SO stopped collecting data more than PADS


Pentolino

May 13, 2014, 12:49:23 PM
to securit...@googlegroups.com
Hi all,
Security Onion stopped collecting data other than the "PADS" signature (Changed assets, new assets).

It is not the first time this has happened, but the previous times I decided to recreate the machine from scratch.
As in the previous cases, Security Onion works like a charm for 1-2 months and then "stops working", as it normally does.
Reboots and updates don't affect the machine or solve the problem in any way.

Thanks for your assistance!


=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager x.x.x.x running 4802 3 13 May 15:49:18
proxy proxy x.x.x.x running 4972 3 13 May 15:49:22
x.x.x.x-1 worker x.x.x.x running 5303 2 13 May 15:49:26
x.x.x.x-2 worker x.x.x.x running 5304 2 13 May 15:49:26
Status: x.x.x.x
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr x.x.x.x
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:87362 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47685672 (47.6 MB) TX bytes:0 (0.0 B)
Interrupt:16 Memory:f8000000-f8012800

eth1 Link encap:Ethernet HWaddr x.x.x.x
inet addr:x.x.x.x Bcast:x.x.x.x Mask:x.x.x.x
inet6 addr: x.x.x.x Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3868 errors:0 dropped:0 overruns:0 frame:0
TX packets:558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:310555 (310.5 KB) TX bytes:324411 (324.4 KB)
Interrupt:17 Memory:fa000000-fa012800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1735 errors:0 dropped:0 overruns:0 frame:0
TX packets:1735 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2312514 (2.3 MB) TX bytes:2312514 (2.3 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
2319040 1737 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2319040 1737 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether x.x.x.x brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
47685672 87362 0 0 0 1363
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether x.x.x.x brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
310555 3868 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
324411 558 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/cciss/c0d1p5 120G 45G 70G 39% /
udev 5.9G 4.0K 5.9G 1% /dev
tmpfs 1.2G 808K 1.2G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 5.9G 0 5.9G 0% /run/shm
/dev/cciss/c0d0p1 673G 556G 84G 87% /nsm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 986 root 8u IPv6 8916 0t0 TCP [::1]:631 (LISTEN)
cupsd 986 root 9u IPv4 8917 0t0 TCP 127.0.0.1:631 (LISTEN)
avahi-dae 990 avahi 12u IPv4 7853 0t0 UDP *:5353
avahi-dae 990 avahi 13u IPv6 7854 0t0 UDP *:5353
avahi-dae 990 avahi 14u IPv4 7855 0t0 UDP *:59487
avahi-dae 990 avahi 15u IPv6 7856 0t0 UDP *:34632
sshd 1237 root 3r IPv4 2026 0t0 TCP *:22 (LISTEN)
sshd 1237 root 4u IPv6 2028 0t0 TCP *:22 (LISTEN)
syslog-ng 1419 root 9u IPv4 10331 0t0 TCP *:514 (LISTEN)
syslog-ng 1419 root 10u IPv4 10332 0t0 UDP *:514
mysqld 1447 mysql 10u IPv4 11483 0t0 TCP 127.0.0.1:3306 (LISTEN)
searchd 1590 sphinxsearch 7u IPv4 10370 0t0 TCP *:9306 (LISTEN)
searchd 1590 sphinxsearch 8u IPv4 10371 0t0 TCP *:9312 (LISTEN)
ossec-csy 1592 ossecm 5u IPv4 9717 0t0 UDP 127.0.0.1:58863->127.0.0.1:514
redis-ser 1758 redis 4u IPv4 11538 0t0 TCP 127.0.0.1:6379 (LISTEN)
xrdp 1830 xrdp 6u IPv4 12774 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 1835 root 6u IPv4 12759 0t0 TCP 127.0.0.1:3350 (LISTEN)
/usr/sbin 2053 root 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2053 root 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2053 root 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2053 root 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 2108 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2108 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2108 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2108 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 2109 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2109 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2109 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2109 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 2110 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2110 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2110 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2110 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 2111 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2111 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2111 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2111 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 2112 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 2112 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2112 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2112 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 4435 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 4435 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4435 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4435 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
bro 4802 root 4u IPv4 21640 0t0 UDP x.x.x.x:34732->x.x.x.x:53
bro 4820 root 0u IPv4 19068 0t0 TCP *:47761 (LISTEN)
bro 4820 root 1u IPv6 19069 0t0 TCP *:47761 (LISTEN)
bro 4820 root 2u IPv4 19801 0t0 TCP x.x.x.x:47761->x.x.x.x:47943 (ESTABLISHED)
bro 4820 root 4u IPv4 21640 0t0 UDP x.x.x.x:34732->x.x.x.x:53
bro 4820 root 19u IPv4 20934 0t0 TCP x.x.x.x:47761->x.x.x.x:47944 (ESTABLISHED)
bro 4820 root 21u IPv4 21841 0t0 TCP x.x.x.x:47761->x.x.x.x:47947 (ESTABLISHED)
bro 4972 root 4u IPv4 19131 0t0 UDP x.x.x.x:36469->x.x.x.x:53
bro 4980 root 0u IPv4 21713 0t0 TCP x.x.x.x:47943->x.x.x.x:47761 (ESTABLISHED)
bro 4980 root 1u IPv4 21716 0t0 TCP *:47762 (LISTEN)
bro 4980 root 2u IPv6 21717 0t0 TCP *:47762 (LISTEN)
bro 4980 root 4u IPv4 19131 0t0 UDP x.x.x.x:36469->x.x.x.x:53
bro 4980 root 19u IPv4 19261 0t0 TCP x.x.x.x:47762->x.x.x.x:52556 (ESTABLISHED)
bro 4980 root 21u IPv4 21838 0t0 TCP x.x.x.x:47762->x.x.x.x:52557 (ESTABLISHED)
bro 5303 root 4u IPv4 20926 0t0 UDP x.x.x.x:33908->x.x.x.x:53
bro 5304 root 4u IPv4 19872 0t0 UDP x.x.x.x:41283->x.x.x.x:53
bro 5308 root 0u IPv4 21821 0t0 TCP x.x.x.x:47944->x.x.x.x:47761 (ESTABLISHED)
bro 5308 root 1u IPv4 21824 0t0 TCP x.x.x.x:52556->x.x.x.x:47762 (ESTABLISHED)
bro 5308 root 2u IPv4 21827 0t0 TCP *:47764 (LISTEN)
bro 5308 root 4u IPv4 19872 0t0 UDP x.x.x.x:41283->x.x.x.x:53
bro 5308 root 20u IPv6 21828 0t0 TCP *:47764 (LISTEN)
bro 5344 root 0u IPv4 21837 0t0 TCP x.x.x.x:52557->x.x.x.x:47762 (ESTABLISHED)
bro 5344 root 1u IPv4 19305 0t0 TCP x.x.x.x:47947->x.x.x.x:47761 (ESTABLISHED)
bro 5344 root 2u IPv4 19308 0t0 TCP *:47763 (LISTEN)
bro 5344 root 4u IPv4 20926 0t0 UDP x.x.x.x:33908->x.x.x.x:53
bro 5344 root 20u IPv6 19309 0t0 TCP *:47763 (LISTEN)
ntpd 5418 ntp 16u IPv4 21856 0t0 UDP *:123
ntpd 5418 ntp 17u IPv6 21857 0t0 UDP *:123
ntpd 5418 ntp 18u IPv4 21863 0t0 UDP 127.0.0.1:123
ntpd 5418 ntp 19u IPv4 21864 0t0 UDP x.x.x.x:123
ntpd 5418 ntp 20u IPv6 21865 0t0 UDP [fe80::21a:4bff:fe51:8372]:123
ntpd 5418 ntp 21u IPv6 21866 0t0 UDP [::1]:123
/usr/sbin 5438 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 5438 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5438 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5438 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
tclsh 5440 root 3u IPv4 21040 0t0 TCP 127.0.0.1:8000 (LISTEN)
tclsh 5440 root 5u IPv4 23609 0t0 TCP 127.0.0.1:8000->127.0.0.1:35417 (ESTABLISHED)
/usr/sbin 5444 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 5444 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5444 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5444 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 5444 www-data 20u IPv4 23396 0t0 TCP x.x.x.x:443->x.x.x.x:63992 (ESTABLISHED)
/usr/sbin 5445 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 5445 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5445 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5445 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
/usr/sbin 5446 www-data 4u IPv4 11599 0t0 TCP *:443 (LISTEN)
/usr/sbin 5446 www-data 5u IPv4 11602 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5446 www-data 6u IPv4 11604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5446 www-data 7u IPv4 10593 0t0 TCP *:444 (LISTEN)
barnyard2 5493 root 3u IPv4 23608 0t0 TCP 127.0.0.1:35417->127.0.0.1:8000 (ESTABLISHED)
sshd 6181 root 3r IPv4 23312 0t0 TCP x.x.x.x:22->x.x.x.x:64838 (ESTABLISHED)
sshd 6316 polynt 3u IPv4 23312 0t0 TCP x.x.x.x:22->x.x.x.x:64838 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Tue May 13 07:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
PulledPork v0.6.1 the Smoking Pig
Copyright (C) 2009-2011 JJ Cummings
Checking latest MD5 for snortrules-snapshot-2956.tar.gz....
Restarting Barnyard2.
Restarting: xxxx
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: xxxx
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
top - 15:50:43 up 2 min, 1 user, load average: 6.65, 2.29, 0.83
Tasks: 176 total, 6 running, 170 sleeping, 0 stopped, 0 zombie
Cpu(s): 26.4%us, 11.8%sy, 1.1%ni, 38.7%id, 21.7%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 12305024k total, 7234088k used, 5070936k free, 48856k buffers
Swap: 21777504k total, 0k used, 21777504k free, 4292308k cached

%CPU %MEM COMMAND
75.8 1.1 suricata --user sguil --group sguil -c /etc/nsm/x.x.x.x/suricat
37.6 0.1 barnyard2 -c /etc/nsm/x.x.x.x/barnyard2.conf -d /nsm/sensor_dat
22.2 1.3 /usr/sbin/mysqld
16.1 0.4 ruby1.9.1 /opt/snorby/vendor/bundle/ruby/1.9.1/bin/rake snorby:update
14.1 0.8 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local
14.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy
13.7 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manag
13.6 0.8 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local
12.4 0.7 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local
12.3 0.7 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local
6.9 0.0 /var/ossec/bin/ossec-syscheckd
6.1 0.9 /usr/sbin/apache2 -k start
5.9 11.3 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/ns
5.5 0.0 -bash
2.8 3.6 /usr/bin/searchd --nodetach
2.4 0.3 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.0 0.9 /usr/sbin/apache2 -k start
1.8 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manag
1.5 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy
1.2 0.0 argus -i eth0 -F /etc/nsm/x.x.x.x/argus.conf -w /nsm/sensor_dat
0.7 0.6 netsniff-ng -i eth0 -o /nsm/sensor_data/x.x.x.x/dailylogs/2014-
0.6 0.0 /sbin/init
0.6 0.0 prads -i eth0 -c /etc/nsm/x.x.x.x/prads.conf -u sguil -g sguil
0.5 0.0 [flush-104:16]
0.3 0.1 /usr/sbin/lightdm-gtk-greeter
0.2 0.0 /var/ossec/bin/ossec-analysisd
0.2 0.0 [kworker/u:0]
0.2 0.1 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtsw
0.2 0.0 sshd: polynt [priv]
0.2 0.0 [jbd2/cciss!c0d1]
0.1 0.0 sudo sostat
0.1 0.1 /usr/sbin/apache2 -k start
0.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.1 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/x.x.x.x/pads_agent.co
0.0 0.0 [migration/1]
0.0 0.0 [kworker/0:1]
0.0 0.0 tclsh /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/aler
0.0 0.0 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/x.x.x.x/http_agent.co
0.0 0.0 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/x.x.x.x/sancp_agent.
0.0 0.0 Passenger spawn server
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [flush-104:0]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/x.x.x.x/snort_agent.
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/x.x.x.x/pcap_agent.co
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/2:2]
0.0 0.0 [kworker/1:1]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/bin/redis-server /etc/redis/redis.conf
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [migration/0]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/1:2]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [migration/2]
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 lightdm
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0]
0.0 0.0 [watchdog/0]
0.0 0.0 [kworker/1:0]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [watchdog/1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [watchdog/3]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [kworker/u:1]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/3:1]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [kworker/u:2]
0.0 0.0 [kworker/u:3]
0.0 0.0 [devfreq_wq]
0.0 0.0 [cciss_scan]
0.0 0.0 [ttm_swap]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/cciss!c0d0]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [flush-251:0]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kpsmoused]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [edac-poller]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 avahi-daemon: running [itscids01.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /bin/sh -e /proc/self/fd/9
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 cron
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nod
0.0 0.0 supervising syslog-ng
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SE
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SE
0.0 0.0 sleep 600
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/ns
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/ns
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p br
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p br
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 tail -n 1 -f /nsm/sensor_data/x.x.x.x/snort.stats
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 cat /nsm/sensor_data/x.x.x.x/pads.fifo
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 su www-data -c cd /opt/snorby; bundle exec rake snorby:update RAILS_EN
0.0 0.0 sh -c cd /opt/snorby; bundle exec rake snorby:update RAILS_ENV=product
0.0 0.0 sshd: polynt@pts/0
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/x.x.x.x/dailylogs/ - 42 days
410G .
11G ./2014-04-02
12G ./2014-04-03
13G ./2014-04-04
2.7G ./2014-04-05
3.5G ./2014-04-06
12G ./2014-04-07
13G ./2014-04-08
11G ./2014-04-09
11G ./2014-04-10
9.2G ./2014-04-11
2.1G ./2014-04-12
1.9G ./2014-04-13
14G ./2014-04-14
11G ./2014-04-15
12G ./2014-04-16
12G ./2014-04-17
11G ./2014-04-18
3.8G ./2014-04-19
3.0G ./2014-04-20
4.0G ./2014-04-21
13G ./2014-04-22
13G ./2014-04-23
13G ./2014-04-24
4.2G ./2014-04-25
1.9G ./2014-04-26
2.1G ./2014-04-27
16G ./2014-04-28
16G ./2014-04-29
21G ./2014-04-30
18G ./2014-05-01
15G ./2014-05-02
8.4G ./2014-05-03
8.9G ./2014-05-04
20G ./2014-05-05
12G ./2014-05-06
14G ./2014-05-07
14G ./2014-05-08
13G ./2014-05-09
2.9G ./2014-05-10
2.9G ./2014-05-11
13G ./2014-05-12
8.8G ./2014-05-13

/nsm/bro/logs/ - 42 days
3.5G .
107M ./2014-04-02
102M ./2014-04-03
169M ./2014-04-04
34M ./2014-04-05
34M ./2014-04-06
159M ./2014-04-07
123M ./2014-04-08
109M ./2014-04-09
103M ./2014-04-10
110M ./2014-04-11
31M ./2014-04-12
36M ./2014-04-13
118M ./2014-04-14
113M ./2014-04-15
100M ./2014-04-16
104M ./2014-04-17
168M ./2014-04-18
31M ./2014-04-19
33M ./2014-04-20
44M ./2014-04-21
110M ./2014-04-22
102M ./2014-04-23
94M ./2014-04-24
43M ./2014-04-25
25M ./2014-04-26
27M ./2014-04-27
115M ./2014-04-28
97M ./2014-04-29
113M ./2014-04-30
37M ./2014-05-01
52M ./2014-05-02
42M ./2014-05-03
41M ./2014-05-04
124M ./2014-05-05
52M ./2014-05-06
108M ./2014-05-07
126M ./2014-05-08
105M ./2014-05-09
42M ./2014-05-10
39M ./2014-05-11
116M ./2014-05-12
84M ./2014-05-13
72K ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

x.x.x.x-1: 1399996244.822287 recvd=34297 dropped=0 link=34297
x.x.x.x-2: 1399996245.022216 recvd=10581 dropped=0 link=10581

=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/x.x.x.x/stats.log
tcp.ssn_memcap_drop | RxPFReth04 | 0
tcp.segment_memcap_drop | RxPFReth04 | 0


=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: exported$)
Total rings : 2

Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 48

/proc/net/pf_ring/5303-eth0.2
Appl. Name : <unknown>
Tot Packets : 34950
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151

/proc/net/pf_ring/5304-eth0.1
Appl. Name : <unknown>
Tot Packets : 10740
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 1965736 |
+----------+

=========================================================================
Sguil events summary for yesterday
=========================================================================
+--------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
| ****MANUALLY REMOVED BY ME!**** |
+--------+-------------------------------------+--------------------------------------------------+
+-------+
| Total |
+-------+
| 144 |
+-------+

=========================================================================
Top 50 All time Sguil Events
=========================================================================
+--------+-------------+----------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+----------------------------------------------------------------------------------------------+
||
| ****MANUALLY REMOVED BY ME!**** |
+--------+-------------------------------------+
+---------+
| Total |
+---------+
| 1965291 |
+---------+

=========================================================================
Top 50 URLs for yesterday
=========================================================================
+--------+-------------------------------------+
| Totals | Signature |
+--------+-------------------------------------+
|
| ****MANUALLY REMOVED BY ME!**** |
+--------+-------------------------------------+
+--------+
| Total |
+--------+
| 271885 |
+--------+

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
+--------+-------------+----------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | SignatureName |
+--------+-------------+----------------------------------------------------------------------------------------------+
|
| ****MANUALLY REMOVED BY ME!**** |
+--------+-------------------------------------+
+---------+
| Total |
+---------+
| 1587496 |
+---------+

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1418 supervising syslog-ng
1419 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1447 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1408 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 568096 May 13 15:52 /nsm/elsa/data/elsa/tmp/buffers/1399996269.28066
-rw-r--r-- 1 root root 773096 May 13 15:51 /nsm/elsa/data/elsa/tmp/buffers/1399996209.21624
-rw-r--r-- 1 root root 185 May 13 15:51 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv

ELSA Directory Sizes:
109G /nsm/elsa/data
40M /var/lib/mysql/syslog
427M /var/lib/mysql/syslog_data

ELSA Index Date Range:
+---------------------+---------------------+
| MIN(start) | MAX(end) |
+---------------------+---------------------+
| 2014-04-17 06:44:05 | 2014-05-13 15:51:08 |
+---------------------+---------------------+

Heine Lysemose

May 13, 2014, 2:33:25 PM
to securit...@googlegroups.com

The previous mail has been answered.

Regards,
Lysemose


Pentolino

May 14, 2014, 4:37:32 AM
to securit...@googlegroups.com
Hi Lysemose,
I don't find your answer.
Could you kindly repeat it here?

thanks!

Shane Castle

May 14, 2014, 8:24:10 AM
to securit...@googlegroups.com
He answered an email you sent about a half-hour before you sent this
one; it had the subject "SO suddenly stop working - not the first time".
Your problem is, you are not bothering to categorize any of the alerts.
This causes startup issues and long delays. An NSM requires regular and
daily care and attention. You *must* read and use the information in the
SO Wiki. Just installing and forgetting will not lead to NSM happiness.

--
Best regards
Shane Castle

On 14.05.2014 10:37, Pentolino wrote:
> On Tuesday, 13 May 2014 20:33:25 UTC+2, Heine Lysemose wrote:
>> Previously mail is answered.
>>
>> Regards,
>>
>> Lysemose
>>
>> On May 13, 2014 6:50 PM, "Pentolino" <alessio.p...@gmail.com> wrote:
>> Security Onion stopped collecting data other than the "PADS" signature (Changed assets, new assets).
>>
>>
>> It is not the first time this has happened, but the previous times I decided to recreate the machine from scratch.
>>
>> As in the previous cases, Security Onion works like a charm for 1-2 months and then "stops working", as it normally does.
>>
>> Reboots and updates don't affect the machine or solve the problem in any way.
>>
>>
>>
>> Thanks for your assistance!
>>
>> =========================================================================
>>
>> Sguil Uncategorized Events
>>
>> =========================================================================
>>
>> +----------+
>>
>> | COUNT(*) |
>>
>> +----------+
>>
>> | 1965736 |
>>
>> +----------+

>

Heine Lysemose

May 14, 2014, 8:54:53 AM
to securit...@googlegroups.com
Shane said it but anyway here is the answer from the other mail...

Hi

First of all, look at the uncategorized Sguil events, https://code.google.com/p/security-onion/wiki/FAQ#What_does_it_mean_if_I_have_a_high_number_of_Sguil_Uncategorized

Second, what is your number of enabled rules? If it's more than 5-6K, try optimizing the rules for your environment.

Regards, 
Lysemose



Pentolino

May 19, 2014, 7:04:40 AM
to securit...@googlegroups.com
Thanks both,
I started cleaning the majority of my events following the TaoSecurity suggestions, but it's all the same: only PADS elements are displayed.

How can I easily "reset" the security onion DB and restart everything without the need of recreating the VM and without affecting configuration files?

Then I would try to keep SO maintained as you suggested.

thanks!

BBCan177

May 19, 2014, 11:42:42 AM
to securit...@googlegroups.com
On Monday, May 19, 2014 7:04:40 AM UTC-4, Pentolino wrote:

> How can I easily "reset" the security onion DB and restart everything without the need of recreating the VM and without affecting configuration files?

Hi Pentolino,

There is a new tool called [ sudo sostat-quick ].

Here is a sample of the text which should help your situation.

If you allowed the uncategorized events to get out of control, you can do the following :

* You can control the uncategorized events by editing /etc/nsm/securityonion.conf and setting DAYSTOKEEP to a smaller number like 7.
* You can also delete anything in the database older than 7 days, which should dramatically lower your uncategorized events in sguild, with the following command: sudo sguil-db-purge.
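As an added example (not code from this thread or from the Security Onion project), here is a Python check over sostat output in the layout posted above: it splits the output on the `====` section headers, reads the Disk Usage table, the Bro netstats lines and the Sguil uncategorized-event count, and flags the conditions the replies point at. The thresholds and the constructed sample (including the invented `dropped=12`) are assumptions.

```python
"""Health check over sostat output (added example; not part of Security Onion).
Flags what the thread discusses: a runaway Sguil uncategorized-event count, a
nearly full /nsm volume and Bro worker packet drops. Section headers and table
layouts follow the posted output; the thresholds are assumptions."""
import re
from typing import Dict, List

# Constructed excerpt in the layout of the posted sostat output; the Bro
# dropped=12 value is invented so that the check has something to report.
SAMPLE_SOSTAT = """\
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/cciss/c0d1p5 120G 45G 70G 39% /
/dev/cciss/c0d0p1 673G 556G 84G 87% /nsm

=========================================================================
Bro netstats
=========================================================================
x.x.x.x-1: 1399996244.822287 recvd=34297 dropped=0 link=34297
x.x.x.x-2: 1399996245.022216 recvd=10581 dropped=12 link=10593

=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 1965736 |
+----------+
"""

# A sostat section is a title line framed by two lines of '=' characters.
SECTION_RE = re.compile(r"^=+\n([^\n]+)\n=+\n", re.MULTILINE)


def split_sections(text: str) -> Dict[str, str]:
    """Map each section title to the text that follows it."""
    hits = list(SECTION_RE.finditer(text))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        out[m.group(1).strip()] = text[m.end():end]
    return out


def uncategorized_events(sections: Dict[str, str]) -> int:
    """COUNT(*) from the MySQL-style box table; 0 if the section is absent."""
    body = sections.get("Sguil Uncategorized Events", "")
    nums = re.findall(r"^\|\s*(\d+)\s*\|$", body, re.MULTILINE)
    return int(nums[0]) if nums else 0


def nsm_usage_percent(sections: Dict[str, str]) -> int:
    """Use% of the filesystem mounted on /nsm, or -1 if it is not listed."""
    for line in sections.get("Disk Usage", "").splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[5] == "/nsm":
            return int(cols[4].rstrip("%"))
    return -1


def bro_drops(sections: Dict[str, str]) -> Dict[str, int]:
    """Dropped-packet count per Bro worker from the netstats lines."""
    pat = re.compile(r"^(\S+):\s+\S+\s+recvd=\d+\s+dropped=(\d+)", re.MULTILINE)
    return {m.group(1): int(m.group(2))
            for m in pat.finditer(sections.get("Bro netstats", ""))}


def health_findings(text: str, max_uncategorized: int = 100000,
                    max_nsm_pct: int = 80) -> List[str]:
    """Return one human-readable finding per threshold that is exceeded."""
    s = split_sections(text)
    findings = []
    n = uncategorized_events(s)
    if n > max_uncategorized:
        findings.append(f"sguil: {n} uncategorized events exceeds {max_uncategorized}; "
                        "categorize them or purge old events (sguil-db-purge / DAYSTOKEEP)")
    pct = nsm_usage_percent(s)
    if pct > max_nsm_pct:
        findings.append(f"disk: /nsm is {pct}% full (threshold {max_nsm_pct}%)")
    for worker, dropped in bro_drops(s).items():
        if dropped:
            findings.append(f"bro: worker {worker} dropped {dropped} packets")
    return findings


if __name__ == "__main__":
    for finding in health_findings(SAMPLE_SOSTAT):
        print("WARN", finding)
```

Feed it the real output with `sudo sostat | python3 check.py` style plumbing by replacing `SAMPLE_SOSTAT` with `sys.stdin.read()`; the three findings it raises on the sample are the same three the replies above call out.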

