Upgrade from 12.04 to 14.04 and ELSA is only showing the left side menu


doug....@juiceplus.com

Apr 20, 2016, 5:41:24 PM
to security-onion
I'm new to Security Onion and performed an upgrade from 12 to 14 and noticed ELSA wasn't showing any information. I can access Sguil and Squert with no issues.

I receive a Proxy Error:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /elsa-query/.

Reason: Error reading from remote server

Apache/2.4.7 (Ubuntu) Server at 172.16.2.131 Port 443

I've checked with our networking dept to ensure no ports are being blocked.

I also added 3154 to ufw.

sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
514 ALLOW Anywhere
1514/udp ALLOW Anywhere
443/tcp ALLOW Anywhere
444/tcp ALLOW Anywhere
7734/tcp ALLOW Anywhere
7736/tcp ALLOW Anywhere
Salt ALLOW Anywhere
4505,4506/tcp ALLOW 172.16.2.132
4505,4506/tcp ALLOW 172.16.2.133
4505,4506/tcp ALLOW 172.16.2.134
5666/tcp ALLOW Anywhere
25 ALLOW Anywhere
3154 ALLOW Anywhere
3154/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
514 (v6) ALLOW Anywhere (v6)
1514/udp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
444/tcp (v6) ALLOW Anywhere (v6)
7734/tcp (v6) ALLOW Anywhere (v6)
7736/tcp (v6) ALLOW Anywhere (v6)
Salt (v6) ALLOW Anywhere (v6)
5666/tcp (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
3154 (v6) ALLOW Anywhere (v6)
3154/tcp (v6) ALLOW Anywhere (v6)

Here's sostat

=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 78:da:6e:0e:da:ab
inet addr:172.16.2.131 Bcast:172.16.2.255 Mask:255.255.255.0
inet6 addr: fe80::7ada:6eff:fe0e:daab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:111117 errors:0 dropped:0 overruns:0 frame:0
TX packets:177556 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:45720657 (45.7 MB) TX bytes:137255426 (137.2 MB)

eth2 Link encap:Ethernet HWaddr c0:67:af:71:49:70
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:df000000-df100000

eth3 Link encap:Ethernet HWaddr c0:67:af:71:49:71
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:def00000-df000000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:15025 errors:0 dropped:0 overruns:0 frame:0
TX packets:15025 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19888309 (19.8 MB) TX bytes:19888309 (19.8 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
19888309 15025 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
19888309 15025 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 78:da:6e:0e:da:ab brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
45720861 111120 0 0 0 28
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
137257934 177562 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 78:da:6e:0e:da:ac brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether c0:67:af:71:49:70 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether c0:67:af:71:49:71 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 63G 4.0K 63G 1% /dev
tmpfs 13G 1.6M 13G 1% /run
/dev/sda5 502G 5.2G 472G 2% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 63G 172K 63G 1% /run/shm
none 100M 40K 100M 1% /run/user
/dev/sda1 184M 43M 133M 25% /boot
/dev/sdb5 550G 43G 479G 9% /nsm
/dev/sdb1 550G 112G 410G 22% /var

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1161 root 6u IPv4 10679 0t0 UDP *:111
rpcbind 1161 root 7u IPv4 10682 0t0 UDP *:870
rpcbind 1161 root 8u IPv4 10683 0t0 TCP *:111 (LISTEN)
rpcbind 1161 root 9u IPv6 10684 0t0 UDP *:111
rpcbind 1161 root 10u IPv6 10685 0t0 UDP *:870
rpcbind 1161 root 11u IPv6 10686 0t0 TCP *:111 (LISTEN)
avahi-dae 1507 avahi 12u IPv4 10768 0t0 UDP *:5353
avahi-dae 1507 avahi 13u IPv6 10770 0t0 UDP *:5353
avahi-dae 1507 avahi 14u IPv4 10772 0t0 UDP *:39678
avahi-dae 1507 avahi 15u IPv6 10773 0t0 UDP *:53212
sshd 1579 root 3r IPv4 22716 0t0 TCP *:22 (LISTEN)
sshd 1579 root 4u IPv6 22718 0t0 TCP *:22 (LISTEN)
cups-brow 1618 root 6u IPv6 20167 0t0 TCP [::1]:49694->[::1]:631 (CLOSE_WAIT)
cups-brow 1618 root 8u IPv4 8898 0t0 UDP *:631
syslog-ng 1694 root 9u IPv4 21647 0t0 TCP *:514 (LISTEN)
syslog-ng 1694 root 10u IPv4 21648 0t0 UDP *:514
syslog-ng 1694 root 12u IPv4 21655 0t0 UDP 172.16.2.131:46959->172.16.2.21:514
syslog-ng 1694 root 15u IPv4 21656 0t0 UDP 172.16.2.131:44216->172.16.2.21:514
syslog-ng 1694 root 16u IPv4 21657 0t0 UDP 172.16.2.131:42206->172.16.2.21:514
mysqld 1703 mysql 10u IPv4 22836 0t0 TCP 127.0.0.1:3306 (LISTEN)
searchd 1828 sphinxsearch 7u IPv4 7421 0t0 TCP *:9306 (LISTEN)
searchd 1828 sphinxsearch 8u IPv4 7422 0t0 TCP *:9312 (LISTEN)
nrpe 1849 nagios 4u IPv4 11703 0t0 TCP *:5666 (LISTEN)
nrpe 1849 nagios 5u IPv6 11704 0t0 TCP *:5666 (LISTEN)
salt-mini 1870 root 13u IPv4 18657 0t0 TCP 127.0.0.1:44329->127.0.0.1:4506 (ESTABLISHED)
salt-mini 1870 root 24u IPv4 11736 0t0 TCP 127.0.0.1:56733->127.0.0.1:4505 (ESTABLISHED)
ossec-csy 1908 ossecm 5u IPv4 14514 0t0 UDP 127.0.0.1:59261->127.0.0.1:514
salt-mast 1957 root 12u IPv4 11722 0t0 TCP *:4505 (LISTEN)
salt-mast 1957 root 14u IPv4 15528 0t0 TCP 127.0.0.1:4505->127.0.0.1:56733 (ESTABLISHED)
salt-mast 1957 root 15u IPv4 23920 0t0 TCP 172.16.2.131:4505->172.16.2.134:59431 (ESTABLISHED)
salt-mast 1957 root 16u IPv4 7563 0t0 TCP 172.16.2.131:4505->172.16.2.132:41259 (ESTABLISHED)
salt-mast 1957 root 17u IPv4 17741 0t0 TCP 172.16.2.131:4505->172.16.2.135:58183 (ESTABLISHED)
salt-mast 1957 root 18u IPv4 24143 0t0 TCP 172.16.2.131:4505->172.16.2.133:37952 (ESTABLISHED)
salt-mast 1976 root 20u IPv4 14518 0t0 TCP *:4506 (LISTEN)
salt-mast 1976 root 22u IPv4 13669 0t0 TCP 127.0.0.1:4506->127.0.0.1:44329 (ESTABLISHED)
salt-mast 1976 root 28u IPv4 23916 0t0 TCP 172.16.2.131:4506->172.16.2.133:57821 (ESTABLISHED)
salt-mast 1976 root 29u IPv4 23924 0t0 TCP 172.16.2.131:4506->172.16.2.135:39033 (ESTABLISHED)
salt-mast 1976 root 30u IPv4 23933 0t0 TCP 172.16.2.131:4506->172.16.2.132:44557 (ESTABLISHED)
salt-mast 1976 root 31u IPv4 23934 0t0 TCP 172.16.2.131:4506->172.16.2.134:52327 (ESTABLISHED)
ossec-rem 2340 ossecr 4u IPv4 13608 0t0 UDP *:1514
ntpd 2418 ntp 16u IPv4 8594 0t0 UDP *:123
ntpd 2418 ntp 17u IPv6 8595 0t0 UDP *:123
ntpd 2418 ntp 18u IPv4 8601 0t0 UDP 127.0.0.1:123
ntpd 2418 ntp 19u IPv4 8602 0t0 UDP 172.16.2.131:123
ntpd 2418 ntp 20u IPv6 8603 0t0 UDP [fe80::7ada:6eff:fe0e:daab]:123
ntpd 2418 ntp 21u IPv6 8604 0t0 UDP [::1]:123
sendmail- 2806 root 3u IPv4 14569 0t0 TCP 127.0.0.1:25 (LISTEN)
sendmail- 2806 root 5u IPv4 14570 0t0 TCP 127.0.0.1:587 (LISTEN)
sshd 3224 root 3r IPv4 7549 0t0 TCP 172.16.2.131:22->172.16.2.134:56379 (ESTABLISHED)
sshd 3727 idssensor4 3u IPv4 7549 0t0 TCP 172.16.2.131:22->172.16.2.134:56379 (ESTABLISHED)
sshd 3727 idssensor4 10u IPv6 12046 0t0 TCP [::1]:50003 (LISTEN)
sshd 3727 idssensor4 11u IPv4 12047 0t0 TCP 127.0.0.1:50003 (LISTEN)
sshd 3727 idssensor4 12u IPv4 25001 0t0 TCP 127.0.0.1:50003->127.0.0.1:42272 (CLOSE_WAIT)
sshd 3727 idssensor4 13u IPv4 32091 0t0 TCP 127.0.0.1:50003->127.0.0.1:42302 (CLOSE_WAIT)
sshd 3727 idssensor4 14u IPv4 48211 0t0 TCP 127.0.0.1:50003->127.0.0.1:42318 (CLOSE_WAIT)
sshd 3727 idssensor4 15u IPv4 166851 0t0 TCP 127.0.0.1:50003->127.0.0.1:42349 (CLOSE_WAIT)
sshd 3727 idssensor4 16u IPv4 208335 0t0 TCP 127.0.0.1:50003->127.0.0.1:42389 (CLOSE_WAIT)
sshd 3727 idssensor4 17u IPv4 208711 0t0 TCP 127.0.0.1:50003->127.0.0.1:42477 (CLOSE_WAIT)
sshd 3727 idssensor4 18u IPv4 208737 0t0 TCP 127.0.0.1:50003->127.0.0.1:42498 (CLOSE_WAIT)
sshd 3727 idssensor4 19u IPv4 376422 0t0 TCP 127.0.0.1:50003->127.0.0.1:42620 (CLOSE_WAIT)
sshd 3727 idssensor4 20u IPv4 376424 0t0 TCP 127.0.0.1:50003->127.0.0.1:42628 (CLOSE_WAIT)
sshd 3727 idssensor4 21u IPv4 384739 0t0 TCP 127.0.0.1:50003->127.0.0.1:42636 (CLOSE_WAIT)
sshd 3727 idssensor4 22u IPv4 376436 0t0 TCP 127.0.0.1:50003->127.0.0.1:42647 (CLOSE_WAIT)
sshd 3727 idssensor4 23u IPv4 376441 0t0 TCP 127.0.0.1:50003->127.0.0.1:42655 (CLOSE_WAIT)
sshd 3727 idssensor4 24u IPv4 386518 0t0 TCP 127.0.0.1:50003->127.0.0.1:42663 (CLOSE_WAIT)
sshd 3727 idssensor4 25u IPv4 386520 0t0 TCP 127.0.0.1:50003->127.0.0.1:42671 (CLOSE_WAIT)
sshd 3727 idssensor4 26u IPv4 376459 0t0 TCP 127.0.0.1:50003->127.0.0.1:42681 (CLOSE_WAIT)
sshd 3727 idssensor4 27u IPv4 376468 0t0 TCP 127.0.0.1:50003->127.0.0.1:42690 (CLOSE_WAIT)
sshd 3727 idssensor4 28u IPv4 376482 0t0 TCP 127.0.0.1:50003->127.0.0.1:42699 (CLOSE_WAIT)
sshd 3727 idssensor4 29u IPv4 376486 0t0 TCP 127.0.0.1:50003->127.0.0.1:42708 (CLOSE_WAIT)
sshd 3727 idssensor4 30u IPv4 383805 0t0 TCP 127.0.0.1:50003->127.0.0.1:42724 (CLOSE_WAIT)
sshd 3727 idssensor4 31u IPv4 386786 0t0 TCP 127.0.0.1:50003->127.0.0.1:42779 (CLOSE_WAIT)
sshd 3727 idssensor4 32u IPv4 395728 0t0 TCP 127.0.0.1:50003->127.0.0.1:42904 (CLOSE_WAIT)
sshd 3727 idssensor4 33u IPv4 411990 0t0 TCP 127.0.0.1:50003->127.0.0.1:42963 (CLOSE_WAIT)
sshd 3727 idssensor4 34u IPv4 411993 0t0 TCP 127.0.0.1:50003->127.0.0.1:42968 (CLOSE_WAIT)
sshd 3727 idssensor4 35u IPv4 412009 0t0 TCP 127.0.0.1:50003->127.0.0.1:42981 (CLOSE_WAIT)
sshd 3727 idssensor4 36u IPv4 413211 0t0 TCP 127.0.0.1:50003->127.0.0.1:42991 (CLOSE_WAIT)
sshd 3731 root 3r IPv4 24144 0t0 TCP 172.16.2.131:22->172.16.2.132:54272 (ESTABLISHED)
sshd 3771 idssensor2 3u IPv4 24144 0t0 TCP 172.16.2.131:22->172.16.2.132:54272 (ESTABLISHED)
sshd 3771 idssensor2 10u IPv6 1837 0t0 TCP [::1]:50004 (LISTEN)
sshd 3771 idssensor2 11u IPv4 1838 0t0 TCP 127.0.0.1:50004 (LISTEN)
sshd 3771 idssensor2 12u IPv4 25000 0t0 TCP 127.0.0.1:50004->127.0.0.1:54415 (CLOSE_WAIT)
sshd 3771 idssensor2 13u IPv4 32093 0t0 TCP 127.0.0.1:50004->127.0.0.1:54449 (CLOSE_WAIT)
sshd 3771 idssensor2 14u IPv4 42197 0t0 TCP 127.0.0.1:50004->127.0.0.1:54460 (CLOSE_WAIT)
sshd 3771 idssensor2 15u IPv4 166850 0t0 TCP 127.0.0.1:50004->127.0.0.1:54492 (CLOSE_WAIT)
sshd 3771 idssensor2 16u IPv4 208337 0t0 TCP 127.0.0.1:50004->127.0.0.1:54535 (CLOSE_WAIT)
sshd 3771 idssensor2 17u IPv4 231198 0t0 TCP 127.0.0.1:50004->127.0.0.1:54624 (CLOSE_WAIT)
sshd 3771 idssensor2 18u IPv4 229069 0t0 TCP 127.0.0.1:50004->127.0.0.1:54643 (CLOSE_WAIT)
sshd 3771 idssensor2 19u IPv4 376416 0t0 TCP 127.0.0.1:50004->127.0.0.1:54760 (CLOSE_WAIT)
sshd 3771 idssensor2 20u IPv4 384725 0t0 TCP 127.0.0.1:50004->127.0.0.1:54770 (CLOSE_WAIT)
sshd 3771 idssensor2 21u IPv4 384740 0t0 TCP 127.0.0.1:50004->127.0.0.1:54781 (CLOSE_WAIT)
sshd 3771 idssensor2 22u IPv4 384741 0t0 TCP 127.0.0.1:50004->127.0.0.1:54787 (CLOSE_WAIT)
sshd 3771 idssensor2 23u IPv4 384743 0t0 TCP 127.0.0.1:50004->127.0.0.1:54797 (CLOSE_WAIT)
sshd 3771 idssensor2 24u IPv4 384746 0t0 TCP 127.0.0.1:50004->127.0.0.1:54808 (CLOSE_WAIT)
sshd 3771 idssensor2 25u IPv4 384747 0t0 TCP 127.0.0.1:50004->127.0.0.1:54818 (CLOSE_WAIT)
sshd 3771 idssensor2 26u IPv4 376460 0t0 TCP 127.0.0.1:50004->127.0.0.1:54826 (CLOSE_WAIT)
sshd 3771 idssensor2 27u IPv4 376469 0t0 TCP 127.0.0.1:50004->127.0.0.1:54835 (CLOSE_WAIT)
sshd 3771 idssensor2 28u IPv4 376483 0t0 TCP 127.0.0.1:50004->127.0.0.1:54844 (CLOSE_WAIT)
sshd 3771 idssensor2 29u IPv4 376488 0t0 TCP 127.0.0.1:50004->127.0.0.1:54855 (CLOSE_WAIT)
sshd 3771 idssensor2 30u IPv4 376489 0t0 TCP 127.0.0.1:50004->127.0.0.1:54864 (CLOSE_WAIT)
sshd 3771 idssensor2 31u IPv4 376607 0t0 TCP 127.0.0.1:50004->127.0.0.1:54921 (CLOSE_WAIT)
sshd 3771 idssensor2 32u IPv4 405587 0t0 TCP 127.0.0.1:50004->127.0.0.1:55046 (CLOSE_WAIT)
sshd 3771 idssensor2 33u IPv4 411988 0t0 TCP 127.0.0.1:50004->127.0.0.1:55105 (CLOSE_WAIT)
sshd 3771 idssensor2 34u IPv4 413183 0t0 TCP 127.0.0.1:50004->127.0.0.1:55114 (CLOSE_WAIT)
sshd 3771 idssensor2 35u IPv4 413200 0t0 TCP 127.0.0.1:50004->127.0.0.1:55123 (CLOSE_WAIT)
sshd 3771 idssensor2 36u IPv4 413210 0t0 TCP 127.0.0.1:50004->127.0.0.1:55133 (CLOSE_WAIT)
cupsd 4005 root 10u IPv6 24210 0t0 TCP [::1]:631 (LISTEN)
cupsd 4005 root 11u IPv4 24211 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 4292 root 3r IPv4 23124 0t0 TCP 172.16.2.131:22->172.16.2.135:54567 (ESTABLISHED)
sshd 4331 secids 3u IPv4 23124 0t0 TCP 172.16.2.131:22->172.16.2.135:54567 (ESTABLISHED)
sshd 4331 secids 10u IPv6 25850 0t0 TCP [::1]:50000 (LISTEN)
sshd 4331 secids 11u IPv4 25851 0t0 TCP 127.0.0.1:50000 (LISTEN)
sshd 4402 root 3r IPv4 23140 0t0 TCP 172.16.2.131:22->172.16.2.133:35314 (ESTABLISHED)
sshd 4441 idssensor3 3u IPv4 23140 0t0 TCP 172.16.2.131:22->172.16.2.133:35314 (ESTABLISHED)
sshd 4441 idssensor3 10u IPv6 25926 0t0 TCP [::1]:50002 (LISTEN)
sshd 4441 idssensor3 11u IPv4 25927 0t0 TCP 127.0.0.1:50002 (LISTEN)
sshd 4441 idssensor3 12u IPv4 9020 0t0 TCP 127.0.0.1:50002->127.0.0.1:45016 (CLOSE_WAIT)
sshd 4441 idssensor3 13u IPv4 25363 0t0 TCP 127.0.0.1:50002->127.0.0.1:45050 (CLOSE_WAIT)
sshd 4441 idssensor3 14u IPv4 42198 0t0 TCP 127.0.0.1:50002->127.0.0.1:45063 (CLOSE_WAIT)
sshd 4441 idssensor3 15u IPv4 166849 0t0 TCP 127.0.0.1:50002->127.0.0.1:45093 (CLOSE_WAIT)
sshd 4441 idssensor3 16u IPv4 185325 0t0 TCP 127.0.0.1:50002->127.0.0.1:45138 (CLOSE_WAIT)
sshd 4441 idssensor3 17u IPv4 208712 0t0 TCP 127.0.0.1:50002->127.0.0.1:45225 (CLOSE_WAIT)
sshd 4441 idssensor3 18u IPv4 208736 0t0 TCP 127.0.0.1:50002->127.0.0.1:45243 (CLOSE_WAIT)
sshd 4441 idssensor3 19u IPv4 376418 0t0 TCP 127.0.0.1:50002->127.0.0.1:45365 (CLOSE_WAIT)
sshd 4441 idssensor3 20u IPv4 376423 0t0 TCP 127.0.0.1:50002->127.0.0.1:45373 (CLOSE_WAIT)
sshd 4441 idssensor3 21u IPv4 384738 0t0 TCP 127.0.0.1:50002->127.0.0.1:45381 (CLOSE_WAIT)
sshd 4441 idssensor3 22u IPv4 376435 0t0 TCP 127.0.0.1:50002->127.0.0.1:45392 (CLOSE_WAIT)
sshd 4441 idssensor3 23u IPv4 376440 0t0 TCP 127.0.0.1:50002->127.0.0.1:45400 (CLOSE_WAIT)
sshd 4441 idssensor3 24u IPv4 376444 0t0 TCP 127.0.0.1:50002->127.0.0.1:45408 (CLOSE_WAIT)
sshd 4441 idssensor3 25u IPv4 376448 0t0 TCP 127.0.0.1:50002->127.0.0.1:45416 (CLOSE_WAIT)
sshd 4441 idssensor3 26u IPv4 376458 0t0 TCP 127.0.0.1:50002->127.0.0.1:45426 (CLOSE_WAIT)
sshd 4441 idssensor3 27u IPv4 376467 0t0 TCP 127.0.0.1:50002->127.0.0.1:45435 (CLOSE_WAIT)
sshd 4441 idssensor3 28u IPv4 376481 0t0 TCP 127.0.0.1:50002->127.0.0.1:45444 (CLOSE_WAIT)
sshd 4441 idssensor3 29u IPv4 376485 0t0 TCP 127.0.0.1:50002->127.0.0.1:45453 (CLOSE_WAIT)
sshd 4441 idssensor3 30u IPv4 376491 0t0 TCP 127.0.0.1:50002->127.0.0.1:45469 (CLOSE_WAIT)
sshd 4441 idssensor3 31u IPv4 376608 0t0 TCP 127.0.0.1:50002->127.0.0.1:45524 (CLOSE_WAIT)
sshd 4441 idssensor3 32u IPv4 405588 0t0 TCP 127.0.0.1:50002->127.0.0.1:45649 (CLOSE_WAIT)
sshd 4441 idssensor3 33u IPv4 411989 0t0 TCP 127.0.0.1:50002->127.0.0.1:45708 (CLOSE_WAIT)
sshd 4441 idssensor3 34u IPv4 411994 0t0 TCP 127.0.0.1:50002->127.0.0.1:45715 (CLOSE_WAIT)
sshd 4441 idssensor3 35u IPv4 412010 0t0 TCP 127.0.0.1:50002->127.0.0.1:45728 (CLOSE_WAIT)
sshd 4441 idssensor3 36u IPv4 412015 0t0 TCP 127.0.0.1:50002->127.0.0.1:45738 (CLOSE_WAIT)
/usr/sbin 4742 root 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 4742 root 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4742 root 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4749 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 4749 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4749 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4749 www-data 30u IPv4 419176 0t0 TCP 127.0.0.1:60418->127.0.0.1:3154 (CLOSE_WAIT)
/usr/sbin 4750 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 4750 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4750 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4753 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 4753 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4753 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5815 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 5815 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5815 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5815 www-data 30u IPv4 419161 0t0 TCP 127.0.0.1:60413->127.0.0.1:3154 (CLOSE_WAIT)
/usr/sbin 5816 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 5816 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5816 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5818 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 5818 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5818 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5819 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 5819 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5819 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
tclsh 6288 sguil 13u IPv4 405706 0t0 TCP *:7734 (LISTEN)
tclsh 6288 sguil 14u IPv6 405707 0t0 TCP *:7734 (LISTEN)
tclsh 6288 sguil 15u IPv4 405710 0t0 TCP *:7736 (LISTEN)
tclsh 6288 sguil 16u IPv6 405711 0t0 TCP *:7736 (LISTEN)
tclsh 6288 sguil 17u IPv4 393938 0t0 TCP 172.16.2.131:7736->172.16.2.135:43364 (ESTABLISHED)
tclsh 6288 sguil 18u IPv4 395904 0t0 TCP 127.0.0.1:7736->127.0.0.1:54044 (ESTABLISHED)
tclsh 6288 sguil 19u IPv4 395905 0t0 TCP 172.16.2.131:7736->172.16.2.134:37804 (ESTABLISHED)
tclsh 6288 sguil 20u IPv4 395906 0t0 TCP 172.16.2.131:7736->172.16.2.134:37803 (ESTABLISHED)
tclsh 6288 sguil 21u IPv4 400887 0t0 TCP 172.16.2.131:7736->172.16.2.134:37805 (ESTABLISHED)
tclsh 6288 sguil 22u IPv4 395907 0t0 TCP 172.16.2.131:7736->172.16.2.133:57999 (ESTABLISHED)
tclsh 6288 sguil 23u IPv4 389861 0t0 TCP 172.16.2.131:7736->172.16.2.133:58002 (ESTABLISHED)
tclsh 6288 sguil 24u IPv4 389862 0t0 TCP 172.16.2.131:7736->172.16.2.133:58003 (ESTABLISHED)
tclsh 6288 sguil 25u IPv4 400888 0t0 TCP 172.16.2.131:7736->172.16.2.133:58004 (ESTABLISHED)
tclsh 6288 sguil 26u IPv4 389863 0t0 TCP 172.16.2.131:7736->172.16.2.133:58000 (ESTABLISHED)
tclsh 6288 sguil 27u IPv4 389880 0t0 TCP 172.16.2.131:7736->172.16.2.134:37806 (ESTABLISHED)
tclsh 6288 sguil 28u IPv4 389884 0t0 TCP 172.16.2.131:7736->172.16.2.133:58005 (ESTABLISHED)
tclsh 6288 sguil 29u IPv4 379843 0t0 TCP 172.16.2.131:7736->172.16.2.134:37807 (ESTABLISHED)
tclsh 6288 sguil 30u IPv4 405713 0t0 TCP 172.16.2.131:7736->172.16.2.134:37808 (ESTABLISHED)
tclsh 6288 sguil 31u IPv4 389885 0t0 TCP 172.16.2.131:7736->172.16.2.133:58006 (ESTABLISHED)
tclsh 6288 sguil 32u IPv4 405714 0t0 TCP 172.16.2.131:7736->172.16.2.133:58007 (ESTABLISHED)
tclsh 6288 sguil 33u IPv4 389886 0t0 TCP 172.16.2.131:7736->172.16.2.133:58008 (ESTABLISHED)
tclsh 6288 sguil 34u IPv4 389887 0t0 TCP 172.16.2.131:7736->172.16.2.134:37809 (ESTABLISHED)
tclsh 6288 sguil 35u IPv4 379844 0t0 TCP 172.16.2.131:7736->172.16.2.134:37810 (ESTABLISHED)
tclsh 6288 sguil 36u IPv4 400889 0t0 TCP 172.16.2.131:7736->172.16.2.133:58009 (ESTABLISHED)
tclsh 6288 sguil 37u IPv4 389888 0t0 TCP 172.16.2.131:7736->172.16.2.133:58010 (ESTABLISHED)
tclsh 6288 sguil 38u IPv4 393005 0t0 TCP 172.16.2.131:7736->172.16.2.133:58011 (ESTABLISHED)
tclsh 6288 sguil 39u IPv4 393006 0t0 TCP 172.16.2.131:7736->172.16.2.134:37811 (ESTABLISHED)
tclsh 6288 sguil 40u IPv4 395937 0t0 TCP 172.16.2.131:7736->172.16.2.133:58012 (ESTABLISHED)
tclsh 6288 sguil 41u IPv4 389889 0t0 TCP 172.16.2.131:7736->172.16.2.133:58013 (ESTABLISHED)
tclsh 6288 sguil 42u IPv4 395939 0t0 TCP 172.16.2.131:7736->172.16.2.132:58530 (ESTABLISHED)
tclsh 6288 sguil 43u IPv4 400907 0t0 TCP 172.16.2.131:7736->172.16.2.134:37812 (ESTABLISHED)
tclsh 6288 sguil 44u IPv4 389891 0t0 TCP 172.16.2.131:7736->172.16.2.132:58532 (ESTABLISHED)
tclsh 6288 sguil 45u IPv4 395940 0t0 TCP 172.16.2.131:7736->172.16.2.134:37813 (ESTABLISHED)
tclsh 6288 sguil 46u IPv4 389892 0t0 TCP 172.16.2.131:7736->172.16.2.134:37814 (ESTABLISHED)
tclsh 6288 sguil 47u IPv4 400908 0t0 TCP 172.16.2.131:7736->172.16.2.132:58531 (ESTABLISHED)
tclsh 6288 sguil 48u IPv4 405719 0t0 TCP 172.16.2.131:7736->172.16.2.132:58533 (ESTABLISHED)
tclsh 6288 sguil 49u IPv4 389893 0t0 TCP 172.16.2.131:7736->172.16.2.132:58535 (ESTABLISHED)
tclsh 6288 sguil 50u IPv4 400909 0t0 TCP 172.16.2.131:7736->172.16.2.132:58534 (ESTABLISHED)
tclsh 6288 sguil 51u IPv4 389894 0t0 TCP 172.16.2.131:7736->172.16.2.132:58537 (ESTABLISHED)
tclsh 6288 sguil 52u IPv4 400910 0t0 TCP 172.16.2.131:7736->172.16.2.134:37815 (ESTABLISHED)
tclsh 6288 sguil 53u IPv4 389895 0t0 TCP 172.16.2.131:7736->172.16.2.132:58538 (ESTABLISHED)
tclsh 6288 sguil 54u IPv4 405722 0t0 TCP 172.16.2.131:7736->172.16.2.132:58539 (ESTABLISHED)
tclsh 6288 sguil 55u IPv4 389896 0t0 TCP 172.16.2.131:7736->172.16.2.132:58540 (ESTABLISHED)
tclsh 6288 sguil 56u IPv4 398694 0t0 TCP 172.16.2.131:7736->172.16.2.132:58541 (ESTABLISHED)
tclsh 6288 sguil 57u IPv4 393983 0t0 TCP 172.16.2.131:7736->172.16.2.134:37816 (ESTABLISHED)
tclsh 6288 sguil 58u IPv4 393984 0t0 TCP 172.16.2.131:7736->172.16.2.132:58542 (ESTABLISHED)
tclsh 6288 sguil 59u IPv4 405736 0t0 TCP 172.16.2.131:7736->172.16.2.132:58543 (ESTABLISHED)
tclsh 6288 sguil 60u IPv4 395969 0t0 TCP 172.16.2.131:7736->172.16.2.134:37817 (ESTABLISHED)
tclsh 6288 sguil 61u IPv4 393987 0t0 TCP 172.16.2.131:7736->172.16.2.134:37818 (ESTABLISHED)
tclsh 6288 sguil 62u IPv4 405737 0t0 TCP 172.16.2.131:7736->172.16.2.134:37819 (ESTABLISHED)
tclsh 6288 sguil 63u IPv4 395977 0t0 TCP 172.16.2.131:7736->172.16.2.134:37821 (ESTABLISHED)
tclsh 6288 sguil 64u IPv4 393988 0t0 TCP 172.16.2.131:7736->172.16.2.132:58544 (ESTABLISHED)
tclsh 6288 sguil 65u IPv4 393989 0t0 TCP 172.16.2.131:7736->172.16.2.134:37820 (ESTABLISHED)
tclsh 6288 sguil 66u IPv4 393990 0t0 TCP 172.16.2.131:7736->172.16.2.134:37822 (ESTABLISHED)
tclsh 6288 sguil 67u IPv4 405743 0t0 TCP 172.16.2.131:7736->172.16.2.134:37823 (ESTABLISHED)
tclsh 6288 sguil 68u IPv4 393991 0t0 TCP 172.16.2.131:7736->172.16.2.134:37824 (ESTABLISHED)
tclsh 6288 sguil 69u IPv4 393992 0t0 TCP 172.16.2.131:7736->172.16.2.134:37825 (ESTABLISHED)
tclsh 6288 sguil 70u IPv4 405744 0t0 TCP 172.16.2.131:7736->172.16.2.134:37826 (ESTABLISHED)
tclsh 6288 sguil 71u IPv4 393993 0t0 TCP 172.16.2.131:7736->172.16.2.134:37827 (ESTABLISHED)
tclsh 6288 sguil 72u IPv4 400947 0t0 TCP 172.16.2.131:7736->172.16.2.134:37828 (ESTABLISHED)
tclsh 6288 sguil 73u IPv4 394001 0t0 TCP 172.16.2.131:7736->172.16.2.134:37829 (ESTABLISHED)
tclsh 6288 sguil 74u IPv4 389940 0t0 TCP 172.16.2.131:7736->172.16.2.134:37830 (ESTABLISHED)
tclsh 6288 sguil 75u IPv4 409659 0t0 TCP 172.16.2.131:7736->172.16.2.135:59388 (ESTABLISHED)
tclsh 6288 sguil 76u IPv4 389949 0t0 TCP 172.16.2.131:7736->172.16.2.135:34299 (ESTABLISHED)
tclsh 6288 sguil 77u IPv4 414796 0t0 TCP 172.16.2.131:7736->172.16.2.135:49227 (ESTABLISHED)
tclsh 6288 sguil 78u IPv4 413918 0t0 TCP 172.16.2.131:7736->172.16.2.135:44566 (ESTABLISHED)
tclsh 6288 sguil 79u IPv4 411957 0t0 TCP 172.16.2.131:7736->172.16.2.135:48358 (ESTABLISHED)
tclsh 6288 sguil 80u IPv4 413927 0t0 TCP 172.16.2.131:7736->172.16.2.135:56371 (ESTABLISHED)
tclsh 6288 sguil 81u IPv4 413928 0t0 TCP 172.16.2.131:7736->172.16.2.135:33913 (ESTABLISHED)
tclsh 6288 sguil 82u IPv4 413929 0t0 TCP 172.16.2.131:7736->172.16.2.135:33450 (ESTABLISHED)
tclsh 6288 sguil 83u IPv4 413933 0t0 TCP 172.16.2.131:7736->172.16.2.135:50352 (ESTABLISHED)
tclsh 6288 sguil 84u IPv4 413934 0t0 TCP 172.16.2.131:7736->172.16.2.134:37831 (ESTABLISHED)
sshd 6330 root 3r IPv4 29999 0t0 TCP 172.16.2.131:22->172.16.1.63:3880 (ESTABLISHED)
sshd 6369 secids 3u IPv4 29999 0t0 TCP 172.16.2.131:22->172.16.1.63:3880 (ESTABLISHED)
/usr/sbin 9254 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 9254 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9254 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9258 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 9258 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9258 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12810 www-data 5u IPv6 404581 0t0 TCP *:443 (LISTEN)
/usr/sbin 12810 www-data 7u IPv6 404585 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12810 www-data 9u IPv6 404591 0t0 TCP *:3154 (LISTEN)
tclsh 23716 sguil 3u IPv4 379842 0t0 TCP 127.0.0.1:54044->127.0.0.1:7736 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Wed Apr 20 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 12 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
Rules tarball download of snortrules-snapshot-2980.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Rules tarball download of community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2980.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 12834 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 288 flowbits
Enabled 2 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------93
Deleted:---31
Enabled Rules:----14787
Dropped Rules:----0
Disabled Rules:---36029
Total Rules:------50816
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.02 0.18 0.28
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 21:33:52 up 3:24, 2 users, load average: 0.02, 0.18, 0.28
Tasks: 301 total, 1 running, 298 sleeping, 2 stopped, 0 zombie
%Cpu(s): 2.2 us, 0.3 sy, 0.0 ni, 97.0 id, 0.4 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 13200428+total, 58679960 used, 73324328 free, 196120 buffers
KiB Swap: 49998844 total, 0 used, 49998844 free. 45628616 cached Mem

%CPU %MEM COMMAND
28.4 7.1 /usr/sbin/mysqld
1.6 0.1 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/se
0.9 0.0 cat node.log
0.8 0.0 /usr/bin/python3 /usr/share/oneconf/oneconf-service
0.4 0.0 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.2 0.2 /usr/bin/searchd --nodetach
0.2 0.0 /usr/bin/python /usr/bin/salt-master
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 [kworker/0:2]
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/u:0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/4]
0.0 0.0 [kworker/4:0]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/5]
0.0 0.0 [kworker/5:0]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/6]
0.0 0.0 [kworker/6:0]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/7]
0.0 0.0 [kworker/7:0]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/8]
0.0 0.0 [kworker/8:0]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/9]
0.0 0.0 [kworker/9:0]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/10]
0.0 0.0 [kworker/10:0]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/11]
0.0 0.0 [kworker/11:0]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/12]
0.0 0.0 [kworker/12:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/13]
0.0 0.0 [kworker/13:0]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/14]
0.0 0.0 [kworker/14:0]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [watchdog/15]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/10:1]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/15:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/12:1]
0.0 0.0 [devfreq_wq]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [fc_exch_workque]
0.0 0.0 [fc_rport_eq]
0.0 0.0 [fnic_event_wq]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_wq_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_wq_2]
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [edac-poller]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kworker/15:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 rpcbind
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sdb5-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sdb1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: running [COIDSSNORT1.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 cron
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 lightdm
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 supervising syslog-ng
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 critical-stack-intel --debug pull --loop
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-maild
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [flush-8:0]
0.0 0.0 [flush-8:16]
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-remoted
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 sendmail: MTA: accepting connections
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 sshd: idssensor4 [priv]
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 sshd: idssensor4
0.0 0.0 sshd: idssensor2 [priv]
0.0 0.0 sshd: idssensor2
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-sound/indicator-sound-service
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-AO1jGkctkX
0.0 0.0 upstart-event-bridge
0.0 0.0 /usr/bin/ibus-daemon --daemonize --xim
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /usr/lib/ibus/ibus-dconf
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 /usr/lib/ibus/ibus-ui-gtk3
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/ibus/ibus-x11 --kill-daemon
0.0 0.0 /usr/lib/ibus/ibus-engine-simple
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 xfwm4 --replace
0.0 0.0 xfce4-panel
0.0 0.0 Thunar --daemon
0.0 0.0 xfdesktop
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 update-notifier
0.0 0.0 light-locker
0.0 0.0 xscreensaver -no-splash
0.0 0.0 xfce4-power-manager
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 xfce4-volumed
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 nm-applet
0.0 0.0 xfsettingsd
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582952 systray Notification Area Area wh
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582953 indicator Indicator Plug
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libdatetime.so 7 12582954 datetime DateTime Date and Time
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 9 12582960 actions Action Buttons Log out, l
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 12582967 thunar-tpa Trash Applet Displ
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 sshd: secids [priv]
0.0 0.0 sshd: secids
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-sound/indicator-sound-service
0.0 0.0 sshd: idssensor3 [priv]
0.0 0.0 sshd: idssensor3
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/bin/X -core :1 -seat seat0 -auth /var/run/lightdm/root/:1 -nolisten tcp vt8 -novtswitch
0.0 0.0 lightdm --session-child 17 22
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/104/gvfs -f -o big_writes
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 lightdm --session-child 13 22
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-sound/indicator-sound-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/1:2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 su - sguil -- /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /et
0.0 0.0 sshd: secids [priv]
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/se
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/se
0.0 0.0 sshd: secids@pts/16
0.0 0.0 -bash
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/u:2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 sudo cat node.log
0.0 0.0 [kworker/4:2]
0.0 0.0 sudo sostat
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 su - sguil -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/0:1]

=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 101820 |
+----------+

=========================================================================
Sguil events summary for yesterday
=========================================================================
+--------+-------------+-----------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+-----------------------------------------------------------------------------------+
| 547 | 3:38330 | MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt |
| 356 | 120:11 | http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA |
| 58 | 120:4 | http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE |
| 48 | 1:2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected |
| 24 | 1:2012966 | ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt |
| 24 | 1:2013222 | ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt |
| 24 | 1:2000418 | ET POLICY Executable and linking format (ELF) file download |
| 20 | 133:27 | dcerpc2: Connection-oriented DCE/RPC - Invalid major version |
| 11 | 1:2018959 | ET POLICY PE EXE or DLL Windows file download HTTP |
| 6 | 1:2022603 | ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 8 |
| 5 | 129:16 | stream5: FIN number is greater than prior FIN |
| 5 | 140:3 | sip: URI is too long |
| 1 | 140:2 | sip: Empty request URI |
+--------+-------------+-----------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 1129 |
+-------+

=========================================================================
Top 50 All time Sguil Events
=========================================================================
+---------+-------------+----------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+---------+-------------+----------------------------------------------------------------------------------------------+
| 6805352 | 123:12 | frag3: Number of overlapping fragments exceed configured limit |
| 2665165 | 3:19187 | PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt |
| 1768476 | 123:13 | frag3: Fragments smaller than configured min_fragment_length |
| 598724 | 3:31738 | PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected |
| 537000 | 3:30881 | MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt |
| 69555 | 1:2013049 | ET WEB_SERVER Binget PHP Library User Agent Inbound |
| 55817 | 3:21355 | PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid |
| 55774 | 1:2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected |
| 43689 | 133:27 | dcerpc2: Connection-oriented DCE/RPC - Invalid major version |
| 33900 | 119:34 | http_inspect: TOO MANY PIPELINED REQUESTS |
| 25655 | 1:2001564 | ET MALWARE MarketScore.com Spyware Proxied Traffic |
| 25610 | 1:2020630 | ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) |
| 22904 | 124:2 | smtp: Attempted data header buffer overflow |
| 21323 | 119:20 | http_inspect: MAX HEADERS |
| 20903 | 120:10 | http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED |
| 20859 | 119:28 | http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS |
| 20735 | 140:27 | sip: Maximum dialogs in a session reached |
| 20557 | 1:2017918 | ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02 |
| 20096 | 124:3 | smtp: Attempted response buffer overflow |
| 17639 | 123:5 | frag3: Zero-byte fragment |
| 16879 | 1:36535 | EXPLOIT-KIT Neutrino exploit kit landing page detected |
| 16777 | 1:2013222 | ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt |
| 15811 | 1:2016977 | ET WEB_SERVER allow_url_include PHP config option in uri |
| 15742 | 1:2016980 | ET WEB_SERVER disable_functions PHP config option in uri |
| 15740 | 1:2016978 | ET WEB_SERVER safe_mode PHP config option in uri |
| 15737 | 1:2016979 | ET WEB_SERVER suhosin.simulation PHP config option in uri |
| 14721 | 1:2016981 | ET WEB_SERVER open_basedir PHP config option in uri |
| 13089 | 1:2001562 | ET MALWARE MarketScore.com Spyware User Configuration and Setup Access User-Agent (OSSProxy) |
| 12129 | 1:2012230 | ET WEB_SERVER Likely Malicious Request for /proc/self/environ |
| 11900 | 1:2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String |
| 11606 | 120:11 | http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA |
| 10985 | 124:10 | smtp: Base64 Decoding failed |
| 7878 | 1:2008517 | ET EXPLOIT SQL sp_configure - configuration change |
| 7689 | 3:13835 | OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt |
| 7234 | 1:2019416 | ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack |
| 6878 | 1:2019415 | ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack |
| 5808 | 128:1 | ssh: Gobbles exploit |
| 5793 | 120:9 | http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1 |
| 5605 | 1:2018372 | ET CURRENT_EVENTS Malformed HeartBeat Request |
| 5199 | 1:2016184 | ET WEB_SERVER ColdFusion administrator access |
| 5072 | 1:2009714 | ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt |
| 5054 | 1:2020702 | ET DOS Bittorrent User-Agent inbound - possible DDOS |
| 4740 | 3:15912 | OS-WINDOWS TCP window closed before receiving data |
| 4644 | 120:4 | http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE |
| 4368 | 1:2016982 | ET WEB_SERVER auto_prepend_file PHP config option in uri |
| 4337 | 1:2011124 | ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) |
| 4268 | 1:22063 | SERVER-WEBAPP PHP-CGI remote file include attempt |
| 3903 | 123:4 | frag3: Fragment packet ends after defragmented packet |
| 3604 | 1:2018959 | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3594 | 1:2013053 | ET WEB_SERVER PyCurl Suspicious User Agent Inbound |
+---------+-------------+----------------------------------------------------------------------------------------------+
+----------+
| Total |
+----------+
| 13218187 |
+----------+

=========================================================================
Last update
=========================================================================

Start-Date: 2016-04-18 14:44:16
Commandline: apt-get -y dist-upgrade
Upgrade: python-samba:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), python-tdb:amd64 (1.2.12-1, 1.3.8-0ubuntu0.14.04.1), libtevent0:amd64 (0.9.19-1, 0.9.26-0ubuntu0.14.04.1), samba-common-bin:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libldb1:amd64 (1.1.16-1ubuntu0.1, 1.1.24-0ubuntu0.14.04.1), libtdb1:amd64 (1.2.12-1, 1.3.8-0ubuntu0.14.04.1), samba-libs:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), smbclient:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libtalloc2:amd64 (2.1.0-1, 2.1.5-0ubuntu0.14.04.1), python-talloc:amd64 (2.1.0-1, 2.1.5-0ubuntu0.14.04.1), libwbclient0:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), python-ldb:amd64 (1.1.16-1ubuntu0.1, 1.1.24-0ubuntu0.14.04.1), samba-common:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2), libsmbclient:amd64 (4.1.6+dfsg-1ubuntu2.14.04.13, 4.3.8+dfsg-0ubuntu0.14.04.2)
End-Date: 2016-04-18 14:44:26

Start-Date: 2016-04-20 15:17:15
Commandline: apt-get -y dist-upgrade
Upgrade: apt:amd64 (1.0.1ubuntu2.12, 1.0.1ubuntu2.13), apt-transport-https:amd64 (1.0.1ubuntu2.12, 1.0.1ubuntu2.13), firefox-locale-en:amd64 (45.0.1+build1-0ubuntu0.14.04.2, 45.0.2+build1-0ubuntu0.14.04.1), apt-utils:amd64 (1.0.1ubuntu2.12, 1.0.1ubuntu2.13), firefox:amd64 (45.0.1+build1-0ubuntu0.14.04.2, 45.0.2+build1-0ubuntu0.14.04.1), libapt-inst1.5:amd64 (1.0.1ubuntu2.12, 1.0.1ubuntu2.13), libsnmp-base:amd64 (5.7.2~dfsg-8.1ubuntu3.1, 5.7.2~dfsg-8.1ubuntu3.2), libapt-pkg4.12:amd64 (1.0.1ubuntu2.12, 1.0.1ubuntu2.13), linux-firmware:amd64 (1.127.20, 1.127.22), snmp:amd64 (5.7.2~dfsg-8.1ubuntu3.1, 5.7.2~dfsg-8.1ubuntu3.2), firefox-globalmenu:amd64 (45.0.1+build1-0ubuntu0.14.04.2, 45.0.2+build1-0ubuntu0.14.04.1), libsnmp30:amd64 (5.7.2~dfsg-8.1ubuntu3.1, 5.7.2~dfsg-8.1ubuntu3.2)
End-Date: 2016-04-20 15:17:30

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1694 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1703 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1654 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1828 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
43G /nsm/elsa/data
16M /var/lib/mysql/syslog
57M /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
+---------------------+---------------------+
| MIN(start) | MAX(end) |
+---------------------+---------------------+
| 2014-04-29 15:59:35 | 2016-04-20 21:33:09 |
+---------------------+---------------------+

ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 COIDSSNORT5 172.16.2.135
50002 COIDSSNORT3 172.16.2.133
50003 COIDSSNORT4 172.16.2.134
50004 COIDSSNORT2 172.16.2.132

Any assistance would be greatly appreciated!

Doug

Doug Burks

Apr 20, 2016, 6:11:11 PM
to securit...@googlegroups.com
Hi Doug,

I don't remember seeing this issue before. Are you sure you followed
all steps in the Upgrade guide?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrading-from-12.04-to-14.04

You might want to install a fresh copy of Security Onion 14.04 in a VM
and then compare the Apache configuration to your upgraded box to look
for any differences.



--
Doug Burks
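As an added example for this thread (not part of either message, and not Security Onion's own tooling): a small POSIX sh script that does the two things the symptom and the reply point at. The poster's "Error reading from remote server" for GET /elsa-query/ is Apache's mod_proxy saying the backend it forwards to did not answer, so the script pulls every ProxyPass target out of a vhost file and optionally probes each backend with the same `nc -z` test sostat uses for syslog-ng, MySQL and Sphinx; it also normalises and diffs a directory of Apache configs against a reference copy taken from a fresh 14.04 install, as the reply suggests. The sample vhost it builds is constructed, and its backend target 127.0.0.1:3154 is an assumption taken from the firewall rule the poster added, so compare it with the real file under /etc/apache2/sites-enabled/ rather than trusting the example.

```shell
#!/bin/sh
# Added example for this thread, not Security Onion's own tooling.
# Assumptions: Apache fronts ELSA with mod_proxy ProxyPass directives, and the
# backend in the constructed sample below (127.0.0.1:3154) is assumed from the
# firewall rule the poster added; check your real vhost file.
set -u

# Print "path target" for each ProxyPass directive in an Apache config file.
# Comments are stripped first so a commented-out directive is not reported.
# (The one-argument ProxyPass form used inside <Location> blocks is not handled.)
proxy_targets() {
    sed -e 's/#.*//' "$1" | awk '$1 == "ProxyPass" && NF >= 3 { print $2, $3 }'
}

# Split a backend URL such as http://127.0.0.1:3154/elsa-query/ into "host port",
# defaulting the port from the scheme when the URL does not carry one.
backend_hostport() {
    url=$1
    scheme=${url%%://*}
    hostport=${url#*://}
    hostport=${hostport%%/*}
    case "$hostport" in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport
             if [ "$scheme" = "https" ]; then port=443; else port=80; fi ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# The same connect test sostat runs for syslog-ng/MySQL/Sphinx, applied to the
# proxy backend. A refused or timed-out connect here is what Apache reports to
# the browser as "Error reading from remote server".
check_backend() {
    nc -z -w 3 "$1" "$2"
}

# Strip comments, blank lines and whitespace noise so that diff shows only the
# directives that actually differ between a fresh install and the upgraded box.
normalize_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e '/^$/d' "$1"
}

# Compare every file in a reference config dir (e.g. sites-enabled copied from a
# fresh 14.04 VM) against the same-named file on this box. Returns 1 on any
# difference or missing file; ordering is kept because it matters to Apache.
diff_conf_dirs() {
    ref=$1; cur=$2; rc=0; scratch=$(mktemp -d)
    for f in "$ref"/*; do
        name=$(basename "$f")
        if [ ! -f "$cur/$name" ]; then
            echo "MISSING on upgraded box: $name"; rc=1; continue
        fi
        normalize_conf "$f" > "$scratch/ref"
        normalize_conf "$cur/$name" > "$scratch/cur"
        diff -u "$scratch/ref" "$scratch/cur" > "$scratch/out" || {
            echo "DIFFERS: $name"; cat "$scratch/out"; rc=1; }
    done
    rm -rf "$scratch"
    return "$rc"
}

# --- Constructed sample input (not the poster's real config) ---
demo=$(mktemp -d)
cat > "$demo/elsa-proxy.conf" <<'EOF'
# Hypothetical vhost fragment in the shape of an Apache reverse proxy for ELSA
<IfModule mod_proxy.c>
    ProxyPass        /elsa-query/  http://127.0.0.1:3154/elsa-query/
    ProxyPassReverse /elsa-query/  http://127.0.0.1:3154/elsa-query/
    # ProxyPass /old/ http://127.0.0.1:9999/   <- commented out, must be ignored
</IfModule>
EOF

# Usage: ./elsa-proxy-check.sh [/etc/apache2/sites-enabled/your.conf]
# Set CHECK_BACKEND=1 to also probe each backend with nc, as sostat does.
conf=${1:-$demo/elsa-proxy.conf}
proxy_targets "$conf" | while read -r path target; do
    set -- $(backend_hostport "$target")
    printf '%s -> %s (backend %s port %s)\n' "$path" "$target" "$1" "$2"
    if [ -n "${CHECK_BACKEND:-}" ]; then
        check_backend "$1" "$2" && echo "  backend accepting connections" \
            || echo "  backend NOT listening: Apache would answer with the proxy error"
    fi
done
rm -rf "$demo"
```

Run it against the real vhost with `CHECK_BACKEND=1` to see whether the backend behind /elsa-query/ is listening at all; if it is not, the Apache side is fine and the ELSA web process is what to chase. For the comparison the reply suggests, copy /etc/apache2/sites-enabled from the fresh VM and call `diff_conf_dirs /path/to/fresh-sites-enabled /etc/apache2/sites-enabled`; also check that `apache2ctl -M` still lists proxy_module and proxy_http_module, since a dist-upgrade that replaced Apache 2.2 with 2.4 can leave a module unenabled even when the ProxyPass line survived.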