Security Onion 20120518 High CPU Load


Samuel Beckett

May 31, 2012, 4:11:30 AM
to security-onion
Hi,

I am experiencing a high CPU load, with a load average of 22, running the
latest version of Security Onion. Re-running the setup script didn't fix the
issue. Please see the output of top below. Any suggestions are highly
welcome.

Thanks,
Samuel

top - 08:02:38 up 22:31, 1 user, load average: 23.03, 23.86, 22.08
Tasks: 240 total, 14 running, 226 sleeping, 0 stopped, 0 zombie
Cpu(s): 29.7%us, 19.7%sy, 1.5%ni, 45.6%id, 0.3%wa, 0.1%hi, 3.1%si, 0.0%st
Mem: 8262192k total, 7997160k used, 265032k free, 7988k buffers
Swap: 9960716k total, 0k used, 9960716k free, 6672808k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
32039 sguil 20 0 381m 284m 3368 S 67 3.5 24:19.02 suricata
19443 root 20 0 52636 45m 9.9m R 52 0.6 41:35.47 bro
19444 root 20 0 61676 54m 9952 R 44 0.7 46:37.48 bro
32152 sguil 20 0 485m 318m 3484 S 43 3.9 25:46.68 suricata
9244 root 30 10 5372 4080 416 R 30 0.0 0:12.17 bzip2
9601 root 20 0 2540 1156 808 R 15 0.0 0:00.34 top
19013 sguil 20 0 6200 4944 4804 R 15 0.1 13:59.71 daemonlogger
19225 sguil 20 0 6200 4940 4804 S 12 0.1 19:54.14 daemonlogger
19032 sguil 20 0 42760 19m 3200 S 11 0.2 16:28.93 argus
1259 mysql 20 0 156m 41m 6868 S 11 0.5 179:50.54 mysqld
19244 sguil 20 0 34828 11m 3200 S 11 0.1 16:46.44 argus
489 sguil 20 0 10756 8576 5180 S 10 0.1 6:20.81 sancp
19190 sguil 20 0 9172 7904 5020 R 10 0.1 10:59.48 pads
18828 root 20 0 11012 6864 3368 S 9 0.1 18:35.34 tclsh
19265 root 20 0 6060 3820 2644 S 7 0.0 4:33.83 tclsh
19385 root 20 0 25844 18m 3440 S 7 0.2 9:13.02 bro
18978 sguil 20 0 7848 6552 5020 R 6 0.1 6:28.80 pads
19496 root 25 5 29292 15m 4560 R 6 0.2 4:56.31 bro
4723 root 30 10 5328 1672 1476 S 5 0.0 0:15.81 bzip2
8948 root 39 19 12192 6000 3032 R 5 0.1 0:03.79 python
19174 sguil 20 0 8380 6188 5180 R 4 0.1 10:38.90 sancp
19342 root 20 0 24560 17m 3448 R 3 0.2 12:40.66 bro
19411 root 25 5 27272 11m 488 S 3 0.1 5:23.64 bro
19361 root 25 5 27288 11m 488 R 2 0.1 5:51.47 bro
19499 root 25 5 29292 15m 4556 R 2 0.2 4:57.37 bro
19206 root 20 0 5784 3576 2636 S 2 0.0 3:17.62 tclsh
5328 nobody 20 0 72240 59m 3088 S 1 0.7 0:22.85 ruby
1 root 20 0 2880 1792 1236 S 0 0.0 0:09.02 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0 0.0 0:02.76 migration/0
4 root 20 0 0 0 0 S 0 0.0 1:18.69 ksoftirqd/0
5 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/0
6 root RT 0 0 0 0 S 0 0.0 0:02.39 migration/1
7 root 20 0 0 0 0 S 0 0.0 0:52.36 ksoftirqd/1
8 root RT 0 0 0 0 S 0 0.0 0:00.03 watchdog/1
9 root RT 0 0 0 0 S 0 0.0 0:02.30 migration/2
10 root 20 0 0 0 0 S 0 0.0 0:35.37 ksoftirqd/2
11 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/2
12 root RT 0 0 0 0 S 0 0.0 0:02.49 migration/3
13 root 20 0 0 0 0 S 0 0.0 0:27.47 ksoftirqd/3
14 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/3
15 root 20 0 0 0 0 S 0 0.0 0:09.48 events/0
16 root 20 0 0 0 0 S 0 0.0 0:07.80 events/1
17 root 20 0 0 0 0 S 0 0.0 0:06.77 events/2
18 root 20 0 0 0 0 S 0 0.0 0:07.30 events/3
19 root 20 0 0 0 0 S 0 0.0 0:00.00 cpuset
20 root 20 0 0 0 0 S 0 0.0 0:00.00 khelper
21 root 20 0 0 0 0 S 0 0.0 0:00.00 netns
22 root 20 0 0 0 0 S 0 0.0 0:00.00 async/mgr
23 root 20 0 0 0 0 S 0 0.0 0:00.00 pm
25 root 20 0 0 0 0 S 0 0.0 0:00.42 sync_supers
26 root 20 0 0 0 0 S 0 0.0 0:00.66 bdi-default
27 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/0
28 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/1
29 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/2
30 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/3
31 root 20 0 0 0 0 S 0 0.0 0:08.35 kblockd/0
32 root 20 0 0 0 0 S 0 0.0 0:04.82 kblockd/1
33 root 20 0 0 0 0 S 0 0.0 0:09.46 kblockd/2
34 root 20 0 0 0 0 S 0 0.0 0:09.08 kblockd/3
35 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpid
36 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpi_notify
37 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpi_hotplug
38 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/0
39 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/1
40 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/2
41 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/3
42 root 20 0 0 0 0 S 0 0.0 0:00.00 ata_aux
43 root 20 0 0 0 0 S 0 0.0 0:00.00 ksuspend_usbd
44 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
45 root 20 0 0 0 0 S 0 0.0 0:00.04 kseriod
46 root 20 0 0 0 0 S 0 0.0 0:00.00 kmmcd
51 root 20 0 0 0 0 S 0 0.0 0:00.97 khungtaskd
52 root 20 0 0 0 0 S 0 0.0 1:53.81 kswapd0
53 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
54 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/0
55 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/1
56 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/2
57 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/3
58 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
59 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/0
60 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/1
61 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/2
62 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/3
66 root 20 0 0 0 0 S 0 0.0 0:00.00 kstriped
67 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/0
68 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/1
69 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/2
70 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/3
71 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
72 root 20 0 0 0 0 S 0 0.0 0:00.00 ksnapd
73 root 20 0 0 0 0 S 0 0.0 0:00.00 kondemand/0
74 root 20 0 0 0 0 S 0 0.0 0:00.00 kondemand/1
75 root 20 0 0 0 0 S 0 0.0 0:00.00 kondemand/2
76 root 20 0 0 0 0 S 0 0.0 0:00.00 kondemand/3
77 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/0
78 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/1
79 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/2
80 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/3
236 root 20 0 0 0 0 S 0 0.0 0:04.53 mpt_poll_0
237 root 20 0 0 0 0 S 0 0.0 0:00.00 mpt/0
240 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
299 root 20 0 0 0 0 S 0 0.0 3:13.70 jbd2/sda1-8
300 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
301 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
302 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
303 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
337 root 20 0 0 0 0 S 0 0.0 8:07.55 flush-8:0
364 root 20 0 2312 920 676 S 0 0.0 0:00.27 upstart-udev-br
366 root 16 -4 2444 860 332 S 0 0.0 0:00.18 udevd
607 root 20 0 0 0 0 S 0 0.0 0:00.00 kpsmoused
672 root 20 0 0 0 0 S 0 0.0 0:17.02 edac-poller
745 root 20 0 5548 2140 1724 S 0 0.0 0:02.50 sshd
756 messageb 20 0 3044 1400 824 S 0 0.0 0:01.90 dbus-daemon
772 avahi 20 0 3032 1608 1312 S 0 0.0 0:01.86 avahi-daemon
774 avahi 20 0 2924 544 320 S 0 0.0 0:00.00 avahi-daemon
830 root 18 -2 2524 904 300 S 0 0.0 0:00.01 udevd
967 root 20 0 18780 3264 2700 S 0 0.0 0:00.51 gdm-binary
1004 root 20 0 20564 3200 2268 S 0 0.0 0:01.55 console-kit-dae
1074 root 20 0 20368 3408 2812 S 0 0.0 0:00.17 gdm-simple-slav
1096 root 20 0 47500 23m 4708 S 0 0.3 0:29.95 Xorg
1112 root 20 0 1788 564 484 S 0 0.0 0:00.00 getty
1116 root 20 0 1788 564 488 S 0 0.0 0:00.00 getty
1124 root 20 0 1788 564 488 S 0 0.0 0:00.00 getty
1125 root 20 0 1788 568 488 S 0 0.0 0:00.00 getty
1129 root 20 0 1788 572 488 S 0 0.0 0:00.00 getty
1139 root 20 0 2824 600 484 S 0 0.0 2:15.27 irqbalance
1142 root 20 0 2044 864 504 S 0 0.0 0:00.03 acpid
1146 daemon 20 0 2244 432 292 S 0 0.0 0:00.02 atd
1610 Debian-e 20 0 6724 964 608 S 0 0.0 0:00.33 exim4
1684 www-data 20 0 40404 6444 2272 S 0 0.1 0:00.60 apache2
1844 ntp 20 0 4420 1376 1032 S 0 0.0 0:37.76 ntpd
1889 root 20 0 6696 2520 1896 S 0 0.0 0:00.08 cupsd
1994 root 20 0 39708 9040 5300 S 0 0.1 0:29.67 apache2
1997 root 20 0 4372 1756 1536 S 0 0.0 0:00.06 PassengerWatchd
2002 root 20 0 16944 2696 2012 S 0 0.0 10:59.75 PassengerHelper
2009 gdm 20 0 3380 776 516 S 0 0.0 0:00.00 dbus-launch
2014 nobody 20 0 9576 3144 2584 S 0 0.0 0:01.70 PassengerLoggin
2020 gdm 20 0 2660 888 624 S 0 0.0 0:00.15 dbus-daemon
2023 gdm 20 0 27280 5924 4836 S 0 0.1 0:00.63 gnome-session
2049 gdm 20 0 6508 3184 2240 S 0 0.0 0:04.78 gconfd-2
2072 gdm 20 0 34168 10m 7996 S 0 0.1 0:30.77 gnome-settings-
2080 www-data 20 0 40316 6568 2312 S 0 0.1 0:03.07 apache2
2082 www-data 20 0 40604 9216 4340 S 0 0.1 0:03.50 apache2
2121 root 20 0 1788 572 488 S 0 0.0 0:00.01 getty
2133 gdm 20 0 6164 2068 1772 S 0 0.0 0:00.06 gvfsd
2134 gdm 20 0 28552 7840 6160 S 0 0.1 0:04.70 metacity
2137 gdm 20 0 3852 1944 1688 S 0 0.0 0:00.06 xfconfd
2140 gdm 20 0 32768 12m 9.8m S 0 0.2 0:49.58 gdm-simple-gree
2141 gdm 20 0 16576 3204 2256 S 0 0.0 0:00.26 xfce4-power-man
2142 root 20 0 7928 2408 2048 S 0 0.0 0:00.06 gdm-session-wor
2146 haldaemo 20 0 16376 3972 3280 S 0 0.0 0:09.23 hald
2152 root 20 0 3532 1276 1084 S 0 0.0 0:00.08 hald-runner
2202 root 20 0 3608 1240 1064 S 0 0.0 0:00.05 hald-addon-inpu
2215 haldaemo 20 0 3416 1184 1008 S 0 0.0 0:00.02 hald-addon-acpi
2463 www-data 20 0 39848 6136 2232 S 0 0.1 0:00.60 apache2
2663 root 20 0 1976 820 684 S 0 0.0 0:00.04 anacron
3223 www-data 20 0 39848 6088 2192 S 0 0.1 0:00.37 apache2
3224 www-data 20 0 39848 6068 2192 S 0 0.1 0:00.44 apache2
3298 root 20 0 1828 528 460 S 0 0.0 0:00.02 sh
3299 root 30 10 1752 512 432 S 0 0.0 0:00.09 run-parts
3346 root 30 10 1828 588 492 S 0 0.0 0:00.18 apt
4036 root 20 0 2372 908 716 S 0 0.0 0:00.15 cron
4700 root 30 10 5664 2148 1672 R 0 0.0 0:03.69 apt-get
4702 root 30 10 5532 1972 1728 S 0 0.0 0:00.14 http
4703 root 30 10 5532 1972 1728 S 0 0.0 0:00.12 http
4704 root 30 10 5532 1980 1728 S 0 0.0 0:00.18 http
4706 root 30 10 5532 1988 1728 S 0 0.0 0:00.17 http
4707 root 30 10 5532 2084 1768 S 0 0.0 0:00.54 http
4709 root 30 10 5532 2088 1768 S 0 0.0 0:05.31 http
4712 root 30 10 5340 1672 1484 S 0 0.0 0:00.14 gpgv
7632 root 18 -2 2524 896 292 S 0 0.0 0:00.01 udevd
7633 root 20 0 0 0 0 S 0 0.0 0:00.00 xfs_mru_cache
7634 root 20 0 0 0 0 S 0 0.0 0:00.00 xfslogd/0
7635 root 20 0 0 0 0 S 0 0.0 0:00.00 xfslogd/1
7636 root 20 0 0 0 0 S 0 0.0 0:00.00 xfslogd/2
7637 root 20 0 0 0 0 S 0 0.0 0:00.00 xfslogd/3
7638 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsdatad/0
7639 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsdatad/1
7640 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsdatad/2
7641 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsdatad/3
7642 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsconvertd/0
7643 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsconvertd/1
7644 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsconvertd/2
7645 root 20 0 0 0 0 S 0 0.0 0:00.00 xfsconvertd/3
7648 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsIO
7649 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsCommit
7650 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsCommit
7651 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsCommit
7652 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsCommit
7653 root 20 0 0 0 0 S 0 0.0 0:00.00 jfsSync
8139 www-data 20 0 40388 8868 4232 S 0 0.1 0:02.14 apache2
8360 root 20 0 4440 1564 1316 S 0 0.0 0:00.22 bash
8627 root 30 10 4448 1552 1292 S 0 0.0 0:00.27 bash
8925 root 39 19 1620 340 284 S 0 0.0 0:00.06 time
8930 root 30 10 3320 812 700 S 0 0.0 0:00.05 grep
9277 root 20 0 4216 1376 1176 S 0 0.0 0:00.12 sostat
9278 root 20 0 10548 2884 2208 S 0 0.0 0:00.16 mail
13995 www-data 20 0 40484 9152 4284 S 0 0.1 0:02.67 apache2
14304 www-data 20 0 40404 6616 2324 S 0 0.1 0:01.88 apache2
14614 [removed] 20 0 23932 2164 1752 S 0 0.0 0:00.13 gnome-keyring-d
14625 root 20 0 6144 3772 2964 S 0 0.0 0:02.20 polkitd
14631 root 20 0 5360 2788 2332 S 0 0.0 0:00.39 udisks-daemon
14634 [removed] 20 0 84664 3344 2536 S 0 0.0 0:00.35 pulseaudio
14636 rtkit 21 1 22904 1228 1036 S 0 0.0 0:02.44 rtkit-daemon
14637 root 20 0 5184 832 564 S 0 0.0 0:00.00 udisks-daemon
15100 syslog 20 0 34412 1400 1064 S 0 0.0 0:01.67 rsyslogd
15195 ossec 20 0 3008 1608 692 S 0 0.0 1:11.78 ossec-analysisd
15199 root 20 0 1956 508 388 S 0 0.0 0:03.36 ossec-logcollec
15209 root 20 0 3028 1888 616 S 0 0.0 5:16.79 ossec-syscheckd
15213 ossec 20 0 2232 544 404 S 0 0.0 0:00.12 ossec-monitord
18760 www-data 20 0 74416 59m 3508 S 0 0.7 5:02.90 ruby
18854 root 20 0 9064 2968 1104 S 0 0.0 0:12.87 tclsh
18855 root 20 0 9064 2628 788 S 0 0.0 0:00.01 tclsh
18885 root 20 0 6600 4248 2660 S 0 0.1 6:05.23 tclsh
18902 root 20 0 5940 3764 2656 S 0 0.0 0:01.10 tclsh
18904 root 20 0 3252 668 576 S 0 0.0 0:02.35 tail
18994 root 20 0 5732 3488 2632 S 0 0.0 0:06.77 tclsh
18997 root 20 0 3252 632 536 S 0 0.0 0:00.60 cat
19053 root 20 0 6060 3832 2644 S 0 0.0 12:55.44 tclsh
19055 root 20 0 3260 732 632 S 0 0.0 0:05.72 tail
19096 root 20 0 6464 4248 2660 S 0 0.1 2:36.06 tclsh
19112 root 20 0 6072 3776 2656 S 0 0.0 0:00.81 tclsh
19114 root 20 0 3252 672 576 S 0 0.0 0:02.24 tail
19208 root 20 0 3252 636 536 S 0 0.0 0:26.33 cat
19267 root 20 0 3260 732 632 S 0 0.0 0:05.19 tail
19292 root 20 0 7036 4472 2404 S 0 0.1 0:00.84 tclsh
19299 root 20 0 3256 668 576 S 0 0.0 0:03.62 tail
19333 root 20 0 4444 1556 1308 S 0 0.0 0:00.07 bash
19376 root 20 0 4444 1556 1308 S 0 0.0 0:00.12 bash
19423 root 20 0 4444 1556 1308 S 0 0.0 0:00.16 bash
19426 root 20 0 4444 1556 1308 S 0 0.0 0:00.13 bash
19602 root 20 0 11012 7704 2292 S 0 0.1 0:38.75 ruby
22222 root 20 0 10880 3548 2736 S 0 0.0 0:01.28 sshd
22309 [removed] 20 0 10880 1888 1048 S 0 0.0 0:27.97 sshd
22310 [removed] 20 0 6476 3864 1564 S 0 0.0 0:03.82 bash
22361 www-data 20 0 39884 6264 2284 S 0 0.1 0:01.29 apache2
23002 root 20 0 6616 4028 1588 S 0 0.0 0:13.56 bash
31474 root 20 0 11248 5612 1760 S 0 0.1 0:44.14 barnyard2
31643 root 20 0 11248 5676 1800 S 0 0.1 0:32.10 barnyard2

Doug Burks

May 31, 2012, 7:32:44 AM
to securit...@googlegroups.com
Hi Samuel,

Did you follow our Installation guide?
http://code.google.com/p/security-onion/wiki/Installation

Specifically, did you read the Hardware page?
http://code.google.com/p/security-onion/wiki/Hardware

What are the hardware specs of your box? CPU, RAM, NICs, hard drives, etc.

How much traffic are you monitoring?

What is the output of the following command?
sudo sostat
(redact sensitive info as necessary)

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
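Doug's questions above (how many cores, how much traffic, and whether the capture NICs are keeping up) can be answered mechanically from the output Samuel already posted. The following shell script is an added example, not part of this thread or of Security Onion itself. It parses `top` and legacy `ifconfig` text that is embedded here as constructed sample input modelled on the posted figures; the four-CPU count is an assumption drawn from the migration/0 to migration/3 kernel threads in the posted listing, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): triage a
# sensor's `top` and `ifconfig` output for the three things Doug asks about:
# CPU headroom, per-process cost, and whether the capture NICs are dropping.

# Constructed sample input, modelled on the figures posted in the thread.
TOP_HEADER='top - 08:02:38 up 22:31, 1 user, load average: 23.03, 23.86, 22.08'
TOP_PROCS='32039 sguil 20 0 381m 284m 3368 S 67 3.5 24:19.02 suricata
19443 root 20 0 52636 45m 9.9m R 52 0.6 41:35.47 bro
19444 root 20 0 61676 54m 9952 R 44 0.7 46:37.48 bro
32152 sguil 20 0 485m 318m 3484 S 43 3.9 25:46.68 suricata
9244 root 30 10 5372 4080 416 R 30 0.0 0:12.17 bzip2
19013 sguil 20 0 6200 4944 4804 R 15 0.1 13:59.71 daemonlogger
19225 sguil 20 0 6200 4940 4804 S 12 0.1 19:54.14 daemonlogger
19032 sguil 20 0 42760 19m 3200 S 11 0.2 16:28.93 argus
1259 mysql 20 0 156m 41m 6868 S 11 0.5 179:50.54 mysqld
19244 sguil 20 0 34828 11m 3200 S 11 0.1 16:46.44 argus'
IFCONFIG='eth1 Link encap:Ethernet HWaddr 00:15:c5:f9:88:bd
RX packets:10450122 errors:0 dropped:0 overruns:0 frame:0
eth3 Link encap:Ethernet HWaddr 00:19:b9:f7:28:87
RX packets:6528525 errors:0 dropped:396651 overruns:0 frame:0'
# Assumption: the migration/0..3 kernel threads in the posted listing mean four CPUs.
NCPU=4

# 1-minute load average divided by CPU count. Above 1.0 the run queue is
# longer than the core count, i.e. the box is oversubscribed, not just busy.
load_per_core() {
    printf '%s\n' "$1" | awk -v n="$2" '
        { sub(/.*load average: /, ""); split($0, a, ", "); printf "%.1f\n", a[1] / n }'
}

# Sum %CPU (field 9) per command name (field 12) so a two-interface sensor
# shows its engines (IDS, Bro workers, loggers) as totals, not scattered PIDs.
cpu_by_command() {
    printf '%s\n' "$1" |
        awk '{ cpu[$12] += $9 } END { for (c in cpu) printf "%s %d\n", c, cpu[c] }' |
        sort -k2,2nr
}

# Percentage of received frames the kernel dropped, per interface, from the
# "RX packets:N ... dropped:M" line of pre-iproute2 ifconfig output.
rx_drop_pct() {
    printf '%s\n' "$1" | awk '
        /Link encap/ { iface = $1 }
        /RX packets/ {
            split($2, p, ":"); split($4, d, ":")
            total = p[2] + d[2]
            printf "%s %.1f\n", iface, ((total > 0) ? 100 * d[2] / total : 0)
        }'
}

echo "load per core: $(load_per_core "$TOP_HEADER" "$NCPU")"
echo "CPU by command:"; cpu_by_command "$TOP_PROCS"
echo "RX drop % by interface:"; rx_drop_pct "$IFCONFIG"
```

On a live box the three variables would be filled from `top -bn1`, the same `top` listing, and `ifconfig` (or `sostat`, which already prints the interface block). The two numbers that matter for Doug's question are load per core and RX drop percentage on the sniffing interfaces: a load well above one per core together with a non-zero drop rate on a capture NIC says the sensor is undersized for the traffic it is seeing, whereas a single command dominating the CPU total with zero drops points at a misbehaving process instead.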

Samuel Beckett

Jun 1, 2012, 5:03:40 AM
to security-onion
Hi,

Yes, I did follow the installation guide. Please see the output of
sostat and lshw below.

Thanks!

=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: [removed]-eth1
* pcap_agent (sguil)[ OK ]
* sancp_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* snort (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* sancp (session data)[ OK ]
* pads (asset info)[ OK ]
* daemonlogger (full packet data)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]
Status: [removed]-eth3
* pcap_agent (sguil)[ OK ]
* sancp_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* snort (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* sancp (session data)[ OK ]
* pads (asset info)[ OK ]
* daemonlogger (full packet data)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]
Status: HIDS
* ossec_agent (sguil)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
Status: Bro
Name Type Host Status Pid Peers Started
manager manager [removed] running 13838 3 01 Jun 06:52:05
proxy-1 proxy [removed] running 13892 3 01 Jun 06:52:17
[removed]-eth1 worker [removed] running 27870 2 01 Jun 08:20:21
[removed]-eth3 worker [removed] running 13971 2 01 Jun 06:52:35

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 00:15:c5:f9:88:bc
inet addr:[removed] Bcast:[removed] Mask:255.255.255.0
inet6 addr: fe80::215:c5ff:fef9:88bc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112040 errors:0 dropped:0 overruns:0 frame:0
TX packets:21430 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23856390 (23.8 MB) TX bytes:11634159 (11.6 MB)

eth1 Link encap:Ethernet HWaddr 00:15:c5:f9:88:bd
inet6 addr: fe80::215:c5ff:fef9:88bd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10450122 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2366103411 (2.3 GB) TX bytes:0 (0.0 B)

eth3 Link encap:Ethernet HWaddr 00:19:b9:f7:28:87
inet6 addr: fe80::219:b9ff:fef7:2887/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6528525 errors:0 dropped:396651 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3652329215 (3.6 GB) TX bytes:0 (0.0 B)
Interrupt:16 Memory:f4000000-f4012800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:188685 errors:0 dropped:0 overruns:0 frame:0
TX packets:188685 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:234903059 (234.9 MB) TX bytes:234903059 (234.9 MB)


=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 129G 17G 106G 14% /
none 4.0G 252K 4.0G 1% /dev
none 4.0G 0 4.0G 0% /dev/shm
none 4.0G 172K 4.0G 1% /var/run
none 4.0G 0 4.0G 0% /var/lock
none 4.0G 0 4.0G 0% /lib/init/rw

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 740 root 3r IPv6 4284 0t0 TCP *:22 (LISTEN)
sshd 740 root 4u IPv4 4286 0t0 TCP *:22 (LISTEN)
avahi-dae 766 avahi 13u IPv4 4235 0t0 UDP *:5353
avahi-dae 766 avahi 14u IPv4 4236 0t0 UDP *:57146
mysqld 1187 mysql 10u IPv4 4865 0t0 TCP 127.0.0.1:3306 (LISTEN)
mysqld 1187 mysql 15u IPv4 216385 0t0 TCP 127.0.0.1:3306->127.0.0.1:40968 (ESTABLISHED)
mysqld 1187 mysql 16u IPv4 216129 0t0 TCP 127.0.0.1:3306->127.0.0.1:40956 (ESTABLISHED)
exim4 1518 Debian-exim 3u IPv4 5051 0t0 TCP 127.0.0.1:25 (LISTEN)
exim4 1518 Debian-exim 4u IPv6 5052 0t0 TCP [::1]:25 (LISTEN)
tclsh 1667 root 14u IPv4 6150 0t0 TCP *:7734 (LISTEN)
tclsh 1667 root 15u IPv4 6151 0t0 TCP *:7736 (LISTEN)
tclsh 1667 root 16u IPv4 213817 0t0 TCP 127.0.0.1:7736->127.0.0.1:36731 (ESTABLISHED)
tclsh 1667 root 17u IPv4 213842 0t0 TCP 127.0.0.1:7736->127.0.0.1:36732 (ESTABLISHED)
tclsh 1667 root 18u IPv4 193047 0t0 TCP 127.0.0.1:7736->127.0.0.1:36558 (ESTABLISHED)
tclsh 1667 root 19u IPv4 213812 0t0 TCP 127.0.0.1:7736->127.0.0.1:36730 (ESTABLISHED)
tclsh 1667 root 20u IPv4 191040 0t0 TCP 127.0.0.1:7736->127.0.0.1:36512 (ESTABLISHED)
tclsh 1667 root 21u IPv4 191930 0t0 TCP 127.0.0.1:7736->127.0.0.1:36544 (ESTABLISHED)
tclsh 1667 root 22u IPv4 191185 0t0 TCP 127.0.0.1:7736->127.0.0.1:36513 (ESTABLISHED)
tclsh 1667 root 23u IPv4 191296 0t0 TCP 127.0.0.1:7736->127.0.0.1:36514 (ESTABLISHED)
tclsh 1667 root 24u IPv4 193197 0t0 TCP 127.0.0.1:7736->127.0.0.1:36567 (ESTABLISHED)
tclsh 1667 root 25u IPv4 192269 0t0 TCP 127.0.0.1:7736->127.0.0.1:36545 (ESTABLISHED)
tclsh 1667 root 26u IPv4 192506 0t0 TCP 127.0.0.1:7736->127.0.0.1:36549 (ESTABLISHED)
tclsh 1667 root 27u IPv4 192621 0t0 TCP 127.0.0.1:7736->127.0.0.1:36550 (ESTABLISHED)
tclsh 1667 root 28u IPv4 192397 0t0 TCP 127.0.0.1:7736->127.0.0.1:36547 (ESTABLISHED)
tclsh 1667 root 29u IPv4 216100 0t0 TCP 127.0.0.1:7736->127.0.0.1:36788 (ESTABLISHED)
tclsh 1667 root 30u IPv4 193537 0t0 TCP 127.0.0.1:7736->127.0.0.1:36571 (ESTABLISHED)
tclsh 1667 root 31u IPv4 193799 0t0 TCP 127.0.0.1:7736->127.0.0.1:36572 (ESTABLISHED)
tclsh 1667 root 32u IPv4 197142 0t0 TCP 127.0.0.1:7736->127.0.0.1:36595 (ESTABLISHED)
tclsh 1667 root 33u IPv4 200212 0t0 TCP 127.0.0.1:7736->127.0.0.1:36617 (ESTABLISHED)
tclsh 1667 root 34u IPv4 204002 0t0 TCP 127.0.0.1:7736->127.0.0.1:36643 (ESTABLISHED)
tclsh 1667 root 35u IPv4 207865 0t0 TCP 127.0.0.1:7736->127.0.0.1:36670 (ESTABLISHED)
tclsh 1667 root 36u IPv4 213462 0t0 TCP 127.0.0.1:7736->127.0.0.1:36715 (ESTABLISHED)
tclsh 1667 root 37u IPv4 213808 0t0 TCP 127.0.0.1:7736->127.0.0.1:36729 (ESTABLISHED)
tclsh 1667 root 38u IPv4 210301 0t0 TCP 127.0.0.1:7736->127.0.0.1:36694 (ESTABLISHED)
tclsh 1667 root 39u IPv4 218457 0t0 TCP 127.0.0.1:7736->127.0.0.1:36813 (ESTABLISHED)
tclsh 1667 root 40u IPv4 220910 0t0 TCP 127.0.0.1:7736->127.0.0.1:36861 (ESTABLISHED)
tclsh 1667 root 41u IPv4 223360 0t0 TCP 127.0.0.1:7736->127.0.0.1:36883 (ESTABLISHED)
tclsh 1667 root 42u IPv4 225737 0t0 TCP 127.0.0.1:7736->127.0.0.1:36905 (ESTABLISHED)
tclsh 1667 root 43u IPv4 228591 0t0 TCP 127.0.0.1:7736->127.0.0.1:36998 (ESTABLISHED)
tclsh 1667 root 44u IPv4 231067 0t0 TCP 127.0.0.1:7736->127.0.0.1:37022 (ESTABLISHED)
tclsh 1667 root 45u IPv4 234481 0t0 TCP 127.0.0.1:7736->127.0.0.1:37046 (ESTABLISHED)
tclsh 1667 root 46u IPv4 237197 0t0 TCP 127.0.0.1:7736->127.0.0.1:37068 (ESTABLISHED)
tclsh 1667 root 47u IPv4 239574 0t0 TCP 127.0.0.1:7736->127.0.0.1:37089 (ESTABLISHED)
tclsh 1667 root 48u IPv4 244457 0t0 TCP 127.0.0.1:7736->127.0.0.1:37179 (ESTABLISHED)
tclsh 1667 root 49u IPv4 241911 0t0 TCP 127.0.0.1:7736->127.0.0.1:37111 (ESTABLISHED)
tclsh 1667 root 50u IPv4 247173 0t0 TCP 127.0.0.1:7736->127.0.0.1:37203 (ESTABLISHED)
tclsh 1667 root 51u IPv4 249561 0t0 TCP 127.0.0.1:7736->127.0.0.1:37225 (ESTABLISHED)
tclsh 1667 root 52u IPv4 251972 0t0 TCP 127.0.0.1:7736->127.0.0.1:37247 (ESTABLISHED)
ntpd 1738 ntp 16u IPv4 5823 0t0 UDP *:123
ntpd 1738 ntp 17u IPv6 5824 0t0 UDP *:123
ntpd 1738 ntp 18u IPv4 5828 0t0 UDP 127.0.0.1:123
ntpd 1738 ntp 19u IPv4 5829 0t0 UDP [removed]:123
ntpd 1738 ntp 20u IPv6 5830 0t0 UDP [::1]:123
ntpd 1738 ntp 21u IPv6 5831 0t0 UDP [fe80::215:c5ff:fef9:88bc]:123
ntpd 1738 ntp 22u IPv6 19598 0t0 UDP [fe80::219:b9ff:fef7:2887]:123
ntpd 1738 ntp 23u IPv6 19599 0t0 UDP [fe80::215:c5ff:fef9:88bd]:123
cupsd 1762 root 5u IPv6 182066 0t0 TCP [::1]:631 (LISTEN)
cupsd 1762 root 6u IPv4 182067 0t0 TCP 127.0.0.1:631 (LISTEN)
apache2 1852 root 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 1852 root 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 1852 root 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 1929 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 1929 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 1929 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 1930 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 1930 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 1930 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 1931 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 1931 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 1931 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 1933 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 1933 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 1933 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
tclsh 3727 root 3u IPv4 213807 0t0 TCP 127.0.0.1:36732->127.0.0.1:7736 (ESTABLISHED)
tclsh 4323 root 3u IPv4 193011 0t0 TCP 127.0.0.1:36558->127.0.0.1:7736 (ESTABLISHED)
tclsh 4958 root 3u IPv4 213804 0t0 TCP 127.0.0.1:36731->127.0.0.1:7736 (ESTABLISHED)
sshd 5487 root 3r IPv4 17498 0t0 TCP [removed]:22->[removed]:3197 (ESTABLISHED)
sshd 5778 [removed] 3u IPv4 17498 0t0 TCP [removed]:22->[removed]:3197 (ESTABLISHED)
tclsh 6113 root 3u IPv4 213798 0t0 TCP 127.0.0.1:36729->127.0.0.1:7736 (ESTABLISHED)
tclsh 11294 root 3u IPv4 213801 0t0 TCP 127.0.0.1:36730->127.0.0.1:7736 (ESTABLISHED)
apache2 11526 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 11526 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 11526 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 12995 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 12995 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 12995 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 12996 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 12996 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 12996 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
apache2 12997 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 12997 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 12997 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
tclsh 13369 root 3u IPv4 191039 0t0 TCP 127.0.0.1:36512->127.0.0.1:7736 (ESTABLISHED)
tclsh 13391 root 3u IPv4 191184 0t0 TCP 127.0.0.1:36513->127.0.0.1:7736 (ESTABLISHED)
tclsh 13409 root 3u IPv4 191295 0t0 TCP 127.0.0.1:36514->127.0.0.1:7736 (ESTABLISHED)
tclsh 13409 root 4u IPv4 191298 0t0 TCP 127.0.0.1:8000 (LISTEN)
tclsh 13409 root 6u IPv4 216381 0t0 TCP 127.0.0.1:8000->127.0.0.1:47000 (ESTABLISHED)
tclsh 13498 root 3u IPv4 191929 0t0 TCP 127.0.0.1:36544->127.0.0.1:7736 (ESTABLISHED)
tclsh 13557 root 3u IPv4 192268 0t0 TCP 127.0.0.1:36545->127.0.0.1:7736 (ESTABLISHED)
tclsh 13581 root 3u IPv4 192396 0t0 TCP 127.0.0.1:36547->127.0.0.1:7736 (ESTABLISHED)
tclsh 13598 root 3u IPv4 192505 0t0 TCP 127.0.0.1:36549->127.0.0.1:7736 (ESTABLISHED)
tclsh 13614 root 3u IPv4 192620 0t0 TCP 127.0.0.1:36550->127.0.0.1:7736 (ESTABLISHED)
tclsh 13614 root 4u IPv4 192623 0t0 TCP 127.0.0.1:8001 (LISTEN)
tclsh 13614 root 6u IPv4 216125 0t0 TCP 127.0.0.1:8001->127.0.0.1:42412 (ESTABLISHED)
tclsh 13704 root 3u IPv4 193196 0t0 TCP 127.0.0.1:36567->127.0.0.1:7736 (ESTABLISHED)
tclsh 13764 root 3u IPv4 193536 0t0 TCP 127.0.0.1:36571->127.0.0.1:7736 (ESTABLISHED)
tclsh 13825 root 3u IPv4 193798 0t0 TCP 127.0.0.1:36572->127.0.0.1:7736 (ESTABLISHED)
bro 13838 root 4u IPv4 193817 0t0 UDP [removed]:54129->[removed]:53
bro 13874 root 0u IPv4 194023 0t0 TCP *:47761 (LISTEN)
bro 13874 root 1u IPv4 194260 0t0 TCP [removed]:47761->[removed]:54753 (ESTABLISHED)
bro 13874 root 2u IPv4 243775 0t0 TCP [removed]:47761->[removed]:55355 (ESTABLISHED)
bro 13874 root 4u IPv4 193817 0t0 UDP [removed]:54129->[removed]:53
bro 13874 root 8u IPv4 194664 0t0 TCP [removed]:47761->[removed]:54757 (ESTABLISHED)
bro 13892 root 4u IPv4 194077 0t0 UDP [removed]:49902->[removed]:53
bro 13931 root 0u IPv4 194258 0t0 TCP [removed]:54753->[removed]:47761 (ESTABLISHED)
bro 13931 root 1u IPv4 194259 0t0 TCP *:47762 (LISTEN)
bro 13931 root 2u IPv4 243773 0t0 TCP [removed]:47762->[removed]:51462 (ESTABLISHED)
bro 13931 root 4u IPv4 194077 0t0 UDP [removed]:49902->[removed]:53
bro 13931 root 7u IPv4 194662 0t0 TCP [removed]:47762->[removed]:50864 (ESTABLISHED)
bro 13971 root 4u IPv4 194351 0t0 UDP [removed]:58826->[removed]:53
bro 14034 root 0u IPv4 194661 0t0 TCP [removed]:50864->[removed]:47762 (ESTABLISHED)
bro 14034 root 1u IPv4 194663 0t0 TCP [removed]:54757->[removed]:47761 (ESTABLISHED)
bro 14034 root 2u IPv4 194665 0t0 TCP *:47764 (LISTEN)
bro 14034 root 4u IPv4 194351 0t0 UDP [removed]:58826->[removed]:53
tclsh 14691 root 3u IPv4 197141 0t0 TCP 127.0.0.1:36595->127.0.0.1:7736 (ESTABLISHED)
tclsh 15918 root 3u IPv4 200198 0t0 TCP 127.0.0.1:36617->127.0.0.1:7736 (ESTABLISHED)
apache2 15950 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 15950 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 15950 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
tclsh 16923 root 3u IPv4 204001 0t0 TCP 127.0.0.1:36643->127.0.0.1:7736 (ESTABLISHED)
apache2 17539 www-data 3u IPv4 5918 0t0 TCP *:443 (LISTEN)
apache2 17539 www-data 4u IPv4 5920 0t0 TCP *:9876 (LISTEN)
apache2 17539 www-data 5u IPv4 5925 0t0 TCP *:3000 (LISTEN)
tclsh 17912 root 3u IPv4 207860 0t0 TCP 127.0.0.1:36670->127.0.0.1:7736 (ESTABLISHED)
tclsh 18584 root 3u IPv4 210300 0t0 TCP 127.0.0.1:36694->127.0.0.1:7736 (ESTABLISHED)
barnyard2 18656 root 3u IPv4 216380 0t0 TCP 127.0.0.1:47000->127.0.0.1:8000 (ESTABLISHED)
barnyard2 18656 root 4u IPv4 216384 0t0 TCP 127.0.0.1:40968->127.0.0.1:3306 (ESTABLISHED)
barnyard2 18699 root 3u IPv4 216124 0t0 TCP 127.0.0.1:42412->127.0.0.1:8001 (ESTABLISHED)
barnyard2 18699 root 4u IPv4 216128 0t0 TCP 127.0.0.1:40956->127.0.0.1:3306 (ESTABLISHED)
tclsh 19449 root 3u IPv4 213461 0t0 TCP 127.0.0.1:36715->127.0.0.1:7736 (ESTABLISHED)
tclsh 20118 root 3u IPv4 216099 0t0 TCP 127.0.0.1:36788->127.0.0.1:7736 (ESTABLISHED)
tclsh 20769 root 3u IPv4 218456 0t0 TCP 127.0.0.1:36813->127.0.0.1:7736 (ESTABLISHED)
tclsh 21423 root 3u IPv4 220909 0t0 TCP 127.0.0.1:36861->127.0.0.1:7736 (ESTABLISHED)
ruby 21453 nobody 9u IPv4 221161 0t0 TCP 127.0.0.1:39344 (LISTEN)
tclsh 22087 root 3u IPv4 223359 0t0 TCP 127.0.0.1:36883->127.0.0.1:7736 (ESTABLISHED)
tclsh 22737 root 3u IPv4 225736 0t0 TCP 127.0.0.1:36905->127.0.0.1:7736 (ESTABLISHED)
tclsh 23474 root 3u IPv4 228590 0t0 TCP 127.0.0.1:36998->127.0.0.1:7736 (ESTABLISHED)
tclsh 24129 root 3u IPv4 231066 0t0 TCP 127.0.0.1:37022->127.0.0.1:7736 (ESTABLISHED)
tclsh 25520 root 3u IPv4 234480 0t0 TCP 127.0.0.1:37046->127.0.0.1:7736 (ESTABLISHED)
tclsh 26230 root 3u IPv4 237196 0t0 TCP 127.0.0.1:37068->127.0.0.1:7736 (ESTABLISHED)
tclsh 26887 root 3u IPv4 239573 0t0 TCP 127.0.0.1:37089->127.0.0.1:7736 (ESTABLISHED)
tclsh 27539 root 3u IPv4 241910 0t0 TCP 127.0.0.1:37111->127.0.0.1:7736 (ESTABLISHED)
bro 27870 root 4u IPv4 243304 0t0 UDP [removed]:59584->[removed]:53
bro 27974 root 0u IPv4 243772 0t0 TCP [removed]:51462->[removed]:47762 (ESTABLISHED)
bro 27974 root 1u IPv4 243774 0t0 TCP [removed]:55355->[removed]:47761 (ESTABLISHED)
bro 27974 root 2u IPv4 243776 0t0 TCP *:47763 (LISTEN)
bro 27974 root 4u IPv4 243304 0t0 UDP [removed]:59584->[removed]:53
tclsh 28118 root 3u IPv4 244456 0t0 TCP 127.0.0.1:37179->127.0.0.1:7736 (ESTABLISHED)
tclsh 29020 root 3u IPv4 247172 0t0 TCP 127.0.0.1:37203->127.0.0.1:7736 (ESTABLISHED)
tclsh 29670 root 3u IPv4 249560 0t0 TCP 127.0.0.1:37225->127.0.0.1:7736 (ESTABLISHED)
tclsh 30321 root 3u IPv4 251971 0t0 TCP 127.0.0.1:37247->127.0.0.1:7736 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri Jun 1 07:01:02 UTC 2012
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.5.0 The Drowning Rat
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Reading rules...
Processing /etc/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/pulledpork/disablesid.conf....
Modified 33 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 10 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/snort/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------0
Deleted:---0
Enabled Rules:----12627
Dropped Rules:----0
Disabled Rules:---2592
Total Rules:------15219
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: [removed]-eth1
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: [removed]-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: [removed]-eth1
* stopping: snort (alert data)[ OK ]
* starting: snort (alert data)[ OK ]
Restarting: [removed]-eth3
* stopping: snort (alert data)[ OK ]
* starting: snort (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
top - 08:39:50 up 2:34, 1 user, load average: 15.94, 15.73, 15.54
Tasks: 232 total, 8 running, 224 sleeping, 0 stopped, 0 zombie
Cpu(s): 63.1%us, 19.8%sy, 4.5%ni, 6.8%id, 0.1%wa, 0.3%hi, 5.3%si, 0.0%st
Mem: 8262192k total, 6865128k used, 1397064k free, 178608k buffers
Swap: 9960716k total, 0k used, 9960716k free, 5421416k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
27870 root 20 0 54556 47m 9824 R 84 0.6 9:17.35 bro
18817 sguil 20 0 507m 271m 134m R 78 3.4 42:05.40 snort
13971 root 20 0 58364 51m 9.9m R 72 0.6 39:58.39 bro
18773 sguil 20 0 508m 271m 134m R 57 3.4 41:56.95 snort
30714 root 20 0 2540 1152 808 R 19 0.0 0:00.33 top
13838 root 20 0 24184 16m 3448 S 13 0.2 10:24.20 bro
13931 root 25 5 27272 12m 496 S 13 0.2 5:33.47 bro
13517 sguil 20 0 6200 4944 4804 R 12 0.1 13:48.01 daemonlogger
13687 sguil 20 0 11320 9984 5020 S 12 0.1 8:25.12 pads
13722 sguil 20 0 6200 4944 4804 S 12 0.1 11:56.44 daemonlogger
13742 sguil 20 0 35584 12m 3196 S 12 0.2 8:40.10 argus
13892 root 20 0 27668 20m 3440 S 10 0.3 9:28.60 bro
13536 sguil 20 0 41656 18m 3200 S 9 0.2 15:11.61 argus
13704 root 20 0 5828 3588 2636 S 9 0.0 3:00.43 tclsh
27974 root 25 5 29292 16m 4560 R 9 0.2 0:53.80 bro
13874 root 25 5 27292 11m 488 S 7 0.1 6:20.22 bro
14034 root 25 5 29292 15m 4560 R 7 0.2 4:48.52 bro
13466 sguil 20 0 10756 8588 5180 S 6 0.1 12:34.88 sancp
13482 sguil 20 0 7320 6076 5020 S 4 0.1 5:19.60 pads
13671 sguil 20 0 9172 6992 5180 S 4 0.1 6:00.63 sancp
1852 root 20 0 39708 9040 5300 S 1 0.1 0:07.80 apache2
13712 root 20 0 3252 644 536 S 1 0.0 0:23.25 cat
18699 root 20 0 11380 5800 1792 S 1 0.1 2:28.54 barnyard2
29671 root 20 0 1788 472 412 S 1 0.0 0:00.22 tail
1 root 20 0 2880 1788 1236 S 0 0.0 0:02.96 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0 0.0 0:00.63 migration/0
4 root 20 0 0 0 0 S 0 0.0 0:32.09 ksoftirqd/0
5 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
6 root RT 0 0 0 0 S 0 0.0 0:00.52 migration/1
7 root 20 0 0 0 0 S 0 0.0 0:02.36 ksoftirqd/1
8 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
9 root RT 0 0 0 0 S 0 0.0 0:00.57 migration/
2
10 root 20 0 0 0 0 S 0 0.0 0:04.46 ksoftirqd/
2
11 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/
2
12 root RT 0 0 0 0 S 0 0.0 0:00.54 migration/
3
13 root 20 0 0 0 0 S 0 0.0 0:02.93 ksoftirqd/
3
14 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/
3
15 root 20 0 0 0 0 S 0 0.0 0:08.59 events/
0
16 root 20 0 0 0 0 S 0 0.0 0:01.85 events/
1
17 root 20 0 0 0 0 S 0 0.0 0:01.18 events/
2
18 root 20 0 0 0 0 S 0 0.0 0:01.94 events/
3
19 root 20 0 0 0 0 S 0 0.0 0:00.00
cpuset
20 root 20 0 0 0 0 S 0 0.0 0:00.00
khelper
21 root 20 0 0 0 0 S 0 0.0 0:00.00
netns
22 root 20 0 0 0 0 S 0 0.0 0:00.00 async/
mgr
23 root 20 0 0 0 0 S 0 0.0 0:00.00
pm
25 root 20 0 0 0 0 S 0 0.0 0:00.12
sync_supers
26 root 20 0 0 0 0 S 0 0.0 0:00.14 bdi-
default
27 root 20 0 0 0 0 S 0 0.0 0:00.00
kintegrityd/0
28 root 20 0 0 0 0 S 0 0.0 0:00.00
kintegrityd/1
29 root 20 0 0 0 0 S 0 0.0 0:00.00
kintegrityd/2
30 root 20 0 0 0 0 S 0 0.0 0:00.00
kintegrityd/3
31 root 20 0 0 0 0 S 0 0.0 0:01.42 kblockd/
0
32 root 20 0 0 0 0 S 0 0.0 0:00.59 kblockd/
1
33 root 20 0 0 0 0 S 0 0.0 0:01.42 kblockd/
2
34 root 20 0 0 0 0 S 0 0.0 0:01.84 kblockd/
3
35 root 20 0 0 0 0 S 0 0.0 0:00.00
kacpid
36 root 20 0 0 0 0 S 0 0.0 0:00.00
kacpi_notify
37 root 20 0 0 0 0 S 0 0.0 0:00.00
kacpi_hotplug
38 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/
0
39 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/
1
40 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/
2
41 root 20 0 0 0 0 S 0 0.0 0:00.00 ata/
3
42 root 20 0 0 0 0 S 0 0.0 0:00.00
ata_aux
43 root 20 0 0 0 0 S 0 0.0 0:00.00
ksuspend_usbd
44 root 20 0 0 0 0 S 0 0.0 0:00.00
khubd
45 root 20 0 0 0 0 S 0 0.0 0:00.05
kseriod
46 root 20 0 0 0 0 S 0 0.0 0:00.00
kmmcd
51 root 20 0 0 0 0 S 0 0.0 0:00.15
khungtaskd
52 root 20 0 0 0 0 S 0 0.0 0:00.00
234 root 20 0 0 0 0 S 0 0.0 0:01.28
mpt_poll_0
235 root 20 0 0 0 0 S 0 0.0 0:00.00 mpt/
0
238 root 20 0 0 0 0 S 0 0.0 0:00.00
scsi_eh_0
297 root 20 0 0 0 0 S 0 0.0 0:42.90 jbd2/
sda1-8
298 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-
unwrit
299 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-
unwrit
300 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-
unwrit
301 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-
unwrit
335 root 20 0 0 0 0 S 0 0.0 1:09.46
flush-8:0
361 root 20 0 2312 932 676 S 0 0.0 0:00.17 upstart-
udev-br
364 root 16 -4 2528 928 336 S 0 0.0 0:00.13
udevd
642 root 20 0 0 0 0 S 0 0.0 0:00.00
kpsmoused
649 root 20 0 0 0 0 S 0 0.0 0:04.80 edac-
poller
738 syslog 20 0 34808 1840 1044 S 0 0.0 0:02.18
rsyslogd
740 root 20 0 5548 2136 1724 S 0 0.0 0:00.39
sshd
751 messageb 20 0 2660 912 632 S 0 0.0 0:00.23 dbus-
daemon
766 avahi 20 0 3032 1608 1312 S 0 0.0 0:01.08 avahi-
daemon
769 avahi 20 0 2924 548 320 S 0 0.0 0:00.00 avahi-
daemon
809 root 18 -2 2524 892 304 S 0 0.0 0:00.00
udevd
815 root 18 -2 2524 876 288 S 0 0.0 0:00.00
udevd
1020 root 20 0 1788 568 484 S 0 0.0 0:00.01
getty
1024 root 20 0 1788 568 488 S 0 0.0 0:00.00
getty
1033 root 20 0 1788 568 488 S 0 0.0 0:00.00
getty
1034 root 20 0 1788 568 488 S 0 0.0 0:00.01
getty
1039 root 20 0 1788 568 488 S 0 0.0 0:00.00
getty
1049 root 20 0 2824 600 484 S 0 0.0 0:22.18
irqbalance
1053 root 20 0 2044 860 504 S 0 0.0 0:00.02
acpid
1059 daemon 20 0 2244 428 292 S 0 0.0 0:00.00
atd
1060 root 20 0 2372 904 716 S 0 0.0 0:00.88
cron
1187 mysql 20 0 155m 39m 6496 S 0 0.5 20:51.34
mysqld
1518 Debian-e 20 0 6724 960 608 S 0 0.0 0:00.06
exim4
1569 ossec 20 0 3008 1608 688 S 0 0.0 1:24.88 ossec-
analysisd
1575 root 20 0 1956 504 388 S 0 0.0 0:04.32 ossec-
logcollec
1593 root 20 0 3024 1888 616 S 0 0.0 4:22.54 ossec-
syscheckd
1599 ossec 20 0 2232 548 404 S 0 0.0 0:00.14 ossec-
monitord
1667 root 20 0 15092 10m 3312 S 0 0.1 11:30.51
tclsh
1687 root 20 0 8764 2948 1096 S 0 0.0 0:18.15
tclsh
1691 root 20 0 8764 2624 788 S 0 0.0 0:00.00
tclsh
1738 ntp 20 0 4420 1380 1032 S 0 0.0 0:10.84
ntpd
1762 root 20 0 6696 2436 1832 S 0 0.0 0:00.08
cupsd
1854 root 20 0 5396 1752 1536 S 0 0.0 0:00.04
PassengerWatchd
1857 root 20 0 16808 2468 1884 S 0 0.0 1:24.73
PassengerHelper
1860 root 20 0 12032 7668 2292 S 0 0.1 0:40.28
ruby
1863 nobody 20 0 10600 3144 2584 S 0 0.0 0:00.44
PassengerLoggin
1929 www-data 20 0 40276 6472 2304 S 0 0.1 0:00.75
apache2
1930 www-data 20 0 39848 5864 2000 S 0 0.1 0:00.44
apache2
1931 www-data 20 0 39888 6276 2292 S 0 0.1 0:00.42
apache2
1933 www-data 20 0 40272 6608 2304 S 0 0.1 0:01.28
apache2
1952 root 20 0 1788 568 488 S 0 0.0 0:00.15
getty
3082 root 20 0 20468 3076 2212 S 0 0.0 0:00.73 console-
kit-dae
3727 root 20 0 6728 4456 2412 S 0 0.1 0:01.77
tclsh
3728 root 20 0 1792 500 432 S 0 0.0 0:03.92
tail
4323 root 20 0 6728 4460 2412 S 0 0.1 0:01.81
tclsh
4324 root 20 0 1792 500 432 S 0 0.0 0:03.60
tail
4375 www-data 20 0 75488 61m 3500 S 0 0.8 5:55.51
ruby
4958 root 20 0 6728 4460 2412 S 0 0.1 0:01.63
tclsh
4959 root 20 0 1792 504 432 S 0 0.0 0:03.37
tail
5487 root 20 0 10880 3548 2736 S 0 0.0 0:00.82
sshd
5778 [removed] 20 0 10880 1884 1048 S 0 0.0 0:17.91
sshd
5781 [removed] 20 0 6476 3868 1564 S 0 0.0 0:01.98
bash
6113 root 20 0 6728 4456 2412 S 0 0.1 0:01.76
tclsh
6120 root 20 0 1792 504 432 S 0 0.0 0:03.27
tail
6129 root 20 0 6504 3912 1584 S 0 0.0 0:06.69
bash
11294 root 20 0 7036 4492 2412 S 0 0.1 0:02.02
tclsh
11295 root 20 0 3256 676 576 S 0 0.0 0:02.81
tail
11526 www-data 20 0 39848 5884 2012 S 0 0.1 0:00.80
apache2
12995 www-data 20 0 40284 6392 2256 S 0 0.1 0:00.37
apache2
12996 www-data 20 0 40196 6460 2276 S 0 0.1 0:00.61
apache2
12997 www-data 20 0 40272 6548 2320 S 0 0.1 0:00.60
apache2
13369 root 20 0 6084 3764 2648 S 0 0.0 0:01.02
tclsh
13391 root 20 0 6600 4252 2660 S 0 0.1 6:04.15
tclsh
13409 root 20 0 6064 3784 2656 S 0 0.0 0:01.09
tclsh
13411 root 20 0 3256 676 576 S 0 0.0 0:02.21
tail
13498 root 20 0 5788 3500 2632 S 0 0.0 0:08.46
tclsh
13500 root 20 0 3252 632 536 S 0 0.0 0:00.89
cat
13557 root 20 0 6080 3836 2644 S 0 0.0 2:59.50
tclsh
13559 root 20 0 3260 732 632 S 0 0.0 0:04.10
tail
13581 root 20 0 6084 3772 2648 S 0 0.0 0:01.48
tclsh
13598 root 20 0 6600 4260 2660 S 0 0.1 2:12.29
tclsh
13614 root 20 0 6064 3772 2656 S 0 0.0 0:01.69
tclsh
13617 root 20 0 3256 672 576 S 0 0.0 0:02.37
tail
13764 root 20 0 6084 3820 2644 S 0 0.0 4:17.85
tclsh
13771 root 20 0 3260 736 632 S 0 0.0 0:04.34
tail
13825 root 20 0 7036 4480 2404 S 0 0.1 0:00.74
tclsh
13828 root 20 0 4232 1416 1200 S 0 0.0 0:00.26
bash
13830 root 20 0 3256 668 576 S 0 0.0 0:02.44
tail
13882 root 20 0 4232 1416 1200 S 0 0.0 0:00.28
bash
13952 root 20 0 4232 1412 1200 S 0 0.0 0:00.25
bash
14691 root 20 0 6728 4452 2404 S 0 0.1 0:00.88
tclsh
14692 root 20 0 1792 504 432 S 0 0.0 0:02.64
tail
15918 root 20 0 6728 4456 2404 S 0 0.1 0:00.85
tclsh
15927 root 20 0 1792 500 432 S 0 0.0 0:02.67
tail
15950 www-data 20 0 40272 6408 2256 S 0 0.1 0:00.34
apache2
16923 root 20 0 6728 4452 2404 S 0 0.1 0:01.09
tclsh
16924 root 20 0 1792 504 432 S 0 0.0 0:02.33
tail
17539 www-data 20 0 40268 6108 2076 S 0 0.1 0:00.17
apache2
17912 root 20 0 6728 4448 2404 S 0 0.1 0:00.80
tclsh
17913 root 20 0 1792 504 432 S 0 0.0 0:02.06
tail
18584 root 20 0 6728 4448 2404 S 0 0.1 0:00.88
tclsh
18585 root 20 0 1792 508 432 S 0 0.0 0:02.37
tail
18656 root 20 0 11380 5796 1792 S 0 0.1 3:20.38
barnyard2
19449 root 20 0 6728 4452 2404 S 0 0.1 0:00.83
tclsh
19450 root 20 0 1792 508 432 S 0 0.0 0:02.51
tail
20118 root 20 0 6728 4452 2404 S 0 0.1 0:00.61
tclsh
20119 root 20 0 1792 496 432 S 0 0.0 0:01.99
tail
20769 root 20 0 6728 4452 2404 S 0 0.1 0:00.73
tclsh
20771 root 20 0 1792 500 432 S 0 0.0 0:01.66
tail
21423 root 20 0 6728 4452 2404 S 0 0.1 0:00.58
tclsh
21424 root 20 0 1792 500 432 S 0 0.0 0:01.46
tail
21453 nobody 20 0 71812 58m 3232 S 0 0.7 0:40.75
ruby
22087 root 20 0 6728 4452 2404 S 0 0.1 0:00.60
tclsh
22089 root 20 0 1792 504 432 S 0 0.0 0:01.64
tail
22737 root 20 0 6728 4456 2404 S 0 0.1 0:00.75
tclsh
22738 root 20 0 1792 496 432 S 0 0.0 0:01.43
tail
23474 root 20 0 6728 4452 2404 S 0 0.1 0:00.54
tclsh
23515 root 20 0 1792 508 432 S 0 0.0 0:01.14
tail
24129 root 20 0 6728 4452 2404 S 0 0.1 0:00.57
tclsh
24130 root 20 0 1792 500 432 S 0 0.0 0:01.09
tail
25520 root 20 0 6728 4448 2404 S 0 0.1 0:00.51
tclsh
25521 root 20 0 1792 504 432 S 0 0.0 0:00.93
tail
26230 root 20 0 6728 4448 2404 S 0 0.1 0:00.52
tclsh
26231 root 20 0 1792 504 432 S 0 0.0 0:00.85
tail
26887 root 20 0 6728 4452 2404 S 0 0.1 0:00.74
tclsh
26889 root 20 0 1792 504 432 S 0 0.0 0:00.65
tail
27539 root 20 0 6728 4456 2404 S 0 0.1 0:00.66
tclsh
27540 root 20 0 1792 500 432 S 0 0.0 0:00.64
tail
27796 root 20 0 2724 1248 1076 S 0 0.0 0:00.15
bash
28118 root 20 0 6068 3556 2232 S 0 0.0 0:00.15
tclsh
28119 root 20 0 1788 476 412 S 0 0.0 0:00.51
tail
29020 root 20 0 6068 3556 2232 S 0 0.0 0:00.19
tclsh
29021 root 20 0 1788 472 412 S 0 0.0 0:00.37
tail
29670 root 20 0 6068 3560 2232 S 0 0.0 0:00.24
tclsh
30321 root 20 0 6068 3552 2232 S 0 0.0 0:00.14
tclsh
30322 root 20 0 1788 476 412 S 0 0.0 0:00.12
tail
30370 root 20 0 4216 1380 1176 S 0 0.0 0:00.20
sostat
30371 root 20 0 10548 2884 2208 S 0 0.0 0:00.22
mail


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/[removed]-eth1/dailylogs/
3.4G .
3.4G ./2012-06-01

/nsm/sensor_data/[removed]-eth3/dailylogs/
5.2G .
5.2G ./2012-06-01

/nsm/bro/logs/
665M .
8.0K ./20--
5.8M ./2012-05-25
27M ./2012-05-26
15M ./2012-05-27
216M ./2012-05-28
248M ./2012-05-29
59M ./2012-05-30
59M ./2012-05-31
32M ./2012-06-01
6.4M ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/[removed]-eth1/snort.stats last reported pkt_drop_percent as 93.146
/nsm/sensor_data/[removed]-eth3/snort.stats last reported pkt_drop_percent as 66.920

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
2307

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals SignatureID SignatureName
890 2010935 ET POLICY Suspicious inbound to MSSQL port 1433
37 2100538 GPL NETBIOS SMB IPC$ unicode share access
31 1411 GPL SNMP public access udp
13 2009702 ET POLICY DNS Update From External net
11 2012648 ET POLICY Dropbox Client Broadcasting
9 2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection
8 2012811 ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile
6 1390 GPL SHELLCODE x86 inc ebx NOOP
1 2003068 ET SCAN Potential SSH Scan OUTBOUND
1 2001219 ET SCAN Potential SSH Scan
Total
1007

[removed]
description: Multi-system
product: PowerEdge 1955
vendor: Dell Inc.
serial: JWK2T1S
width: 32 bits
capabilities: smbios-2.4 dmi-2.4 smp-1.4 smp
configuration: boot=normal chassis=multi-system cpus=4
uuid=44454C4C-5700-104B-8032-CAC04F543153
*-core
description: Motherboard
vendor: Dell Inc.
physical id: 0
serial: .9VN1T1S..05.
slot: Slot 05
*-firmware
description: BIOS
vendor: Dell Inc.
physical id: 0
version: 1.4.2 (10/08/2007)
size: 64KiB
capacity: 960KiB
capabilities: isa pci pnp upgrade shadowing escd cdboot
bootselect edd int13floppytoshiba int13floppy360 int13floppy1200
int13floppy720 int5printscreen int9keyboard int14serial int17printer
int10video acpi usb biosbootspecification netboot
*-cpu:0
description: CPU
product: Intel(R) Xeon(R) CPU E5345 @ 2.33GHz
vendor: Intel Corp.
physical id: 400
bus info: cpu@0
version: 6.15.11
serial: 0000-06FB-0000-0000-0000-0000
slot: CPU1
size: 2333MHz
capacity: 3600MHz
width: 64 bits
clock: 1333MHz
capabilities: boot fpu fpu_exception wp vme de pse tsc msr
pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx
fxsr sse sse2 ss ht tm pbe nx x86-64 constant_tsc arch_perfmon pebs
bts aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr
pdcm dca lahf_lm tpr_shadow vnmi flexpriority
configuration: id=3
*-cache:0
description: L1 cache
physical id: 700
size: 128KiB
capacity: 128KiB
capabilities: internal write-back data
*-cache:1
description: L2 cache
physical id: 701
size: 8MiB
capacity: 8MiB
capabilities: internal write-back unified
*-logicalcpu:0
description: Logical CPU
physical id: 3.1
width: 64 bits
capabilities: logical
*-logicalcpu:1
description: Logical CPU
physical id: 3.2
width: 64 bits
capabilities: logical
*-logicalcpu:2
description: Logical CPU
physical id: 3.3
width: 64 bits
capabilities: logical
*-logicalcpu:3
description: Logical CPU
physical id: 3.4
width: 64 bits
capabilities: logical
*-cpu:1 DISABLED
description: CPU [empty]
vendor: Intel
physical id: 401
slot: CPU2
*-memory
description: System Memory
physical id: 1000
slot: System board or motherboard
size: 8GiB
*-bank:0
description: FB-DIMM DDR2 FB-DIMM Synchronous 667 MHz
(1.5 ns)
product: HYMP151F72CP4N3-Y5
vendor: 80AD808980AD
physical id: 0
serial: 0686260F
slot: DIMM1
size: 4GiB
width: 64 bits
clock: 667MHz (1.5ns)
*-bank:1
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 1
slot: DIMM2
width: 64 bits
*-bank:2
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 2
slot: DIMM3
width: 64 bits
*-bank:3
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 3
slot: DIMM4
width: 64 bits
*-bank:4
description: FB-DIMM DDR2 FB-DIMM Synchronous 667 MHz
(1.5 ns)
product: HYMP151F72CP4N3-Y5
vendor: 80AD808980AD
physical id: 4
serial: 06862302
slot: DIMM5
size: 4GiB
width: 64 bits
clock: 667MHz (1.5ns)
*-bank:5
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 5
slot: DIMM6
width: 64 bits
*-bank:6
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 6
slot: DIMM7
width: 64 bits
*-bank:7
description: FB-DIMM DDR2 FB-DIMM Synchronous [empty]
physical id: 7
slot: DIMM8
width: 64 bits
*-cpu:2
physical id: 1
bus info: cpu@1
version: 6.15.11
serial: 0000-06FB-0000-0000-0000-0000
size: 2350MHz
capabilities: vmx ht
configuration: id=3
*-logicalcpu:0
description: Logical CPU
physical id: 3.1
capabilities: logical
*-logicalcpu:1
description: Logical CPU
physical id: 3.2
capabilities: logical
*-logicalcpu:2
description: Logical CPU
physical id: 3.3
capabilities: logical
*-logicalcpu:3
description: Logical CPU
physical id: 3.4
capabilities: logical
*-cpu:3
physical id: 2
bus info: cpu@2
version: 6.15.11
serial: 0000-06FB-0000-0000-0000-0000
size: 2350MHz
capabilities: vmx ht
configuration: id=3
*-logicalcpu:0
description: Logical CPU
physical id: 3.1
capabilities: logical
*-logicalcpu:1
description: Logical CPU
physical id: 3.2
capabilities: logical
*-logicalcpu:2
description: Logical CPU
physical id: 3.3
capabilities: logical
*-logicalcpu:3
description: Logical CPU
physical id: 3.4
capabilities: logical
*-cpu:4
physical id: 3
bus info: cpu@3
version: 6.15.11
serial: 0000-06FB-0000-0000-0000-0000
size: 2350MHz
capabilities: vmx ht
configuration: id=3
*-logicalcpu:0
description: Logical CPU
physical id: 3.1
capabilities: logical
*-logicalcpu:1
description: Logical CPU
physical id: 3.2
capabilities: logical
*-logicalcpu:2
description: Logical CPU
physical id: 3.3
capabilities: logical
*-logicalcpu:3
description: Logical CPU
physical id: 3.4
capabilities: logical
*-pci:0
description: Host bridge
product: 5000P Chipset Memory Controller Hub
vendor: Intel Corporation
physical id: 100
bus info: pci@0000:00:00.0
version: 92
width: 32 bits
clock: 33MHz
*-pci:0
description: PCI bridge
product: 5000 Series Chipset PCI Express x4 Port 2
vendor: Intel Corporation
physical id: 2
bus info: pci@0000:00:02.0
version: 92
width: 32 bits
clock: 33MHz
capabilities: pci pm msi pciexpress bus_master cap_list
configuration: driver=pcieport
resources: irq:216 ioport:e000(size=4096) memory:f2000000-
f7ffffff
*-pci:0
description: PCI bridge
product: 6311ESB/6321ESB PCI Express Upstream Port
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:03:00.0
version: 01
width: 32 bits
clock: 33MHz
capabilities: pci pciexpress pm bus_master cap_list
configuration: driver=pcieport
resources: irq:16 memory:f4000000-f7ffffff
*-pci:0
description: PCI bridge
product: 6311ESB/6321ESB PCI Express Downstream
Port E1
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:04:00.0
version: 01
width: 64 bits
clock: 33MHz
capabilities: pci pciexpress msi pm bus_master
cap_list
configuration: driver=pcieport
resources: iomemory:200000f00-200000eff irq:223
memory:f4000000-f7ffffff
*-pci
description: PCI bridge
product: EPB PCI-Express to PCI-X Bridge
vendor: Broadcom
physical id: 0
bus info: pci@0000:05:00.0
version: c3
width: 32 bits
clock: 33MHz
capabilities: pci pciexpress pcix pm bus_master
cap_list
resources: memory:f4000000-f7ffffff
*-network
description: Ethernet interface
product: NetXtreme II BCM5708S Gigabit
Ethernet
vendor: Broadcom Corporation
physical id: 0
bus info: pci@0000:06:00.0
logical name: eth3
version: 12
serial: 00:19:b9:f7:28:87
size: 1GB/s
capacity: 1GB/s
width: 64 bits
clock: 66MHz
capabilities: pcix pm vpd msi bus_master
cap_list ethernet physical fibre 1000bt-fd autonegotiation
configuration: autonegotiation=on
broadcast=yes driver=bnx2 driverversion=2.0.2 duplex=full
firmware=3.5.12 ipms 1.6.0 latency=64 link=yes mingnt=64 multicast=yes
port=fibre speed=1GB/s
resources: irq:225 memory:f4000000-f5ffffff
*-pci:1
description: PCI bridge
product: 6311ESB/6321ESB PCI Express Downstream
Port E2
vendor: Intel Corporation
physical id: 1
bus info: pci@0000:04:01.0
version: 01
width: 64 bits
clock: 33MHz
capabilities: pci pciexpress msi pm bus_master
cap_list
configuration: driver=pcieport
resources: iomemory:f00-eff irq:224
*-pci:1
description: PCI bridge
product: 6311ESB/6321ESB PCI Express to PCI-X Bridge
vendor: Intel Corporation
physical id: 0.3
bus info: pci@0000:03:00.3
version: 01
width: 32 bits
clock: 33MHz
capabilities: pci pciexpress pm pcix bus_master
cap_list
resources: ioport:e000(size=4096) memory:f3e00000-
f3ffffff
*-network:0
description: Ethernet interface
product: 82546GB Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 5
bus info: pci@0000:08:05.0
logical name: eth0
version: 03
serial: 00:15:c5:f9:88:bc
size: 1GB/s
capacity: 1GB/s
width: 64 bits
clock: 66MHz
capabilities: pm pcix msi bus_master cap_list
ethernet physical fibre 1000bt-fd autonegotiation
configuration: autonegotiation=off broadcast=yes
driver=e1000 driverversion=7.3.21-k5-NAPI duplex=full firmware=N/A
ip=[removed] latency=64 link=yes mingnt=255 multicast=yes port=fibre
speed=1GB/s
resources: irq:32 memory:f3ee0000-f3efffff
ioport:ecc0(size=64)
*-network:1
description: Ethernet interface
product: 82546GB Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 5.1
bus info: pci@0000:08:05.1
logical name: eth1
version: 03
serial: 00:15:c5:f9:88:bd
size: 1GB/s
capacity: 1GB/s
width: 64 bits
clock: 66MHz
capabilities: pm pcix msi bus_master cap_list
ethernet physical fibre 1000bt-fd autonegotiation
configuration: autonegotiation=off broadcast=yes
driver=e1000 driverversion=7.3.21-k5-NAPI duplex=full firmware=N/A
latency=64 link=yes mingnt=255 multicast=yes port=fibre speed=1GB/s
resources: irq:33 memory:f3ec0000-f3edffff
ioport:ec80(size=64)

*-scsi
description: SCSI storage controller
product: SAS1068 PCI-X Fusion-MPT SAS
vendor: LSI Logic / Symbios Logic
physical id: 8
bus info: pci@0000:0e:08.0
logical name: scsi0
version: 01
width: 64 bits
clock: 66MHz
capabilities: scsi pm msi pcix msix bus_master
cap_list rom scsi-host
configuration: driver=mptsas latency=72
maxlatency=10 mingnt=64
resources: irq:192 ioport:dc00(size=256)
memory:fc4fc000-fc4fffff memory:fc4e0000-fc4effff memory:fc500000-
fc5fffff(prefetchable)
*-disk:0 UNCLAIMED
description: SCSI Disk
product: MBB2147RC
vendor: FUJITSU
physical id: 0.0.0
bus info: scsi@0:0.0.0
version: D406
serial: BS03P7C01A6Y
capacity: 172GiB (184GB)
capabilities: 10000rpm
configuration: ansiversion=5
*-disk:1 UNCLAIMED
description: SCSI Disk
product: MBB2147RC
vendor: FUJITSU
physical id: 0.1.0
bus info: scsi@0:0.1.0
version: D406
serial: BS03P7C01ARE
capacity: 172GiB (184GB)
capabilities: 10000rpm
configuration: ansiversion=5
*-disk:2
description: SCSI Disk
product: VIRTUAL DISK
vendor: Dell
physical id: 1.0.0
bus info: scsi@0:1.0.0
logical name: /dev/sda
version: 1028
size: 135GiB (145GB)
capacity: 135GiB (145GB)
capabilities: 15000rpm partitioned
partitioned:dos
configuration: ansiversion=5 signature=0004c676
*-volume:0
description: EXT4 volume
vendor: Linux
physical id: 1
bus info: scsi@0:1.0.0,1
logical name: /dev/sda1
logical name: /
version: 1.0
serial: 667df2a7-a829-4cde-8ec3-cdb5d85457c6
size: 130GiB
capacity: 130GiB
capabilities: primary bootable journaled
extended_attributes large_files huge_files dir_nlink extents ext4 ext2
initialized
configuration: created=2012-05-25 15:57:10
filesystem=ext4 lastmountpoint=/
modified=2012-05-25 10:39:55
mount.fstype=ext4 mount.options=rw,relatime,errors=remount-
ro,barrier=1,data=ordered mounted=2012-05-31 09:23:57 state=mounted
*-volume:1
description: Extended partition
physical id: 2
bus info: scsi@0:1.0.0,2
logical name: /dev/sda2
size: 5693MiB
capacity: 5693MiB
capabilities: primary extended partitioned
partitioned:extended
*-logicalvolume
description: Linux swap / Solaris
partition
physical id: 5
logical name: /dev/sda5
capacity: 5693MiB
capabilities: nofs




On May 31, 6:32 pm, Doug Burks <doug.bu...@gmail.com> wrote:
> Hi Samuel,
>
> Did you follow our Installation guide?http://code.google.com/p/security-onion/wiki/Installation
>
> Specifically, did you read the Hardware page?http://code.google.com/p/security-onion/wiki/Hardware
> ...

Doug Burks

Jun 1, 2012, 6:21:46 AM6/1/12
to securit...@googlegroups.com
It seems your hardware is being overwhelmed by the amount of traffic
it's seeing:

/nsm/sensor_data/[removed]-eth1/snort.stats last reported
pkt_drop_percent as 93.146 /nsm/sensor_data/[removed]-eth3/snort.stats
last reported pkt_drop_percent as 66.920

How much traffic are you trying to monitor?

Thanks,
Doug
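The two numbers Doug points at come from the `snort.stats` perfmonitor files that `sostat` reads; the load averages in the `top` header tell the same story once divided by the core count (lshw above reports `cpus=4`). The script below is an added example, not part of the thread or of Security Onion's own `sostat` script. It assumes `snort.stats` is comma-separated with a `#`-prefixed header that names a `pkt_drop_percent` column, and the sample file contents, the 5% warning threshold and the `sensor_report` helper are constructed for the example; the drop values and the `top` line are the ones reported in the thread.

```python
"""Sensor health checks: snort.stats drop rate and load per core.

Added example; not part of the original thread or of the sostat script.
Assumes snort.stats is the comma-separated perfmonitor output with a
'#'-prefixed header naming a 'pkt_drop_percent' column, and that the
'top' summary line has the usual 'load average: a, b, c' form.
"""
import re

# Constructed snort.stats excerpts. The last pkt_drop_percent values
# (93.146 and 66.920) are the ones sostat reported in the thread.
SNORT_STATS_ETH1 = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1338530000,88.512,612.4,3.1
1338530300,91.204,640.9,2.8
1338530600,93.146,655.2,2.5
"""

SNORT_STATS_ETH3 = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1338530000,60.110,410.2,1.1
1338530600,66.920,455.8,1.4
"""

# Summary line taken from the 'top' output in the thread.
TOP_HEADER = "top - 08:39:50 up 2:34, 1 user, load average: 15.94, 15.73, 15.54"

DROP_WARN_PERCENT = 5.0  # threshold chosen for this example only


def last_drop_percent(stats_text):
    """Return pkt_drop_percent from the last data row, or None if absent.

    The column is located by name from the header rather than by a fixed
    position, so a different perfmonitor column order still works.
    """
    header = None
    last_row = None
    for line in stats_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            header = [c.strip() for c in line.lstrip("#").split(",")]
            continue
        last_row = [c.strip() for c in line.split(",")]
    if header is None or last_row is None or "pkt_drop_percent" not in header:
        return None
    idx = header.index("pkt_drop_percent")
    if idx >= len(last_row):
        return None
    try:
        return float(last_row[idx])
    except ValueError:
        return None


def drop_status(stats_text, warn=DROP_WARN_PERCENT):
    """Classify a sensor interface as 'ok', 'dropping' or 'unknown'."""
    pct = last_drop_percent(stats_text)
    if pct is None:
        return "unknown"
    return "dropping" if pct > warn else "ok"


_LOAD_RE = re.compile(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)")


def load_per_core(top_header, cpu_count):
    """Return the 1/5/15-minute load averages divided by the CPU count.

    Sustained values well above 1.0 mean runnable tasks are queuing for
    CPU; on a sensor that shows up as packet drops in the IDS engine.
    """
    m = _LOAD_RE.search(top_header)
    if not m or cpu_count <= 0:
        return None
    return tuple(float(v) / cpu_count for v in m.groups())


def sensor_report(stats_by_iface, top_header, cpu_count):
    """Combine the per-interface drop checks with the box-wide load."""
    report = {iface: (last_drop_percent(text), drop_status(text))
              for iface, text in stats_by_iface.items()}
    report["load_per_core"] = load_per_core(top_header, cpu_count)
    return report


if __name__ == "__main__":
    # cpu_count=4 matches the 'cpus=4' line in the lshw output above.
    stats = {"eth1": SNORT_STATS_ETH1, "eth3": SNORT_STATS_ETH3}
    for key, value in sensor_report(stats, TOP_HEADER, 4).items():
        print(key, value)
```

On a real sensor the file contents would come from `/nsm/sensor_data/<sensor>-eth1/snort.stats` rather than the constructed strings; the point of the check is that a drop rate this high means the engine is not seeing most of the traffic, so alert counts from that interface understate what crossed the wire.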