Snorby takes hours to start showing data after the nightly scripts run or after an nsm-sensor restart


Tim Krabec

Feb 21, 2014, 10:21:08 AM
to securit...@googlegroups.com
Any ideas? I'm not seeing anything in the logs.

sostat on 1 sensor
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: gingerbread-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25487 errors:0 dropped:0 overruns:0 frame:0
TX packets:4322 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12788626 (12.7 MB) TX bytes:2044274 (2.0 MB)
Interrupt:25

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:26

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:3879275 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3406693370 (3.4 GB) TX bytes:70 (70.0 B)

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth4 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth5 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2323 errors:0 dropped:0 overruns:0 frame:0
TX packets:2323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6178766 (6.1 MB) TX bytes:6178766 (6.1 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
6178766 2323 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
6178766 2323 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
12788626 25487 0 0 0 322
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2044274 4322 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3406723784 3879303 0 0 0 965209
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
70 1 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
6: eth4: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth5: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 165G 53G 105G 34% /
udev 1.8G 4.0K 1.8G 1% /dev
tmpfs 716M 784K 715M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 1.8G 76K 1.8G 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1074 avahi 12u IPv4 8509 0t0 UDP *:5353
avahi-dae 1074 avahi 13u IPv6 8510 0t0 UDP *:5353
avahi-dae 1074 avahi 14u IPv4 8511 0t0 UDP *:50279
avahi-dae 1074 avahi 15u IPv6 8512 0t0 UDP *:43993
sshd 1652 root 3r IPv4 10050 0t0 TCP *:22 (LISTEN)
sshd 1652 root 4u IPv6 10052 0t0 TCP *:22 (LISTEN)
salt-mini 1752 root 15u IPv4 12696 0t0 TCP X.X.X.X:53558->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 1763 root 9u IPv4 10857 0t0 TCP *:514 (LISTEN)
syslog-ng 1763 root 10u IPv4 10858 0t0 UDP *:514
mysqld 1898 mysql 10u IPv4 9127 0t0 TCP X.X.X.X:50000 (LISTEN)
searchd 1918 sphinxsearch 7u IPv4 12316 0t0 TCP *:9306 (LISTEN)
searchd 1918 sphinxsearch 8u IPv4 12317 0t0 TCP *:9312 (LISTEN)
ossec-csy 2040 ossecm 5u IPv4 11319 0t0 UDP X.X.X.X:36774->X.X.X.X:514
starman 2356 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
starman 2367 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
starman 2367 www-data 17u IPv4 23804 0t0 TCP X.X.X.X:51399->X.X.X.X:3154 (CLOSE_WAIT)
starman 2370 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
starman 2370 www-data 19u IPv4 19790 0t0 TCP X.X.X.X:51285->X.X.X.X:3154 (CLOSE_WAIT)
starman 2371 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
starman 2372 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
starman 2372 www-data 19u IPv4 30722 0t0 TCP X.X.X.X:51438->X.X.X.X:3154 (CLOSE_WAIT)
starman 2373 www-data 5u IPv6 11168 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2462 root 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2462 root 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2462 root 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
/usr/sbin 2542 www-data 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2542 www-data 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2542 www-data 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
/usr/sbin 2545 www-data 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2545 www-data 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2545 www-data 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
/usr/sbin 2546 www-data 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2546 www-data 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2546 www-data 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
/usr/sbin 2547 www-data 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2547 www-data 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2547 www-data 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
/usr/sbin 2549 www-data 4u IPv4 13596 0t0 TCP *:443 (LISTEN)
/usr/sbin 2549 www-data 5u IPv4 13599 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2549 www-data 6u IPv4 13601 0t0 TCP *:444 (LISTEN)
ssh 3854 root 3r IPv4 16265 0t0 TCP X.X.X.X:46491->X.X.X.X:22 (ESTABLISHED)
ssh 3854 root 4u IPv6 16274 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 3854 root 5u IPv4 16275 0t0 TCP X.X.X.X:3306 (LISTEN)
tclsh 3977 root 3u IPv4 16344 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 3977 root 5u IPv4 18625 0t0 TCP X.X.X.X:8001->X.X.X.X:33375 (ESTABLISHED)
barnyard2 4055 root 3u IPv4 18624 0t0 TCP X.X.X.X:33375->X.X.X.X:8001 (ESTABLISHED)
ntpd 4284 ntp 16u IPv4 20613 0t0 UDP *:123
ntpd 4284 ntp 17u IPv6 20614 0t0 UDP *:123
ntpd 4284 ntp 18u IPv4 20620 0t0 UDP X.X.X.X:123
ntpd 4284 ntp 19u IPv4 20621 0t0 UDP X.X.X.X:123
ntpd 4284 ntp 20u IPv6 20622 0t0 UDP [X.X.X.X]:123
ntpd 4284 ntp 21u IPv6 20623 0t0 UDP [X.X.X.X]:123
sshd 4904 root 3r IPv4 20446 0t0 TCP X.X.X.X:22->X.X.X.X:29567 (ESTABLISHED)
sshd 5040 tkrabec 3u IPv4 20446 0t0 TCP X.X.X.X:22->X.X.X.X:29567 (ESTABLISHED)

=========================================================================
CPU Usage
=========================================================================
top - 15:18:56 up 6 min, 1 user, load average: 0.90, 0.62, 0.32
Tasks: 155 total, 2 running, 153 sleeping, 0 stopped, 0 zombie
Cpu(s): 17.4%us, 3.6%sy, 0.2%ni, 76.0%id, 2.2%wa, 0.0%hi, 0.6%si, 0.0%st
Mem: 3662400k total, 2627580k used, 1034820k free, 57188k buffers
Swap: 5564696k total, 0k used, 5564696k free, 774644k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4036 sguil 20 0 666m 349m 130m R 91 9.8 2:50.03 snort
4124 sguil 20 0 111m 25m 1204 S 12 0.7 0:38.33 argus
3937 sguil 20 0 461m 416m 412m S 2 11.7 0:02.59 netsniff-ng
4072 sguil 20 0 26780 8096 3712 S 2 0.2 0:04.42 prads
5040 tkrabec 20 0 101m 1964 908 S 2 0.1 0:00.04 sshd
1 root 20 0 24696 2564 1288 S 0 0.1 0:01.58 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.03 ksoftirqd/0
4 root 20 0 0 0 0 S 0 0.0 0:00.05 kworker/0:0
5 root 20 0 0 0 0 S 0 0.0 0:00.86 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:00.25 ksoftirqd/1
11 root 20 0 0 0 0 S 0 0.0 0:00.07 kworker/0:1
12 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:00.02 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.26 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:00.02 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/3
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
22 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
23 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
24 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
25 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/u:1
26 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
27 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
28 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
29 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
30 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
31 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
32 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
33 root 20 0 0 0 0 S 0 0.0 0:00.83 kworker/1:1
34 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
35 root 20 0 0 0 0 S 0 0.0 0:00.00 kswapd0
36 root 20 0 0 0 0 S 0 0.0 0:00.00 kswapd1
37 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
38 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
39 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
40 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
41 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
49 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
51 root 20 0 0 0 0 S 0 0.0 0:00.07 kworker/3:1
70 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
71 root 20 0 0 0 0 S 0 0.0 0:00.04 kworker/3:2
198 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
200 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
280 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:2
281 root 0 -20 0 0 0 S 0 0.0 0:00.00 mpt_poll_0
282 root 0 -20 0 0 0 S 0 0.0 0:00.00 mpt/0
284 root 20 0 0 0 0 S 0 0.0 0:00.15 kworker/2:2
296 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
383 root 20 0 0 0 0 S 0 0.0 0:00.12 jbd2/sda1-8
384 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
478 root 20 0 17236 640 444 S 0 0.0 0:00.11 upstart-udev-br
480 root 20 0 22116 1892 772 S 0 0.1 0:00.11 udevd
746 root 20 0 22320 1612 324 S 0 0.0 0:00.00 udevd
747 root 20 0 22320 1640 344 S 0 0.0 0:00.00 udevd
769 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
771 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
815 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
861 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
1027 messageb 20 0 24276 1348 760 S 0 0.0 0:00.10 dbus-daemon
1052 root 20 0 21192 1684 1396 S 0 0.0 0:00.00 bluetoothd
1074 avahi 20 0 32580 1984 1372 S 0 0.1 0:00.06 avahi-daemon

Doug Burks

Feb 21, 2014, 11:44:03 AM
to securit...@googlegroups.com
Hi Tim,

Was that the entire sostat output?

Can you also send sostat from the server?
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.



--
Doug Burks

Tim Krabec

Feb 21, 2014, 11:51:16 AM
to securit...@googlegroups.com
Sorry, didn't realize I truncated that. Continuing where it left off:

 1077 avahi     20   0 32184  308  140 S    0  0.0   0:00.00 avahi-daemon
 1086 root      20   0     0    0    0 S    0  0.0   0:00.12 kworker/2:3
 1125 root      10 -10     0    0    0 S    0  0.0   0:00.00 krfcommd
 1232 root      20   0  101m 2884 1988 S    0  0.1   0:00.01 cupsd
 1597 root      20   0 15192  260   88 S    0  0.0   0:00.00 upstart-socket-
 1602 root      20   0     0    0    0 S    0  0.0   0:02.44 flush-8:0
 1652 root      20   0 50036 2044 1984 S    0  0.1   0:00.00 sshd
 1739 root      20   0 20028  752  748 S    0  0.0   0:00.00 getty
 1745 root      20   0 20028  908  748 S    0  0.0   0:00.00 getty
 1752 root      20   0  431m  29m 7492 S    0  0.8   0:05.74 salt-minion
 1762 root      20   0 26784  356  164 S    0  0.0   0:00.00 syslog-ng
 1763 root      20   0 70728 3588 2172 S    0  0.1   0:01.36 syslog-ng
 1766 root      20   0 20028  912  748 S    0  0.0   0:00.00 getty
 1767 root      20   0 20028  908  748 S    0  0.0   0:00.00 getty
 1770 root      20   0 20028  916  748 S    0  0.0   0:00.00 getty
 1789 root      20   0  4464  608  524 S    0  0.0   0:00.00 acpid
 1798 sphinxse  20   0 72928 1276 1244 S    0  0.0   0:00.00 su
 1799 root      20   0 19116 1024  780 S    0  0.0   0:00.09 cron
 1800 daemon    20   0 16912  364  204 S    0  0.0   0:00.00 atd
 1802 root      20   0 2042m 2232 1180 S    0  0.1   0:00.05 console-kit-dae
 1803 root      20   0  264m 1560 1224 S    0  0.0   0:00.01 lightdm
 1873 root      20   0 15984  552  456 S    0  0.0   0:00.98 irqbalance
 1886 root      20   0  190m 2348 1272 S    0  0.1   0:00.04 polkitd
 1891 root      20   0  181m  13m 1900 S    0  0.4   0:09.77 Xorg
 1898 mysql     20   0 2205m  52m 4728 S    0  1.5   0:19.95 mysqld
 1918 sphinxse  20   0  524m 300m  79m S    0  8.4   0:13.64 searchd
 1969 root      20   0  170m 2520 1656 S    0  0.1   0:00.01 lightdm
 1972 root      20   0  118m 1852 1308 S    0  0.1   0:00.13 accounts-daemon
 2007 lightdm   20   0  4404  608  504 S    0  0.0   0:00.00 lightdm-greeter
 2012 lightdm   20   0 23952  396  140 S    0  0.0   0:00.00 dbus-daemon
 2013 lightdm   20   0  235m 5928 2696 S    0  0.2   0:11.47 lightdm-gtk-gre
 2040 ossecm    20   0 12920  588  404 S    0  0.0   0:00.05 ossec-csyslogd
 2046 lightdm   20   0 52424 1584 1184 S    0  0.0   0:00.00 gvfsd
 2048 lightdm   20   0  203m 1672 1120 S    0  0.0   0:00.00 gvfs-fuse-daemo
 2057 root      20   0 12808  500  320 S    0  0.0   0:00.00 ossec-execd
 2075 ossec     20   0 14508 2264  664 S    0  0.1   0:05.81 ossec-analysisd
 2081 root      20   0  4532  512  380 S    0  0.0   0:00.00 ossec-logcollec
 2096 root      20   0  214m 2272 1308 S    0  0.1   0:00.02 upowerd
 2260 root      20   0 94672 2016 1324 S    0  0.1   0:00.00 lightdm
 2287 root      20   0  4404  600  500 S    0  0.0   0:00.00 sh
 2288 root      20   0  209m  41m 3660 S    0  1.2   0:06.74 perl
 2298 root      20   0  5784 2072  572 S    0  0.1   0:21.66 ossec-syscheckd
 2302 ossec     20   0 13064  496  312 S    0  0.0   0:00.00 ossec-monitord
 2356 www-data  20   0 53820 9456 1908 S    0  0.3   0:00.23 starman master
 2367 www-data  20   0  312m 109m 3836 S    0  3.1   0:05.94 starman worker
 2370 www-data  20   0  311m 109m 3836 S    0  3.1   0:05.91 starman worker
 2371 www-data  20   0  312m 109m 3836 S    0  3.1   0:05.73 starman worker
 2372 www-data  20   0  312m 109m 3832 S    0  3.1   0:05.96 starman worker
 2373 www-data  20   0  312m 109m 3836 S    0  3.1   0:05.72 starman worker
 2462 root      20   0  176m 9428 3220 S    0  0.3   0:00.30 /usr/sbin/apach
 2470 root      20   0  215m 1580 1288 S    0  0.0   0:00.00 PassengerWatchd
 2490 root      20   0  288m 1712 1428 S    0  0.0   0:00.06 PassengerHelper
 2493 root      20   0  108m 6936  900 S    0  0.2   0:00.10 ruby1.9.1
 2496 nobody    20   0  165m 4076 3048 S    0  0.1   0:00.03 PassengerLoggin
 2542 www-data  20   0  176m 6524  308 S    0  0.2   0:00.01 /usr/sbin/apach
 2545 www-data  20   0  176m 6524  308 S    0  0.2   0:00.00 /usr/sbin/apach
 2546 www-data  20   0  176m 6524  308 S    0  0.2   0:00.00 /usr/sbin/apach
 2547 www-data  20   0  176m 6524  308 S    0  0.2   0:00.00 /usr/sbin/apach
 2549 www-data  20   0  176m 6524  308 S    0  0.2   0:00.00 /usr/sbin/apach
 2561 root      20   0 20028  908  748 S    0  0.0   0:00.00 getty
 3852 root      20   0  4312  312  208 S    0  0.0   0:00.00 autossh
 3854 root      20   0 41668 2868 2092 S    0  0.1   0:00.73 ssh
 3901 root      20   0 34928 3508 1840 S    0  0.1   0:00.21 tclsh
 3937 sguil     20   0  426m 375m 371m S    0 10.5   0:42.12 netsniff-ng
 3958 root      20   0 32384 3084 1844 S    0  0.1   0:00.13 tclsh
 3977 root      20   0 32760 3512 1936 S    0  0.1   0:00.38 tclsh
 3979 root      20   0  4348  352  276 S    0  0.0   0:00.00 tail
 4055 root      20   0 34932 8652 1004 S    0  0.2   0:11.61 barnyard2
 4072 sguil     20   0 28364 9748 3676 S    0  0.3   1:21.10 prads
 4088 root      20   0 33808 4424 1924 S    0  0.1   0:27.44 tclsh
 4090 root      20   0  4332  352  276 S    0  0.0   0:00.05 cat
 4105 root      20   0 32372 3076 1844 S    0  0.1   0:00.19 tclsh
 4284 ntp       20   0 37776 2000 1364 S    0  0.1   0:00.33 ntpd
 4904 root      20   0  101m 3784 2732 S    0  0.1   0:00.03 sshd
 5040 tkrabec   20   0  101m 1936  864 S    0  0.1   0:01.15 sshd
 5041 tkrabec   20   0 32040 8824 1496 S    0  0.2   0:00.48 bash
 5148 tkrabec   20   0 17800 1024  780 S    0  0.0   0:00.00 tmux
 5166 tkrabec   20   0 31276 6492 1056 S    0  0.2   0:26.31 tmux
 5167 tkrabec   20   0  4404  588  488 S    0  0.0   0:00.00 sh
 5170 tkrabec   20   0 28292 5224 1628 S    0  0.1   0:00.62 bash
 7921 root      20   0     0    0    0 S    0  0.0   0:00.12 kworker/0:2
21701 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/0:0
22275 root      20   0  4404  596  492 S    0  0.0   0:00.00 sh
22278 root      20   0  4404  324  220 S    0  0.0   0:00.00 sh
22283 root      20   0  4312  348  272 S    0  0.0   0:00.00 sleep
26608 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/0:1
26673 root      20   0 78160 2312 1712 S    0  0.1   0:00.00 sudo
26674 root      20   0 16564 1436 1212 S    0  0.0   0:00.00 sostat


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/gingerbread-eth2/dailylogs/ - 2 days
39G     .
29G     ./2014-02-20
9.8G    ./2014-02-21

/nsm/bro/logs/ - 0 days
6.7M    .
6.7M    ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/gingerbread-eth2/snort-1.stats last reported pkt_drop_percent as 71.342
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version          : 5.6.1 ($Revision: $)
Total rings              : 1

Standard (non DNA) Options
Ring slots               : 65534
Slot version             : 15
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/4036-eth2.1
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 7258923
Tot Pkt Lost       : 1868558
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Min Num Slots      : 78028
Num Free Slots     : 77999

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1762 supervising syslog-ng
1763 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1898 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!

Sphinx
Checking for process:
1798 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 244 Feb 21 16:47 /nsm/elsa/data/elsa/tmp/buffers/1393001239.50083
-rw-r--r-- 1 root root 679 Feb 21 16:47 /nsm/elsa/data/elsa/tmp/buffers/1393001179.47073
-rw-r--r-- 1 root root  15 Feb 21 16:47 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
313M    /nsm/elsa/data
1.4M    /var/lib/mysql/syslog
222M    /var/lib/mysql/syslog_data

autossh
Checking for process:
3852 /usr/lib/autossh/autossh -M 0    -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 -R 50000:localhost:3154 tkr...@X.X.X.X

Checking APIKEY:
APIKEY matches server.

starman
Checking for processes:
2356 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2367 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2370 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2371 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2372 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2373 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi


Tim Krabec
tkrabec.com



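Editor's note, added to this thread and not written by either poster: whatever turns out to be behind the Snorby delay, the sensor dump above reports figures that deserve attention on their own. sostat says snort-1 last reported pkt_drop_percent as 71.342, the PF_RING block shows 1868558 of 7258923 packets lost on the single snort ring, and top shows one snort process at 91% CPU on a host with four CPUs (ksoftirqd/0 through ksoftirqd/3). The dump also shows how the sensor reaches the server: the autossh command forwards local 3306 to the server's MySQL (ssh PID 3854 is the process listening on 3306 on the sensor) and reverse-forwards server port 50000 to the sensor's starman on 3154. The script below is an added example, not Security Onion code and not something the posters ran. It parses the Service Status, packet-drop, pf_ring and autossh sections of a sostat dump and flags exactly those conditions. The sample text is trimmed from the sensor output quoted above with the figures unchanged; the 5% and 1% thresholds and the requirement that both a -L and an -R forward be present are assumptions made for the example.

```python
"""Triage a Security Onion `sostat` dump for conditions that commonly delay
alert data: a service not OK, a dropping IDS engine, PF_RING loss, and a
missing sensor-to-server autossh forward.  Added example for this thread,
not Security Onion code.  Thresholds are assumptions.  The sample is trimmed
from the sensor output quoted in the thread; the figures are unchanged."""
import re

SAMPLE_SOSTAT = """\
=========================================================================
Service Status
=========================================================================
Status: HIDS
  * ossec_agent (sguil)[ OK ]
Status: gingerbread-eth2
  * netsniff-ng (full packet data)[ OK ]
  * pcap_agent (sguil)[ OK ]
  * snort_agent-1 (sguil)[ OK ]
  * snort-1 (alert data)[ OK ]
  * barnyard2-1 (spooler, unified2 format)[ OK ]
  * prads (sessions/assets)[ OK ]
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/gingerbread-eth2/snort-1.stats last reported pkt_drop_percent as 71.342
=========================================================================
pf_ring stats
=========================================================================
/proc/net/pf_ring/4036-eth2.1
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 7258923
Tot Pkt Lost       : 1868558

autossh
Checking for process:
3852 /usr/lib/autossh/autossh -M 0 -q -N -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 -R 50000:localhost:3154 tkr...@X.X.X.X
"""

# "  * snort-1 (alert data)[ OK ]"  ->  name="snort-1 (alert data)", status="OK"
SERVICE_RE = re.compile(r"^\s*\*\s+(?P<name>.+?)\s*\[\s*(?P<status>[A-Za-z]+)\s*\]", re.M)
# "<stats file> last reported pkt_drop_percent as 71.342"
DROP_RE = re.compile(r"^(?P<path>\S+) last reported pkt_drop_percent as (?P<pct>\d+(?:\.\d+)?)", re.M)
# one PF_RING ring block: application name, packets seen, packets lost
RING_RE = re.compile(
    r"Appl\. Name\s*:\s*(?P<app>\S+).*?Tot Packets\s*:\s*(?P<total>\d+).*?Tot Pkt Lost\s*:\s*(?P<lost>\d+)",
    re.S,
)
# "-L local:host:port" and "-R remote:host:port" on the autossh command line
FORWARD_RE = re.compile(r"-(?P<kind>[LR])\s+(?P<spec>\S+)")


def parse_services(text):
    """Map every '* name[ STATUS ]' line to its status string."""
    return {m["name"]: m["status"] for m in SERVICE_RE.finditer(text)}


def parse_snort_drops(text):
    """Return {stats_file: pkt_drop_percent} from the packet drop section."""
    return {m["path"]: float(m["pct"]) for m in DROP_RE.finditer(text)}


def parse_pf_ring(text):
    """Return [(app, total, lost, loss_pct)] for every ring in the dump."""
    rings = []
    for m in RING_RE.finditer(text):
        total, lost = int(m["total"]), int(m["lost"])
        rings.append((m["app"], total, lost, 100.0 * lost / total if total else 0.0))
    return rings


def parse_tunnel_forwards(text):
    """Return {'L': [...], 'R': [...]} taken from the autossh command line."""
    forwards = {"L": [], "R": []}
    for line in text.splitlines():
        if "autossh" in line and " -M " in line:
            for kind, spec in FORWARD_RE.findall(line):
                forwards[kind].append(spec)
    return forwards


def triage(text, max_drop_pct=5.0, max_ring_loss_pct=1.0):
    """Return human-readable findings; an empty list means nothing looked wrong.
    The default thresholds are assumptions for this example."""
    findings = []
    for name, status in parse_services(text).items():
        if status != "OK":
            findings.append(f"service {name} reports {status}")
    for path, pct in parse_snort_drops(text).items():
        if pct > max_drop_pct:
            findings.append(f"snort dropping {pct:.1f}% of packets ({path})")
    for app, total, lost, loss_pct in parse_pf_ring(text):
        if loss_pct > max_ring_loss_pct:
            findings.append(f"pf_ring {app} lost {lost} of {total} packets ({loss_pct:.1f}%)")
    fwd = parse_tunnel_forwards(text)
    if not fwd["L"] or not fwd["R"]:
        findings.append("autossh tunnel missing -L or -R forward")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SOSTAT):
        print("WARN:", finding)
```

Run against the trimmed sample it produces two warnings, one for the 71.3% snort drop and one for the 25.7% PF_RING loss; every service is OK and both forwards are present. Feed it `sudo sostat` output on a sensor (or the server, where the autossh check simply reports no forwards) to get the same three-line summary instead of scrolling through the full dump.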

Doug Burks

Feb 21, 2014, 12:16:19 PM
to securit...@googlegroups.com
Please also send sostat from the server.

Tim Krabec

Feb 21, 2014, 12:51:28 PM
to securit...@googlegroups.com
server
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:55498993 errors:0 dropped:0 overruns:0 frame:0
TX packets:51588710 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7689583932 (7.6 GB) TX bytes:6750315044 (6.7 GB)
Interrupt:16 Memory:fa000000-fa012800

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3546253 errors:0 dropped:0 overruns:0 frame:0
TX packets:3546253 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2829750501 (2.8 GB) TX bytes:2829750501 (2.8 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2829750501 3546253 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2829750501 3546253 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
7689583932 55498993 0 0 0 420138
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
6750315044 51588710 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/cciss/c0d0p1 224G 18G 195G 9% /
udev 3.0G 4.0K 3.0G 1% /dev
tmpfs 1.2G 780K 1.2G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.0G 84K 3.0G 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 975 avahi 12u IPv4 8518 0t0 UDP *:5353
avahi-dae 975 avahi 13u IPv6 8519 0t0 UDP *:5353
avahi-dae 975 avahi 14u IPv4 8520 0t0 UDP *:39088
avahi-dae 975 avahi 15u IPv6 8521 0t0 UDP *:51711
cupsd 1015 root 8u IPv6 25999653 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1015 root 9u IPv4 25999654 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1133 root 3r IPv4 9410 0t0 TCP *:22 (LISTEN)
sshd 1133 root 4u IPv6 9412 0t0 TCP *:22 (LISTEN)
salt-mini 1250 root 14u IPv4 11947 0t0 TCP X.X.X.X:39714->X.X.X.X:4505 (ESTABLISHED)
salt-mast 1266 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
salt-mast 1266 root 21u IPv4 29574521 0t0 TCP X.X.X.X:4506->X.X.X.X:53781 (ESTABLISHED)
mysqld 1402 mysql 10u IPv4 12829 0t0 TCP *:3306 (LISTEN)
mysqld 1402 mysql 79u IPv4 22365 0t0 TCP X.X.X.X:3306->X.X.X.X:42215 (ESTABLISHED)
mysqld 1402 mysql 80u IPv4 22373 0t0 TCP X.X.X.X:3306->X.X.X.X:42216 (ESTABLISHED)
searchd 1428 sphinxsearch 7u IPv4 9088 0t0 TCP *:9306 (LISTEN)
searchd 1428 sphinxsearch 8u IPv4 9089 0t0 TCP *:9312 (LISTEN)
salt-mast 1460 root 27u IPv4 9948 0t0 TCP *:4505 (LISTEN)
salt-mast 1460 root 29u IPv4 28124639 0t0 TCP X.X.X.X:4505->X.X.X.X:53558 (ESTABLISHED)
salt-mast 1460 root 30u IPv4 11794 0t0 TCP X.X.X.X:4505->X.X.X.X:53669 (ESTABLISHED)
salt-mast 1460 root 31u IPv4 11948 0t0 TCP X.X.X.X:4505->X.X.X.X:39714 (ESTABLISHED)
salt-mast 1460 root 32u IPv4 310652 0t0 TCP X.X.X.X:4505->X.X.X.X:56443 (ESTABLISHED)
salt-mast 1468 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
salt-mast 1469 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
salt-mast 1472 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
salt-mast 1473 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
salt-mast 1480 root 19u IPv4 9952 0t0 TCP *:4506 (LISTEN)
ossec-csy 1533 ossecm 5u IPv4 10655 0t0 UDP X.X.X.X:48802->X.X.X.X:514
xrdp 1978 xrdp 6u IPv4 12858 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 1980 root 6u IPv4 12611 0t0 TCP X.X.X.X:3350 (LISTEN)
/usr/sbin 2069 root 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2069 root 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2069 root 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2069 root 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 2128 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2128 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2128 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2128 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 2129 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2129 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2129 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2129 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 2130 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2130 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2130 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2130 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 2131 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2131 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2131 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2131 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 2132 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 2132 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2132 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2132 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
ntpd 2347 ntp 16u IPv4 13028 0t0 UDP *:123
ntpd 2347 ntp 17u IPv6 13029 0t0 UDP *:123
ntpd 2347 ntp 18u IPv4 13035 0t0 UDP X.X.X.X:123
ntpd 2347 ntp 19u IPv4 13036 0t0 UDP X.X.X.X:123
ntpd 2347 ntp 20u IPv6 13037 0t0 UDP [X.X.X.X]:123
ntpd 2347 ntp 21u IPv6 13038 0t0 UDP [X.X.X.X]:123
syslog-ng 4964 root 9u IPv4 2491015 0t0 TCP *:514 (LISTEN)
syslog-ng 4964 root 10u IPv4 2491016 0t0 UDP *:514
/usr/sbin 5194 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 5194 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5194 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5194 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
ruby1.9.1 9483 www-data 12u IPv4 40426 0t0 TCP X.X.X.X:57530 (LISTEN)
/usr/sbin 9635 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 9635 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9635 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9635 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 9636 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 9636 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9636 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9636 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
/usr/sbin 9637 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 9637 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9637 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9637 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
sshd 11160 root 3r IPv4 313584 0t0 TCP X.X.X.X:22->X.X.X.X:45844 (ESTABLISHED)
sshd 11296 tkrabec 3u IPv4 313584 0t0 TCP X.X.X.X:22->X.X.X.X:45844 (ESTABLISHED)
sshd 11296 tkrabec 9u IPv6 313792 0t0 TCP [X.X.X.X]:50002 (LISTEN)
sshd 11296 tkrabec 10u IPv4 313793 0t0 TCP X.X.X.X:50002 (LISTEN)
sshd 11296 tkrabec 11u IPv4 948140 0t0 TCP X.X.X.X:50177->X.X.X.X:3306 (CLOSE_WAIT)
sshd 18417 root 3r IPv4 204016 0t0 TCP X.X.X.X:22->X.X.X.X:15718 (ESTABLISHED)
sshd 18699 tkrabec 3u IPv4 204016 0t0 TCP X.X.X.X:22->X.X.X.X:15718 (ESTABLISHED)
/usr/sbin 19132 www-data 4u IPv4 12518 0t0 TCP *:443 (LISTEN)
/usr/sbin 19132 www-data 5u IPv4 12521 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19132 www-data 6u IPv4 12523 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19132 www-data 7u IPv4 12527 0t0 TCP *:444 (LISTEN)
sshd 22127 root 3r IPv4 28107452 0t0 TCP X.X.X.X:22->X.X.X.X:55272 (ESTABLISHED)
sshd 22300 tkrabec 3u IPv4 28107452 0t0 TCP X.X.X.X:22->X.X.X.X:55272 (ESTABLISHED)
sshd 22300 tkrabec 9u IPv6 28107791 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 22300 tkrabec 10u IPv4 28107792 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 22300 tkrabec 11u IPv4 29650330 0t0 TCP X.X.X.X:50001->X.X.X.X:45661 (ESTABLISHED)
sshd 26603 root 3r IPv4 28133138 0t0 TCP X.X.X.X:22->X.X.X.X:46491 (ESTABLISHED)
sshd 26759 tkrabec 3u IPv4 28133138 0t0 TCP X.X.X.X:22->X.X.X.X:46491 (ESTABLISHED)
sshd 26759 tkrabec 9u IPv6 28134474 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 26759 tkrabec 10u IPv4 28134475 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 30118 root 3r IPv4 27963766 0t0 TCP X.X.X.X:22->X.X.X.X:26080 (ESTABLISHED)
sshd 30355 tkrabec 3u IPv4 27963766 0t0 TCP X.X.X.X:22->X.X.X.X:26080 (ESTABLISHED)
perl 30358 root 15u IPv4 29650329 0t0 TCP X.X.X.X:45661->X.X.X.X:50001 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri Feb 21 07:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 6 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 36 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------11
Deleted:---11
Enabled Rules:----16211
Dropped Rules:----0
Disabled Rules:---3486
Total Rules:------19697
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
top - 17:44:35 up 1 day, 2:31, 2 users, load average: 1.21, 1.25, 1.27
Tasks: 160 total, 2 running, 158 sleeping, 0 stopped, 0 zombie
Cpu(s): 42.8%us, 5.6%sy, 0.0%ni, 44.0%id, 7.1%wa, 0.0%hi, 0.4%si, 0.0%st
Mem: 6111892k total, 5653300k used, 458592k free, 68944k buffers
Swap: 9343300k total, 298960k used, 9044340k free, 900888k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
31773 root 20 0 2760m 2.6g 3380 R 100 44.2 159:50.62 tclsh
1250 root 20 0 431m 25m 3972 S 2 0.4 0:56.24 salt-minion
31403 root 20 0 17336 1280 920 R 2 0.0 0:00.01 top
1 root 20 0 24724 2272 1228 S 0 0.0 0:05.36 init
2 root 20 0 0 0 0 S 0 0.0 0:00.01 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:10.59 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.46 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:01.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.37 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:01.05 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:10.81 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:00.34 watchdog/1
13 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
14 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
15 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
16 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
17 root 20 0 0 0 0 S 0 0.0 0:02.74 kworker/u:1
18 root 20 0 0 0 0 S 0 0.0 0:00.27 sync_supers
19 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
20 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
22 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
23 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
24 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
25 root 20 0 0 0 0 S 0 0.0 0:04.52 kworker/1:1
26 root 20 0 0 0 0 S 0 0.0 0:00.05 khungtaskd
27 root 20 0 0 0 0 S 0 0.0 0:13.46 kswapd0
28 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
29 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
30 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
31 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
32 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
41 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
42 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
63 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
64 root 20 0 0 0 0 S 0 0.0 0:03.50 kworker/1:2
222 root 20 0 0 0 0 S 0 0.0 0:00.00 cciss_scan
236 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
240 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
325 root 20 0 0 0 0 S 0 0.0 0:35.31 jbd2/cciss!c0d0
326 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
506 root 20 0 17236 584 472 S 0 0.0 0:00.07 upstart-udev-br
537 root 20 0 22096 712 712 S 0 0.0 0:00.07 udevd
695 root 20 0 22092 272 268 S 0 0.0 0:00.00 udevd
696 root 20 0 21900 280 276 S 0 0.0 0:00.00 udevd
752 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
753 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
765 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
767 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
940 messageb 20 0 24272 1220 724 S 0 0.0 0:00.12 dbus-daemon
964 root 20 0 21192 900 900 S 0 0.0 0:00.00 bluetoothd
975 avahi 20 0 33496 2432 1088 S 0 0.0 0:18.50 avahi-daemon
976 avahi 20 0 32184 172 136 S 0 0.0 0:00.00 avahi-daemon
1009 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1015 root 20 0 101m 1768 1288 S 0 0.0 0:00.02 cupsd
1059 root 20 0 15192 392 328 S 0 0.0 0:00.00 upstart-socket-
1070 root 20 0 0 0 0 S 0 0.0 0:13.26 flush-104:0
1133 root 20 0 50036 1904 1784 S 0 0.0 0:00.01 sshd
1238 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
1243 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
1262 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
1263 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
1266 root 20 0 484m 6508 3696 S 0 0.1 0:14.88 salt-master
1267 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
1293 sphinxse 20 0 72928 1384 1384 S 0 0.0 0:00.00 su
1301 root 20 0 4464 520 516 S 0 0.0 0:00.00 acpid
1304 root 20 0 1018m 2352 1988 S 0 0.0 0:00.19 console-kit-dae
1306 root 20 0 264m 1256 1256 S 0 0.0 0:00.01 lightdm
1370 root 20 0 19116 920 780 S 0 0.0 0:01.08 cron
1371 daemon 20 0 16912 216 200 S 0 0.0 0:00.00 atd
1377 root 20 0 15984 560 468 S 0 0.0 0:11.46 irqbalance
1392 root 20 0 190m 2076 1556 S 0 0.0 0:00.08 polkitd
1393 root 20 0 155m 2180 1716 S 0 0.0 1:33.74 Xorg
1402 mysql 20 0 1325m 212m 4776 S 0 3.6 33:14.56 mysqld
1428 sphinxse 20 0 352m 59m 48m S 0 1.0 2:30.24 searchd
1448 root 20 0 170m 1696 1696 S 0 0.0 0:00.01 lightdm
1451 root 20 0 118m 1976 1612 S 0 0.0 0:01.48 accounts-daemon
1453 root 20 0 205m 5468 2760 S 0 0.1 0:00.65 salt-master
1460 root 20 0 228m 3456 1448 S 0 0.1 0:00.00 salt-master
1464 root 20 0 228m 3688 1332 S 0 0.1 0:00.13 salt-master
1468 root 20 0 614m 28m 3320 S 0 0.5 9:30.61 salt-master
1469 root 20 0 612m 26m 3336 S 0 0.4 9:34.40 salt-master
1472 root 20 0 614m 27m 3336 S 0 0.5 10:05.79 salt-master
1473 root 20 0 614m 28m 3336 S 0 0.5 9:40.97 salt-master
1480 root 20 0 614m 28m 3336 S 0 0.5 9:57.57 salt-master
1533 ossecm 20 0 12920 464 400 S 0 0.0 0:00.67 ossec-csyslogd
1561 root 20 0 12808 352 328 S 0 0.0 0:00.02 ossec-execd
1588 ossec 20 0 14508 2004 688 S 0 0.0 0:07.34 ossec-analysisd
1598 root 20 0 4528 464 400 S 0 0.0 0:07.19 ossec-logcollec
1606 lightdm 20 0 4404 504 500 S 0 0.0 0:00.00 lightdm-greeter
1613 lightdm 20 0 23952 264 264 S 0 0.0 0:00.00 dbus-daemon
1614 lightdm 20 0 236m 4488 3056 S 0 0.1 2:44.03 lightdm-gtk-gre
1622 lightdm 20 0 52424 1320 1320 S 0 0.0 0:00.00 gvfsd
1626 lightdm 20 0 203m 1268 1268 S 0 0.0 0:00.00 gvfs-fuse-daemo
1640 root 20 0 214m 1812 1416 S 0 0.0 0:00.13 upowerd
1724 root 20 0 5928 2168 604 S 0 0.0 1:04.62 ossec-syscheckd
1731 ossec 20 0 13072 640 432 S 0 0.0 0:00.10 ossec-monitord
1750 root 20 0 94672 1340 1336 S 0 0.0 0:00.00 lightdm
1978 xrdp 20 0 18920 136 136 S 0 0.0 0:00.00 xrdp
1980 root 20 0 29384 292 292 S 0 0.0 0:00.00 xrdp-sesman
2069 root 20 0 176m 4908 3868 S 0 0.1 0:03.19 /usr/sbin/apach
2072 root 20 0 215m 1076 1008 S 0 0.0 0:00.00 PassengerWatchd
2077 root 20 0 929m 1908 1452 S 0 0.0 1:42.33 PassengerHelper
2079 root 20 0 108m 5468 1952 S 0 0.1 0:00.10 ruby1.9.1
2084 nobody 20 0 165m 1728 1716 S 0 0.0 0:00.20 PassengerLoggin
2128 www-data 20 0 387m 20m 5888 S 0 0.3 0:11.37 /usr/sbin/apach
2129 www-data 20 0 387m 108m 5844 S 0 1.8 0:11.33 /usr/sbin/apach
2130 www-data 20 0 387m 78m 5844 S 0 1.3 0:11.36 /usr/sbin/apach
2131 www-data 20 0 387m 38m 5836 S 0 0.6 0:11.31 /usr/sbin/apach
2132 www-data 20 0 387m 108m 5844 S 0 1.8 0:11.51 /usr/sbin/apach
2145 root 20 0 20028 764 760 S 0 0.0 0:00.00 getty
2347 ntp 20 0 37776 1552 1396 S 0 0.0 0:05.76 ntpd
4963 root 20 0 26784 404 164 S 0 0.0 0:00.00 syslog-ng
4964 root 20 0 70844 3760 2164 S 0 0.1 0:09.83 syslog-ng
4975 root 20 0 4404 612 508 S 0 0.0 0:00.00 sh
4976 root 20 0 216m 42m 3788 S 0 0.7 0:23.93 perl
5162 root 19 -1 14892 356 296 S 0 0.0 0:07.68 dema
5194 www-data 20 0 387m 108m 5696 S 0 1.8 0:11.06 /usr/sbin/apach
5587 www-data 20 0 431m 100m 3324 S 0 1.7 8:36.92 ruby
6359 root 20 0 125m 3416 524 S 0 0.1 0:00.00 tclsh
9483 www-data 20 0 292m 96m 3128 S 0 1.6 1:11.23 ruby1.9.1
9635 www-data 20 0 387m 108m 5836 S 0 1.8 0:10.92 /usr/sbin/apach
9636 www-data 20 0 387m 108m 5848 S 0 1.8 0:11.16 /usr/sbin/apach
9637 www-data 20 0 387m 108m 5840 S 0 1.8 0:11.33 /usr/sbin/apach
11160 root 20 0 101m 3656 2620 S 0 0.1 0:00.01 sshd
11296 tkrabec 20 0 102m 2092 760 S 0 0.0 0:05.18 sshd
16468 root 20 0 0 0 0 S 0 0.0 0:00.17 kworker/0:1
18417 root 20 0 101m 3732 2672 S 0 0.1 0:00.18 sshd
18699 tkrabec 20 0 101m 1908 836 S 0 0.0 0:11.52 sshd
18705 tkrabec 20 0 32092 8292 912 S 0 0.1 0:00.49 bash
18824 tkrabec 20 0 17800 960 720 S 0 0.0 0:00.00 tmux
18842 tkrabec 20 0 30456 5756 1136 S 0 0.1 4:40.94 tmux
18843 tkrabec 20 0 4404 604 504 S 0 0.0 0:00.00 sh
18847 tkrabec 20 0 28252 5140 1584 S 0 0.1 0:00.33 bash
19132 www-data 20 0 387m 108m 5896 S 0 1.8 0:10.79 /usr/sbin/apach
22127 root 20 0 101m 4380 3340 S 0 0.1 0:00.01 sshd
22260 root 20 0 0 0 0 S 0 0.0 0:00.28 kworker/0:0
22300 tkrabec 20 0 102m 2452 912 S 0 0.0 0:01.14 sshd
24272 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:2
24650 root 20 0 4344 556 456 S 0 0.0 0:00.00 tail
26603 root 20 0 101m 4376 3340 S 0 0.1 0:00.00 sshd
26759 tkrabec 20 0 102m 2420 916 S 0 0.0 0:00.90 sshd
27082 root 20 0 125m 3400 508 S 0 0.1 0:00.00 tclsh
30118 root 20 0 101m 4420 3356 S 0 0.1 0:00.03 sshd
30353 root 20 0 68924 1884 1332 S 0 0.0 0:00.00 cron
30354 root 20 0 4404 608 508 S 0 0.0 0:00.00 sh
30355 tkrabec 20 0 101m 2116 1040 S 0 0.0 0:01.34 sshd
30356 tkrabec 20 0 32092 8964 1616 S 0 0.1 0:00.51 bash
30358 root 20 0 293m 91m 5572 S 0 1.5 0:03.78 perl
30490 tkrabec 20 0 17800 1172 932 S 0 0.0 0:00.03 tmux
31305 root 20 0 78160 2368 1768 S 0 0.0 0:00.00 sudo
31306 root 20 0 16552 1352 1140 S 0 0.0 0:00.00 sostat-redacted
31307 root 20 0 16568 1488 1256 S 0 0.0 0:00.00 sostat
31308 root 20 0 15744 820 696 S 0 0.0 0:00.00 sed
31309 root 20 0 15744 820 692 S 0 0.0 0:00.00 sed
31310 root 20 0 16420 1344 748 S 0 0.0 0:00.00 sed
31855 root 20 0 42044 4500 2664 S 0 0.1 0:00.38 tclsh
32340 root 20 0 125m 3644 752 S 0 0.1 0:00.43 tclsh
32341 root 20 0 125m 3436 540 S 0 0.1 0:00.00 tclsh


=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1463615

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
50603 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
46675 1:2101411 GPL SNMP public access udp
8732 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
3161 1:2017873 ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response
2437 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1762 1:2010100 ET TROJAN Palevo/BFBot/Mariposa client join attempt
735 1:2009966 ET P2P KuGoo P2P Connection
302 1:2100366 GPL ICMP_INFO PING *NIX
294 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
226 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
183 10000:2 PADS Changed Asset - unknown @https
164 1:2012648 ET POLICY Dropbox Client Broadcasting
154 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
122 1:2100587 GPL RPC portmap status request UDP
116 1:2522321 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 161
116 1:2000369 ET P2P BitTorrent Announce
103 1:2000419 ET POLICY PE EXE or DLL Windows file download
82 1:2000357 ET P2P BitTorrent Traffic
60 10000:2 PADS Changed Asset - unknown @imaps
55 1:2102180 GPL P2P BitTorrent announce request
54 1:2522643 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 322
51 1:2009785 ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)
46 1:2014703 DNS Protocol Violation Reserved Bit Set Possible C&C
38 1:100000235 GPL CHAT Jabber/Google Talk Logon Success
36 1:2003317 ET P2P Edonkey Search Request (any type file)
34 1:2003310 ET P2P Edonkey Publicize File
32 1:2000334 ET P2P BitTorrent peer sync
29 1:2009971 ET P2P eMule KAD Network Hello Request (2)
25 1:2009702 ET POLICY DNS Update From External net
25 1:2522645 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 323
25 1:2102924 GPL NETBIOS SMB-DS repeated logon failure
24 1:2406249 ET RBN Known Russian Business Network IP UDP group 125
23 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
21 1:2002192 ET CHAT MSN status change
20 10000:1 PADS New Asset - unknown @domain
20 1:2003320 ET P2P Edonkey Search Results
19 1:2007695 ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
19 1:648 GPL SHELLCODE x86 NOOP
15 1:2101201 GPL WEB_SERVER 403 Forbidden
14 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 5.00; Windows 98; SoDA)
13 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
11 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
9 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
9 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
9 1:2003315 ET P2P Edonkey Search Reply
8 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
7 1:2001330 ET POLICY RDP connection confirm
7 1:2008581 ET P2P BitTorrent DHT ping request
7 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
6 1:2001329 ET POLICY RDP connection request
6 10000:2 PADS Changed Asset - smb Windows SMB
6 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
6 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
6 10000:2 PADS Changed Asset - unknown @microsoft-ds
6 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
6 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
6 1:2003313 ET P2P Edonkey Connect Reply and Server List
6 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
6 1:2102181 GPL P2P BitTorrent transfer
6 10000:1 PADS New Asset - http Shockwave Flash
6 1:2406707 ET RBN Known Russian Business Network IP UDP group 354
5 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
5 10000:2 PADS Changed Asset - unknown @domain
5 1:2406043 ET RBN Known Russian Business Network IP UDP group 22
5 1:2016104 ET TROJAN DNS Reply for unallocated address space - Potentially Malicious X.X.X.X/24
4 1:2012390 ET P2P Libtorrent User-Agent
4 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
4 1:2009970 ET P2P eMule Kademlia Hello Request
4 1:2406269 ET RBN Known Russian Business Network IP UDP group 135
4 1:2010144 ET P2P Vuze BT UDP Connection (5)
4 1:2001219 ET SCAN Potential SSH Scan
4 1:2406777 ET RBN Known Russian Business Network IP UDP group 389
3 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
3 1:2017910 ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR
3 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11
3 1:2001240 ET POLICY Cisco Device New Config Built
3 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
3 10000:2 PADS Changed Asset - domain DNS SQR No Error
3 10000:2 PADS Changed Asset - unknown @pop3s
3 1:2016360 ET INFO JAVA - ClassID
3 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
3 10000:1 PADS New Asset - smb Windows SMB
3 1:2406757 ET RBN Known Russian Business Network IP UDP group 379
3 1:2016853 ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013
3 10000:2 PADS Changed Asset - http Windows-Update (Agent)
3 10000:2 PADS Changed Asset - ssl Generic TLS 1.0 SSL
2 10000:1 PADS New Asset - unknown @snmp
2 10000:1 PADS New Asset - http Hay%20Day/X.X.X.X CFNetwork/672.0.8 Darwin/14.0.0
2 1:2522931 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 466
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a
2 10000:2 PADS Changed Asset - http Microsoft-IIS 8.0
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)
2 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
2 10000:2 PADS Changed Asset - http Mozilla/5.0 yuncheng_ppweb/0.0.23 sh_162-1270104 (4412421)
2 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
2 1:2008583 ET P2P BitTorrent DHT nodes reply
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
2 1:2406379 ET RBN Known Russian Business Network IP UDP group 190
2 1:2406703 ET RBN Known Russian Business Network IP UDP group 352
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
2 10000:1 PADS New Asset - unknown @ntp
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
2 1:2406753 ET RBN Known Russian Business Network IP UDP group 377
2 10000:2 PADS Changed Asset - smtp Generic SMTP (2.0.0)
2 1:2003410 ET POLICY FTP Login Successful
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11
2 1:2102452 GPL CHAT Yahoo IM ping
2 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2 10000:2 PADS Changed Asset - ssh OpenSSH 4.3 (Protocol 2.0)
2 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
2 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:27.0) Gecko/20100101 Firefox/27.0
2 1:2402000 ET DROP Dshield Block Listed Source group 1
1 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 1:2406377 ET RBN Known Russian Business Network IP UDP group 189
1 1:2008585 ET P2P BitTorrent DHT announce_peers request
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36
1 10000:1 PADS New Asset - unknown @sunrpc
1 1:2002878 ET POLICY iTunes User Agent
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
1 10000:2 PADS Changed Asset - unknown @imap2
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
1 10000:1 PADS New Asset - http Firefox%20Plugin%20Process/1.0 CFNetwork/673.0.3 Darwin/13.0.0 (x86_64) (MacBookPro5%2C1)
1 1:2017652 ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013
1 10000:2 PADS Changed Asset - http Firefox%20Plugin%20Process/1.0 CFNetwork/454.12.4 Darwin/10.8.0 (i386) (MacBookPro5%2C3)
1 1:2014701 DNS Protocol Violation Opcode 6 or 7 set Possible C&C
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
1 1:2406613 ET RBN Known Russian Business Network IP UDP group 307
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
1 10000:1 PADS New Asset - unknown @ftp
1 10000:2 PADS Changed Asset - http Firefox%20Plugin%20Process/1.0 CFNetwork/673.0.3 Darwin/13.0.0 (x86_64) (MacBookPro9%2C2)
1 1:2003319 ET P2P Edonkey Search Request (search by name)
1 1:2101991 GPL CHAT MSN login attempt
1 1:2406185 ET RBN Known Russian Business Network IP UDP group 93
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11A501
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
1 10000:2 PADS Changed Asset - unknown @ssh
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; InfoPath.1; .NET CLR 2.0.50727; AskTbWCL2/5.12.2.16749; yie8)
1 10000:1 PADS New Asset - unknown @smtp
1 1:2406351 ET RBN Known Russian Business Network IP UDP group 176
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; InfoPath.3)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
1 10000:2 PADS Changed Asset - unknown @smtp
1 10000:2 PADS Changed Asset - ssh OpenSSH 5.9p1 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
1 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; ICP 42_1.11.0.5)
1 1:2009968 ET P2P eMule KAD Network Connection Request(2)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Linux; Android 4.1.2; XT907 Build/9.8.1Q-94 (1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11
1 10000:2 PADS Changed Asset - http Shockwave Flash
1 10000:1 PADS New Asset - dns TCP DNS Server
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
1 1:2406003 ET RBN Known Russian Business Network IP UDP group 2
1 10000:2 PADS Changed Asset - http Microsoft-IIS 6.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; SCH (I535 4G Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0
1 1:2406731 ET RBN Known Russian Business Network IP UDP group 366
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14
1 10000:2 PADS Changed Asset - ssh PuTTY Release_0.62 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SGH (T999 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
1 1:2406539 ET RBN Known Russian Business Network IP UDP group 270
1 10000:1 PADS New Asset - unknown @microsoft-ds
1 1:2406275 ET RBN Known Russian Business Network IP UDP group 138
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
1 1:2003286 ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
1 1:2009969 ET P2P eMule KAD Network Firewalled Request
1 10000:2 PADS Changed Asset - http Opera/9.80 (Windows NT 6.1; WOW64; Edition IBIS) Presto/2.12.388 Version/12.16
1 10000:2 PADS Changed Asset - ssh OpenSSH 5.9 (Protocol 2.0)
1 1:2014703 DNS Protocol Violation Reserved Bit Set Possible C&C
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/3.5 Safari/536.11
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
1 10000:1 PADS New Asset - unknown @nfs
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
1 10000:2 PADS Changed Asset - http PluginProcess/6534.59.10 CFNetwork/454.12.4 Darwin/10.8.0 (i386) (iMac11%2C3)
1 10000:2 PADS Changed Asset - http stagefright/1.2 (Linux;Android 4.1.2;motorola XT907 Build/9.8.1Q-94 (1))
1 1:2406199 ET RBN Known Russian Business Network IP UDP group 100
1 1:2406303 ET RBN Known Russian Business Network IP UDP group 152
1 10000:2 PADS Changed Asset - http NSPlayer/10.0.0.3702 WMFSDK/10.0
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; Android 4.4; XT1030 Build/SU2 (3) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/X.X.X.X Mobile Safari/537.36)
1 10000:1 PADS New Asset - http qvod_iphone
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/6.0)
1 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 1:2406369 ET RBN Known Russian Business Network IP UDP group 185
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
1 10000:1 PADS New Asset - http Jurassic%20Park/4.0.9 CFNetwork/672.0.8 Darwin/14.0.0
1 1:2406305 ET RBN Known Russian Business Network IP UDP group 153
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; MALNJS)
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 10000:1 PADS New Asset - unknown @openvpn
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT (N8013 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30)
1 1:2014906 ET INFO .exe File requested over FTP
1 1:2406767 ET RBN Known Russian Business Network IP UDP group 384
Total
117047

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
872449 1:2101411 GPL SNMP public access udp
81092 1:2010100 ET TROJAN Palevo/BFBot/Mariposa client join attempt
68785 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
67405 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
63050 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
18933 1:2014726 ET POLICY Outdated Windows Flash Version IE
17691 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
16615 1:2015561 ET INFO PDF Using CCITTFax Filter
13040 1:2000345 ET TROJAN IRC Nick change on non-standard port
11981 1:2009024 ET TROJAN Downadup/Conficker A or B Worm reporting
10857 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
8722 1:2014702 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy
8304 1:2000357 ET P2P BitTorrent Traffic
8201 1:2100366 GPL ICMP_INFO PING *NIX
8011 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
7585 1:2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0
7284 1:2017873 ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response
5867 1:2014997 ET POLICY Pandora Usage
5805 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
5728 1:2009966 ET P2P KuGoo P2P Connection
5537 1:2012648 ET POLICY Dropbox Client Broadcasting
5340 1:100000230 GPL CHAT MISC Jabber/Google Talk Outgoing Traffic
5198 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
5196 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
5181 1:2000369 ET P2P BitTorrent Announce
4989 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
4699 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
4571 1:100000232 GPL CHAT Google Talk Logon
4117 1:2102461 GPL CHAT Yahoo IM conference watch
3788 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
3597 1:2000419 ET POLICY PE EXE or DLL Windows file download
3495 10000:2 PADS Changed Asset - unknown @https
3343 1:2011295 ET TROJAN Butterfly/Mariposa Bot client init connection
3080 1:2009970 ET P2P eMule Kademlia Hello Request
2803 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
2776 1:2014701 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy
2693 1:2002157 ET CHAT Skype User-Agent detected
2240 1:2011507 ET WEB_CLIENT PDF With Embedded File
1977 1:2002383 ET SCAN Potential FTP Brute-Force attempt
1969 10000:2 PADS Changed Asset - ssl SSL 2.0 Client Hello
1900 1:2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
1895 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
1763 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
1707 10000:1 PADS New Asset - unknown @https
1661 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
1608 1:2102180 GPL P2P BitTorrent announce request
1379 1:2000334 ET P2P BitTorrent peer sync
1361 1:2003310 ET P2P Edonkey Publicize File
1323 1:2002166 ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar)
1291 1:2008500 ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)
Total
1462388

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
50603 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
46677 1:2101411 GPL SNMP public access udp
8733 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
3161 1:2017873 ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response
2437 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1762 1:2010100 ET TROJAN Palevo/BFBot/Mariposa client join attempt
735 1:2009966 ET P2P KuGoo P2P Connection
302 1:2100366 GPL ICMP_INFO PING *NIX
294 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
164 1:2012648 ET POLICY Dropbox Client Broadcasting
122 1:2100587 GPL RPC portmap status request UDP
116 1:2000369 ET P2P BitTorrent Announce
103 1:2000419 ET POLICY PE EXE or DLL Windows file download
89 1:2522321 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 161
82 1:2000357 ET P2P BitTorrent Traffic
55 1:2102180 GPL P2P BitTorrent announce request
54 1:2522643 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 322
53 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
51 1:2009785 ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)
38 1:100000235 GPL CHAT Jabber/Google Talk Logon Success
36 1:2003317 ET P2P Edonkey Search Request (any type file)
34 1:2003310 ET P2P Edonkey Publicize File
32 1:2000334 ET P2P BitTorrent peer sync
29 1:2009971 ET P2P eMule KAD Network Hello Request (2)
27 1:2522321 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 161
25 1:2522645 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 323
25 1:2009702 ET POLICY DNS Update From External net
25 1:2102924 GPL NETBIOS SMB-DS repeated logon failure
21 1:2002192 ET CHAT MSN status change
20 1:2003320 ET P2P Edonkey Search Results
20 1:2406249 ET RBN Known Russian Business Network IP UDP group 125
19 1:648 GPL SHELLCODE x86 NOOP
19 1:2007695 ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
15 1:2101201 GPL WEB_SERVER 403 Forbidden
11 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
9 1:2003315 ET P2P Edonkey Search Reply
9 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
8 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
7 1:2008581 ET P2P BitTorrent DHT ping request
7 1:2001330 ET POLICY RDP connection confirm
7 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
6 1:2003313 ET P2P Edonkey Connect Reply and Server List
6 1:2001329 ET POLICY RDP connection request
6 1:2102181 GPL P2P BitTorrent transfer
6 1:2406707 ET RBN Known Russian Business Network IP UDP group 354
6 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
5 1:2406043 ET RBN Known Russian Business Network IP UDP group 22
5 1:2016104 ET TROJAN DNS Reply for unallocated address space - Potentially Malicious X.X.X.X/24
4 1:2001219 ET SCAN Potential SSH Scan
4 1:2406269 ET RBN Known Russian Business Network IP UDP group 135
4 1:2009970 ET P2P eMule Kademlia Hello Request
4 1:2406249 ET RBN Known Russian Business Network IP UDP group 125
4 1:2012390 ET P2P Libtorrent User-Agent
4 1:2406777 ET RBN Known Russian Business Network IP UDP group 389
4 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
4 1:2010144 ET P2P Vuze BT UDP Connection (5)
3 1:2001240 ET POLICY Cisco Device New Config Built
3 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3 1:2406757 ET RBN Known Russian Business Network IP UDP group 379
3 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
3 1:2016360 ET INFO JAVA - ClassID
3 1:2017910 ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR
3 1:2016853 ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013
2 1:2102475 GPL NETBIOS SMB-DS ADMIN$ unicode share access
2 1:2406703 ET RBN Known Russian Business Network IP UDP group 352
2 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2 1:2522931 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 466
2 1:2406379 ET RBN Known Russian Business Network IP UDP group 190
2 1:2008583 ET P2P BitTorrent DHT nodes reply
2 1:2102452 GPL CHAT Yahoo IM ping
2 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2 1:2406753 ET RBN Known Russian Business Network IP UDP group 377
2 1:2003410 ET POLICY FTP Login Successful
2 1:2402000 ET DROP Dshield Block Listed Source group 1
1 1:2406731 ET RBN Known Russian Business Network IP UDP group 366
1 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 1:2009968 ET P2P eMule KAD Network Connection Request(2)
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2003319 ET P2P Edonkey Search Request (search by name)
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 1:2101991 GPL CHAT MSN login attempt
1 1:2406351 ET RBN Known Russian Business Network IP UDP group 176
1 1:2406275 ET RBN Known Russian Business Network IP UDP group 138
1 1:2406185 ET RBN Known Russian Business Network IP UDP group 93
1 1:2014701 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy
1 1:2406369 ET RBN Known Russian Business Network IP UDP group 185
1 1:2406003 ET RBN Known Russian Business Network IP UDP group 2
1 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 1:2406199 ET RBN Known Russian Business Network IP UDP group 100
1 1:2406377 ET RBN Known Russian Business Network IP UDP group 189
1 1:2014906 ET INFO .exe File requested over FTP
1 1:2406613 ET RBN Known Russian Business Network IP UDP group 307
1 1:2008585 ET P2P BitTorrent DHT announce_peers request
1 1:2003286 ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
1 1:2406303 ET RBN Known Russian Business Network IP UDP group 152
1 1:2002878 ET POLICY iTunes User Agent
1 1:2009969 ET P2P eMule KAD Network Firewalled Request
1 1:2406767 ET RBN Known Russian Business Network IP UDP group 384
1 1:2406305 ET RBN Known Russian Business Network IP UDP group 153
1 1:2017652 ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013
1 1:2406539 ET RBN Known Russian Business Network IP UDP group 270
1 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
116179

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
669430 1:2101411 GPL SNMP public access udp
67416 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
53805 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
53075 1:2010100 ET TROJAN Palevo/BFBot/Mariposa client join attempt
51190 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
8383 1:2000345 ET TROJAN IRC Nick change on non-standard port
7845 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
7318 1:2000357 ET P2P BitTorrent Traffic
7284 1:2017873 ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response
6694 1:2100366 GPL ICMP_INFO PING *NIX
6419 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
5707 1:2009966 ET P2P KuGoo P2P Connection
4775 1:2014702 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy
4117 1:2102461 GPL CHAT Yahoo IM conference watch
4005 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
3863 1:2012648 ET POLICY Dropbox Client Broadcasting
3309 1:2000369 ET P2P BitTorrent Announce
2395 1:2009970 ET P2P eMule Kademlia Hello Request
1977 1:2002383 ET SCAN Potential FTP Brute-Force attempt
1538 1:2014701 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy
1309 1:2102180 GPL P2P BitTorrent announce request
1242 1:2000334 ET P2P BitTorrent peer sync
1230 1:2011295 ET TROJAN Butterfly/Mariposa Bot client init connection
1171 1:2003310 ET P2P Edonkey Publicize File
927 1:2014472 ET INFO JAVA - Java Archive Download
906 1:2002327 ET CHAT Google Talk (Jabber) Client Login
831 1:2010819 ET CHAT Facebook Chat using XMPP
804 1:100000230 GPL CHAT MISC Jabber/Google Talk Outgoing Traffic
773 1:2003317 ET P2P Edonkey Search Request (any type file)
766 1:2000419 ET POLICY PE EXE or DLL Windows file download
732 1:2009971 ET P2P eMule KAD Network Hello Request (2)
687 1:2002334 ET CHAT Google IM traffic Jabber client sign-on
664 1:100000232 GPL CHAT Google Talk Logon
646 1:2009702 ET POLICY DNS Update From External net
570 1:2003320 ET P2P Edonkey Search Results
499 1:2101201 GPL WEB_SERVER 403 Forbidden
487 1:2001298 ET P2P eDonkey Server Status Request
462 1:2406271 ET RBN Known Russian Business Network IP UDP group 136
442 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
395 1:100000236 GPL CHAT Jabber/Google Talk Incoming Message
390 1:2522331 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 166
375 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
373 1:2007695 ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
359 1:2406067 ET RBN Known Russian Business Network IP UDP group 34
321 1:2016870 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
314 1:2522551 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 276
309 1:2522311 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 156
307 1:2003315 ET P2P Edonkey Search Reply
302 1:2003313 ET P2P Edonkey Connect Reply and Server List
299 1:2522329 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 165
Total
999317

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
4963 supervising syslog-ng
4964 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1402 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1293 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1402 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1293 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 4530 Feb 21 17:44 /nsm/elsa/data/elsa/tmp/buffers/1393004628.25101
-rw-r--r-- 1 root root 15 Feb 21 17:44 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
261M /nsm/elsa/data
1.7M /var/lib/mysql/syslog
67M /var/lib/mysql/syslog_data

ELSA Log Node SSH Tunnels:
50000 X.X.X.X tkrabec
50001 X.X.X.X tkrabec
50002 X.X.X.X tkrabec

Doug Burks

Feb 21, 2014, 1:20:33 PM2/21/14
to securit...@googlegroups.com
On Fri, Feb 21, 2014 at 12:51 PM, Tim Krabec <tkr...@gmail.com> wrote:

> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> COUNT(*)
> 1463615

Sguil does a daily purge and then starts back up. When it starts, it
has to load any uncategorized events into memory. Having this many
uncategorized events means that it takes a long time before Sguil is
fully initialized and ready to accept data.

What is the output of the following commands?

grep "Loading access list" /var/log/nsm/securityonion/sguild.log

grep "Sguild Initialized" /var/log/nsm/securityonion/sguild.log

The first should show the time that sguild startup began. The second
should show the time that sguild completed loading uncategorized
events into memory and was ready to accept data.
--
Doug Burks
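
An added example (not from Doug's post or from Security Onion itself) that automates the two grep commands above: it pulls the last "Loading access list" and "Sguild Initialized" timestamps out of a sguild.log and reports the startup gap in seconds, or "pending" when the second line has not been written yet, which is the situation this thread is about. The sample log content is constructed (timestamps are made up; only the message texts come from the thread), and the script assumes a GNU or busybox `date` that accepts `-d "YYYY-MM-DD HH:MM:SS"`, as on Security Onion's Ubuntu base.

```shell
#!/bin/sh
# Added example, not part of the thread or of Security Onion: measure how
# long sguild took to finish loading uncategorized events by comparing the
# "Loading access list" and "Sguild Initialized" lines in sguild.log.
# Assumes GNU or busybox `date -d` (Ubuntu has GNU coreutils).

# Constructed sample of /var/log/nsm/securityonion/sguild.log; the
# timestamps and the middle line are made up for this example.
SAMPLE_LOG=$(cat <<'EOF'
2014-02-21 14:57:57 pid(31773)  Loading access list: /etc/nsm/securityonion/sguild.access
2014-02-21 15:10:41 pid(31773)  Archived Alert: 0 5 changed-asset sensor-eth2 {2014-02-18 11:42:02} 23 22730 {PADS Changed Asset - unknown @https} x.x.x.x x.x.x.x 6 53765 443 10000 2 1 22730 22730
2014-02-21 18:41:19 pid(31773)  Sguild Initialized.
EOF
)

# last_ts LOGFILE PATTERN
# Echoes the leading "YYYY-MM-DD HH:MM:SS" of the last line matching PATTERN,
# or nothing if PATTERN has not been logged yet.
last_ts() {
    grep "$2" "$1" | tail -n 1 | cut -c1-19
}

# sguild_startup_seconds LOGFILE
# Echoes the seconds between startup and "Sguild Initialized".
# Echoes "pending" and returns 1 while sguild is still loading events
# (the "next is blank" case in the thread); returns 2 if no startup is logged.
sguild_startup_seconds() {
    start=$(last_ts "$1" "Loading access list")
    finish=$(last_ts "$1" "Sguild Initialized")
    if [ -z "$start" ]; then
        echo "no startup recorded"
        return 2
    fi
    if [ -z "$finish" ]; then
        echo "pending"
        return 1
    fi
    s=$(date -u -d "$start" +%s)
    e=$(date -u -d "$finish" +%s)
    echo $((e - s))
}

# Stand-alone demo on the constructed sample: full log, then only the
# first line to mimic a sguild that is still loading.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "startup took $(sguild_startup_seconds "$tmp") s"        # 13402 s, about 3h43m
head -n 1 "$tmp" > "$tmp.partial"
echo "partial log: $(sguild_startup_seconds "$tmp.partial" || true)"
rm -f "$tmp" "$tmp.partial"
```

Run it against the real file with `sguild_startup_seconds /var/log/nsm/securityonion/sguild.log`; a gap of several hours, or a "pending" result long after the nightly purge, is the symptom Tim describes and points at the uncategorized-event count rather than at Snorby.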

Tim Krabec

Feb 21, 2014, 1:24:49 PM2/21/14
to securit...@googlegroups.com
From the 1st only
2014-02-21 14:57:57 pid(31773)  Loading access list: /etc/nsm/securityonion/sguild.access
next is blank

Doug Burks

Feb 21, 2014, 1:32:35 PM2/21/14
to securit...@googlegroups.com
That probably means that it's not done loading uncategorized events
into memory yet.

What's the output of the following?
tail -5 /var/log/nsm/securityonion/sguild.log

Tim Krabec

Feb 21, 2014, 1:36:26 PM2/21/14
to securit...@googlegroups.com
2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:02} 23 22730 {PADS Changed Asset - ssl Generic TLS 1.0 SSL} X.X.X.X x.x.x.x 6 53765 8194 10000 2 1 22730 22730
2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 2 attempted-dos donkey-eth1-1 {2014-02-18 11:42:02} 9 77321 {ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03} 65.32.59.85 192.26.251.65 17 80 123 1 2017919 2 2776 2776
2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:03} 23 22731 {PADS Changed Asset - unknown @microsoft-ds} x.x.x.x. x.x.x.x.6 53775 445 10000 2 1 22731 22731
2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:04} 23 22732 {PADS Changed Asset - unknown @microsoft-ds} x.x.x.x.x.x.x.x.6 53796 445 10000 2 1 22732 22732
2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 1 policy-violation Gingerbread-eth2-1 {2014-02-18 11:42:06} 21 933337 {ET POLICY DNS Update From External net} x.x.x.x x.x.x.x.17 52868 53 1 2009702 5 3616 3616


Tim Krabec
tkrabec.com



David Vasil

Feb 21, 2014, 1:42:26 PM2/21/14
to securit...@googlegroups.com
On Friday, February 21, 2014 12:36:26 PM UTC-6, Tim Krabec wrote:
> 2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:02} 23 22730 {PADS Changed Asset - ssl Generic TLS 1.0 SSL} X.X.X.X x.x.x.x 6 53765 8194 10000 2 1 22730 22730
>
> 2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 2 attempted-dos donkey-eth1-1 {2014-02-18 11:42:02} 9 77321 {ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03} 65.32.59.85 192.26.251.65 17 80 123 1 2017919 2 2776 2776
>
> 2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:03} 23 22731 {PADS Changed Asset - unknown @microsoft-ds} x.x.x.x. x.x.x.x.6 53775 445 10000 2 1 22731 22731
>
> 2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 5 changed-asset Gingerbread-eth2 {2014-02-18 11:42:04} 23 22732 {PADS Changed Asset - unknown @microsoft-ds} x.x.x.x.x.x.x.x.6 53796 445 10000 2 1 22732 22732
> 2014-02-21 18:35:09 pid(31773)  Archived Alert: 0 1 policy-violation Gingerbread-eth2-1 {2014-02-18 11:42:06} 21 933337 {ET POLICY DNS Update From External net} x.x.x.x x.x.x.x.17 52868 53 1 2009702 5 3616 3616

Looks like sguild is still trying to load your alerts. You might have a large number of uncategorized events; you can check by issuing this on your SO backend:

mysql -uroot -Dsecurityonion_db -e "SELECT COUNT(*) FROM event WHERE status=0"

If that number is high (in the thousands) you might want to look at this for keeping that number down:

http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html

Doug Burks

Feb 21, 2014, 1:43:19 PM2/21/14
to securit...@googlegroups.com
Yep, you may want to do the following to get your uncategorized events
under control:

edit /etc/nsm/securityonion.conf and set DAYSTOKEEP to a smaller number like 7

sudo sguil-db-purge

This will delete anything in the database older than 7 days, which
should dramatically lower your uncategorized events, making sguild
start much faster.
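
An added example (not from Doug's post or from Security Onion) of the first step above done in a repeatable way: a pair of shell functions that read and rewrite the DAYSTOKEEP line in a copy of securityonion.conf, keeping a backup and refusing a non-numeric or zero value before sguil-db-purge is run. The path /etc/nsm/securityonion.conf, the key DAYSTOKEEP and the value 7 come from the post; the sample file contents and the starting value 365 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion: set the
# DAYSTOKEEP retention value that sguil-db-purge reads. Works on a copy
# of the config so the stand-alone run never touches /etc/nsm.

# daystokeep_value CONF
# Echoes the current DAYSTOKEEP value (empty if the key is not set).
daystokeep_value() {
    sed -n 's/^[[:space:]]*DAYSTOKEEP=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# set_daystokeep CONF DAYS
# Rewrites (or appends) DAYSTOKEEP=DAYS, keeps a timestamped backup, and
# echoes the value now in the file. Rejects anything that is not a positive
# integer: DAYSTOKEEP=0 would purge every event on the next run.
set_daystokeep() {
    conf=$1
    days=$2
    case $days in
        ''|*[!0-9]*|0)
            echo "DAYSTOKEEP must be a positive integer, got '$days'" >&2
            return 2 ;;
    esac
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q '^[[:space:]]*DAYSTOKEEP=' "$conf"; then
        # Edit via a temp file rather than sed -i, which differs between GNU and BSD sed.
        sed "s/^[[:space:]]*DAYSTOKEEP=.*/DAYSTOKEEP=$days/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'DAYSTOKEEP=%s\n' "$days" >> "$conf"
    fi
    daystokeep_value "$conf"
}

# Stand-alone demo on a constructed copy of the config (values made up).
conf=$(mktemp)
printf '%s\n' '# constructed sample of /etc/nsm/securityonion.conf' 'DAYSTOKEEP=365' > "$conf"
echo "before: DAYSTOKEEP=$(daystokeep_value "$conf")"
echo "after:  DAYSTOKEEP=$(set_daystokeep "$conf" 7)"
set_daystokeep "$conf" 0 || echo "rejected 0 as expected"
rm -f "$conf" "$conf".bak.*
```

On a real sensor the call would be `sudo sh -c '. ./daystokeep.sh; set_daystokeep /etc/nsm/securityonion.conf 7'` followed by `sudo sguil-db-purge`, as in the post; the backup lets you restore the old retention if the shorter window turns out to be too aggressive.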

Tim Krabec

Feb 21, 2014, 1:46:10 PM2/21/14
to securit...@googlegroups.com
1,463,615 hmm a tad over thousands

Tim Krabec
tkrabec.com


Doug Burks

Feb 21, 2014, 1:55:48 PM2/21/14
to securit...@googlegroups.com
On Fri, Feb 21, 2014 at 1:46 PM, Tim Krabec <tkr...@gmail.com> wrote:
> 1,463,615 hmm a tad over thousands

Yes, this is the "Sguil Uncategorized Events" number that we're trying
to lower :)

Tim Krabec

Feb 21, 2014, 1:57:32 PM2/21/14
to securit...@googlegroups.com
Working through that now using this http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html as a guide, as my problem is not Suricata.


Tim Krabec
tkrabec.com


Doug Burks

Feb 21, 2014, 2:02:51 PM2/21/14
to securit...@googlegroups.com
You could also try the steps I previously sent:

you may want to do the following to get your uncategorized events
under control:

edit /etc/nsm/securityonion.conf and set DAYSTOKEEP to a smaller number like 7

sudo sguil-db-purge

This will delete anything in the database older than 7 days, which
should dramatically lower your uncategorized events, making sguild
start much faster.

--
Doug Burks

David Vasil

Feb 21, 2014, 2:03:03 PM2/21/14
to securit...@googlegroups.com
On Friday, February 21, 2014 12:57:32 PM UTC-6, Tim Krabec wrote:
> Working through that now using this http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html as a guide, as my problem is not Suricata.

Definitely check out the autocat.conf portion of Richard's blog post. The post is applicable to sguil and uncategorized events in general; your system could be using snort or suricata and it should work fine.

Tim Krabec

Feb 21, 2014, 2:05:42 PM2/21/14
to securit...@googlegroups.com
I'm down to 266k events
It looks like I have much tuning to do.


Tim Krabec
tkrabec.com


Tim Krabec

Feb 21, 2014, 2:08:20 PM2/21/14
to securit...@googlegroups.com
Doug and David, thank you very much.


Tim Krabec
tkrabec.com

Michal Purzynski

Feb 24, 2014, 5:33:48 AM2/24/14
to securit...@googlegroups.com
On 2/21/14, 8:08 PM, Tim Krabec wrote:
> Doug and David, thank you very much.
>
>
In the future you might want to reverse your approach - disable all SIDs
and enable those you are interested in, by category, while dropping
the noisy ones that remain. I so wish pulledpork had a two-stage
disable-enable-disable, but it's not the case (there are workarounds with
dropsid, etc.).