLISHED)
mysqld 2024 mysql 270u IPv4 47181509 0t0 TCP X.X.X.X:3306->X.X.X.X:45798 (ESTABLISHED)
mysqld 2024 mysql 274u IPv4 47181213 0t0 TCP X.X.X.X:3306->X.X.X.X:45762 (ESTABLISHED)
mysqld 2024 mysql 275u IPv4 47012429 0t0 TCP X.X.X.X:3306->X.X.X.X:40098 (ESTABLISHED)
mysqld 2024 mysql 278u IPv4 47181223 0t0 TCP X.X.X.X:3306->X.X.X.X:45763 (ESTABLISHED)
mysqld 2024 mysql 281u IPv4 47012379 0t0 TCP X.X.X.X:3306->X.X.X.X:40076 (ESTABLISHED)
mysqld 2024 mysql 284u IPv4 47012460 0t0 TCP X.X.X.X:3306->X.X.X.X:40099 (ESTABLISHED)
mysqld 2024 mysql 287u IPv4 47012469 0t0 TCP X.X.X.X:3306->X.X.X.X:40100 (ESTABLISHED)
mysqld 2024 mysql 290u IPv4 47012478 0t0 TCP X.X.X.X:3306->X.X.X.X:40101 (ESTABLISHED)
mysqld 2024 mysql 299u IPv4 47023853 0t0 TCP X.X.X.X:3306->X.X.X.X:40103 (ESTABLISHED)
sshd 3583 root 3r IPv4 19923479 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55934 (ESTABLISHED)
sshd 3739 SO-user 3u IPv4 19923479 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55934 (ESTABLISHED)
sshd 3739 SO-user 9u IPv6 19923719 0t0 TCP [X.X.X.X]:50017 (LISTEN)
sshd 3739 SO-user 10u IPv4 19923720 0t0 TCP X.X.X.X:50017 (LISTEN)
xrdp 3851 xrdp 6u IPv4 13782 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 3853 root 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
salt-mast 3892 root 12u IPv4 13718 0t0 TCP *:4505 (LISTEN)
salt-mast 3892 root 14u IPv4 13789 0t0 TCP X.X.X.X:4505->X.X.X.X:34776 (ESTABLISHED)
salt-mast 3892 root 15u IPv4 14031 0t0 TCP X.X.X.X:4505->X.X.X.X:37088 (ESTABLISHED)
salt-mast 3892 root 16u IPv4 14289 0t0 TCP X.X.X.X:4505->X.X.X.X:54904 (ESTABLISHED)
salt-mast 3892 root 17u IPv4 14680 0t0 TCP X.X.X.X:4505->X.X.X.X:47224 (ESTABLISHED)
salt-mast 3892 root 18u IPv4 14681 0t0 TCP X.X.X.X:4505->X.X.X.X:46758 (ESTABLISHED)
salt-mast 3892 root 19u IPv4 14699 0t0 TCP X.X.X.X:4505->X.X.X.X:52163 (ESTABLISHED)
salt-mast 3892 root 20u IPv4 13911702 0t0 TCP X.X.X.X:4505->X.X.X.X:49727 (ESTABLISHED)
salt-mast 3892 root 21u IPv4 14938 0t0 TCP X.X.X.X:4505->X.X.X.X:41421 (ESTABLISHED)
salt-mast 3892 root 22u IPv4 15823 0t0 TCP X.X.X.X:4505->X.X.X.X:38274 (ESTABLISHED)
salt-mast 3892 root 23u IPv4 14616493 0t0 TCP X.X.X.X:4505->X.X.X.X:57899 (ESTABLISHED)
salt-mast 3892 root 24u IPv4 4987892 0t0 TCP X.X.X.X:4505->X.X.X.X:48979 (ESTABLISHED)
salt-mast 3892 root 25u IPv4 15522571 0t0 TCP X.X.X.X:4505->X.X.X.X:45522 (ESTABLISHED)
salt-mast 3892 root 26u IPv4 7894812 0t0 TCP X.X.X.X:4505->X.X.X.X:59102 (ESTABLISHED)
salt-mast 3892 root 27u IPv4 10787643 0t0 TCP X.X.X.X:4505->X.X.X.X:45773 (ESTABLISHED)
salt-mast 3892 root 28u IPv4 10789020 0t0 TCP X.X.X.X:4505->X.X.X.X:53916 (ESTABLISHED)
salt-mast 3892 root 29u IPv4 12700809 0t0 TCP X.X.X.X:4505->X.X.X.X:38928 (ESTABLISHED)
salt-mast 3892 root 30u IPv4 16029761 0t0 TCP X.X.X.X:4505->X.X.X.X:55746 (ESTABLISHED)
salt-mast 3892 root 31u IPv4 13115951 0t0 TCP X.X.X.X:4505->X.X.X.X:53792 (ESTABLISHED)
salt-mast 3892 root 32u IPv4 13116045 0t0 TCP X.X.X.X:4505->X.X.X.X:43646 (ESTABLISHED)
salt-mast 3892 root 33u IPv4 15886861 0t0 TCP X.X.X.X:4505->X.X.X.X:41800 (ESTABLISHED)
salt-mast 3892 root 34u IPv4 15887507 0t0 TCP X.X.X.X:4505->X.X.X.X:50501 (ESTABLISHED)
salt-mast 3892 root 35u IPv4 15888085 0t0 TCP X.X.X.X:4505->X.X.X.X:36573 (ESTABLISHED)
salt-mast 3892 root 36u IPv4 15888281 0t0 TCP X.X.X.X:4505->X.X.X.X:43283 (ESTABLISHED)
salt-mast 3892 root 37u IPv4 42216532 0t0 TCP X.X.X.X:4505->X.X.X.X:35373 (ESTABLISHED)
salt-mast 3892 root 38u IPv4 16033752 0t0 TCP X.X.X.X:4505->X.X.X.X:43594 (ESTABLISHED)
salt-mast 3892 root 39u IPv4 16034754 0t0 TCP X.X.X.X:4505->X.X.X.X:47178 (ESTABLISHED)
salt-mast 3892 root 40u IPv4 21985176 0t0 TCP X.X.X.X:4505->X.X.X.X:42068 (ESTABLISHED)
salt-mast 3892 root 41u IPv4 35430430 0t0 TCP X.X.X.X:4505->X.X.X.X:41877 (ESTABLISHED)
salt-mast 3892 root 42u IPv4 44883488 0t0 TCP X.X.X.X:4505->X.X.X.X:42310 (ESTABLISHED)
salt-mast 3892 root 43u IPv4 25878364 0t0 TCP X.X.X.X:4505->X.X.X.X:53747 (ESTABLISHED)
salt-mast 3892 root 44u IPv4 18403365 0t0 TCP X.X.X.X:4505->X.X.X.X:39178 (ESTABLISHED)
salt-mast 3892 root 45u IPv4 18836380 0t0 TCP X.X.X.X:4505->X.X.X.X:52028 (ESTABLISHED)
salt-mast 3892 root 46u IPv4 19403585 0t0 TCP X.X.X.X:4505->X.X.X.X:54801 (ESTABLISHED)
salt-mast 3892 root 47u IPv4 19420371 0t0 TCP X.X.X.X:4505->X.X.X.X:50368 (ESTABLISHED)
salt-mast 3892 root 48u IPv4 19422892 0t0 TCP X.X.X.X:4505->X.X.X.X:44570 (ESTABLISHED)
salt-mast 3892 root 49u IPv4 19444309 0t0 TCP X.X.X.X:4505->X.X.X.X:45449 (ESTABLISHED)
salt-mast 3892 root 50u IPv4 31290329 0t0 TCP X.X.X.X:4505->X.X.X.X:48757 (ESTABLISHED)
salt-mast 3892 root 51u IPv4 19919344 0t0 TCP X.X.X.X:4505->X.X.X.X:42642 (ESTABLISHED)
salt-mast 3892 root 52u IPv4 21341168 0t0 TCP X.X.X.X:4505->X.X.X.X:37259 (ESTABLISHED)
salt-mast 3892 root 53u IPv4 21342548 0t0 TCP X.X.X.X:4505->X.X.X.X:60323 (ESTABLISHED)
salt-mast 3892 root 54u IPv4 22222973 0t0 TCP X.X.X.X:4505->X.X.X.X:48649 (ESTABLISHED)
salt-mast 3892 root 55u IPv4 47258851 0t0 TCP X.X.X.X:4505->X.X.X.X:33428 (ESTABLISHED)
salt-mast 3892 root 56u IPv4 29246097 0t0 TCP X.X.X.X:4505->X.X.X.X:37147 (ESTABLISHED)
salt-mast 3892 root 57u IPv4 44658176 0t0 TCP X.X.X.X:4505->X.X.X.X:40262 (ESTABLISHED)
salt-mast 3892 root 58u IPv4 37039664 0t0 TCP X.X.X.X:4505->X.X.X.X:41704 (ESTABLISHED)
salt-mast 3892 root 59u IPv4 37039671 0t0 TCP X.X.X.X:4505->X.X.X.X:56363 (ESTABLISHED)
salt-mast 3892 root 60u IPv4 37319678 0t0 TCP X.X.X.X:4505->X.X.X.X:43714 (ESTABLISHED)
salt-mast 3936 root 20u IPv4 13763 0t0 TCP *:4506 (LISTEN)
salt-mast 3936 root 22u IPv4 15739 0t0 TCP X.X.X.X:4506->X.X.X.X:39610 (ESTABLISHED)
salt-mast 3936 root 23u IPv4 34880102 0t0 TCP X.X.X.X:4506->X.X.X.X:37978 (ESTABLISHED)
salt-mast 3936 root 29u IPv4 44587286 0t0 TCP X.X.X.X:4506->X.X.X.X:37632 (ESTABLISHED)
salt-mast 3936 root 30u IPv4 16023376 0t0 TCP X.X.X.X:4506->X.X.X.X:35252 (ESTABLISHED)
salt-mast 3936 root 31u IPv4 31152737 0t0 TCP X.X.X.X:4506->X.X.X.X:37419 (ESTABLISHED)
salt-mast 3936 root 32u IPv4 18531707 0t0 TCP X.X.X.X:4506->X.X.X.X:52564 (ESTABLISHED)
salt-mast 3936 root 33u IPv4 34212659 0t0 TCP X.X.X.X:4506->X.X.X.X:35218 (ESTABLISHED)
salt-mast 3936 root 34u IPv4 27149247 0t0 TCP X.X.X.X:4506->X.X.X.X:33549 (ESTABLISHED)
salt-mast 3936 root 35u IPv4 21329438 0t0 TCP X.X.X.X:4506->X.X.X.X:59142 (ESTABLISHED)
salt-mast 3936 root 36u IPv4 22981457 0t0 TCP X.X.X.X:4506->X.X.X.X:43013 (ESTABLISHED)
salt-mast 3936 root 37u IPv4 47259465 0t0 TCP X.X.X.X:4506->X.X.X.X:57023 (ESTABLISHED)
salt-mast 3936 root 38u IPv4 25470420 0t0 TCP X.X.X.X:4506->X.X.X.X:53709 (ESTABLISHED)
salt-mast 3936 root 39u IPv4 27193113 0t0 TCP X.X.X.X:4506->X.X.X.X:33557 (ESTABLISHED)
salt-mast 3936 root 40u IPv4 37309272 0t0 TCP X.X.X.X:4506->X.X.X.X:35982 (ESTABLISHED)
salt-mast 3936 root 41u IPv4 37028532 0t0 TCP X.X.X.X:4506->X.X.X.X:35909 (ESTABLISHED)
salt-mast 3936 root 42u IPv4 37309939 0t0 TCP X.X.X.X:4506->X.X.X.X:41015 (ESTABLISHED)
salt-mast 3936 root 43u IPv4 47257528 0t0 TCP X.X.X.X:4506->X.X.X.X:41445 (ESTABLISHED)
salt-mast 3936 root 45u IPv4 47258840 0t0 TCP X.X.X.X:4506->X.X.X.X:37957 (ESTABLISHED)
sshd 4587 root 3r IPv4 42216650 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:39770 (ESTABLISHED)
sshd 4743 SO-user 3u IPv4 42216650 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:39770 (ESTABLISHED)
sshd 4743 SO-user 9u IPv6 42216892 0t0 TCP [X.X.X.X]:50015 (LISTEN)
sshd 4743 SO-user 10u IPv4 42216893 0t0 TCP X.X.X.X:50015 (LISTEN)
sshd 4743 SO-user 11u IPv4 42216982 0t0 TCP X.X.X.X:50015->X.X.X.X:50263 (CLOSE_WAIT)
sshd 4743 SO-user 12u IPv4 42218984 0t0 TCP X.X.X.X:50015->X.X.X.X:50303 (CLOSE_WAIT)
sshd 4743 SO-user 13u IPv4 42221050 0t0 TCP X.X.X.X:50015->X.X.X.X:50343 (CLOSE_WAIT)
sshd 4743 SO-user 14u IPv4 42222273 0t0 TCP X.X.X.X:50015->X.X.X.X:50390 (CLOSE_WAIT)
sshd 4743 SO-user 15u IPv4 42230191 0t0 TCP X.X.X.X:50015->X.X.X.X:50431 (CLOSE_WAIT)
sshd 4743 SO-user 16u IPv4 42233320 0t0 TCP X.X.X.X:50015->X.X.X.X:50476 (CLOSE_WAIT)
sshd 4743 SO-user 17u IPv4 42235619 0t0 TCP X.X.X.X:50015->X.X.X.X:50516 (CLOSE_WAIT)
sshd 4743 SO-user 18u IPv4 42237454 0t0 TCP X.X.X.X:50015->X.X.X.X:50556 (CLOSE_WAIT)
sshd 4743 SO-user 19u IPv4 42239261 0t0 TCP X.X.X.X:50015->X.X.X.X:50600 (CLOSE_WAIT)
sshd 4743 SO-user 20u IPv4 42241609 0t0 TCP X.X.X.X:50015->X.X.X.X:50641 (CLOSE_WAIT)
sshd 4743 SO-user 21u IPv4 42243169 0t0 TCP X.X.X.X:50015->X.X.X.X:50682 (CLOSE_WAIT)
sshd 4743 SO-user 22u IPv4 42248142 0t0 TCP X.X.X.X:50015->X.X.X.X:50728 (CLOSE_WAIT)
sshd 4743 SO-user 23u IPv4 42249676 0t0 TCP X.X.X.X:50015->X.X.X.X:50769 (CLOSE_WAIT)
sshd 4743 SO-user 24u IPv4 42251454 0t0 TCP X.X.X.X:50015->X.X.X.X:50813 (CLOSE_WAIT)
sshd 4743 SO-user 25u IPv4 42252692 0t0 TCP X.X.X.X:50015->X.X.X.X:50856 (CLOSE_WAIT)
sshd 4743 SO-user 26u IPv4 42253873 0t0 TCP X.X.X.X:50015->X.X.X.X:50897 (CLOSE_WAIT)
sshd 4743 SO-user 27u IPv4 42258158 0t0 TCP X.X.X.X:50015->X.X.X.X:50940 (CLOSE_WAIT)
sshd 4743 SO-user 29u IPv4 42267558 0t0 TCP X.X.X.X:50015->X.X.X.X:51020 (CLOSE_WAIT)
sshd 4743 SO-user 30u IPv4 42269370 0t0 TCP X.X.X.X:50015->X.X.X.X:51066 (CLOSE_WAIT)
sshd 4743 SO-user 31u IPv4 42270856 0t0 TCP X.X.X.X:50015->X.X.X.X:51110 (CLOSE_WAIT)
sshd 4743 SO-user 33u IPv4 42276278 0t0 TCP X.X.X.X:50015->X.X.X.X:51196 (CLOSE_WAIT)
sshd 4743 SO-user 34u IPv4 42278333 0t0 TCP X.X.X.X:50015->X.X.X.X:51236 (CLOSE_WAIT)
sshd 4743 SO-user 35u IPv4 42280419 0t0 TCP X.X.X.X:50015->X.X.X.X:51283 (CLOSE_WAIT)
sshd 4743 SO-user 36u IPv4 42281944 0t0 TCP X.X.X.X:50015->X.X.X.X:51323 (CLOSE_WAIT)
sshd 4743 SO-user 37u IPv4 42285187 0t0 TCP X.X.X.X:50015->X.X.X.X:51369 (CLOSE_WAIT)
sshd 4743 SO-user 38u IPv4 42287873 0t0 TCP X.X.X.X:50015->X.X.X.X:51410 (CLOSE_WAIT)
sshd 4743 SO-user 39u IPv4 42289579 0t0 TCP X.X.X.X:50015->X.X.X.X:51449 (CLOSE_WAIT)
sshd 4743 SO-user 40u IPv4 42291478 0t0 TCP X.X.X.X:50015->X.X.X.X:51495 (CLOSE_WAIT)
sshd 4743 SO-user 42u IPv4 42294493 0t0 TCP X.X.X.X:50015->X.X.X.X:51576 (CLOSE_WAIT)
sshd 4743 SO-user 43u IPv4 42298610 0t0 TCP X.X.X.X:50015->X.X.X.X:51619 (CLOSE_WAIT)
sshd 4743 SO-user 44u IPv4 42306504 0t0 TCP X.X.X.X:50015->X.X.X.X:51660 (CLOSE_WAIT)
sshd 4743 SO-user 46u IPv4 42310910 0t0 TCP X.X.X.X:50015->X.X.X.X:51749 (CLOSE_WAIT)
sshd 4743 SO-user 47u IPv4 42312167 0t0 TCP X.X.X.X:50015->X.X.X.X:51791 (CLOSE_WAIT)
sshd 4743 SO-user 48u IPv4 42316274 0t0 TCP X.X.X.X:50015->X.X.X.X:51835 (CLOSE_WAIT)
sshd 4743 SO-user 49u IPv4 42318086 0t0 TCP X.X.X.X:50015->X.X.X.X:51876 (CLOSE_WAIT)
sshd 4743 SO-user 50u IPv4 42320127 0t0 TCP X.X.X.X:50015->X.X.X.X:51921 (CLOSE_WAIT)
sshd 4743 SO-user 53u IPv4 42326666 0t0 TCP X.X.X.X:50015->X.X.X.X:52045 (CLOSE_WAIT)
sshd 4743 SO-user 54u IPv4 42329082 0t0 TCP X.X.X.X:50015->X.X.X.X:52086 (CLOSE_WAIT)
sshd 4743 SO-user 55u IPv4 42330862 0t0 TCP X.X.X.X:50015->X.X.X.X:52125 (CLOSE_WAIT)
sshd 4743 SO-user 56u IPv4 42333095 0t0 TCP X.X.X.X:50015->X.X.X.X:52174 (CLOSE_WAIT)
sshd 4743 SO-user 57u IPv4 42334507 0t0 TCP X.X.X.X:50015->X.X.X.X:52213 (CLOSE_WAIT)
sshd 4743 SO-user 59u IPv4 42347496 0t0 TCP X.X.X.X:50015->X.X.X.X:52301 (CLOSE_WAIT)
sshd 4743 SO-user 61u IPv4 42351481 0t0 TCP X.X.X.X:50015->X.X.X.X:52387 (CLOSE_WAIT)
sshd 4743 SO-user 62u IPv4 42352772 0t0 TCP X.X.X.X:50015->X.X.X.X:52428 (CLOSE_WAIT)
sshd 4743 SO-user 64u IPv4 42358467 0t0 TCP X.X.X.X:50015->X.X.X.X:52515 (CLOSE_WAIT)
sshd 4743 SO-user 65u IPv4 42360324 0t0 TCP X.X.X.X:50015->X.X.X.X:52555 (CLOSE_WAIT)
sshd 4743 SO-user 66u IPv4 42361847 0t0 TCP X.X.X.X:50015->X.X.X.X:52599 (CLOSE_WAIT)
sshd 4743 SO-user 67u IPv4 42363065 0t0 TCP X.X.X.X:50015->X.X.X.X:52642 (CLOSE_WAIT)
sshd 4743 SO-user 68u IPv4 42364182 0t0 TCP X.X.X.X:50015->X.X.X.X:52682 (CLOSE_WAIT)
sshd 4743 SO-user 69u IPv4 42368242 0t0 TCP X.X.X.X:50015->X.X.X.X:52726 (CLOSE_WAIT)
sshd 4743 SO-user 70u IPv4 42370285 0t0 TCP X.X.X.X:50015->X.X.X.X:52768 (CLOSE_WAIT)
sshd 4743 SO-user 71u IPv4 42373006 0t0 TCP X.X.X.X:50015->X.X.X.X:52813 (CLOSE_WAIT)
sshd 4743 SO-user 73u IPv4 42382651 0t0 TCP X.X.X.X:50015->X.X.X.X:52900 (CLOSE_WAIT)
sshd 4743 SO-user 74u IPv4 42387025 0t0 TCP X.X.X.X:50015->X.X.X.X:52945 (CLOSE_WAIT)
sshd 4743 SO-user 76u IPv4 42391127 0t0 TCP X.X.X.X:50015->X.X.X.X:53030 (CLOSE_WAIT)
sshd 4743 SO-user 77u IPv4 42392590 0t0 TCP X.X.X.X:50015->X.X.X.X:53074 (CLOSE_WAIT)
sshd 4743 SO-user 78u IPv4 42393813 0t0 TCP X.X.X.X:50015->X.X.X.X:53115 (CLOSE_WAIT)
sshd 4743 SO-user 79u IPv4 42397927 0t0 TCP X.X.X.X:50015->X.X.X.X:53159 (CLOSE_WAIT)
sshd 4743 SO-user 80u IPv4 42399998 0t0 TCP X.X.X.X:50015->X.X.X.X:53200 (CLOSE_WAIT)
sshd 4743 SO-user 82u IPv4 42403907 0t0 TCP X.X.X.X:50015->X.X.X.X:53288 (CLOSE_WAIT)
sshd 4743 SO-user 83u IPv4 42405080 0t0 TCP X.X.X.X:50015->X.X.X.X:53327 (CLOSE_WAIT)
sshd 4743 SO-user 84u IPv4 42409070 0t0 TCP X.X.X.X:50015->X.X.X.X:53372 (CLOSE_WAIT)
sshd 4743 SO-user 85u IPv4 42411097 0t0 TCP X.X.X.X:50015->X.X.X.X:53413 (CLOSE_WAIT)
sshd 4743 SO-user 86u IPv4 42413368 0t0 TCP X.X.X.X:50015->X.X.X.X:53455 (CLOSE_WAIT)
sshd 4743 SO-user 87u IPv4 42421360 0t0 TCP X.X.X.X:50015->X.X.X.X:53505 (CLOSE_WAIT)
sshd 4743 SO-user 88u IPv4 42422763 0t0 TCP X.X.X.X:50015->X.X.X.X:53545 (CLOSE_WAIT)
sshd 4743 SO-user 89u IPv4 42426487 0t0 TCP X.X.X.X:50015->X.X.X.X:53592 (CLOSE_WAIT)
sshd 4743 SO-user 90u IPv4 42428524 0t0 TCP X.X.X.X:50015->X.X.X.X:53631 (CLOSE_WAIT)
sshd 4743 SO-user 92u IPv4 42434585 0t0 TCP X.X.X.X:50015->X.X.X.X:53718 (CLOSE_WAIT)
sshd 4743 SO-user 93u IPv4 42436130 0t0 TCP X.X.X.X:50015->X.X.X.X:53758 (CLOSE_WAIT)
sshd 4743 SO-user 94u IPv4 42437424 0t0 TCP X.X.X.X:50015->X.X.X.X:53800 (CLOSE_WAIT)
sshd 4743 SO-user 95u IPv4 42442451 0t0 TCP X.X.X.X:50015->X.X.X.X:53845 (CLOSE_WAIT)
sshd 4743 SO-user 96u IPv4 42444595 0t0 TCP X.X.X.X:50015->X.X.X.X:53887 (CLOSE_WAIT)
sshd 4743 SO-user 97u IPv4 42446252 0t0 TCP X.X.X.X:50015->X.X.X.X:53932 (CLOSE_WAIT)
sshd 4743 SO-user 98u IPv4 42447635 0t0 TCP X.X.X.X:50015->X.X.X.X:53974 (CLOSE_WAIT)
sshd 4743 SO-user 100u IPv4 42456645 0t0 TCP X.X.X.X:50015->X.X.X.X:54060 (CLOSE_WAIT)
sshd 4743 SO-user 101u IPv4 42464761 0t0 TCP X.X.X.X:50015->X.X.X.X:54101 (CLOSE_WAIT)
sshd 4743 SO-user 102u IPv4 42472237 0t0 TCP X.X.X.X:50015->X.X.X.X:54146 (CLOSE_WAIT)
sshd 4743 SO-user 103u IPv4 42474086 0t0 TCP X.X.X.X:50015->X.X.X.X:54187 (CLOSE_WAIT)
sshd 4743 SO-user 104u IPv4 42475496 0t0 TCP X.X.X.X:50015->X.X.X.X:54226 (CLOSE_WAIT)
sshd 4743 SO-user 105u IPv4 42479489 0t0 TCP X.X.X.X:50015->X.X.X.X:54272 (CLOSE_WAIT)
sshd 4743 SO-user 106u IPv4 42481354 0t0 TCP X.X.X.X:50015->X.X.X.X:54313 (CLOSE_WAIT)
sshd 4743 SO-user 107u IPv4 42483348 0t0 TCP X.X.X.X:50015->X.X.X.X:54352 (CLOSE_WAIT)
sshd 4743 SO-user 108u IPv4 42485030 0t0 TCP X.X.X.X:50015->X.X.X.X:54400 (CLOSE_WAIT)
sshd 4743 SO-user 109u IPv4 42487254 0t0 TCP X.X.X.X:50015->X.X.X.X:54441 (CLOSE_WAIT)
sshd 4743 SO-user 110u IPv4 42491021 0t0 TCP X.X.X.X:50015->X.X.X.X:54486 (CLOSE_WAIT)
sshd 4743 SO-user 111u IPv4 42492997 0t0 TCP X.X.X.X:50015->X.X.X.X:54525 (CLOSE_WAIT)
sshd 4743 SO-user 112u IPv4 42495119 0t0 TCP X.X.X.X:50015->X.X.X.X:54566 (CLOSE_WAIT)
sshd 4743 SO-user 113u IPv4 42496696 0t0 TCP X.X.X.X:50015->X.X.X.X:54610 (CLOSE_WAIT)
sshd 4743 SO-user 114u IPv4 42498240 0t0 TCP X.X.X.X:50015->X.X.X.X:54650 (CLOSE_WAIT)
sshd 4743 SO-user 115u IPv4 42501415 0t0 TCP X.X.X.X:50015->X.X.X.X:54694 (CLOSE_WAIT)
sshd 4743 SO-user 116u IPv4 42511397 0t0 TCP X.X.X.X:50015->X.X.X.X:54740 (CLOSE_WAIT)
sshd 4743 SO-user 117u IPv4 42513196 0t0 TCP X.X.X.X:50015->X.X.X.X:54782 (CLOSE_WAIT)
sshd 4743 SO-user 119u IPv4 42516557 0t0 TCP X.X.X.X:50015->X.X.X.X:54871 (CLOSE_WAIT)
sshd 4743 SO-user 120u IPv4 42517678 0t0 TCP X.X.X.X:50015->X.X.X.X:54911 (CLOSE_WAIT)
sshd 4743 SO-user 121u IPv4 42521412 0t0 TCP X.X.X.X:50015->X.X.X.X:54955 (CLOSE_WAIT)
sshd 4743 SO-user 122u IPv4 42523208 0t0 TCP X.X.X.X:50015->X.X.X.X:54995 (CLOSE_WAIT)
sshd 4743 SO-user 123u IPv4 42525016 0t0 TCP X.X.X.X:50015->X.X.X.X:55035 (CLOSE_WAIT)
sshd 4743 SO-user 124u IPv4 42526542 0t0 TCP X.X.X.X:50015->X.X.X.X:55079 (CLOSE_WAIT)
sshd 4743 SO-user 125u IPv4 42529070 0t0 TCP X.X.X.X:50015->X.X.X.X:55120 (CLOSE_WAIT)
sshd 4743 SO-user 126u IPv4 42531772 0t0 TCP X.X.X.X:50015->X.X.X.X:55164 (CLOSE_WAIT)
sshd 4743 SO-user 127u IPv4 42534799 0t0 TCP X.X.X.X:50015->X.X.X.X:55204 (CLOSE_WAIT)
sshd 4743 SO-user 128u IPv4 42536937 0t0 TCP X.X.X.X:50015->X.X.X.X:55245 (CLOSE_WAIT)
sshd 4743 SO-user 129u IPv4 42538607 0t0 TCP X.X.X.X:50015->X.X.X.X:55293 (CLOSE_WAIT)
sshd 4743 SO-user 130u IPv4 42546600 0t0 TCP X.X.X.X:50015->X.X.X.X:55333 (CLOSE_WAIT)
sshd 4743 SO-user 131u IPv4 42548105 0t0 TCP X.X.X.X:50015->X.X.X.X:55375 (CLOSE_WAIT)
sshd 4743 SO-user 132u IPv4 42552298 0t0 TCP X.X.X.X:50015->X.X.X.X:55419 (CLOSE_WAIT)
sshd 4743 SO-user 133u IPv4 42554278 0t0 TCP X.X.X.X:50015->X.X.X.X:55461 (CLOSE_WAIT)
sshd 4743 SO-user 134u IPv4 42555793 0t0 TCP X.X.X.X:50015->X.X.X.X:55504 (CLOSE_WAIT)
sshd 4743 SO-user 135u IPv4 42556956 0t0 TCP X.X.X.X:50015->X.X.X.X:55544 (CLOSE_WAIT)
sshd 4743 SO-user 136u IPv4 42558163 0t0 TCP X.X.X.X:50015->X.X.X.X:55584 (CLOSE_WAIT)
sshd 4743 SO-user 137u IPv4 42561476 0t0 TCP X.X.X.X:50015->X.X.X.X:55628 (CLOSE_WAIT)
sshd 4743 SO-user 138u IPv4 42563603 0t0 TCP X.X.X.X:50015->X.X.X.X:55669 (CLOSE_WAIT)
sshd 4743 SO-user 139u IPv4 42565179 0t0 TCP X.X.X.X:50015->X.X.X.X:55709 (CLOSE_WAIT)
sshd 4840 root 3r IPv4 15828 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:39940 (ESTABLISHED)
sshd 5005 SO-user 3u IPv4 15828 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:39940 (ESTABLISHED)
sshd 5005 SO-user 9u IPv6 16115 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 5005 SO-user 10u IPv4 16116 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 5005 SO-user 12u IPv4 47186339 0t0 TCP X.X.X.X:45912->X.X.X.X:3306 (ESTABLISHED)
tclsh 5330 SO-user 3u IPv4 47142695 0t0 TCP X.X.X.X:58840->X.X.X.X:7736 (ESTABLISHED)
sendmail- 5679 root 4u IPv4 26602 0t0 TCP *:25 (LISTEN)
sendmail- 5679 root 5u IPv4 26603 0t0 TCP *:587 (LISTEN)
/usr/sbin 5778 root 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 5778 root 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5778 root 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5778 root 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
monit 5850 root 6u IPv4 19317 0t0 TCP *:2812 (LISTEN)
xrdp-sess 7137 root 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
ck-launch 7138 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
Xvnc 7139 SO-user 1u IPv6 44637380 0t0 TCP *:5911 (LISTEN)
Xvnc 7139 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xrdp-chan 7146 root 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
ssh-agent 7171 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
sh 7180 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
dbus-laun 7183 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
dbus-daem 7203 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfconfd 7364 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xscreensa 7370 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfce4-ses 7372 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfwm4 7406 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfce4-pan 7408 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
Thunar 7410 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfdesktop 7412 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfsd 7418 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gconfd-2 7636 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 7848 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-gdu- 7851 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 7853 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-gpho 7873 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 7884 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-afc- 7894 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
sshd 7972 root 3r IPv4 37319842 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:43752 (ESTABLISHED)
sshd 8114 root 3r IPv4 31290470 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35087 (ESTABLISHED)
sshd 8123 SO-user 3u IPv4 37319842 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:43752 (ESTABLISHED)
sshd 8123 SO-user 9u IPv6 37320083 0t0 TCP [X.X.X.X]:50006 (LISTEN)
sshd 8123 SO-user 10u IPv4 37320084 0t0 TCP X.X.X.X:50006 (LISTEN)
sshd 8123 SO-user 12u IPv4 47025825 0t0 TCP X.X.X.X:40122->X.X.X.X:3306 (ESTABLISHED)
sshd 8264 SO-user 3u IPv4 31290470 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35087 (ESTABLISHED)
sshd 8264 SO-user 9u IPv6 31290710 0t0 TCP [X.X.X.X]:50018 (LISTEN)
sshd 8264 SO-user 10u IPv4 31290711 0t0 TCP X.X.X.X:50018 (LISTEN)
sshd 10065 root 3r IPv4 19442540 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51364 (ESTABLISHED)
wish 10067 SO-user 4u IPv4 47262842 0t0 TCP X.X.X.X:36840->X.X.X.X:7734 (ESTABLISHED)
dconf-ser 10161 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
sshd 10217 SO-user 3u IPv4 19442540 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51364 (ESTABLISHED)
sshd 10217 SO-user 9u IPv6 19442793 0t0 TCP [X.X.X.X]:50019 (LISTEN)
sshd 10217 SO-user 10u IPv4 19442794 0t0 TCP X.X.X.X:50019 (LISTEN)
gnome-key 10427 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
sshd 10722 root 3r IPv4 47063781 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59107 (ESTABLISHED)
sshd 10872 SO-user 3u IPv4 47063781 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59107 (ESTABLISHED)
sshd 10872 SO-user 9u IPv6 47064022 0t0 TCP [X.X.X.X]:50003 (LISTEN)
sshd 10872 SO-user 10u IPv4 47064023 0t0 TCP X.X.X.X:50003 (LISTEN)
sshd 10872 SO-user 11u IPv4 47181212 0t0 TCP X.X.X.X:45762->X.X.X.X:3306 (ESTABLISHED)
sshd 10872 SO-user 12u IPv4 47181508 0t0 TCP X.X.X.X:45798->X.X.X.X:3306 (ESTABLISHED)
sshd 10872 SO-user 13u IPv4 47181222 0t0 TCP X.X.X.X:45763->X.X.X.X:3306 (ESTABLISHED)
sshd 12958 root 3r IPv4 35791362 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35604 (ESTABLISHED)
sshd 13108 SO-user 3u IPv4 35791362 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35604 (ESTABLISHED)
sshd 13108 SO-user 9u IPv6 35791604 0t0 TCP [X.X.X.X]:50008 (LISTEN)
sshd 13108 SO-user 10u IPv4 35791605 0t0 TCP X.X.X.X:50008 (LISTEN)
sshd 13108 SO-user 11u IPv4 47012459 0t0 TCP X.X.X.X:40099->X.X.X.X:3306 (ESTABLISHED)
sshd 13108 SO-user 12u IPv4 47012468 0t0 TCP X.X.X.X:40100->X.X.X.X:3306 (ESTABLISHED)
sshd 13108 SO-user 13u IPv4 47012477 0t0 TCP X.X.X.X:40101->X.X.X.X:3306 (ESTABLISHED)
sshd 13587 root 3r IPv4 16029972 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37827 (ESTABLISHED)
sshd 13830 root 3r IPv4 44658352 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38540 (ESTABLISHED)
sshd 13982 SO-user 3u IPv4 44658352 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38540 (ESTABLISHED)
sshd 13982 SO-user 9u IPv6 44658595 0t0 TCP [X.X.X.X]:50005 (LISTEN)
sshd 13982 SO-user 10u IPv4 44658596 0t0 TCP X.X.X.X:50005 (LISTEN)
sshd 13982 SO-user 11u IPv4 47012378 0t0 TCP X.X.X.X:40076->X.X.X.X:3306 (ESTABLISHED)
sshd 13982 SO-user 12u IPv4 47012426 0t0 TCP X.X.X.X:40097->X.X.X.X:3306 (ESTABLISHED)
sshd 13982 SO-user 13u IPv4 47012428 0t0 TCP X.X.X.X:40098->X.X.X.X:3306 (ESTABLISHED)
sshd 14501 root 3r IPv4 16031599 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55255 (ESTABLISHED)
apt-cache 14657 www-data 4u IPv6 46994919 0t0 TCP *:3142 (LISTEN)
sshd 15105 SO-user 3u IPv4 16029972 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37827 (ESTABLISHED)
sshd 15105 SO-user 9u IPv6 16032566 0t0 TCP [X.X.X.X]:50011 (LISTEN)
sshd 15105 SO-user 10u IPv4 16032567 0t0 TCP X.X.X.X:50011 (LISTEN)
sshd 15105 SO-user 11u IPv4 47039663 0t0 TCP X.X.X.X:40270->X.X.X.X:3306 (ESTABLISHED)
sshd 15157 root 3r IPv4 47262858 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41862 (ESTABLISHED)
sshd 15308 SO-user 3u IPv4 47262858 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:41862 (ESTABLISHED)
sshd 15308 SO-user 9u IPv6 47263098 0t0 TCP [X.X.X.X]:50013 (LISTEN)
sshd 15308 SO-user 10u IPv4 47263099 0t0 TCP X.X.X.X:50013 (LISTEN)
sshd 15399 root 3r IPv4 47263355 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:25397 (ESTABLISHED)
sshd 15549 SO-user 3u IPv4 47263355 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:25397 (ESTABLISHED)
sshd 15725 SO-user 3u IPv4 16031599 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55255 (ESTABLISHED)
sshd 15725 SO-user 9u IPv6 16033524 0t0 TCP [X.X.X.X]:50002 (LISTEN)
sshd 15725 SO-user 10u IPv4 16033525 0t0 TCP X.X.X.X:50002 (LISTEN)
sshd 15725 SO-user 11u IPv4 28698629 0t0 TCP X.X.X.X:58495->X.X.X.X:3306 (ESTABLISHED)
xrdp-sess 19750 root 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
ck-launch 19751 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
Xvnc 19752 SO-user 1u IPv6 14552077 0t0 TCP *:5910 (LISTEN)
Xvnc 19752 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xrdp-chan 19780 root 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
ssh-agent 19807 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
sh 19816 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
dbus-laun 19819 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
dbus-daem 19820 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfconfd 19827 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xscreensa 19834 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfce4-ses 19836 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfwm4 19842 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
Thunar 19846 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfsd 19848 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfce4-pan 19852 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfdesktop 19854 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
xfce4-pow 19857 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 19918 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 19920 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
indicator 19922 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-gdu- 19924 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-gpho 19939 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gconfd-2 19942 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfs-afc- 19952 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
tclsh 20616 SO-user 13u IPv4 46916756 0t0 TCP *:7734 (LISTEN)
tclsh 20616 SO-user 14u IPv4 46916757 0t0 TCP *:7736 (LISTEN)
tclsh 20616 SO-user 15u IPv4 47175866 0t0 TCP X.X.X.X:7736->X.X.X.X:50656 (ESTABLISHED)
tclsh 20616 SO-user 16u IPv4 46916759 0t0 TCP X.X.X.X:7736->X.X.X.X:48058 (ESTABLISHED)
tclsh 20616 SO-user 17u IPv4 47181323 0t0 TCP X.X.X.X:7736->X.X.X.X:41889 (ESTABLISHED)
tclsh 20616 SO-user 18u IPv4 47175537 0t0 TCP X.X.X.X:7736->X.X.X.X:54289 (ESTABLISHED)
tclsh 20616 SO-user 19u IPv4 47175534 0t0 TCP X.X.X.X:7736->X.X.X.X:54286 (ESTABLISHED)
tclsh 20616 SO-user 20u IPv4 47175536 0t0 TCP X.X.X.X:7736->X.X.X.X:54287 (ESTABLISHED)
tclsh 20616 SO-user 21u IPv4 46916764 0t0 TCP X.X.X.X:7736->X.X.X.X:50323 (ESTABLISHED)
tclsh 20616 SO-user 22u IPv4 47176006 0t0 TCP X.X.X.X:7736->X.X.X.X:45377 (ESTABLISHED)
tclsh 20616 SO-user 23u IPv4 46924495 0t0 TCP X.X.X.X:7736->X.X.X.X:36205 (ESTABLISHED)
tclsh 20616 SO-user 24u IPv4 46924497 0t0 TCP X.X.X.X:7736->X.X.X.X:36207 (ESTABLISHED)
tclsh 20616 SO-user 25u IPv4 46924499 0t0 TCP X.X.X.X:7736->X.X.X.X:36208 (ESTABLISHED)
tclsh 20616 SO-user 26u IPv4 47175865 0t0 TCP X.X.X.X:7736->X.X.X.X:50655 (ESTABLISHED)
tclsh 20616 SO-user 27u IPv4 47175867 0t0 TCP X.X.X.X:7736->X.X.X.X:50658 (ESTABLISHED)
tclsh 20616 SO-user 28u IPv4 47257198 0t0 TCP X.X.X.X:7736->X.X.X.X:48812 (ESTABLISHED)
tclsh 20616 SO-user 29u IPv4 47176331 0t0 TCP X.X.X.X:7736->X.X.X.X:42999 (ESTABLISHED)
tclsh 20616 SO-user 30u IPv4 47181413 0t0 TCP X.X.X.X:7736->X.X.X.X:37902 (ESTABLISHED)
tclsh 20616 SO-user 31u IPv4 46942129 0t0 TCP X.X.X.X:7736->X.X.X.X:50506 (ESTABLISHED)
tclsh 20616 SO-user 32u IPv4 47233504 0t0 TCP X.X.X.X:7736->X.X.X.X:52733 (ESTABLISHED)
tclsh 20616 SO-user 33u IPv4 46924442 0t0 TCP X.X.X.X:7736->X.X.X.X:36197 (ESTABLISHED)
tclsh 20616 SO-user 34u IPv4 46937896 0t0 TCP X.X.X.X:7736->X.X.X.X:50461 (ESTABLISHED)
tclsh 20616 SO-user 35u IPv4 46976362 0t0 TCP X.X.X.X:7736->X.X.X.X:48144 (ESTABLISHED)
tclsh 20616 SO-user 36u IPv4 47257892 0t0 TCP X.X.X.X:7736->X.X.X.X:48819 (ESTABLISHED)
tclsh 20616 SO-user 37u IPv4 46976345 0t0 TCP X.X.X.X:7736->X.X.X.X:48138 (ESTABLISHED)
tclsh 20616 SO-user 38u IPv4 46976347 0t0 TCP X.X.X.X:7736->X.X.X.X:48141 (ESTABLISHED)
tclsh 20616 SO-user 39u IPv4 46943173 0t0 TCP X.X.X.X:7736->X.X.X.X:50523 (ESTABLISHED)
tclsh 20616 SO-user 40u IPv4 47181129 0t0 TCP X.X.X.X:7736->X.X.X.X:37896 (ESTABLISHED)
tclsh 20616 SO-user 41u IPv4 46976368 0t0 TCP X.X.X.X:7736->X.X.X.X:48146 (ESTABLISHED)
tclsh 20616 SO-user 42u IPv4 47209022 0t0 TCP X.X.X.X:7736->X.X.X.X:52576 (ESTABLISHED)
tclsh 20616 SO-user 43u IPv4 47181080 0t0 TCP X.X.X.X:7736->X.X.X.X:37886 (ESTABLISHED)
tclsh 20616 SO-user 44u IPv4 46941418 0t0 TCP X.X.X.X:7736->X.X.X.X:50500 (ESTABLISHED)
tclsh 20616 SO-user 45u IPv4 47257884 0t0 TCP X.X.X.X:7736->X.X.X.X:48817 (ESTABLISHED)
tclsh 20616 SO-user 46u IPv4 46941654 0t0 TCP X.X.X.X:7736->X.X.X.X:50503 (ESTABLISHED)
tclsh 20616 SO-user 47u IPv4 47167788 0t0 TCP X.X.X.X:7736->X.X.X.X:52250 (ESTABLISHED)
tclsh 20616 SO-user 48u IPv4 47142696 0t0 TCP X.X.X.X:7736->X.X.X.X:58840 (ESTABLISHED)
tclsh 20616 SO-user 49u IPv4 47154631 0t0 TCP X.X.X.X:7736->X.X.X.X:52143 (ESTABLISHED)
tclsh 20616 SO-user 50u IPv4 47146225 0t0 TCP X.X.X.X:7736->X.X.X.X:52116 (ESTABLISHED)
tclsh 20616 SO-user 51u IPv4 47068717 0t0 TCP X.X.X.X:7736->X.X.X.X:37037 (ESTABLISHED)
tclsh 20616 SO-user 52u IPv4 47181118 0t0 TCP X.X.X.X:7736->X.X.X.X:37895 (ESTABLISHED)
tclsh 20616 SO-user 53u IPv4 47153889 0t0 TCP X.X.X.X:7736->X.X.X.X:52135 (ESTABLISHED)
tclsh 20616 SO-user 54u IPv4 47156625 0t0 TCP X.X.X.X:7736->X.X.X.X:52157 (ESTABLISHED)
tclsh 20616 SO-user 55u IPv4 47157456 0t0 TCP X.X.X.X:7736->X.X.X.X:52162 (ESTABLISHED)
tclsh 20616 SO-user 56u IPv4 47229454 0t0 TCP X.X.X.X:7736->X.X.X.X:52718 (ESTABLISHED)
tclsh 20616 SO-user 57u IPv4 47157514 0t0 TCP X.X.X.X:7736->X.X.X.X:52165 (ESTABLISHED)
tclsh 20616 SO-user 58u IPv4 47154321 0t0 TCP X.X.X.X:7736->X.X.X.X:52138 (ESTABLISHED)
tclsh 20616 SO-user 59u IPv4 47155773 0t0 TCP X.X.X.X:7736->X.X.X.X:52149 (ESTABLISHED)
tclsh 20616 SO-user 60u IPv4 47155997 0t0 TCP X.X.X.X:7736->X.X.X.X:52152 (ESTABLISHED)
tclsh 20616 SO-user 61u IPv4 47157802 0t0 TCP X.X.X.X:7736->X.X.X.X:52168 (ESTABLISHED)
tclsh 20616 SO-user 62u IPv4 47209422 0t0 TCP X.X.X.X:7736->X.X.X.X:52588 (ESTABLISHED)
tclsh 20616 SO-user 63u IPv4 47161321 0t0 TCP X.X.X.X:7736->X.X.X.X:52184 (ESTABLISHED)
tclsh 20616 SO-user 64u IPv4 47176044 0t0 TCP X.X.X.X:7736->X.X.X.X:34726 (ESTABLISHED)
tclsh 20616 SO-user 65u IPv4 47181224 0t0 TCP X.X.X.X:7736->X.X.X.X:41885 (ESTABLISHED)
tclsh 20616 SO-user 66u IPv4 47237513 0t0 TCP X.X.X.X:7736->X.X.X.X:52781 (ESTABLISHED)
tclsh 20616 SO-user 67u IPv4 47257158 0t0 TCP X.X.X.X:7736->X.X.X.X:48809 (ESTABLISHED)
tclsh 20616 SO-user 68u IPv4 47236201 0t0 TCP X.X.X.X:7736->X.X.X.X:52765 (ESTABLISHED)
tclsh 20616 SO-user 69u IPv4 47261345 0t0 TCP X.X.X.X:7736->X.X.X.X:52989 (ESTABLISHED)
tclsh 20616 SO-user 70u IPv4 47246599 0t0 TCP X.X.X.X:7736->X.X.X.X:52843 (ESTABLISHED)
tclsh 20616 SO-user 71u IPv4 47263861 0t0 TCP X.X.X.X:7736->X.X.X.X:60620 (ESTABLISHED)
tclsh 20616 SO-user 72u IPv4 47263341 0t0 TCP X.X.X.X:7736->X.X.X.X:60577 (ESTABLISHED)
tclsh 20616 SO-user 73u IPv4 47262843 0t0 TCP X.X.X.X:7734->X.X.X.X:36840 (ESTABLISHED)
tclsh 20616 SO-user 74u IPv4 47178418 0t0 TCP X.X.X.X:7736->X.X.X.X:52337 (ESTABLISHED)
tclsh 20616 SO-user 75u IPv4 47260010 0t0 TCP X.X.X.X:7736->X.X.X.X:52972 (ESTABLISHED)
tclsh 20616 SO-user 76u IPv4 47176262 0t0 TCP X.X.X.X:7736->X.X.X.X:59522 (ESTABLISHED)
tclsh 20616 SO-user 77u IPv4 47229931 0t0 TCP X.X.X.X:7736->X.X.X.X:52722 (ESTABLISHED)
tclsh 20616 SO-user 78u IPv4 47263862 0t0 TCP X.X.X.X:7736->X.X.X.X:60621 (ESTABLISHED)
tclsh 20616 SO-user 79u IPv4 47263161 0t0 TCP X.X.X.X:7736->X.X.X.X:60563 (ESTABLISHED)
tclsh 20616 SO-user 80u IPv4 47263890 0t0 TCP X.X.X.X:7736->X.X.X.X:60624 (ESTABLISHED)
tclsh 20616 SO-user 81u IPv4 47263891 0t0 TCP X.X.X.X:7736->X.X.X.X:60623 (ESTABLISHED)
tclsh 20616 SO-user 82u IPv4 47244547 0t0 TCP X.X.X.X:7736->X.X.X.X:52839 (ESTABLISHED)
tclsh 20616 SO-user 83u IPv4 47263892 0t0 TCP X.X.X.X:7736->X.X.X.X:60626 (ESTABLISHED)
tclsh 20616 SO-user 84u IPv4 47263893 0t0 TCP X.X.X.X:7736->X.X.X.X:60627 (ESTABLISHED)
tclsh 20616 SO-user 85u IPv4 47263896 0t0 TCP X.X.X.X:7736->X.X.X.X:60628 (ESTABLISHED)
tclsh 20616 SO-user 86u IPv4 47264131 0t0 TCP X.X.X.X:7736->X.X.X.X:60629 (ESTABLISHED)
sshd 23052 root 3r IPv4 44883938 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49937 (ESTABLISHED)
sshd 23202 SO-user 3u IPv4 44883938 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49937 (ESTABLISHED)
sshd 23202 SO-user 9u IPv6 44884190 0t0 TCP [X.X.X.X]:50012 (LISTEN)
sshd 23202 SO-user 10u IPv4 44884191 0t0 TCP X.X.X.X:50012 (LISTEN)
sshd 23202 SO-user 11u IPv4 47023852 0t0 TCP X.X.X.X:40103->X.X.X.X:3306 (ESTABLISHED)
gvfsd-smb 25391 SO-user 9w IPv4 178067 0t0 TCP X.X.X.X:51178->X.X.X.X:139 (CLOSE_WAIT)
/usr/sbin 25912 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25912 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25912 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25912 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
/usr/sbin 25913 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25913 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25913 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25913 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
/usr/sbin 25914 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25914 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25914 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25914 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
/usr/sbin 25915 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25915 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25915 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25915 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
/usr/sbin 25916 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25916 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25916 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25916 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
/usr/sbin 25917 www-data 4u IPv4 18994 0t0 TCP *:443 (LISTEN)
/usr/sbin 25917 www-data 5u IPv4 18997 0t0 TCP *:9876 (LISTEN)
/usr/sbin 25917 www-data 6u IPv4 18999 0t0 TCP *:3154 (LISTEN)
/usr/sbin 25917 www-data 7u IPv4 19003 0t0 TCP *:444 (LISTEN)
gnome-key 29889 SO-user 6u IPv4 13688 0t0 TCP X.X.X.X:3350 (LISTEN)
gvfsd-smb 32174 SO-user 9u IPv4 26699563 0t0 TCP X.X.X.X:35008->X.X.X.X:139 (CLOSE_WAIT)
=========================================================================
IDS Rules Update
=========================================================================
Mon Jun 1 07:01:01 BST 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2970.tar.gz for work....
Done!
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 9 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 36 rules
Done
Setting Flowbit State....
Enabled 78 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------47
Deleted:---16
Enabled Rules:----25647
Dropped Rules:----0
Disabled Rules:---21046
Total Rules:------46693
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table
=========================================================================
CPU Usage
=========================================================================
top - 16:14:44 up 53 days, 23:28, 2 users, load average: 2.31, 1.34, 0.76
Tasks: 347 total, 2 running, 344 sleeping, 0 stopped, 1 zombie
Cpu(s): 25.4%us, 1.4%sy, 0.1%ni, 70.8%id, 2.2%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 8178708k total, 7057900k used, 1120808k free, 150208k buffers
Swap: 37641732k total, 759100k used, 36882632k free, 2600712k cached
%CPU %MEM COMMAND
61.8 3.5 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_81
15.3 10.5 /usr/bin/python /usr/bin/salt-master
4.1 0.6 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
2.4 2.3 /usr/sbin/mysqld
1.1 0.3 wish /usr/bin/SO-user.tk
0.4 0.1 -bash
0.3 0.0 xscreensaver -no-splash
0.2 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.3 3.2 delayed_job
0.1 0.0 bash
0.1 6.5 /usr/bin/searchd --nodetach
0.1 0.2 Xvnc :11 -geometry 1920x1080 -depth 16 -rfbauth /home/SO-user/.vnc/sesman_SO-user_passwd -bs -ac -nolisten tcp
0.0 0.8 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 5.4 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.0 xscreensaver -no-splash
0.0 0.1 xfce4-terminal
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 sshd: SO-user
0.0 0.1 Xvnc :10 -geometry 1680x1050 -depth 16 -rfbauth /home/SO-user/.vnc/sesman_SO-user_passwd -bs -ac -nolisten tcp
0.0 0.1 xfdesktop
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.5 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 [kworker/0:0]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [flush-8:0]
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kworker/0:1]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 0.1 sshd: SO-user
0.0 0.1 sshd: SO-user
0.0 0.1 /usr/bin/python /usr/bin/update-manager
0.0 0.0 sshd: SO-user
0.0 0.0 [ksoftirqd/0]
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/bin/monit -c /etc/monit/monitrc
0.0 0.0 sshd: SO-user
0.0 0.1 xfdesktop --display :10.0 --sm-client-id 2be3a8c9a-a508-41e6-bca2-6d53b76b9fe6
0.0 0.0 [kworker/0:2]
0.0 0.0 [watchdog/0]
0.0 1.4 /usr/sbin/apache2 -k start
0.0 1.4 /usr/sbin/apache2 -k start
0.0 1.4 /usr/sbin/apache2 -k start
0.0 1.4 /usr/sbin/apache2 -k start
0.0 1.4 /usr/sbin/apache2 -k start
0.0 1.4 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user
0.0 0.1 xfdesktop --display :0.0 --sm-client-id 2bb3d19ed-7095-4905-9fdb-e9937adc5a8b
0.0 0.0 xfce4-power-manager
0.0 0.3 xfce4-power-manager --restart --sm-client-id 28b2bcf30-5f7f-4dbd-9fe6-0124bd48e9c2
0.0 0.3 xfce4-power-manager --restart --sm-client-id 20a771640-bcde-4364-ab17-4f982e61e982
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /sbin/init
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 sendmail: MTA: accepting connections
0.0 0.0 /usr/lib/udisks/udisks-daemon
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.1 update-notifier
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.1 update-notifier
0.0 0.0 /usr/sbin/system-tools-backends
0.0 0.1 update-notifier
0.0 0.1 xfce4-panel --display :0.0 --sm-client-id 2c995a8ed-1c4f-4547-846c-6e1cee260571
0.0 0.0 wish /usr/bin/SO-user.tk
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 [kworker/u:2]
0.0 0.1 xfce4-panel --display :10.0 --sm-client-id 23987bf39-184f-49d2-88b3-501769696868
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/bin/perl /usr/share/system-tools-backends-2.0/scripts/SystemToolsBackends.pl -m Platform
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 16777250 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 cron
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 20971555 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 18874402 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 sshd: SO-user
0.0 0.0 PassengerHelperAgent
0.0 0.0 xscreensaver -no-splash
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 [kswapd0]
0.0 0.1 nm-applet
0.0 0.1 xfce4-panel
0.0 0.0 nm-applet
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 nm-applet
0.0 0.0 /usr/bin/ssh-agent /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 [sync_supers]
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 //bin/dbus-daemon --fork --print-pid 10 --print-address 12 --session
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.1 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/bin/ssh-agent /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 //bin/dbus-daemon --fork --print-pid 10 --print-address 12 --session
0.0 0.0 /usr/lib/gvfs/gvfsd-dnssd --spawner :1.9 /org/gtk/gvfs/exec_spaw/3
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/gvfs/gvfsd-dnssd --spawner :1.9 /org/gtk/gvfs/exec_spaw/3
0.0 0.0 xfwm4
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.1 /usr/bin/perl /usr/sbin/apt-cacher -R 3 -d -p /var/run/apt-cacher.pid
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel-plugins/xfce4-indicator-plugin 5 18874401 indicator Indicator Plugin An indicator of something that needs your attention on the desktop
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel-plugins/xfce4-indicator-plugin 5 20971554 indicator Indicator Plugin An indicator of something that needs your attention on the desktop
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel-plugins/xfce4-indicator-plugin 5 16777249 indicator Indicator Plugin An indicator of something that needs your attention on the desktop
0.0 0.0 /usr/bin/python /usr/lib/update-notifier/backend_helper.py show_updates
0.0 0.0 xfwm4 --display :10.0 --sm-client-id 27d1b4621-f09b-4748-9fdf-411792c9d018
0.0 0.0 xfce4-settings-helper --display :0.0 --sm-client-id 217a7160f-29e3-4aa3-ab8e-a309f95e91db
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 18874400 systray Notification Area Area where notification icons appear
0.0 0.0 Passenger spawn server
0.0 0.0 [khungtaskd]
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 20971553 systray Notification Area Area where notification icons appear
0.0 0.0 xfce4-volumed
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 16777248 systray Notification Area Area where notification icons appear
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 18874415 thunar-tpa Trash Applet Display the trash can
0.0 0.0 xfce4-session
0.0 0.0 xfce4-session
0.0 0.0 xfwm4 --replace --display :0.0 --sm-client-id 24eaf2fc6-8e58-48d4-b582-7d11eb96c4b4
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 18874408 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.0 xfce4-volumed
0.0 0.0 xfce4-volumed
0.0 0.0 xfsettingsd --force
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 16777263 thunar-tpa Trash Applet Display the trash can
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 20971561 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 20971568 thunar-tpa Trash Applet Display the trash can
0.0 0.0 Thunar --daemon
0.0 0.0 Thunar --sm-client-id 25db1eecf-a1b2-4f54-807f-012d0f1b25b7 --daemon
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 16777256 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.0 Thunar --sm-client-id 2b43c5c5f-e27f-41ec-8fc6-9f348ebdf070 --daemon
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 [kthreadd]
0.0 0.0 [migration/0]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [devfreq_wq]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [ttm_swap]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 lightdm
0.0 0.0 atd
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/SO-user/.gvfs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.9 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 xfce4-power-manager
0.0 0.0 udisks-daemon: not polling any devices
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/sbin/xrdp-sessvc 7139 7138
0.0 0.0 /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 xrdp-chansrv
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/u:0]
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.11 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /usr/lib/dconf/dconf-service
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /usr/lib/dconf/dconf-service
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 0.0 [xfce4-terminal] <defunct>
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/sbin/xrdp-sessvc 19752 19751
0.0 0.0 /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 xrdp-chansrv
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/bin/dbus-launch --exit-with-session x-session-manager
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 xfce4-power-manager
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.9 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/lib/gvfs/gvfsd-network --spawner :1.9 /org/gtk/gvfs/exec_spaw/1
0.0 0.0 /usr/lib/gvfs/gvfsd-smb-browse --spawner :1.9 /org/gtk/gvfs/exec_spaw/2
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 PassengerWatchdog
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/lib/gvfs/gvfsd-network --spawner :1.9 /org/gtk/gvfs/exec_spaw/1
0.0 0.0 /usr/lib/gvfs/gvfsd-smb-browse --spawner :1.9 /org/gtk/gvfs/exec_spaw/2
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
30567
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
3346 1:2019003 ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
3081 1:2017968 ET INFO Suspicious Possible Process Dump in POST body
662 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
620 1:2016101 ET TROJAN DNS Reply Sinkhole - Microsoft - X.X.X.X/24
268 1:2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
215 1:2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
135 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
110 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
104 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
102 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
101 1:2002910 ET SCAN Potential VNC Scan 5800-5820
83 1:2000418 ET POLICY Executable and linking format (ELF) file download
70 1:2001219 ET SCAN Potential SSH Scan
50 1:2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
48 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
35 128:1 ssh: Gobbles exploit
32 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
31 1:2100227 GPL SNMP SNMP trap Format String detected
30 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
30 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
30 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
30 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
25 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
24 1:2102650 GPL SQL user name buffer overflow attempt
21 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
19 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
18 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
16 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
16 1:2402000 ET DROP Dshield Block Listed Source group 1
15 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
15 1:2002911 ET SCAN Potential VNC Scan 5900-5920
14 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
14 1:33594 MALWARE-CNC Win.Trojan.Upatre variant outbound connection
12 1:2014573 ET TROJAN DNS Query for a known malware domain (sektori.org)
12 124:2 smtp: Attempted data header buffer overflow
10 1:2000355 ET CHAT IRC authorization message
7 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
7 129:11 stream5: TCP Data with no TCP Flags set
7 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
6 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
5 133:31 dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
4 1:2003615 ET INFO WinUpack Modified PE Header Outbound
4 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
4 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
4 1:32609 MALWARE-CNC Win.Trojan.NetWiredRC variant registration message
4 1:2003614 ET INFO WinUpack Modified PE Header Inbound
4 1:2102924 GPL NETBIOS SMB-DS repeated logon failure
4 1:2101413 GPL SNMP private access udp
4 1:2000334 ET P2P BitTorrent peer sync
4 124:3 smtp: Attempted response buffer overflow
2 1:2010794 ET WEB_SERVER DFind w00tw00t GET-Requests
2 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
2 133:33 dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
2 145:1 dnp3: DNP3 Link-Layer Frame contains bad CRC.
2 1:2001294 ET POLICY Dameware Remote Control Service Install
2 1:2003310 ET P2P Edonkey Publicize File
1 1:2101960 GPL RPC portmap NFS request TCP
1 1:2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 1:2011738 ET GAMES TeamSpeak2 Standard/Login Part 2
1 125:2 ftp_pp: Invalid FTP command
1 1:100000429 GPL WEB_SERVER WEB-MISC JBoss web-console access
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2019389 ET EXPLOIT Possible Postfix CVE-2014-6271 attempt
1 1:2403318 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 10
1 1:2101616 GPL DNS named version attempt
1 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 1:2021117 ET TROJAN Win32/Rallovs.A CnC Beacon
1 1:2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
Total
9537
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
11245 1:2017968 ET INFO Suspicious Possible Process Dump in POST body
10732 1:2019003 ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
6124 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2167 1:2016101 ET TROJAN DNS Reply Sinkhole - Microsoft - X.X.X.X/24
735 1:2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
649 1:2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
493 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
452 1:32458 BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt
442 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
347 1:2000418 ET POLICY Executable and linking format (ELF) file download
330 1:2002910 ET SCAN Potential VNC Scan 5800-5820
298 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
295 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
232 1:2001219 ET SCAN Potential SSH Scan
161 1:2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
153 1:2100227 GPL SNMP SNMP trap Format String detected
149 1:2015483 ET INFO Java .jar request to dotted-quad domain
137 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
102 1:2102650 GPL SQL user name buffer overflow attempt
97 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
97 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
94 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
94 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
86 1:2013867 ET POLICY Bomgar Remote Assistance Tool Download
85 128:1 ssh: Gobbles exploit
85 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
71 1:33594 MALWARE-CNC Win.Trojan.Upatre variant outbound connection
66 1:2015657 ET CURRENT_EVENTS Possible Metasploit Java Payload
58 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
54 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
52 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
50 1:2002911 ET SCAN Potential VNC Scan 5900-5920
49 1:2402000 ET DROP Dshield Block Listed Source group 1
49 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
48 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
43 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
39 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
39 124:3 smtp: Attempted response buffer overflow
38 1:2014573 ET TROJAN DNS Query for a known malware domain (sektori.org)
37 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
35 1:24155 FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt
33 133:31 dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
28 129:11 stream5: TCP Data with no TCP Flags set
27 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
26 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
24 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
24 124:2 smtp: Attempted data header buffer overflow
22 1:2000355 ET CHAT IRC authorization message
20 1:2001294 ET POLICY Dameware Remote Control Service Install
19 140:20 sip: Invite replay attack
Total
37200
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
3346 1:2019003 ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
3081 1:2017968 ET INFO Suspicious Possible Process Dump in POST body
663 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
620 1:2016101 ET TROJAN DNS Reply Sinkhole - Microsoft - X.X.X.X/24
268 1:2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
215 1:2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
135 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
110 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
104 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
102 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
101 1:2002910 ET SCAN Potential VNC Scan 5800-5820
83 1:2000418 ET POLICY Executable and linking format (ELF) file download
70 1:2001219 ET SCAN Potential SSH Scan
50 1:2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
48 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
35 128:1 ssh: Gobbles exploit
32 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
31 1:2100227 GPL SNMP SNMP trap Format String detected
30 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
30 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
30 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
30 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
25 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
24 1:2102650 GPL SQL user name buffer overflow attempt
21 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
19 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
18 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
16 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
15 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
15 1:2002911 ET SCAN Potential VNC Scan 5900-5920
14 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
14 1:33594 MALWARE-CNC Win.Trojan.Upatre variant outbound connection
12 1:2014573 ET TROJAN DNS Query for a known malware domain (sektori.org)
12 124:2 smtp: Attempted data header buffer overflow
11 1:2402000 ET DROP Dshield Block Listed Source group 1
10 1:2000355 ET CHAT IRC authorization message
7 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
7 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
7 129:11 stream5: TCP Data with no TCP Flags set
6 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
5 133:31 dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
4 1:32609 MALWARE-CNC Win.Trojan.NetWiredRC variant registration message
4 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
4 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
4 124:3 smtp: Attempted response buffer overflow
4 1:2101413 GPL SNMP private access udp
4 1:2000334 ET P2P BitTorrent peer sync
4 1:2402000 ET DROP Dshield Block Listed Source group 1
4 1:2003615 ET INFO WinUpack Modified PE Header Outbound
4 1:2003614 ET INFO WinUpack Modified PE Header Inbound
4 1:2102924 GPL NETBIOS SMB-DS repeated logon failure
2 1:2003310 ET P2P Edonkey Publicize File
2 133:33 dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
2 1:2001294 ET POLICY Dameware Remote Control Service Install
2 145:1 dnp3: DNP3 Link-Layer Frame contains bad CRC.
2 1:2008038 ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))
2 1:2010794 ET WEB_SERVER DFind w00tw00t GET-Requests
1 1:2011738 ET GAMES TeamSpeak2 Standard/Login Part 2
1 1:2019389 ET EXPLOIT Possible Postfix CVE-2014-6271 attempt
1 1:2101960 GPL RPC portmap NFS request TCP
1 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 125:2 ftp_pp: Invalid FTP command
1 1:2403318 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 10
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 1:2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2019203 ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3
1 1:2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
1 1:100000429 GPL WEB_SERVER WEB-MISC JBoss web-console access
1 1:2021117 ET TROJAN Win32/Rallovs.A CnC Beacon
1 1:2101616 GPL DNS named version attempt
1 1:2402001 ET DROP Dshield Block Listed Source group 1
Total
9538
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
281881 1:2100371 GPL ICMP_INFO PING Cisco Type.x
65299 1:2017968 ET INFO Suspicious Possible Process Dump in POST body
52647 1:2019003 ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
17111 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
12795 1:32458 BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt
11791 1:2016101 ET TROJAN DNS Reply Sinkhole - Microsoft - X.X.X.X/24
8326 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
4824 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
3755 1:2014617 ET POLICY Cisco IOS Self Signed Certificate Served to External Host
3101 1:2100227 GPL SNMP SNMP trap Format String detected
2921 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
2374 1:2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
2191 1:2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2053 1:2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
1758 1:2002910 ET SCAN Potential VNC Scan 5800-5820
1477 1:2019415 ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack
1327 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
1315 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1235 1:2000418 ET POLICY Executable and linking format (ELF) file download
1226 1:2001219 ET SCAN Potential SSH Scan
980 1:2003337 ET MALWARE Suspicious User Agent (Autoupdate)
968 1:2001582 ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection
825 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
719 1:2021117 ET TROJAN Win32/Rallovs.A CnC Beacon
680 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
546 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
545 1:2017910 ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR
535 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
501 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
492 128:1 ssh: Gobbles exploit
492 1:33594 MALWARE-CNC Win.Trojan.Upatre variant outbound connection
436 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
432 1:24155 FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt
414 1:2102650 GPL SQL user name buffer overflow attempt
403 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
394 1:2002911 ET SCAN Potential VNC Scan 5900-5920
357 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
351 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
343 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
329 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
306 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
301 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
276 1:2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
251 1:2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
248 1:2018427 ET TROJAN Netwire RAT Check-in
247 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
247 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
228 1:2015483 ET INFO Java .jar request to dotted-quad domain
228 1:2020084 ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
215 1:2010517 ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)
Total
499502
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1608 supervising syslog-ng
1609 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
2024 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1805 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
15700 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_81
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 1286 Jun 1 16:14 /nsm/elsa/data/elsa/tmp/buffers/1433171640.15385
-rw-r--r-- 1 root root 32 Jun 1 16:14 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
ELSA Directory Sizes:
212G /nsm/elsa/data
40M /var/lib/mysql/syslog
978M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2014-08-12 14:40:26 2015-06-01 16:13:35
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node DISCONNECTED
50002 SO-node X.X.X.X
50003 SO-node X.X.X.X
50004 SO-node DISCONNECTED
50005 SO-node X.X.X.X
50006 SO-node X.X.X.X
50007 SO-node DISCONNECTED
50008 SO-node X.X.X.X
50009 SO-node DISCONNECTED
50010 SO-node DISCONNECTED
50011 SO-node X.X.X.X
50012 SO-node X.X.X.X
50013 SO-node X.X.X.X
50014 SO-node DISCONNECTED
50015 SO-node X.X.X.X
50016 SO-node DISCONNECTED
50017 SO-node X.X.X.X
50018 SO-node X.X.X.X
50019 SO-node X.X.X.X
50020 SO-node DISCONNECTED
50021 SO-node DISCONNECTED
infosight@StarfishPrime:~$