After running updates I am still not seeing any Shellshock signatures in Snorby.
Doug Burks
Please provide more information.
Are you getting alerts other than ShellShock?
Are you sure your sensor is seeing traffic that should generate
ShellShock alerts?
Have you verified that you have ShellShock rules enabled in
/etc/nsm/rules/downloaded.rules? What is the output of the following?
grep CVE-2014-6271 /etc/nsm/rules/downloaded.rules
Please run the following command:
sudo sostat-redacted
sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.
Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.
On Fri, Sep 26, 2014 at 1:55 PM, Rizwan Ahmed <ahmed....@gmail.com> wrote:
> After running updates with Soup, i a still not seeing Shellshock signature in Snorby.
>
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Rizwan Ahmed
> After running updates with Soup, i a still not seeing Shellshock signature in Snorby.
Yes, i am getting alerts other than Shellshock.
My sensor is working and seeing traffic.
There is no output when i run this command.
grep CVE-2014-6271 /etc/nsm/rules/downloaded.rules
Here is the output for sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: SO-user
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 4360 2 26 Sep 17:32:22
proxy proxy X.X.X.X running 4654 2 26 Sep 17:32:26
SO-server-eth0-1 worker X.X.X.X running 4814 2 26 Sep 17:32:31
Status: SO-server-eth0
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:75769 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33936058 (33.9 MB) TX bytes:0 (0.0 B)
Interrupt:21 Base address:0x2000
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17629 errors:0 dropped:0 overruns:0 frame:0
TX packets:20863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6400743 (6.4 MB) TX bytes:14693157 (14.6 MB)
Interrupt:20 Memory:fdfc0000-fdfe0000
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14636 errors:0 dropped:0 overruns:0 frame:0
TX packets:14636 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9661964 (9.6 MB) TX bytes:9661964 (9.6 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
9661964 14636 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
9661964 14636 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
33936058 75769 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
6400743 17629 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
14693157 20863 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 144G 14G 123G 10% /
udev 1.6G 4.0K 1.6G 1% /dev
tmpfs 326M 912K 325M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 1.6G 76K 1.6G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1046 avahi 12u IPv4 8677 0t0 UDP *:5353
avahi-dae 1046 avahi 13u IPv6 8678 0t0 UDP *:5353
avahi-dae 1046 avahi 14u IPv4 8679 0t0 UDP *:33779
avahi-dae 1046 avahi 15u IPv6 8680 0t0 UDP *:52740
cupsd 1065 root 8u IPv6 8670 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1065 root 9u IPv4 8671 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1221 root 3r IPv4 9080 0t0 TCP *:ssh_port (LISTEN)
sshd 1221 root 4u IPv6 9082 0t0 TCP *:ssh_port (LISTEN)
syslog-ng 1335 root 9u IPv4 9548 0t0 TCP *:514 (LISTEN)
syslog-ng 1335 root 10u IPv4 9549 0t0 UDP *:514
mysqld 1502 mysql 10u IPv4 12469 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1502 mysql 48u IPv4 73887 0t0 TCP X.X.X.X:3306->X.X.X.X:40252 (ESTABLISHED)
searchd 1528 sphinxsearch 7u IPv4 10787 0t0 TCP *:9306 (LISTEN)
searchd 1528 sphinxsearch 8u IPv4 10788 0t0 TCP *:9312 (LISTEN)
salt-mast 1529 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
salt-mini 1530 root 14u IPv4 12928 0t0 TCP X.X.X.X:44542->X.X.X.X:4505 (ESTABLISHED)
salt-mast 1608 root 27u IPv4 10968 0t0 TCP *:4505 (LISTEN)
salt-mast 1608 root 29u IPv4 13615 0t0 TCP X.X.X.X:4505->X.X.X.X:44542 (ESTABLISHED)
salt-mast 1612 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
salt-mast 1613 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
salt-mast 1618 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
salt-mast 1621 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
salt-mast 1626 root 19u IPv4 10972 0t0 TCP *:4506 (LISTEN)
ossec-csy 1651 ossecm 5u IPv4 11070 0t0 UDP X.X.X.X:43744->X.X.X.X:514
ruby1.9.1 1947 www-data 12u IPv4 300055 0t0 TCP X.X.X.X:35487 (LISTEN)
/usr/sbin 2286 root 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2286 root 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2286 root 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2286 root 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 2350 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2350 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2350 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2350 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 2351 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2351 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2351 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2351 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 2352 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2352 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2352 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2352 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 2353 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2353 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2353 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2353 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 2354 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 2354 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2354 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2354 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
ntpd 3202 ntp 16u IPv4 15697 0t0 UDP *:123
ntpd 3202 ntp 17u IPv6 15698 0t0 UDP *:123
ntpd 3202 ntp 18u IPv4 15704 0t0 UDP X.X.X.X:123
ntpd 3202 ntp 19u IPv4 15705 0t0 UDP X.X.X.X:123
ntpd 3202 ntp 20u IPv6 15706 0t0 UDP [X.X.X.X]:123
ntpd 3202 ntp 21u IPv6 15707 0t0 UDP [X.X.X.X]:123
/usr/sbin 4085 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 4085 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4085 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4085 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
tclsh 4199 root 13u IPv4 18868 0t0 TCP *:7734 (LISTEN)
tclsh 4199 root 14u IPv4 18869 0t0 TCP *:7736 (LISTEN)
tclsh 4199 root 15u IPv4 19988 0t0 TCP X.X.X.X:7736->X.X.X.X:45249 (ESTABLISHED)
tclsh 4199 root 16u IPv4 19059 0t0 TCP X.X.X.X:7736->X.X.X.X:45250 (ESTABLISHED)
tclsh 4199 root 17u IPv4 19339 0t0 TCP X.X.X.X:7736->X.X.X.X:45251 (ESTABLISHED)
tclsh 4199 root 18u IPv4 19340 0t0 TCP X.X.X.X:7736->X.X.X.X:45252 (ESTABLISHED)
tclsh 4199 root 19u IPv4 20517 0t0 TCP X.X.X.X:7736->X.X.X.X:45253 (ESTABLISHED)
tclsh 4199 root 20u IPv4 23632 0t0 TCP X.X.X.X:7736->X.X.X.X:45269 (ESTABLISHED)
tclsh 4199 root 21u IPv4 22742 0t0 TCP X.X.X.X:7736->X.X.X.X:45270 (ESTABLISHED)
tclsh 4238 root 3u IPv4 19036 0t0 TCP X.X.X.X:45249->X.X.X.X:7736 (ESTABLISHED)
tclsh 4238 root 7u IPv4 23631 0t0 TCP X.X.X.X:45269->X.X.X.X:7736 (ESTABLISHED)
tclsh 4238 root 8u IPv4 22741 0t0 TCP X.X.X.X:45270->X.X.X.X:7736 (ESTABLISHED)
bro 4360 root 4u IPv4 18629 0t0 UDP X.X.X.X:57803->X.X.X.X:53
bro 4506 root 0u IPv4 19742 0t0 TCP *:47761 (LISTEN)
bro 4506 root 1u IPv6 19743 0t0 TCP *:47761 (LISTEN)
bro 4506 root 2u IPv4 19888 0t0 TCP X.X.X.X:47761->X.X.X.X:34307 (ESTABLISHED)
bro 4506 root 4u IPv4 18629 0t0 UDP X.X.X.X:57803->X.X.X.X:53
bro 4506 root 157u IPv4 19982 0t0 TCP X.X.X.X:47761->X.X.X.X:34308 (ESTABLISHED)
bro 4654 root 4u IPv4 19846 0t0 UDP X.X.X.X:54182->X.X.X.X:53
bro 4665 root 0u IPv4 19887 0t0 TCP X.X.X.X:34307->X.X.X.X:47761 (ESTABLISHED)
bro 4665 root 1u IPv4 19894 0t0 TCP *:47762 (LISTEN)
bro 4665 root 2u IPv6 19895 0t0 TCP *:47762 (LISTEN)
bro 4665 root 4u IPv4 19846 0t0 UDP X.X.X.X:54182->X.X.X.X:53
bro 4665 root 221u IPv4 19035 0t0 TCP X.X.X.X:47762->X.X.X.X:49231 (ESTABLISHED)
bro 4814 root 4u IPv4 19971 0t0 UDP X.X.X.X:35963->X.X.X.X:53
bro 4829 root 0u IPv4 19979 0t0 TCP X.X.X.X:34308->X.X.X.X:47761 (ESTABLISHED)
bro 4829 root 1u IPv4 19983 0t0 TCP X.X.X.X:49231->X.X.X.X:47762 (ESTABLISHED)
bro 4829 root 2u IPv4 19986 0t0 TCP *:47763 (LISTEN)
bro 4829 root 4u IPv4 19971 0t0 UDP X.X.X.X:35963->X.X.X.X:53
bro 4829 root 221u IPv6 19987 0t0 TCP *:47763 (LISTEN)
tclsh 4858 root 3u IPv4 19998 0t0 TCP X.X.X.X:45250->X.X.X.X:7736 (ESTABLISHED)
tclsh 4858 root 4u IPv4 20001 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 4858 root 6u IPv4 73883 0t0 TCP X.X.X.X:8001->X.X.X.X:59799 (ESTABLISHED)
tclsh 4942 root 3u IPv4 20115 0t0 TCP X.X.X.X:45252->X.X.X.X:7736 (ESTABLISHED)
tclsh 4958 root 3u IPv4 19338 0t0 TCP X.X.X.X:45251->X.X.X.X:7736 (ESTABLISHED)
tclsh 4995 root 3u IPv4 20516 0t0 TCP X.X.X.X:45253->X.X.X.X:7736 (ESTABLISHED)
dema 5044 root 4u IPv4 20618 0t0 TCP *:30001 (LISTEN)
dema 5044 root 5u IPv6 20619 0t0 TCP *:30001 (LISTEN)
/usr/sbin 5117 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 5117 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5117 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5117 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 5118 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 5118 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5118 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5118 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 5119 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 5119 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5119 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5119 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
/usr/sbin 5120 www-data 4u IPv4 12699 0t0 TCP *:443 (LISTEN)
/usr/sbin 5120 www-data 5u IPv4 12702 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5120 www-data 6u IPv4 12704 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5120 www-data 7u IPv4 12708 0t0 TCP *:444 (LISTEN)
sshd 10499 root 3r IPv4 341191 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:20281 (ESTABLISHED)
barnyard2 14794 root 3u IPv4 73882 0t0 TCP X.X.X.X:59799->X.X.X.X:8001 (ESTABLISHED)
barnyard2 14794 root 4u IPv4 73886 0t0 TCP X.X.X.X:40252->X.X.X.X:3306 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Fri Sep 26 07:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
LOCAL_NIDS_RULE_TUNING is enabled.
This will cause PulledPork to use the existing rules in /opt/emergingthreats/
instead of downloading new rules from the Internet.
If you want PulledPork to download new rules from the Internet,
set the following in /etc/nsm/SO-user.conf:
LOCAL_NIDS_RULE_TUNING=no
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 2083 rules
Done
Setting Flowbit State....
Enabled 34 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----12901
Dropped Rules:----0
Disabled Rules:---5449
Total Rules:------18350
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
top - 18:30:36 up 1:00, 1 user, load average: 1.57, 1.17, 1.09
Tasks: 169 total, 4 running, 165 sleeping, 0 stopped, 0 zombie
Cpu(s): 11.9%us, 18.2%sy, 3.2%ni, 63.4%id, 3.3%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3330876k total, 2905488k used, 425388k free, 26592k buffers
Swap: 5061016k total, 208k used, 5060808k free, 1232728k cached
%CPU %MEM COMMAND
12.9 1.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
12.9 1.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
12.3 2.4 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
12.0 4.1 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
3.4 2.0 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
2.4 2.7 Rack: /opt/snorby
1.0 0.1 -bash
0.8 1.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.8 1.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.6 0.0 /var/ossec/bin/ossec-syscheckd
0.6 3.6 /usr/sbin/mysqld
0.5 6.5 snort -c /etc/nsm/SO-server-eth0/snort.conf -u sguil -g sguil -i eth0 -F /etc/nsm/SO-server-eth0/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U -m 112
0.3 2.9 delayed_job
0.2 1.2 tclsh /usr/bin/sguild -c /etc/nsm/SO-user/sguild.conf -a /etc/nsm/SO-user/autocat.conf -g /etc/nsm/SO-user/sguild.queries -A /etc/nsm/SO-user/sguild.access -C /etc/nsm/SO-user/certs
0.1 0.0 /var/ossec/bin/ossec-analysisd
0.1 1.2 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.2 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 PassengerHelperAgent
0.0 31.9 /usr/bin/searchd --nodetach
0.0 1.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.2 argus -i eth0 -F /etc/nsm/SO-server-eth0/argus.conf -w /nsm/sensor_data/SO-server-eth0/argus/2014-09-26.log
0.0 0.1 sshd: root@pts/0
0.0 0.1 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 1.1 /usr/bin/python /usr/bin/salt-master
0.0 1.1 /usr/bin/python /usr/bin/salt-master
0.0 1.1 /usr/bin/python /usr/bin/salt-master
0.0 1.1 /usr/bin/python /usr/bin/salt-master
0.0 1.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.2 prads -i eth0 -c /etc/nsm/SO-server-eth0/prads.conf -u sguil -g sguil -L /nsm/sensor_data/SO-server-eth0/sancp/ -f /nsm/sensor_data/SO-server-eth0/pads.fifo -b ip or (vlan and ip)
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 [kswapd0]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/1:2]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 /sbin/init
0.0 0.1 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 1.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/1]
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/0]
0.0 0.1 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth0/http_agent.conf -e /etc/nsm/SO-server-eth0/http_agent.exclude -f /nsm/bro/logs/current/http_eth0.log
0.0 0.1 ./dema -d /opt/xplico -b sqlite
0.0 0.0 /usr/sbin/irqbalance
0.0 0.3 /usr/sbin/apache2 -k start
0.0 0.0 [flush-8:0]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.1 tclsh /usr/bin/sguild -c /etc/nsm/SO-user/sguild.conf -a /etc/nsm/SO-user/autocat.conf -g /etc/nsm/SO-user/sguild.queries -A /etc/nsm/SO-user/sguild.access -C /etc/nsm/SO-user/certs
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.1 tclsh /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.2 Passenger spawn server
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/0:3]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [migration/0]
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.1 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth0/pads_agent.conf
0.0 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.1 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [migration/1]
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [kworker/u:4]
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 cron
0.0 0.1 lightdm --session-child 16 19
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 lightdm
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [kworker/u:3]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/1:3]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [hd-audio0]
0.0 0.0 [kpsmoused]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 su -c salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 supervising syslog-ng
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 su -c salt-master
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.5 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 PassengerWatchdog
0.0 0.1 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SENSOR; do echo -n "$SENSOR: "; RX1=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; sleep 600; RX2=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; expr $RX2 - $RX1; done
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SENSOR; do echo -n "$SENSOR: "; RX1=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; sleep 600; RX2=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; expr $RX2 - $RX1; done
0.0 0.0 sleep 600
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/SO-user/sguild.conf -a /etc/nsm/SO-user/autocat.conf -g /etc/nsm/SO-user/sguild.queries -A /etc/nsm/SO-user/sguild.access -C /etc/nsm/SO-user/certs
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 cat /nsm/sensor_data/SO-server-eth0/pads.fifo
0.0 0.0 tail -n 0 -F /nsm/bro/logs/current/http_eth0.log
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 7 days
32K .
4.0K ./2014-08-12
4.0K ./2014-08-18
4.0K ./2014-08-19
4.0K ./2014-08-20
4.0K ./2014-08-27
4.0K ./2014-09-05
4.0K ./2014-09-26
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .
/nsm/bro/logs/ - 46 days
384M .
2.7M ./2014-08-12
8.2M ./2014-08-13
8.4M ./2014-08-14
8.0M ./2014-08-15
7.4M ./2014-08-16
6.0M ./2014-08-17
7.6M ./2014-08-18
7.2M ./2014-08-19
7.4M ./2014-08-20
7.4M ./2014-08-21
6.6M ./2014-08-22
5.7M ./2014-08-23
6.0M ./2014-08-24
7.4M ./2014-08-25
9.2M ./2014-08-26
8.7M ./2014-08-27
9.9M ./2014-08-28
8.5M ./2014-08-29
5.5M ./2014-08-30
20M ./2014-08-31
6.1M ./2014-09-01
11M ./2014-09-02
9.1M ./2014-09-03
560K ./2014-09-04
2.4M ./2014-09-05
5.3M ./2014-09-06
4.8M ./2014-09-07
8.1M ./2014-09-08
7.7M ./2014-09-09
8.6M ./2014-09-10
9.2M ./2014-09-11
8.8M ./2014-09-12
6.5M ./2014-09-13
5.0M ./2014-09-14
8.3M ./2014-09-15
8.8M ./2014-09-16
8.9M ./2014-09-17
8.9M ./2014-09-18
8.5M ./2014-09-19
5.9M ./2014-09-20
5.3M ./2014-09-21
8.3M ./2014-09-22
9.6M ./2014-09-23
9.7M ./2014-09-24
15M ./2014-09-25
9.4M ./2014-09-26
30M ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth0-1: 1411756236.642189 recvd=74691 dropped=0 link=74691
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 2
Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/14914-eth0.8
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 50021
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098
/proc/net/pf_ring/4814-eth0.1
Appl. Name : bro-eth0
Tot Packets : 74691
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
17061
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
578 1:2014020 ET WEB_SERVER Wordpress Login Bruteforcing Detected
284 1:2406271 ET RBN Known Russian Business Network IP UDP (136)
185 1:2009714 ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt
129 1:2002997 ET WEB_SERVER PHP Remote File Inclusion (monster list http)
48 1:2012843 ET POLICY Cleartext WordPress Login
46 1:100000186 GPL WEB_SERVER WEB-PHP phpinfo access
31 1:2002677 ET SCAN Nikto Web App Scan in Progress
19 1:2001218 ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
17 1:2013057 ET WEB_SERVER Inbound PHP User-Agent
14 1:2009702 ET POLICY DNS Update From External net
11 1:2101245 GPL EXPLOIT ISAPI .idq access
10 1:2101201 GPL WEB_SERVER 403 Forbidden
9 1:2100977 GPL EXPLOIT .cnf access
9 1:2101402 GPL EXPLOIT iissamples access
8 1:2100987 GPL EXPLOIT .htr access
8 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
8 1:2406002 ET RBN Known Russian Business Network IP TCP (2)
8 1:2406623 ET RBN Known Russian Business Network IP UDP (312)
7 10000:1 PADS New Asset - unknown @domain
6 1:2406197 ET RBN Known Russian Business Network IP UDP (99)
5 1:2406377 ET RBN Known Russian Business Network IP UDP (189)
5 1:2101018 GPL EXPLOIT iisadmpwd attempt
5 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
5 1:2406223 ET RBN Known Russian Business Network IP UDP (112)
5 1:2406415 ET RBN Known Russian Business Network IP UDP (208)
4 1:2406708 ET RBN Known Russian Business Network IP TCP (355)
4 1:2406144 ET RBN Known Russian Business Network IP TCP (73)
4 1:2101244 GPL EXPLOIT ISAPI .idq attempt
3 1:2006446 ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT
3 1:2406322 ET RBN Known Russian Business Network IP TCP (162)
3 1:2009361 ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
3 1:2101616 GPL DNS named version attempt
3 1:2004589 ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php
3 1:2006445 ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
3 1:2101129 GPL WEB_SERVER .htaccess access
3 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
3 1:2100993 GPL WEB_SERVER iisadmin access
3 1:2101242 GPL EXPLOIT ISAPI .ida access
3 1:2006609 ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT
3 1:2406003 ET RBN Known Russian Business Network IP UDP (2)
2 1:2101145 GPL WEB_SERVER /~root access
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2010766 ET POLICY Proxy TRACE Request - inbound
2 1:2001219 ET SCAN Potential SSH Scan
2 1:2402000 ET DROP Dshield Block Listed Source
2 1:2102056 GPL WEB_SERVER TRACE attempt
2 1:2406821 ET RBN Known Russian Business Network IP UDP (411)
2 1:2406275 ET RBN Known Russian Business Network IP UDP (138)
1 1:2011142 ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)
1 1:2001949 ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt
1 1:2100965 GPL WEB_SERVER writeto.cnf access
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10
1 1:2100952 GPL WEB_SERVER author.exe access
1 1:2406154 ET RBN Known Russian Business Network IP TCP (78)
1 1:100000429 GPL WEB_SERVER WEB-MISC JBoss web-console access
1 1:2101877 GPL WEB_SERVER printenv access
1 1:2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
1 1:2001343 ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C
1 1:2406337 ET RBN Known Russian Business Network IP UDP (169)
1 1:2403304 ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP)
1 1:2011143 ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)
1 1:2406323 ET RBN Known Russian Business Network IP UDP (162)
1 1:2011141 ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
1 10000:2 PADS Changed Asset - ssh OpenSSH 6.2 (Protocol 2.0)
1 1:2101401 GPL EXPLOIT /msadc/samples/ access
1 1:2100958 GPL WEB_SERVER service.cnf access
1 1:2101016 GPL WEB_SERVER global.asa access
1 1:2101108 GPL WEB_SERVER Tomcat server snoop access
1 10000:2 PADS Changed Asset - domain DNS SQR No Such Name
1 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
1 1:2101013 GPL EXPLOIT fpcount access
1 1:2016016 ET CURRENT_EVENTS DNS Amplification Attack Inbound
1 1:2011144 ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)
1 1:2406398 ET RBN Known Russian Business Network IP TCP (200)
1 1:2101071 GPL WEB_SERVER .htpasswd access
1 1:2100961 GPL WEB_SERVER services.cnf access
1 1:2406169 ET RBN Known Russian Business Network IP UDP (85)
1 1:2002731 ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
1 1:2406145 ET RBN Known Russian Business Network IP UDP (73)
1 1:2101256 GPL EXPLOIT CodeRed v2 root.exe access
1 1:2004592 ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
1 1:2101487 GPL EXPLOIT /iisadmpwd/aexp2.htr access
1 1:2406711 ET RBN Known Russian Business Network IP UDP (356)
Total
1562
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
3264 1:2406271 ET RBN Known Russian Business Network IP UDP (136)
2147 1:2014020 ET WEB_SERVER Wordpress Login Bruteforcing Detected
2093 1:2012843 ET POLICY Cleartext WordPress Login
1779 1:2002997 ET WEB_SERVER PHP Remote File Inclusion (monster list http)
1180 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
762 1:2406623 ET RBN Known Russian Business Network IP UDP (312)
735 1:2009702 ET POLICY DNS Update From External net
490 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
484 1:2009714 ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt
433 1:2013057 ET WEB_SERVER Inbound PHP User-Agent
404 10000:1 PADS New Asset - unknown @domain
249 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
148 1:2016016 ET CURRENT_EVENTS DNS Amplification Attack Inbound
133 1:2101201 GPL WEB_SERVER 403 Forbidden
111 1:2406376 ET RBN Known Russian Business Network IP TCP (189)
101 1:2406415 ET RBN Known Russian Business Network IP UDP (208)
93 1:2015709 ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html
90 1:2406223 ET RBN Known Russian Business Network IP UDP (112)
86 1:2406377 ET RBN Known Russian Business Network IP UDP (189)
80 10000:2 PADS Changed Asset - unknown @domain
79 10000:2 PADS Changed Asset - domain DNS SQR No Such Name
69 1:2406337 ET RBN Known Russian Business Network IP UDP (169)
65 1:2406177 ET RBN Known Russian Business Network IP UDP (89)
63 1:2100257 GPL DNS named version attempt
63 1:100000186 GPL WEB_SERVER WEB-PHP phpinfo access
60 1:2002731 ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
50 1:2406197 ET RBN Known Russian Business Network IP UDP (99)
41 1:2010920 ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)
38 1:2001218 ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
38 1:2406322 ET RBN Known Russian Business Network IP TCP (162)
38 1:2406524 ET RBN Known Russian Business Network IP TCP (263)
37 1:2101402 GPL EXPLOIT iissamples access
36 1:2402000 ET DROP Dshield Block Listed Source
33 1:2406849 ET RBN Known Russian Business Network IP UDP (425)
31 1:2001795 ET DOS Excessive SMTP MAIL-FROM DDoS
31 1:2101649 GPL WEB_SERVER perl command attempt
31 1:2002677 ET SCAN Nikto Web App Scan in Progress
31 1:2406669 ET RBN Known Russian Business Network IP UDP (335)
27 1:2009361 ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
26 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
26 1:2406866 ET RBN Known Russian Business Network IP TCP (434)
26 1:2406000 ET RBN Known Russian Business Network IP TCP (1)
26 1:2016992 ET WEB_SERVER WebShell Generic - *.tar.gz in POST body
26 1:2012936 ET SCAN ZmEu Scanner User-Agent Inbound
24 1:2406821 ET RBN Known Russian Business Network IP UDP (411)
24 1:2406409 ET RBN Known Russian Business Network IP UDP (205)
24 1:2101245 GPL EXPLOIT ISAPI .idq access
23 1:2406002 ET RBN Known Russian Business Network IP TCP (2)
22 1:2008411 ET TROJAN LDPinch SMTP Password Report with mail client The Bat!
20 1:2404117 ET CNC ZeusTracker/SpyeyeTracker Reported CnC Server UDP (group 9)
Total
17005
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
24569 URL senet-int.com
6422 URL www.senet-int.com
271 URL us.archive.ubuntu.com
67 URL security.ubuntu.com
26 URL game-sec.com
16 URL extras.ubuntu.com
12 URL dns1.senet-int.com
11 URL dns1.game-sec.com
9 URL X.X.X.X
7 URL rest.akismet.com
7 URL ppa.launchpad.net
5 URL X.X.X.X
4 URL api.wordpress.org
4 URL wordpress.org
2 URL (empty)
1 URL () {
1 URL Nikto
1 URL changelogs.ubuntu.com
1 URL planet.wordpress.org
Total
31436
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
578 1:2014020 ET WEB_SERVER Wordpress Login Bruteforcing Detected
284 1:2406271 ET RBN Known Russian Business Network IP UDP (136)
185 1:2009714 ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt
129 1:2002997 ET WEB_SERVER PHP Remote File Inclusion (monster list http)
48 1:2012843 ET POLICY Cleartext WordPress Login
46 1:100000186 GPL WEB_SERVER WEB-PHP phpinfo access
31 1:2002677 ET SCAN Nikto Web App Scan in Progress
19 1:2001218 ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
17 1:2013057 ET WEB_SERVER Inbound PHP User-Agent
14 1:2009702 ET POLICY DNS Update From External net
11 1:2101245 GPL EXPLOIT ISAPI .idq access
10 1:2101201 GPL WEB_SERVER 403 Forbidden
9 1:2100977 GPL EXPLOIT .cnf access
9 1:2101402 GPL EXPLOIT iissamples access
8 1:2406623 ET RBN Known Russian Business Network IP UDP (312)
8 1:2406002 ET RBN Known Russian Business Network IP TCP (2)
8 1:2100987 GPL EXPLOIT .htr access
8 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
6 1:2406197 ET RBN Known Russian Business Network IP UDP (99)
5 1:2406377 ET RBN Known Russian Business Network IP UDP (189)
5 1:2101018 GPL EXPLOIT iisadmpwd attempt
5 1:2406415 ET RBN Known Russian Business Network IP UDP (208)
5 1:2406223 ET RBN Known Russian Business Network IP UDP (112)
5 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
4 1:2406144 ET RBN Known Russian Business Network IP TCP (73)
4 1:2101244 GPL EXPLOIT ISAPI .idq attempt
4 1:2406708 ET RBN Known Russian Business Network IP TCP (355)
3 1:2101129 GPL WEB_SERVER .htaccess access
3 1:2101242 GPL EXPLOIT ISAPI .ida access
3 1:2100993 GPL WEB_SERVER iisadmin access
3 1:2009361 ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
3 1:2010963 ET WEB_SERVER SELECT USER SQL Injection Attempt in URI
3 1:2006609 ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT
3 1:2006446 ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT
3 1:2006445 ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
3 1:2004589 ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php
3 1:2101616 GPL DNS named version attempt
3 1:2406003 ET RBN Known Russian Business Network IP UDP (2)
3 1:2406322 ET RBN Known Russian Business Network IP TCP (162)
2 1:2402000 ET DROP Dshield Block Listed Source
2 1:2101145 GPL WEB_SERVER /~root access
2 1:2010766 ET POLICY Proxy TRACE Request - inbound
2 1:2102056 GPL WEB_SERVER TRACE attempt
2 1:2406275 ET RBN Known Russian Business Network IP UDP (138)
2 1:2406821 ET RBN Known Russian Business Network IP UDP (411)
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2001219 ET SCAN Potential SSH Scan
1 1:2403304 ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP)
1 1:2101071 GPL WEB_SERVER .htpasswd access
1 1:2001343 ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C
1 1:2101256 GPL EXPLOIT CodeRed v2 root.exe access
1 1:100000429 GPL WEB_SERVER WEB-MISC JBoss web-console access
1 1:2101016 GPL WEB_SERVER global.asa access
1 1:2101401 GPL EXPLOIT /msadc/samples/ access
1 1:2001949 ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt
1 1:2004592 ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php
1 1:2101877 GPL WEB_SERVER printenv access
1 1:2101108 GPL WEB_SERVER Tomcat server snoop access
1 1:2002731 ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
1 1:2100952 GPL WEB_SERVER author.exe access
1 1:2100958 GPL WEB_SERVER service.cnf access
1 1:2100961 GPL WEB_SERVER services.cnf access
1 1:2100965 GPL WEB_SERVER writeto.cnf access
1 1:2011141 ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)
1 1:2011144 ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)
1 1:2011142 ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)
1 1:2011143 ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)
1 1:2101013 GPL EXPLOIT fpcount access
1 1:2101487 GPL EXPLOIT /iisadmpwd/aexp2.htr access
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 1:2406154 ET RBN Known Russian Business Network IP TCP (78)
1 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
1 1:2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
1 1:2406145 ET RBN Known Russian Business Network IP UDP (73)
1 1:2406169 ET RBN Known Russian Business Network IP UDP (85)
1 1:2406398 ET RBN Known Russian Business Network IP TCP (200)
1 1:2406323 ET RBN Known Russian Business Network IP UDP (162)
1 1:2016016 ET CURRENT_EVENTS DNS Amplification Attack Inbound
1 1:2406711 ET RBN Known Russian Business Network IP UDP (356)
1 1:2406337 ET RBN Known Russian Business Network IP UDP (169)
Total
1550
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
4285 1:2406271 ET RBN Known Russian Business Network IP UDP (136)
4080 1:2012843 ET POLICY Cleartext WordPress Login
2339 1:2014020 ET WEB_SERVER Wordpress Login Bruteforcing Detected
2046 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
1779 1:2002997 ET WEB_SERVER PHP Remote File Inclusion (monster list http)
1149 1:2009702 ET POLICY DNS Update From External net
929 1:2406623 ET RBN Known Russian Business Network IP UDP (312)
630 1:2013057 ET WEB_SERVER Inbound PHP User-Agent
501 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
484 1:2009714 ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt
477 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
226 1:2016016 ET CURRENT_EVENTS DNS Amplification Attack Inbound
165 1:2406415 ET RBN Known Russian Business Network IP UDP (208)
151 1:2101201 GPL WEB_SERVER 403 Forbidden
129 1:2406223 ET RBN Known Russian Business Network IP UDP (112)
127 1:2406376 ET RBN Known Russian Business Network IP TCP (189)
109 1:2406377 ET RBN Known Russian Business Network IP UDP (189)
106 1:2520526 ET TOR Known Tor Exit Node TCP Traffic (264)
93 1:2101616 GPL DNS named version attempt
93 1:2015709 ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html
89 1:2406177 ET RBN Known Russian Business Network IP UDP (89)
86 1:2100366 GPL ICMP_INFO PING *NIX
75 1:2100368 GPL ICMP_INFO PING BSDtype
73 1:2406337 ET RBN Known Russian Business Network IP UDP (169)
73 1:2520806 ET TOR Known Tor Exit Node TCP Traffic (404)
67 1:2012936 ET SCAN ZmEu Scanner User-Agent Inbound
65 1:2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
63 1:100000186 GPL WEB_SERVER WEB-PHP phpinfo access
62 1:2406197 ET RBN Known Russian Business Network IP UDP (99)
60 1:2002731 ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
53 1:2406849 ET RBN Known Russian Business Network IP UDP (425)
45 1:2402000 ET DROP Dshield Block Listed Source
41 1:2406669 ET RBN Known Russian Business Network IP UDP (335)
41 1:2406866 ET RBN Known Russian Business Network IP TCP (434)
41 1:2010920 ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)
39 1:2406002 ET RBN Known Russian Business Network IP TCP (2)
38 1:2406842 ET RBN Known Russian Business Network IP TCP (422)
38 1:2001218 ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt
38 1:2406322 ET RBN Known Russian Business Network IP TCP (162)
38 1:2406524 ET RBN Known Russian Business Network IP TCP (263)
37 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
37 1:2101402 GPL EXPLOIT iissamples access
36 1:2406000 ET RBN Known Russian Business Network IP TCP (1)
35 1:2001795 ET DOS Excessive SMTP MAIL-FROM DDoS
31 1:2406135 ET RBN Known Russian Business Network IP UDP (68)
31 1:2404117 ET CNC ZeusTracker/SpyeyeTracker Reported CnC Server UDP (group 9)
31 1:2101649 GPL WEB_SERVER perl command attempt
31 1:2002677 ET SCAN Nikto Web App Scan in Progress
27 1:2406871 ET RBN Known Russian Business Network IP UDP (436)
27 1:2406821 ET RBN Known Russian Business Network IP UDP (411)
Total
22712
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1334 supervising syslog-ng
1335 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1502 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1452 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 1964 Sep 26 18:30 /nsm/elsa/data/elsa/tmp/buffers/1411756222.35306
-rw-r--r-- 1 root root 12356 Sep 26 18:30 /nsm/elsa/data/elsa/tmp/buffers/1411756162.31923
-rw-r--r-- 1 root root 53806 Sep 26 18:29 /nsm/elsa/data/elsa/tmp/buffers/1411756102.28787
-rw-r--r-- 1 root root 36474 Sep 26 18:28 /nsm/elsa/data/elsa/tmp/buffers/1411756042.26486
-rw-r--r-- 1 root root 59965 Sep 26 18:27 /nsm/elsa/data/elsa/tmp/buffers/1411755982.24596
-rw-r--r-- 1 root root 20936 Sep 26 18:26 /nsm/elsa/data/elsa/tmp/buffers/1411755922.21144
-rw-r--r-- 1 root root 46530 Sep 26 18:25 /nsm/elsa/data/elsa/tmp/buffers/1411755862.1894
-rw-r--r-- 1 root root 66718 Sep 26 18:24 /nsm/elsa/data/elsa/tmp/buffers/1411755802.16601
-rw-r--r-- 1 root root 77682 Sep 26 18:23 /nsm/elsa/data/elsa/tmp/buffers/1411755742.14412
-rw-r--r-- 1 root root 43211 Sep 26 18:22 /nsm/elsa/data/elsa/tmp/buffers/1411755682.12068
-rw-r--r-- 1 root root 22594 Sep 26 18:21 /nsm/elsa/data/elsa/tmp/buffers/1411755622.08903
-rw-r--r-- 1 root root 51244 Sep 26 18:20 /nsm/elsa/data/elsa/tmp/buffers/1411755562.06684
-rw-r--r-- 1 root root 47169 Sep 26 18:19 /nsm/elsa/data/elsa/tmp/buffers/1411755502.04381
-rw-r--r-- 1 root root 64512 Sep 26 18:18 /nsm/elsa/data/elsa/tmp/buffers/1411755442.02154
-rw-r--r-- 1 root root 58375 Sep 26 18:17 /nsm/elsa/data/elsa/tmp/buffers/1411755382.00074
-rw-r--r-- 1 root root 24711 Sep 26 18:16 /nsm/elsa/data/elsa/tmp/buffers/1411755321.96093
-rw-r--r-- 1 root root 10803 Sep 26 18:15 /nsm/elsa/data/elsa/tmp/buffers/1411755261.92096
-rw-r--r-- 1 root root 40958 Sep 26 18:14 /nsm/elsa/data/elsa/tmp/buffers/1411755201.88887
-rw-r--r-- 1 root root 34919 Sep 26 18:13 /nsm/elsa/data/elsa/tmp/buffers/1411755141.86671
-rw-r--r-- 1 root root 74354 Sep 26 18:12 /nsm/elsa/data/elsa/tmp/buffers/1411755081.84519
-rw-r--r-- 1 root root 32491 Sep 26 18:11 /nsm/elsa/data/elsa/tmp/buffers/1411755021.82168
-rw-r--r-- 1 root root 44496 Sep 26 18:10 /nsm/elsa/data/elsa/tmp/buffers/1411754961.78977
-rw-r--r-- 1 root root 48592 Sep 26 18:09 /nsm/elsa/data/elsa/tmp/buffers/1411754901.76731
-rw-r--r-- 1 root root 59886 Sep 26 18:08 /nsm/elsa/data/elsa/tmp/buffers/1411754841.74465
-rw-r--r-- 1 root root 13996 Sep 26 18:07 /nsm/elsa/data/elsa/tmp/buffers/1411754781.71547
-rw-r--r-- 1 root root 31446 Sep 26 18:06 /nsm/elsa/data/elsa/tmp/buffers/1411754721.68425
-rw-r--r-- 1 root root 32043 Sep 26 18:05 /nsm/elsa/data/elsa/tmp/buffers/1411754661.63532
-rw-r--r-- 1 root root 18484 Sep 26 18:04 /nsm/elsa/data/elsa/tmp/buffers/1411754601.60583
-rw-r--r-- 1 root root 128459 Sep 26 18:03 /nsm/elsa/data/elsa/tmp/buffers/1411754541.56577
-rw-r--r-- 1 root root 112104 Sep 26 18:02 /nsm/elsa/data/elsa/tmp/buffers/1411754481.53496
-rw-r--r-- 1 root root 54366 Sep 26 18:01 /nsm/elsa/data/elsa/tmp/buffers/1411754421.5034
-rw-r--r-- 1 root root 34585 Sep 26 18:00 /nsm/elsa/data/elsa/tmp/buffers/1411754361.43086
-rw-r--r-- 1 root root 77724 Sep 26 17:59 /nsm/elsa/data/elsa/tmp/buffers/1411754301.40839
-rw-r--r-- 1 root root 31701 Sep 26 17:58 /nsm/elsa/data/elsa/tmp/buffers/1411754241.38531
-rw-r--r-- 1 root root 17928 Sep 26 17:57 /nsm/elsa/data/elsa/tmp/buffers/1411754181.36352
-rw-r--r-- 1 root root 87307 Sep 26 17:56 /nsm/elsa/data/elsa/tmp/buffers/1411754121.29017
-rw-r--r-- 1 root root 50281 Sep 26 17:55 /nsm/elsa/data/elsa/tmp/buffers/1411754061.26806
-rw-r--r-- 1 root root 73395 Sep 26 17:54 /nsm/elsa/data/elsa/tmp/buffers/1411754001.24577
-rw-r--r-- 1 root root 11956 Sep 26 17:53 /nsm/elsa/data/elsa/tmp/buffers/1411753941.22321
-rw-r--r-- 1 root root 61433 Sep 26 17:52 /nsm/elsa/data/elsa/tmp/buffers/1411753881.20032
-rw-r--r-- 1 root root 50550 Sep 26 17:51 /nsm/elsa/data/elsa/tmp/buffers/1411753821.15415
-rw-r--r-- 1 root root 46146 Sep 26 17:50 /nsm/elsa/data/elsa/tmp/buffers/1411753761.11678
-rw-r--r-- 1 root root 30147 Sep 26 17:49 /nsm/elsa/data/elsa/tmp/buffers/1411753701.08359
-rw-r--r-- 1 root root 36102 Sep 26 17:48 /nsm/elsa/data/elsa/tmp/buffers/1411753641.03587
-rw-r--r-- 1 root root 38285 Sep 26 17:47 /nsm/elsa/data/elsa/tmp/buffers/1411753581.01438
-rw-r--r-- 1 root root 12734 Sep 26 17:46 /nsm/elsa/data/elsa/tmp/buffers/1411753520.98396
-rw-r--r-- 1 root root 27695 Sep 26 17:45 /nsm/elsa/data/elsa/tmp/buffers/1411753460.95324
-rw-r--r-- 1 root root 61655 Sep 26 17:44 /nsm/elsa/data/elsa/tmp/buffers/1411753400.92287
-rw-r--r-- 1 root root 39629 Sep 26 17:43 /nsm/elsa/data/elsa/tmp/buffers/1411753340.88998
-rw-r--r-- 1 root root 45567 Sep 26 17:42 /nsm/elsa/data/elsa/tmp/buffers/1411753280.86811
-rw-r--r-- 1 root root 137413 Sep 26 17:41 /nsm/elsa/data/elsa/tmp/buffers/1411753220.83564
-rw-r--r-- 1 root root 44738 Sep 26 17:40 /nsm/elsa/data/elsa/tmp/buffers/1411753160.7879
-rw-r--r-- 1 root root 14636 Sep 26 17:39 /nsm/elsa/data/elsa/tmp/buffers/1411753100.74968
-rw-r--r-- 1 root root 27156 Sep 26 17:38 /nsm/elsa/data/elsa/tmp/buffers/1411753040.70964
-rw-r--r-- 1 root root 107641 Sep 26 17:37 /nsm/elsa/data/elsa/tmp/buffers/1411752980.66914
-rw-r--r-- 1 root root 45530 Sep 26 17:36 /nsm/elsa/data/elsa/tmp/buffers/1411752920.63601
-rw-r--r-- 1 root root 73323 Sep 26 17:35 /nsm/elsa/data/elsa/tmp/buffers/1411752860.5881
-rw-r--r-- 1 root root 69744 Sep 26 17:34 /nsm/elsa/data/elsa/tmp/buffers/1411752800.52904
-rw-r--r-- 1 root root 15410 Sep 26 17:29 /nsm/elsa/data/elsa/tmp/buffers/1411752552.92281
-rw-r--r-- 1 root root 46886 Sep 26 17:29 /nsm/elsa/data/elsa/tmp/buffers/1411752492.892
-rw-r--r-- 1 root root 48456 Sep 26 17:28 /nsm/elsa/data/elsa/tmp/buffers/1411752432.86037
-rw-r--r-- 1 root root 52772 Sep 26 17:27 /nsm/elsa/data/elsa/tmp/buffers/1411752372.82968
-rw-r--r-- 1 root root 78009 Sep 26 17:26 /nsm/elsa/data/elsa/tmp/buffers/1411752312.79845
-rw-r--r-- 1 root root 84782 Sep 26 17:25 /nsm/elsa/data/elsa/tmp/buffers/1411752252.72661
-rw-r--r-- 1 root root 82174 Sep 26 17:24 /nsm/elsa/data/elsa/tmp/buffers/1411752192.69356
-rw-r--r-- 1 root root 59976 Sep 26 17:23 /nsm/elsa/data/elsa/tmp/buffers/1411752132.67217
-rw-r--r-- 1 root root 158250 Sep 26 17:22 /nsm/elsa/data/elsa/tmp/buffers/1411752072.61542
-rw-r--r-- 1 root root 20211 Sep 26 17:17 /nsm/elsa/data/elsa/tmp/buffers/1411751836.07024
-rw-r--r-- 1 root root 42211 Sep 26 17:17 /nsm/elsa/data/elsa/tmp/buffers/1411751776.04738
-rw-r--r-- 1 root root 21537 Sep 26 17:16 /nsm/elsa/data/elsa/tmp/buffers/1411751716.02551
-rw-r--r-- 1 root root 34284 Sep 26 17:15 /nsm/elsa/data/elsa/tmp/buffers/1411751656.00278
-rw-r--r-- 1 root root 74539 Sep 26 17:14 /nsm/elsa/data/elsa/tmp/buffers/1411751595.98004
-rw-r--r-- 1 root root 72152 Sep 26 17:13 /nsm/elsa/data/elsa/tmp/buffers/1411751535.95818
-rw-r--r-- 1 root root 94033 Sep 26 17:12 /nsm/elsa/data/elsa/tmp/buffers/1411751475.90898
-rw-r--r-- 1 root root 58363 Sep 26 17:11 /nsm/elsa/data/elsa/tmp/buffers/1411751415.88622
-rw-r--r-- 1 root root 20501 Sep 26 17:10 /nsm/elsa/data/elsa/tmp/buffers/1411751355.85479
-rw-r--r-- 1 root root 42845 Sep 26 17:09 /nsm/elsa/data/elsa/tmp/buffers/1411751295.83258
-rw-r--r-- 1 root root 38555 Sep 26 17:08 /nsm/elsa/data/elsa/tmp/buffers/1411751235.81045
-rw-r--r-- 1 root root 46103 Sep 26 17:07 /nsm/elsa/data/elsa/tmp/buffers/1411751175.77836
-rw-r--r-- 1 root root 28126 Sep 26 17:06 /nsm/elsa/data/elsa/tmp/buffers/1411751115.75632
-rw-r--r-- 1 root root 28742 Sep 26 17:05 /nsm/elsa/data/elsa/tmp/buffers/1411751055.72701
-rw-r--r-- 1 root root 42177 Sep 26 17:04 /nsm/elsa/data/elsa/tmp/buffers/1411750995.69457
-rw-r--r-- 1 root root 39625 Sep 26 17:03 /nsm/elsa/data/elsa/tmp/buffers/1411750935.6641
-rw-r--r-- 1 root root 92084 Sep 26 17:02 /nsm/elsa/data/elsa/tmp/buffers/1411750875.63182
-rw-r--r-- 1 root root 41288 Sep 26 17:01 /nsm/elsa/data/elsa/tmp/buffers/1411750815.61046
-rw-r--r-- 1 root root 56851 Sep 26 17:00 /nsm/elsa/data/elsa/tmp/buffers/1411750755.5786
-rw-r--r-- 1 root root 49761 Sep 26 16:59 /nsm/elsa/data/elsa/tmp/buffers/1411750695.55556
-rw-r--r-- 1 root root 55870 Sep 26 16:58 /nsm/elsa/data/elsa/tmp/buffers/1411750635.53252
-rw-r--r-- 1 root root 81452 Sep 26 16:57 /nsm/elsa/data/elsa/tmp/buffers/1411750575.50957
-rw-r--r-- 1 root root 55858 Sep 26 16:56 /nsm/elsa/data/elsa/tmp/buffers/1411750515.48874
-rw-r--r-- 1 root root 51603 Sep 26 16:55 /nsm/elsa/data/elsa/tmp/buffers/1411750455.45651
-rw-r--r-- 1 root root 69888 Sep 26 16:54 /nsm/elsa/data/elsa/tmp/buffers/1411750395.43354
-rw-r--r-- 1 root root 51126 Sep 26 16:53 /nsm/elsa/data/elsa/tmp/buffers/1411750335.41094
-rw-r--r-- 1 root root 35797 Sep 26 16:52 /nsm/elsa/data/elsa/tmp/buffers/1411750275.36434
-rw-r--r-- 1 root root 95842 Sep 26 16:51 /nsm/elsa/data/elsa/tmp/buffers/1411750215.34114
-rw-r--r-- 1 root root 63523 Sep 26 16:50 /nsm/elsa/data/elsa/tmp/buffers/1411750155.31885
-rw-r--r-- 1 root root 39563 Sep 26 16:49 /nsm/elsa/data/elsa/tmp/buffers/1411750095.26462
-rw-r--r-- 1 root root 30904 Sep 26 16:48 /nsm/elsa/data/elsa/tmp/buffers/1411750035.22416
-rw-r--r-- 1 root root 89836 Sep 26 16:47 /nsm/elsa/data/elsa/tmp/buffers/1411749975.20164
-rw-r--r-- 1 root root 88507 Sep 26 16:46 /nsm/elsa/data/elsa/tmp/buffers/1411749915.18274
-rw-r--r-- 1 root root 36982 Sep 26 16:45 /nsm/elsa/data/elsa/tmp/buffers/1411749855.14861
-rw-r--r-- 1 root root 39049 Sep 26 16:44 /nsm/elsa/data/elsa/tmp/buffers/1411749795.12577
-rw-r--r-- 1 root root 28302 Sep 26 16:43 /nsm/elsa/data/elsa/tmp/buffers/1411749735.10368
-rw-r--r-- 1 root root 84435 Sep 26 16:42 /nsm/elsa/data/elsa/tmp/buffers/1411749675.07201
-rw-r--r-- 1 root root 18884 Sep 26 16:41 /nsm/elsa/data/elsa/tmp/buffers/1411749615.04192
-rw-r--r-- 1 root root 10069 Sep 26 16:40 /nsm/elsa/data/elsa/tmp/buffers/1411749555.01065
-rw-r--r-- 1 root root 18599 Sep 26 16:39 /nsm/elsa/data/elsa/tmp/buffers/1411749494.97906
-rw-r--r-- 1 root root 38311 Sep 26 16:38 /nsm/elsa/data/elsa/tmp/buffers/1411749434.94879
-rw-r--r-- 1 root root 58142 Sep 26 16:37 /nsm/elsa/data/elsa/tmp/buffers/1411749374.90987
-rw-r--r-- 1 root root 59330 Sep 26 16:36 /nsm/elsa/data/elsa/tmp/buffers/1411749314.87887
-rw-r--r-- 1 root root 56071 Sep 26 16:35 /nsm/elsa/data/elsa/tmp/buffers/1411749254.84782
-rw-r--r-- 1 root root 40672 Sep 26 16:34 /nsm/elsa/data/elsa/tmp/buffers/1411749194.8171
-rw-r--r-- 1 root root 116345 Sep 26 16:33 /nsm/elsa/data/elsa/tmp/buffers/1411749134.7701
-rw-r--r-- 1 root root 83412 Sep 26 16:32 /nsm/elsa/data/elsa/tmp/buffers/1411749074.7375
-rw-r--r-- 1 root root 162940 Sep 26 16:31 /nsm/elsa/data/elsa/tmp/buffers/1411749014.71666
-rw-r--r-- 1 root root 25098 Sep 26 16:30 /nsm/elsa/data/elsa/tmp/buffers/1411748954.68434
-rw-r--r-- 1 root root 105464 Sep 26 16:29 /nsm/elsa/data/elsa/tmp/buffers/1411748894.65331
-rw-r--r-- 1 root root 25572 Sep 26 16:28 /nsm/elsa/data/elsa/tmp/buffers/1411748834.62166
-rw-r--r-- 1 root root 23177 Sep 26 16:27 /nsm/elsa/data/elsa/tmp/buffers/1411748774.591
-rw-r--r-- 1 root root 62898 Sep 26 16:26 /nsm/elsa/data/elsa/tmp/buffers/1411748714.56005
-rw-r--r-- 1 root root 56081 Sep 26 16:25 /nsm/elsa/data/elsa/tmp/buffers/1411748654.52008
-rw-r--r-- 1 root root 46394 Sep 26 16:24 /nsm/elsa/data/elsa/tmp/buffers/1411748594.49088
-rw-r--r-- 1 root root 22383 Sep 26 16:23 /nsm/elsa/data/elsa/tmp/buffers/1411748534.43487
-rw-r--r-- 1 root root 88758 Sep 26 16:22 /nsm/elsa/data/elsa/tmp/buffers/1411748474.40693
-rw-r--r-- 1 root root 62036 Sep 26 16:21 /nsm/elsa/data/elsa/tmp/buffers/1411748414.31992
-rw-r--r-- 1 root root 5876 Sep 26 16:20 /nsm/elsa/data/elsa/tmp/buffers/1411748354.28953
-rw-r--r-- 1 root root 13833 Sep 26 16:19 /nsm/elsa/data/elsa/tmp/buffers/1411748294.25762
-rw-r--r-- 1 root root 73297 Sep 26 16:18 /nsm/elsa/data/elsa/tmp/buffers/1411748234.19297
-rw-r--r-- 1 root root 37012 Sep 26 16:17 /nsm/elsa/data/elsa/tmp/buffers/1411748174.16962
-rw-r--r-- 1 root root 69829 Sep 26 16:16 /nsm/elsa/data/elsa/tmp/buffers/1411748114.05633
-rw-r--r-- 1 root root 90379 Sep 26 16:15 /nsm/elsa/data/elsa/tmp/buffers/1411748053.63829
-rw-r--r-- 1 root root 87177 Sep 26 16:14 /nsm/elsa/data/elsa/tmp/buffers/1411747993.58682
-rw-r--r-- 1 root root 56948 Sep 26 16:13 /nsm/elsa/data/elsa/tmp/buffers/1411747933.5533
-rw-r--r-- 1 root root 60178 Sep 26 16:12 /nsm/elsa/data/elsa/tmp/buffers/1411747873.53226
-rw-r--r-- 1 root root 128620 Sep 26 16:11 /nsm/elsa/data/elsa/tmp/buffers/1411747813.49288
-rw-r--r-- 1 root root 78564 Sep 26 16:10 /nsm/elsa/data/elsa/tmp/buffers/1411747753.4556
-rw-r--r-- 1 root root 35046 Sep 26 16:09 /nsm/elsa/data/elsa/tmp/buffers/1411747693.38117
-rw-r--r-- 1 root root 106 Sep 26 16:08 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
-rw-r--r-- 1 root root 33845 Sep 26 16:08 /nsm/elsa/data/elsa/tmp/buffers/1411747633.32618
-rw-r--r-- 1 root root 8971 Sep 26 16:03 /nsm/elsa/data/elsa/tmp/buffers/1411747404.24022
ELSA Directory Sizes:
4.2G /nsm/elsa/data
32M /var/lib/mysql/syslog
383M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2014-08-12 21:00:37 2014-09-26 16:07:12
Doug Burks
This will cause PulledPork to use the existing rules in /opt/emergingthreats/
instead of downloading new rules from the Internet.
If you want PulledPork to download new rules from the Internet,
LOCAL_NIDS_RULE_TUNING=no
Then run:
sudo rule-update
Assuming that works correctly, then you should have ShellShock rules
in /etc/nsm/rules/downloaded.rules:
grep CVE-2014-6271 /etc/nsm/rules/downloaded.rules
I also noticed that your box is very low on RAM:
-rw-r--r-- 1 root root 1964 Sep 26 18:30
/nsm/elsa/data/elsa/tmp/buffers/1411756222.35306
-rw-r--r-- 1 root root 12356 Sep 26 18:30
/nsm/elsa/data/elsa/tmp/buffers/1411756162.31923
-rw-r--r-- 1 root root 53806 Sep 26 18:29
/nsm/elsa/data/elsa/tmp/buffers/1411756102.28787
-rw-r--r-- 1 root root 36474 Sep 26 18:28
/nsm/elsa/data/elsa/tmp/buffers/1411756042.26486
-rw-r--r-- 1 root root 59965 Sep 26 18:27
/nsm/elsa/data/elsa/tmp/buffers/1411755982.24596
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]
Rizwan Ahmed
Rizwan Ahmed
Doug Burks
ShellShock alerts?
https://github.com/broala/bro-shellshock/raw/master/exploit.pcap
Rizwan Ahmed
Doug Burks
Greg Williams
> Yes...in theory :)
I can definitely verify they work ;)
I have over 500 alerts on it within the past 2 days.