Currently I have 32GB of RAM and a 12-core virtual processor configured, and Bro, Snort and the interface (eth1 is the sniffing interface) all see dropped packets. I am doing a port span to a dedicated uplink port on the ESX host. I know the disk space is low, but that is why I am doing this: if I can get the performance locked in, I get approval for more disks.
Is this virtual machine just not powerful enough to monitor a 100Mb link? Any ideas?
##SOSTAT REDACTED BELOW###
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 5895 2 01 Aug 20:10:07
proxy proxy X.X.X.X running 6054 2 01 Aug 20:10:09
infosec-virtual-machine-eth1-1 worker X.X.X.X running 6209 2 01 Aug 20:10:11
Status: infosec-virtual-machine-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:843 errors:0 dropped:0 overruns:0 frame:0
TX packets:933 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:127510 (127.5 KB) TX bytes:110748 (110.7 KB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:9718161 errors:0 dropped:204 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5016209890 (5.0 GB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:27030 errors:0 dropped:0 overruns:0 frame:0
TX packets:27030 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:92648780 (92.6 MB) TX bytes:92648780 (92.6 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
92648780 27030 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
92648780 27030 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
127510 843 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
110748 933 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
5016212808 9718178 0 204 0 34495
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 75G 31G 41G 44% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 756K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 84K 16G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
top - 20:21:08 up 11 min, 2 users, load average: 3.67, 2.96, 1.68
Tasks: 252 total, 7 running, 244 sleeping, 0 stopped, 1 zombie
Cpu(s): 16.1%us, 8.0%sy, 0.9%ni, 73.4%id, 1.0%wa, 0.0%hi, 0.6%si, 0.0%st
Mem: 32949964k total, 8245600k used, 24704364k free, 53528k buffers
Swap: 20666208k total, 0k used, 20666208k free, 5495712k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
6209 root 20 0 308m 242m 69m R 101 0.8 6:44.55 bro
6318 sguil 20 0 551m 249m 10m R 101 0.8 10:08.34 snort
8675 root 20 0 245m 58m 3904 R 101 0.2 0:01.43 perl
5018 root 20 0 252m 196m 69m R 99 0.6 6:53.41 bro
4530 root 25 5 97816 24m 1132 S 12 0.1 1:43.92 bro
4857 root 25 5 95768 23m 1140 R 12 0.1 1:37.98 bro
6062 root 25 5 89624 23m 1084 S 12 0.1 1:20.96 bro
5025 root 25 5 147m 88m 65m S 10 0.3 1:31.49 bro
5904 root 25 5 87544 23m 980 S 10 0.1 1:17.30 bro
6220 root 25 5 145m 88m 65m S 10 0.3 1:25.83 bro
5064 sguil 20 0 170m 144m 128m S 8 0.4 1:07.81 netsniff-ng
4522 root 20 0 266m 40m 4836 S 6 0.1 0:16.32 bro
1615 root 20 0 214m 42m 3900 S 2 0.1 0:11.73 perl
6054 root 20 0 95772 27m 4748 S 2 0.1 0:09.61 bro
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/infosec-virtual-machine-eth1/dailylogs/ - 1 days
26G .
26G ./2014-08-01
/nsm/bro/logs/ - 1 days
47M .
47M ./2014-08-01
192K ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.002620
infosec-virtual-machine-eth1-1: 1406924469.023871 recvd=4770957 dropped=125 link=4770957
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-1.stats last reported pkt_drop_percent as 52.939
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 3
Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 1363
/proc/net/pf_ring/5018-eth1.1
Appl. Name : <unknown>
Tot Packets : 4780143
Tot Pkt Lost : 125
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151
/proc/net/pf_ring/6209-eth1.2
Appl. Name : <unknown>
Tot Packets : 3846194
Tot Pkt Lost : 99
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151
/proc/net/pf_ring/6318-eth1.4
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 8331586
Tot Pkt Lost : 4387817
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 0
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
8954
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
REMOVE BY ME
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
REMOVED
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1413 supervising syslog-ng
1414 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1562 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1482 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 4398029 Aug 1 20:21 /nsm/elsa/data/elsa/tmp/buffers/1406924440.48696
-rw-r--r-- 1 root root 166 Aug 1 20:21 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
-rw-r--r-- 1 root root 6526431 Aug 1 20:08 /nsm/elsa/data/elsa/tmp/buffers/1406923658.17461
ELSA Directory Sizes:
799M /nsm/elsa/data
280K /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Log Node SSH Tunnels:
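Reading the pf_ring block above: the ratio Tot Pkt Lost / Tot Packets per ring gives roughly the 0.0026% Bro reports and the ~53% snort.stats reports, and the snort ring is the only one with Num Free Slots at 0. The following is an added example, not part of the original post or of sostat, that parses those ring blocks (values copied from the dump above) and flags a ring that is exhausted or above a loss threshold.

```python
"""Turn the per-ring block of sostat's "pf_ring stats" section into loss figures.

Added example, not part of the original post or of sostat itself. The input is the
three ring blocks from the dump above, copied verbatim into a string.
"""
import re

# Ring blocks as printed by sostat (values taken from the post above).
PF_RING_STATS = """\
/proc/net/pf_ring/5018-eth1.1
Appl. Name : <unknown>
Tot Packets : 4780143
Tot Pkt Lost : 125
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151
/proc/net/pf_ring/6209-eth1.2
Appl. Name : <unknown>
Tot Packets : 3846194
Tot Pkt Lost : 99
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 8151
Num Free Slots : 8151
/proc/net/pf_ring/6318-eth1.4
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 8331586
Tot Pkt Lost : 4387817
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 0
"""

RING_HEADER = re.compile(r"^/proc/net/pf_ring/(?P<pid>\d+)-(?P<iface>\S+)$")


def parse_pf_ring(text):
    """Split the block into one dict per ring: {'pid', 'iface', '<field>': '<value>', ...}."""
    rings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = RING_HEADER.match(line)
        if header:
            current = {"pid": int(header["pid"]), "iface": header["iface"]}
            rings.append(current)
            continue
        if current is None or ":" not in line:
            continue  # global lines before the first ring (Ring slots, etc.) are ignored
        # Fields are "<name> : <value>"; split on the last colon so
        # "TX: Send Errors : 0" keeps its whole name.
        key, _, value = line.rpartition(":")
        current[key.strip()] = value.strip()
    return rings


def ring_loss(ring, alarm_pct=1.0):
    """Loss percentage for one ring plus the two signals worth alarming on."""
    total = int(ring.get("Tot Packets", 0))
    lost = int(ring.get("Tot Pkt Lost", 0))
    free_slots = int(ring.get("Num Free Slots", 0))
    loss_pct = 100.0 * lost / total if total else 0.0
    return {
        "pid": ring["pid"],
        "iface": ring["iface"],
        "app": ring.get("Appl. Name", "<unknown>"),
        "recvd": total,
        "lost": lost,
        "loss_pct": loss_pct,
        # No free slots means the consumer is not draining the ring: packets are
        # being dropped right now, whatever the cumulative percentage says.
        "ring_full": free_slots == 0,
        "alarm": free_slots == 0 or loss_pct >= alarm_pct,
    }


def analyze(text, alarm_pct=1.0):
    """Loss report for every ring in a pf_ring stats block."""
    return [ring_loss(r, alarm_pct) for r in parse_pf_ring(text)]


def worst_ring(text):
    """The ring with the highest loss, or None when the block has no rings."""
    results = analyze(text)
    return max(results, key=lambda r: r["loss_pct"]) if results else None


if __name__ == "__main__":
    for r in analyze(PF_RING_STATS):
        flag = "ALARM" if r["alarm"] else "ok"
        print(f"{flag:5} pid={r['pid']} {r['app']}: lost {r['lost']} of {r['recvd']} "
              f"({r['loss_pct']:.4f}%), ring full={r['ring_full']}")
```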
My setup:
24GB RAM
8 vCPUs
8 Snort processes
4 Bro worker processes
Snort signatures reduced to <7000 (should probably go lower)
Snort raw IP-list signatures disabled (ciarmy, ET Compromised, DShield, etc)
I'm also filtering out all Netflix and YouTube traffic before it hits SO.
After this tuning, I'm at zero packet loss.
You are correct, I am only running one instance of Bro and Snort. It's good to hear you were able to tune this and get better performance.
When I get back into the office on Monday, I'll make these changes and see what I get. I am also going to filter out Pandora/Netflix/YouTube traffic; that's a great idea. I'm curious how you did your filtering: BPF, or something sitting in front of SO?
I'm starting to tune this thing today and had a question on rules:
1. How in the world are you guys tuning your Snort signatures to < 7000? I see they are all in one big downloaded.rules file. I'm not seeing the classic way of disabling categories that we had with Snort when I used it years back. Is there a way to bulk disable unneeded rules? If so, how?
Hi
Have you seen https://code.google.com/p/security-onion/wiki/ManagingAlerts#Disable_the_sid? This can also be used to disable whole categories.
Regards,
Lysemose
# example disablesid.conf V3.1
# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013
# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+
# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.
I posted a thread about a list of PCRE that can be used here:
Thanks for the response. But it's not clear to me. I have seen that link, but I took that as needing to know each sid you wanted to disable. I need to knock out big chunks of unneeded rules to get from 16k enabled rules down to less than 7k.
So I was hoping for a way to do what I had done a few years back with Snort, and that was to disable the rules from even loading in snort.conf, such as:
#policy.rules
#scada.rules
#finger.rules
If they are all in one big file, how do I know which category they belong to?
I posted some commands here to display a sorted summary of enabled and disabled signatures:
https://groups.google.com/forum/m/#!search/%22showenabled%22/security-onion/KZwsWSjsCi4
For example, we have no PHP in our environment, so I disabled all the PHP-related web server signatures. That step alone gets rid of thousands of signatures. Disabling the raw IP-list signatures gets rid of hundreds of signatures that are among the most resource-intensive, too.
Hi
The most comprehensive list of categories you can get is from the snort.conf file, http://labs.snort.org/snort/2961/snort.conf.
See Step #7.
Then in your disablesid.conf, to disable all PHP-related rules, add the following: web-php
Regards,
Lysemose
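The two operations discussed in the last few posts, a per-category count of enabled versus disabled signatures and a disablesid.conf pass over a merged rules file, as an added example. This is not PulledPork or Security Onion code; it implements the disablesid.conf syntax from the sample above (gid:sid, gid:sid ranges, categories, cve:/bugtraq: references, MSxx-xxx bulletins and pcre:) over a constructed downloaded.rules-style text. Because a merged file no longer carries the original rule-file name, the category of each rule is approximated from its msg prefix ("WEB-PHP ..." becomes VRT-web-php, "ET SHELLCODE ..." becomes ET-shellcode); that mapping, the sample rules and the sample disablesid.conf are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a merged downloaded.rules (not real rule text).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpinfo access"; content:"phpinfo.php"; classtype:web-application-activity; sid:1487; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; classtype:web-application-attack; sid:1002; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; content:"|E8 00 00 00 00|"; classtype:shellcode-detect; sid:2012086; rev:2;)
alert ip [1.2.3.4,5.6.7.8] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; classtype:misc-attack; sid:2403300; rev:1000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft SMB2 negotiate request"; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; classtype:attempted-dos; sid:15000; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftp bad file completion attempt"; content:"~"; classtype:misc-attack; sid:225; rev:5;)
"""

# Constructed disablesid.conf using the syntax from the PulledPork sample above.
SAMPLE_DISABLESID = """\
# whole category, a gid:sid range, a CVE reference, a free-form pcre
VRT-web-php
1:220-1:230,cve:2009-0233
pcre:Poor Reputation IP
"""

RULE_RE = re.compile(r'^(?P<off>\s*#\s*)?(?P<body>(?:alert|drop|log|pass)\s.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')


def category_of(msg):
    """Approximate PulledPork category names from the msg prefix (assumption)."""
    words = msg.split()
    if not words:
        return 'unknown'
    if words[0] in ('ET', 'GPL') and len(words) > 1:
        return '%s-%s' % (words[0], words[1].lower())
    return 'VRT-' + words[0].lower()


def parse_rules(text):
    """One dict per rule line: gid, sid, msg, category, enabled flag and raw line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group('body')) if m else None
        if not sid:
            continue                      # blank lines and ordinary comments
        gid, msg = GID_RE.search(line), MSG_RE.search(line)
        msg = msg.group(1) if msg else ''
        rules.append({'gid': int(gid.group(1)) if gid else 1, 'sid': int(sid.group(1)),
                      'msg': msg, 'category': category_of(msg),
                      'enabled': m.group('off') is None, 'line': line})
    return rules


def summarize(rules):
    """[(category, enabled, disabled)] sorted with the biggest enabled count first."""
    counts = defaultdict(lambda: [0, 0])
    for r in rules:
        counts[r['category']][0 if r['enabled'] else 1] += 1
    return sorted(((c, e, d) for c, (e, d) in counts.items()), key=lambda t: -t[1])


def _predicate(item):
    """Map one disablesid.conf token to a function over a parsed rule."""
    if item.lower().startswith('pcre:'):             # regex over the whole rule text
        rx = re.compile(item[5:], re.I)
        return lambda r: bool(rx.search(r['line']))
    m = re.match(r'^(\d+):(\d+)-(\d+):(\d+)$', item)   # gid:sid-gid:sid range
    if m:
        g1, s1, g2, s2 = map(int, m.groups())
        return lambda r: g1 <= r['gid'] <= g2 and s1 <= r['sid'] <= s2
    m = re.match(r'^(\d+):(\d+)$', item)               # single gid:sid
    if m:
        gid, sid = int(m.group(1)), int(m.group(2))
        return lambda r: (r['gid'], r['sid']) == (gid, sid)
    m = re.match(r'^(cve|bugtraq):(.+)$', item, re.I)  # matches reference:cve,<regex>;
    if m:
        rx = re.compile(r'reference:\s*%s\s*,\s*%s\s*;' % m.groups(), re.I)
        return lambda r: bool(rx.search(r['line']))
    if re.match(r'^MS\d{2}-', item, re.I):             # MSyy-nnn, regex allowed after the dash
        rx = re.compile(item, re.I)
        return lambda r: bool(rx.search(r['line']))
    return lambda r, cat=item.lower(): r['category'].lower() == cat


def parse_disablesid(conf):
    """Comma- or newline-separated tokens, '#' comments stripped, to predicates."""
    tokens = []
    for line in conf.splitlines():
        tokens += [t.strip() for t in line.split('#', 1)[0].split(',') if t.strip()]
    return [_predicate(t) for t in tokens]


def apply_disablesid(rules_text, conf):
    """Return (rewritten rules text, sorted sids newly commented out)."""
    preds = parse_disablesid(conf)
    by_line = {r['line']: r for r in parse_rules(rules_text)}
    out, disabled = [], []
    for line in rules_text.splitlines():
        r = by_line.get(line)
        if r and r['enabled'] and any(p(r) for p in preds):
            out.append('# ' + line)       # same convention PulledPork uses: comment the rule out
            disabled.append(r['sid'])
        else:
            out.append(line)
    return '\n'.join(out) + '\n', sorted(disabled)


if __name__ == '__main__':
    for cat, en, dis in summarize(parse_rules(SAMPLE_RULES)):
        print('%-16s enabled=%d disabled=%d' % (cat, en, dis))
    new_text, gone = apply_disablesid(SAMPLE_RULES, SAMPLE_DISABLESID)
    print('disabled sids:', gone)
```

Running the script on the constructed sample comments out four rules (the web-php rule by category, sid 225 by range, sid 15000 by its CVE reference and the IP-reputation rule by pcre) and leaves the ET SHELLCODE rule enabled. Pointing parse_rules at a real /etc/nsm/rules/downloaded.rules gives the kind of per-category count that tells you which categories are worth disabling wholesale; on a real deployment the edit itself should still be made through disablesid.conf and rule-update, since the merged file is regenerated on every update.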
Thanks a ton for all your responses! With the last few posts it finally started clicking and I was able to tune this down...WAY DOWN. Currently running under 5k signatures, and sure enough my Snort processes are not dropping anything. I also upped my PF_RING to 65534 during install.
However, I still see dropped packets on my interface eth1 (not nearly as many; this is way down from what it was). I also see some being dropped by Bro now. Can anyone comment on the stats I have and whether there would be concern running this as a prod machine with these levels of packet loss? Here is my latest sostat-redacted with about 2 hours of uptime.
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 4776 7 04 Aug 16:28:51
proxy proxy X.X.X.X running 4938 7 04 Aug 16:28:54
infosec-virtual-machine-eth1-1 worker X.X.X.X running 5779 2 04 Aug 16:28:56
infosec-virtual-machine-eth1-2 worker X.X.X.X running 5781 2 04 Aug 16:28:56
infosec-virtual-machine-eth1-3 worker X.X.X.X running 5784 2 04 Aug 16:28:56
infosec-virtual-machine-eth1-4 worker X.X.X.X running 5783 2 04 Aug 16:28:56
infosec-virtual-machine-eth1-5 worker X.X.X.X running 5780 2 04 Aug 16:28:56
infosec-virtual-machine-eth1-6 worker X.X.X.X running 5782 2 04 Aug 16:28:56
Status: infosec-virtual-machine-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort_agent-2 (sguil)[ OK ]
* snort_agent-3 (sguil)[ OK ]
* snort_agent-4 (sguil)[ OK ]
* snort_agent-5 (sguil)[ OK ]
* snort_agent-6 (sguil)[ OK ]
* snort_agent-7 (sguil)[ OK ]
* snort_agent-8 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* snort-5 (alert data)[ OK ]
* snort-6 (alert data)[ OK ]
* snort-7 (alert data)[ OK ]
* snort-8 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
* barnyard2-5 (spooler, unified2 format)[ OK ]
* barnyard2-6 (spooler, unified2 format)[ OK ]
* barnyard2-7 (spooler, unified2 format)[ OK ]
* barnyard2-8 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9581 errors:0 dropped:0 overruns:0 frame:0
TX packets:9052 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2921338 (2.9 MB) TX bytes:3549792 (3.5 MB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:96980747 errors:0 dropped:1023 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:48800451465 (48.8 GB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1801224 errors:0 dropped:0 overruns:0 frame:0
TX packets:1801224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1260012003 (1.2 GB) TX bytes:1260012003 (1.2 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1260012003 1801224 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1260012003 1801224 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2921338 9581 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3549792 9052 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
48800509547 96980816 0 1023 0 297236
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 75G 34G 38G 47% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 840K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 0 16G 0% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1085 avahi 12u IPv4 10464 0t0 UDP *:5353
avahi-dae 1085 avahi 13u IPv6 10465 0t0 UDP *:5353
avahi-dae 1085 avahi 14u IPv4 10466 0t0 UDP *:48220
avahi-dae 1085 avahi 15u IPv6 10467 0t0 UDP *:44103
cupsd 1106 root 8u IPv6 1603 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1106 root 9u IPv4 1604 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1296 root 3u IPv4 10033 0t0 TCP *:22 (LISTEN)
sshd 1296 root 4u IPv6 10035 0t0 TCP *:22 (LISTEN)
salt-mini 1400 root 15u IPv4 3057 0t0 TCP X.X.X.X:35637->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 1406 root 9u IPv4 2580 0t0 TCP *:514 (LISTEN)
syslog-ng 1406 root 10u IPv4 2581 0t0 UDP *:514
salt-mast 1415 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
mysqld 1481 mysql 10u IPv4 8594 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1481 mysql 32u IPv4 24501 0t0 TCP X.X.X.X:3306->X.X.X.X:33323 (ESTABLISHED)
mysqld 1481 mysql 82u IPv4 27508 0t0 TCP X.X.X.X:3306->X.X.X.X:33321 (ESTABLISHED)
mysqld 1481 mysql 83u IPv4 24551 0t0 TCP X.X.X.X:3306->X.X.X.X:33327 (ESTABLISHED)
mysqld 1481 mysql 84u IPv4 24502 0t0 TCP X.X.X.X:3306->X.X.X.X:33325 (ESTABLISHED)
mysqld 1481 mysql 87u IPv4 32797 0t0 TCP X.X.X.X:3306->X.X.X.X:33329 (ESTABLISHED)
mysqld 1481 mysql 90u IPv4 29610 0t0 TCP X.X.X.X:3306->X.X.X.X:33331 (ESTABLISHED)
mysqld 1481 mysql 93u IPv4 33271 0t0 TCP X.X.X.X:3306->X.X.X.X:33345 (ESTABLISHED)
mysqld 1481 mysql 96u IPv4 33367 0t0 TCP X.X.X.X:3306->X.X.X.X:33348 (ESTABLISHED)
searchd 1635 sphinxsearch 7u IPv4 8129 0t0 TCP *:9306 (LISTEN)
searchd 1635 sphinxsearch 8u IPv4 8130 0t0 TCP *:9312 (LISTEN)
ossec-csy 1651 ossecm 5u IPv4 8557 0t0 UDP X.X.X.X:34043->X.X.X.X:514
salt-mast 1783 root 27u IPv4 8164 0t0 TCP *:4505 (LISTEN)
salt-mast 1783 root 29u IPv4 13464 0t0 TCP X.X.X.X:4505->X.X.X.X:35637 (ESTABLISHED)
salt-mast 1789 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
salt-mast 1791 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
salt-mast 1794 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
salt-mast 1798 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
salt-mast 1801 root 19u IPv4 12690 0t0 TCP *:4506 (LISTEN)
sshd 2406 root 3u IPv4 14759 0t0 TCP X.X.X.X:22->X.X.X.X:61513 (ESTABLISHED)
/usr/sbin 2555 root 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 2555 root 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2555 root 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2555 root 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
sshd 2970 infosec 3u IPv4 14759 0t0 TCP X.X.X.X:22->X.X.X.X:61513 (ESTABLISHED)
ntpd 3023 ntp 16u IPv4 13067 0t0 UDP *:123
ntpd 3023 ntp 17u IPv6 13068 0t0 UDP *:123
ntpd 3023 ntp 18u IPv4 13074 0t0 UDP X.X.X.X:123
ntpd 3023 ntp 19u IPv4 13075 0t0 UDP X.X.X.X:123
ntpd 3023 ntp 20u IPv6 13076 0t0 UDP [X.X.X.X]:123
ntpd 3023 ntp 21u IPv6 13077 0t0 UDP [X.X.X.X]:123
/usr/sbin 3121 www-data 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 3121 www-data 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3121 www-data 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3121 www-data 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
/usr/sbin 4095 www-data 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 4095 www-data 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4095 www-data 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4095 www-data 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
/usr/sbin 4119 www-data 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 4119 www-data 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4119 www-data 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4119 www-data 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
/usr/sbin 4146 www-data 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 4146 www-data 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4146 www-data 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4146 www-data 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
/usr/sbin 4169 www-data 4u IPv4 11966 0t0 TCP *:443 (LISTEN)
/usr/sbin 4169 www-data 5u IPv4 11969 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4169 www-data 6u IPv4 11971 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4169 www-data 7u IPv4 11975 0t0 TCP *:444 (LISTEN)
tclsh 4502 root 13u IPv4 23644 0t0 TCP *:7734 (LISTEN)
tclsh 4502 root 14u IPv4 23645 0t0 TCP *:7736 (LISTEN)
tclsh 4502 root 15u IPv4 25752 0t0 TCP X.X.X.X:7736->X.X.X.X:59191 (ESTABLISHED)
tclsh 4502 root 16u IPv4 26172 0t0 TCP X.X.X.X:7736->X.X.X.X:59230 (ESTABLISHED)
tclsh 4502 root 17u IPv4 29250 0t0 TCP X.X.X.X:7736->X.X.X.X:59234 (ESTABLISHED)
tclsh 4502 root 18u IPv4 24004 0t0 TCP X.X.X.X:7736->X.X.X.X:59235 (ESTABLISHED)
tclsh 4502 root 19u IPv4 24013 0t0 TCP X.X.X.X:7736->X.X.X.X:59237 (ESTABLISHED)
tclsh 4502 root 20u IPv4 24042 0t0 TCP X.X.X.X:7736->X.X.X.X:59238 (ESTABLISHED)
tclsh 4502 root 21u IPv4 26973 0t0 TCP X.X.X.X:7736->X.X.X.X:59249 (ESTABLISHED)
tclsh 4502 root 22u IPv4 24045 0t0 TCP X.X.X.X:7736->X.X.X.X:59250 (ESTABLISHED)
tclsh 4502 root 23u IPv4 24054 0t0 TCP X.X.X.X:7736->X.X.X.X:59251 (ESTABLISHED)
tclsh 4502 root 24u IPv4 24055 0t0 TCP X.X.X.X:7736->X.X.X.X:59252 (ESTABLISHED)
tclsh 4545 root 3u IPv4 25751 0t0 TCP X.X.X.X:59191->X.X.X.X:7736 (ESTABLISHED)
tclsh 4545 root 5u IPv4 273579 0t0 UDP *:58289
bro 4776 root 4u IPv4 18328 0t0 UDP X.X.X.X:38967->X.X.X.X:53
bro 4787 root 0u IPv4 23719 0t0 TCP *:47761 (LISTEN)
bro 4787 root 1u IPv6 23720 0t0 TCP *:47761 (LISTEN)
bro 4787 root 2u IPv4 18343 0t0 TCP X.X.X.X:47761->X.X.X.X:57908 (ESTABLISHED)
bro 4787 root 4u IPv4 18328 0t0 UDP X.X.X.X:38967->X.X.X.X:53
bro 4787 root 19u IPv4 23223 0t0 TCP X.X.X.X:47761->X.X.X.X:57910 (ESTABLISHED)
bro 4787 root 21u IPv4 27688 0t0 TCP X.X.X.X:47761->X.X.X.X:57911 (ESTABLISHED)
bro 4787 root 22u IPv4 27689 0t0 TCP X.X.X.X:47761->X.X.X.X:57912 (ESTABLISHED)
bro 4787 root 23u IPv4 26675 0t0 TCP X.X.X.X:47761->X.X.X.X:57915 (ESTABLISHED)
bro 4787 root 24u IPv4 26676 0t0 TCP X.X.X.X:47761->X.X.X.X:57917 (ESTABLISHED)
bro 4787 root 25u IPv4 19088 0t0 TCP X.X.X.X:47761->X.X.X.X:57920 (ESTABLISHED)
bro 4938 root 4u IPv4 23735 0t0 UDP X.X.X.X:55091->X.X.X.X:53
bro 4946 root 0u IPv4 23744 0t0 TCP X.X.X.X:57908->X.X.X.X:47761 (ESTABLISHED)
bro 4946 root 1u IPv4 23747 0t0 TCP *:47762 (LISTEN)
bro 4946 root 2u IPv6 23748 0t0 TCP *:47762 (LISTEN)
bro 4946 root 4u IPv4 23735 0t0 UDP X.X.X.X:55091->X.X.X.X:53
bro 4946 root 19u IPv4 24871 0t0 TCP X.X.X.X:47762->X.X.X.X:51397 (ESTABLISHED)
bro 4946 root 21u IPv4 24892 0t0 TCP X.X.X.X:47762->X.X.X.X:51401 (ESTABLISHED)
bro 4946 root 22u IPv4 23229 0t0 TCP X.X.X.X:47762->X.X.X.X:51402 (ESTABLISHED)
bro 4946 root 23u IPv4 25908 0t0 TCP X.X.X.X:47762->X.X.X.X:51404 (ESTABLISHED)
bro 4946 root 24u IPv4 27707 0t0 TCP X.X.X.X:47762->X.X.X.X:51406 (ESTABLISHED)
bro 4946 root 25u IPv4 23884 0t0 TCP X.X.X.X:47762->X.X.X.X:51407 (ESTABLISHED)
bro 5779 root 4u IPv4 19050 0t0 UDP X.X.X.X:57015->X.X.X.X:53
bro 5780 root 4u IPv4 23852 0t0 UDP X.X.X.X:36892->X.X.X.X:53
bro 5781 root 4u IPv4 25892 0t0 UDP X.X.X.X:53181->X.X.X.X:53
bro 5782 root 4u IPv4 24854 0t0 UDP X.X.X.X:36111->X.X.X.X:53
bro 5783 root 4u IPv4 14306 0t0 UDP X.X.X.X:55147->X.X.X.X:53
bro 5784 root 4u IPv4 23127 0t0 UDP X.X.X.X:48193->X.X.X.X:53
bro 5814 root 0u IPv4 23858 0t0 TCP X.X.X.X:51397->X.X.X.X:47762 (ESTABLISHED)
bro 5814 root 1u IPv4 23861 0t0 TCP X.X.X.X:57910->X.X.X.X:47761 (ESTABLISHED)
bro 5814 root 2u IPv4 23864 0t0 TCP *:47767 (LISTEN)
bro 5814 root 4u IPv4 23852 0t0 UDP X.X.X.X:36892->X.X.X.X:53
bro 5814 root 20u IPv6 23865 0t0 TCP *:47767 (LISTEN)
bro 5819 root 0u IPv4 19070 0t0 TCP X.X.X.X:57912->X.X.X.X:47761 (ESTABLISHED)
bro 5819 root 1u IPv4 19072 0t0 TCP X.X.X.X:51401->X.X.X.X:47762 (ESTABLISHED)
bro 5819 root 2u IPv4 19075 0t0 TCP *:47763 (LISTEN)
bro 5819 root 4u IPv4 19050 0t0 UDP X.X.X.X:57015->X.X.X.X:53
bro 5819 root 20u IPv6 19076 0t0 TCP *:47763 (LISTEN)
bro 5839 root 0u IPv4 27683 0t0 TCP X.X.X.X:57911->X.X.X.X:47761 (ESTABLISHED)
bro 5839 root 1u IPv4 27690 0t0 TCP X.X.X.X:51402->X.X.X.X:47762 (ESTABLISHED)
bro 5839 root 2u IPv4 27693 0t0 TCP *:47768 (LISTEN)
bro 5839 root 4u IPv4 24854 0t0 UDP X.X.X.X:36111->X.X.X.X:53
bro 5839 root 20u IPv6 27694 0t0 TCP *:47768 (LISTEN)
bro 5843 root 0u IPv4 25904 0t0 TCP X.X.X.X:57915->X.X.X.X:47761 (ESTABLISHED)
bro 5843 root 1u IPv4 25907 0t0 TCP X.X.X.X:51404->X.X.X.X:47762 (ESTABLISHED)
bro 5843 root 2u IPv4 25911 0t0 TCP *:47764 (LISTEN)
bro 5843 root 4u IPv4 25892 0t0 UDP X.X.X.X:53181->X.X.X.X:53
bro 5843 root 19u IPv6 25912 0t0 TCP *:47764 (LISTEN)
bro 5848 root 0u IPv4 23871 0t0 TCP X.X.X.X:57917->X.X.X.X:47761 (ESTABLISHED)
bro 5848 root 1u IPv4 23874 0t0 TCP X.X.X.X:51406->X.X.X.X:47762 (ESTABLISHED)
bro 5848 root 2u IPv4 23877 0t0 TCP *:47766 (LISTEN)
bro 5848 root 4u IPv4 14306 0t0 UDP X.X.X.X:55147->X.X.X.X:53
bro 5848 root 20u IPv6 23878 0t0 TCP *:47766 (LISTEN)
bro 5867 root 0u IPv4 23883 0t0 TCP X.X.X.X:51407->X.X.X.X:47762 (ESTABLISHED)
bro 5867 root 1u IPv4 23887 0t0 TCP X.X.X.X:57920->X.X.X.X:47761 (ESTABLISHED)
bro 5867 root 2u IPv4 23890 0t0 TCP *:47765 (LISTEN)
bro 5867 root 4u IPv4 23127 0t0 UDP X.X.X.X:48193->X.X.X.X:53
bro 5867 root 20u IPv6 23891 0t0 TCP *:47765 (LISTEN)
tclsh 6288 root 3u IPv4 29240 0t0 TCP X.X.X.X:59230->X.X.X.X:7736 (ESTABLISHED)
tclsh 6351 root 3u IPv4 26902 0t0 TCP X.X.X.X:59234->X.X.X.X:7736 (ESTABLISHED)
tclsh 6351 root 4u IPv4 26903 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 6351 root 6u IPv4 24492 0t0 TCP X.X.X.X:8001->X.X.X.X:57851 (ESTABLISHED)
tclsh 6369 root 3u IPv4 24003 0t0 TCP X.X.X.X:59235->X.X.X.X:7736 (ESTABLISHED)
tclsh 6369 root 4u IPv4 24005 0t0 TCP X.X.X.X:8002 (LISTEN)
tclsh 6369 root 6u IPv4 24497 0t0 TCP X.X.X.X:8002->X.X.X.X:41557 (ESTABLISHED)
tclsh 6387 root 3u IPv4 24012 0t0 TCP X.X.X.X:59237->X.X.X.X:7736 (ESTABLISHED)
tclsh 6387 root 4u IPv4 24014 0t0 TCP X.X.X.X:8003 (LISTEN)
tclsh 6387 root 6u IPv4 30194 0t0 TCP X.X.X.X:8003->X.X.X.X:45990 (ESTABLISHED)
tclsh 6406 root 3u IPv4 20333 0t0 TCP X.X.X.X:59238->X.X.X.X:7736 (ESTABLISHED)
tclsh 6406 root 4u IPv4 20334 0t0 TCP X.X.X.X:8004 (LISTEN)
tclsh 6406 root 6u IPv4 32793 0t0 TCP X.X.X.X:8004->X.X.X.X:34605 (ESTABLISHED)
tclsh 6425 root 3u IPv4 26972 0t0 TCP X.X.X.X:59249->X.X.X.X:7736 (ESTABLISHED)
tclsh 6425 root 4u IPv4 26974 0t0 TCP X.X.X.X:8005 (LISTEN)
tclsh 6425 root 6u IPv4 24547 0t0 TCP X.X.X.X:8005->X.X.X.X:43787 (ESTABLISHED)
tclsh 6443 root 3u IPv4 26472 0t0 TCP X.X.X.X:59250->X.X.X.X:7736 (ESTABLISHED)
tclsh 6443 root 4u IPv4 24046 0t0 TCP X.X.X.X:8006 (LISTEN)
tclsh 6443 root 6u IPv4 31276 0t0 TCP X.X.X.X:8006->X.X.X.X:36320 (ESTABLISHED)
tclsh 6461 root 3u IPv4 29278 0t0 TCP X.X.X.X:59251->X.X.X.X:7736 (ESTABLISHED)
tclsh 6461 root 4u IPv4 29279 0t0 TCP X.X.X.X:8007 (LISTEN)
tclsh 6461 root 6u IPv4 34143 0t0 TCP X.X.X.X:8007->X.X.X.X:39813 (ESTABLISHED)
tclsh 6479 root 3u IPv4 26478 0t0 TCP X.X.X.X:59252->X.X.X.X:7736 (ESTABLISHED)
tclsh 6479 root 4u IPv4 26479 0t0 TCP X.X.X.X:8008 (LISTEN)
tclsh 6479 root 6u IPv4 32964 0t0 TCP X.X.X.X:8008->X.X.X.X:44274 (ESTABLISHED)
barnyard2 6975 root 3u IPv4 24491 0t0 TCP X.X.X.X:57851->X.X.X.X:8001 (ESTABLISHED)
barnyard2 6975 root 4u IPv4 24495 0t0 TCP X.X.X.X:33321->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7013 root 3u IPv4 24496 0t0 TCP X.X.X.X:41557->X.X.X.X:8002 (ESTABLISHED)
barnyard2 7013 root 4u IPv4 24500 0t0 TCP X.X.X.X:33323->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7051 root 3u IPv4 30193 0t0 TCP X.X.X.X:45990->X.X.X.X:8003 (ESTABLISHED)
barnyard2 7051 root 4u IPv4 30197 0t0 TCP X.X.X.X:33325->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7087 root 3u IPv4 32279 0t0 TCP X.X.X.X:34605->X.X.X.X:8004 (ESTABLISHED)
barnyard2 7087 root 4u IPv4 32796 0t0 TCP X.X.X.X:33329->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7123 root 3u IPv4 24546 0t0 TCP X.X.X.X:43787->X.X.X.X:8005 (ESTABLISHED)
barnyard2 7123 root 4u IPv4 24550 0t0 TCP X.X.X.X:33327->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7162 root 3u IPv4 37114 0t0 TCP X.X.X.X:36320->X.X.X.X:8006 (ESTABLISHED)
barnyard2 7162 root 4u IPv4 37118 0t0 TCP X.X.X.X:33348->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7199 root 3u IPv4 33267 0t0 TCP X.X.X.X:39813->X.X.X.X:8007 (ESTABLISHED)
barnyard2 7199 root 4u IPv4 33270 0t0 TCP X.X.X.X:33345->X.X.X.X:3306 (ESTABLISHED)
barnyard2 7236 root 3u IPv4 32482 0t0 TCP X.X.X.X:44274->X.X.X.X:8008 (ESTABLISHED)
barnyard2 7236 root 4u IPv4 32485 0t0 TCP X.X.X.X:33331->X.X.X.X:3306 (ESTABLISHED)
ruby1.9.1 24119 www-data 12u IPv4 231555 0t0 TCP X.X.X.X:40646 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
top - 18:09:02 up 1:41, 1 user, load average: 6.26, 5.87, 5.91
Tasks: 235 total, 6 running, 226 sleeping, 0 stopped, 3 zombie
Cpu(s): 34.4%us, 22.0%sy, 2.2%ni, 39.5%id, 0.1%wa, 0.0%hi, 1.7%si, 0.0%st
Mem: 32950412k total, 32709084k used, 241328k free, 105620k buffers
Swap: 20666432k total, 0k used, 20666432k free, 19981748k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5779 root 20 0 1231m 1.1g 1.0g R 96 3.7 42:02.65 bro
4505 root 20 0 140m 48m 2856 R 88 0.1 0:00.88 perl
8706 sguil 20 0 586m 299m 130m R 55 0.9 4:23.03 snort
5781 root 20 0 1202m 1.1g 1.0g S 39 3.5 40:52.07 bro
5784 root 20 0 1186m 1.1g 1.0g S 35 3.5 42:36.11 bro
5782 root 20 0 1188m 1.1g 1.0g S 29 3.5 42:58.58 bro
5780 root 20 0 1196m 1.1g 1.0g S 27 3.5 44:40.94 bro
5783 root 20 0 1188m 1.1g 1.0g S 27 3.5 41:51.89 bro
7378 sguil 20 0 586m 300m 130m S 27 0.9 4:06.51 snort
5867 root 25 5 1107m 1.0g 1.0g S 18 3.3 8:23.43 bro
4946 root 25 5 101m 23m 1120 S 16 0.1 18:01.43 bro
4787 root 25 5 101m 25m 1136 R 14 0.1 17:03.35 bro
5839 root 25 5 1107m 1.0g 1.0g R 14 3.3 8:31.60 bro
5843 root 25 5 1107m 1.0g 1.0g S 14 3.3 8:42.36 bro
5848 root 25 5 1107m 1.0g 1.0g S 12 3.3 8:30.34 bro
6100 sguil 20 0 299m 273m 256m S 12 0.8 6:52.43 netsniff-ng
5814 root 25 5 1107m 1.0g 1.0g S 8 3.3 8:19.14 bro
5819 root 25 5 1107m 1.0g 1.0g S 6 3.3 8:29.72 bro
7964 sguil 20 0 586m 299m 130m S 6 0.9 3:33.39 snort
7422 sguil 20 0 585m 297m 130m S 4 0.9 3:54.56 snort
7465 sguil 20 0 586m 299m 130m S 4 0.9 3:32.27 snort
51 root 20 0 0 0 0 S 2 0.0 0:01.36 kswapd0
365 root 20 0 0 0 0 S 2 0.0 0:18.28 jbd2/sda1-8
1406 root 20 0 116m 51m 2920 S 2 0.2 1:01.38 syslog-ng
1481 mysql 20 0 2784m 116m 8384 S 2 0.4 75:00.31 mysqld
1495 root 20 0 214m 42m 3852 S 2 0.1 1:42.12 perl
4502 root 20 0 138m 26m 3740 S 2 0.1 0:10.62 tclsh
4776 root 20 0 328m 70m 4896 S 2 0.2 2:41.80 bro
7013 root 20 0 163m 65m 1872 S 2 0.2 0:32.59 barnyard2
7162 root 20 0 163m 65m 1876 S 2 0.2 0:35.65 barnyard2
7334 sguil 20 0 588m 301m 130m S 2 0.9 4:26.28 snort
8130 sguil 20 0 588m 300m 130m S 2 0.9 4:49.65 snort
1 root 20 0 24732 2676 1368 S 0 0.0 0:02.02 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.19 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.46 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.05 migration/1
9 root 20 0 0 0 0 S 0 0.0 0:01.11 kworker/1:0
10 root 20 0 0 0 0 S 0 0.0 0:00.61 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:00.22 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/2
14 root 20 0 0 0 0 S 0 0.0 0:00.71 kworker/2:0
15 root 20 0 0 0 0 S 0 0.0 0:00.24 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:00.22 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.08 watchdog/3
21 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/4
23 root 20 0 0 0 0 S 0 0.0 0:00.61 ksoftirqd/4
24 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/4
25 root RT 0 0 0 0 S 0 0.0 0:00.30 migration/5
27 root 20 0 0 0 0 S 0 0.0 0:00.26 ksoftirqd/5
28 root RT 0 0 0 0 S 0 0.0 0:00.81 watchdog/5
29 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/6
31 root 20 0 0 0 0 S 0 0.0 0:00.22 ksoftirqd/6
32 root RT 0 0 0 0 S 0 0.0 0:00.08 watchdog/6
33 root RT 0 0 0 0 S 0 0.0 0:00.06 migration/7
35 root 20 0 0 0 0 S 0 0.0 0:00.45 ksoftirqd/7
36 root RT 0 0 0 0 S 0 0.0 0:00.27 watchdog/7
37 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
38 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
39 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
41 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:1
42 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
43 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
44 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
45 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
46 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
47 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
48 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
50 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
52 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
53 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
54 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
55 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
56 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
64 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
66 root 20 0 0 0 0 S 0 0.0 0:00.01 scsi_eh_0
67 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
89 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
228 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
229 root 0 -20 0 0 0 S 0 0.0 0:00.00 vmw_pvscsi_wq_2
231 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
354 root 20 0 0 0 0 S 0 0.0 0:00.17 kworker/3:1
366 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
398 root 20 0 0 0 0 S 0 0.0 0:00.28 kworker/7:1
454 root 20 0 0 0 0 S 0 0.0 0:00.28 kworker/1:2
461 root 20 0 17500 900 528 S 0 0.0 0:00.12 upstart-udev-br
468 root 20 0 21700 1516 820 S 0 0.0 0:00.10 udevd
470 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:1
509 root 20 0 0 0 0 S 0 0.0 0:00.39 kworker/5:1
594 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
595 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
633 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
1017 messageb 20 0 24276 1384 816 S 0 0.0 0:00.09 dbus-daemon
1064 root 20 0 21192 1720 1440 S 0 0.0 0:00.00 bluetoothd
1085 avahi 20 0 32312 1744 1436 S 0 0.0 0:00.01 avahi-daemon
1090 avahi 20 0 32184 472 216 S 0 0.0 0:00.00 avahi-daemon
1106 root 20 0 101m 3712 2756 S 0 0.0 0:00.02 cupsd
1118 root 20 0 15324 636 344 S 0 0.0 0:00.01 upstart-socket-
1140 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1218 root 20 0 0 0 0 S 0 0.0 0:43.94 flush-8:0
1296 root 20 0 50036 2920 2308 S 0 0.0 0:00.00 sshd
1383 root 20 0 20012 976 812 S 0 0.0 0:00.00 getty
1396 root 20 0 20012 972 812 S 0 0.0 0:00.00 getty
1400 root 20 0 432m 31m 7632 S 0 0.1 0:05.77 salt-minion
1405 root 20 0 26784 432 196 S 0 0.0 0:00.00 syslog-ng
1411 root 20 0 20012 980 812 S 0 0.0 0:00.00 getty
1412 root 20 0 20012 968 812 S 0 0.0 0:00.00 getty
1415 root 20 0 484m 21m 5436 S 0 0.1 0:00.73 salt-master
1416 root 20 0 20012 976 812 S 0 0.0 0:00.00 getty
1433 root 20 0 4464 824 560 S 0 0.0 0:00.00 acpid
1438 daemon 20 0 16912 372 216 S 0 0.0 0:00.00 atd
1440 root 20 0 19116 1040 796 S 0 0.0 0:00.08 cron
1443 root 20 0 280m 4264 3500 S 0 0.0 0:00.03 lightdm
1450 root 20 0 15984 736 552 S 0 0.0 0:01.10 irqbalance
1468 sphinxse 20 0 72928 2036 1468 S 0 0.0 0:00.01 su
1493 root 20 0 4404 612 508 S 0 0.0 0:00.00 sh
1498 root 20 0 4090m 3944 2848 S 0 0.0 0:00.07 console-kit-dae
1594 root 20 0 207m 4808 3604 S 0 0.0 0:00.06 polkitd
1627 root 20 0 198m 17m 9704 S 0 0.1 0:05.32 Xorg
1635 sphinxse 20 0 1746m 443m 208m S 0 1.4 0:17.87 searchd
1636 root 20 0 21696 772 76 S 0 0.0 0:00.00 udevd
1637 root 20 0 21696 772 76 S 0 0.0 0:00.00 udevd
1651 ossecm 20 0 12920 612 424 S 0 0.0 0:00.04 ossec-csyslogd
1667 root 20 0 185m 4724 3724 S 0 0.0 0:00.03 lightdm
1670 root 20 0 132m 4328 3668 S 0 0.0 0:00.13 accounts-daemon
1675 root 20 0 12808 528 348 S 0 0.0 0:00.00 ossec-execd
1735 ossec 20 0 14508 2396 812 S 0 0.0 0:03.71 ossec-analysisd
1739 root 20 0 4532 544 412 S 0 0.0 0:00.00 ossec-logcollec
1763 lightdm 20 0 4404 612 504 S 0 0.0 0:00.00 lightdm-greeter
1771 lightdm 20 0 23952 856 560 S 0 0.0 0:00.00 dbus-daemon
1775 lightdm 20 0 244m 13m 10m S 0 0.0 0:10.57 lightdm-gtk-gre
1776 root 20 0 205m 27m 5228 S 0 0.1 0:00.54 salt-master
1783 root 20 0 228m 17m 1644 S 0 0.1 0:00.00 salt-master
1784 root 20 0 228m 17m 1468 S 0 0.1 0:00.00 salt-master
1789 root 20 0 613m 30m 5896 S 0 0.1 0:01.88 salt-master
1791 root 20 0 613m 30m 5896 S 0 0.1 0:02.36 salt-master
1794 root 20 0 613m 30m 5896 S 0 0.1 0:02.26 salt-master
1798 root 20 0 613m 30m 5896 S 0 0.1 0:02.02 salt-master
1801 root 20 0 613m 31m 5896 S 0 0.1 0:02.51 salt-master
1816 lightdm 20 0 52408 2404 2004 S 0 0.0 0:00.00 gvfsd
1818 lightdm 20 0 215m 3600 2988 S 0 0.0 0:00.01 gvfs-fuse-daemo
1850 root 20 0 214m 4272 3312 S 0 0.0 0:00.04 upowerd
2066 root 20 0 94672 2616 1928 S 0 0.0 0:00.00 lightdm
2294 root 20 0 93804 4600 3728 S 0 0.0 0:04.25 vmtoolsd
2311 root 20 0 5800 2176 652 S 0 0.0 0:15.86 ossec-syscheckd
2315 ossec 20 0 13064 548 364 S 0 0.0 0:00.00 ossec-monitord
2406 root 20 0 101m 4400 3348 S 0 0.0 0:00.07 sshd
2555 root 20 0 176m 12m 6612 S 0 0.0 0:00.46 /usr/sbin/apach
2561 root 20 0 215m 2076 1788 S 0 0.0 0:00.00 PassengerWatchd
2569 root 20 0 288m 2396 2072 S 0 0.0 0:02.66 PassengerHelper
2575 root 20 0 108m 9380 2244 S 0 0.0 0:00.11 ruby1.9.1
2578 nobody 20 0 165m 4668 3644 S 0 0.0 0:00.01 PassengerLoggin
2651 root 20 0 20012 964 812 S 0 0.0 0:00.00 getty
2970 infosec 20 0 101m 2108 1044 S 0 0.0 0:00.13 sshd
2973 infosec 20 0 32072 9168 1772 S 0 0.0 0:01.07 bash
3023 ntp 20 0 37776 2244 1616 S 0 0.0 0:00.31 ntpd
3075 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/7:0
3097 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/5:0
3098 root 20 0 0 0 0 S 0 0.0 0:00.11 kworker/3:2
3100 root 20 0 0 0 0 S 0 0.0 0:00.10 kworker/4:1
3121 www-data 20 0 176m 6928 668 S 0 0.0 0:00.00 /usr/sbin/apach
4095 www-data 20 0 176m 6928 668 S 0 0.0 0:00.00 /usr/sbin/apach
4119 www-data 20 0 176m 6928 668 S 0 0.0 0:00.00 /usr/sbin/apach
4127 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/4:3
4146 www-data 20 0 176m 6928 668 S 0 0.0 0:00.00 /usr/sbin/apach
4169 www-data 20 0 176m 6928 668 S 0 0.0 0:00.00 /usr/sbin/apach
4172 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/5:2
4182 root 20 0 4404 608 504 S 0 0.0 0:00.00 sh
4185 root 20 0 4404 324 220 S 0 0.0 0:00.00 sh
4190 root 20 0 4312 352 272 S 0 0.0 0:00.00 sleep
4191 root 20 0 0 0 0 S 0 0.0 0:00.24 kworker/6:0
4206 root 20 0 78144 2380 1772 S 0 0.0 0:00.00 sudo
4207 root 20 0 16536 1356 1140 S 0 0.0 0:00.00 sostat-redacted
4208 root 20 0 16552 1496 1264 S 0 0.0 0:00.00 sostat
4209 root 20 0 15728 820 696 S 0 0.0 0:00.00 sed
4210 root 20 0 15728 820 696 S 0 0.0 0:00.00 sed
4211 root 20 0 16404 1348 752 S 0 0.0 0:00.00 sed
4242 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
4495 root 20 0 68924 1928 1340 S 0 0.0 0:00.00 cron
4499 root 20 0 4404 612 508 S 0 0.0 0:00.00 sh
4521 root 20 0 118m 3432 764 S 0 0.0 0:00.21 tclsh
4522 root 20 0 118m 3256 580 S 0 0.0 0:00.00 tclsh
4545 root 20 0 36116 5864 3004 S 0 0.0 0:00.16 tclsh
4547 root 20 0 4348 352 276 S 0 0.0 0:00.00 tail
4629 root 20 0 17896 1608 1320 S 0 0.0 0:00.00 bash
4633 root 20 0 17468 1376 944 R 0 0.0 0:00.00 top
4854 root 20 0 17892 1600 1320 S 0 0.0 0:00.01 bash
4938 root 20 0 110m 43m 4820 S 0 0.1 1:21.52 bro
5595 root 20 0 17896 1604 1320 S 0 0.0 0:00.00 bash
5600 root 20 0 17896 1604 1320 S 0 0.0 0:00.00 bash
5602 root 20 0 17896 1604 1320 S 0 0.0 0:00.00 bash
5613 root 20 0 17896 1604 1320 S 0 0.0 0:00.00 bash
5624 root 20 0 17896 1608 1320 S 0 0.0 0:00.00 bash
5626 root 20 0 17896 1604 1320 S 0 0.0 0:00.00 bash
5818 root 20 0 0 0 0 Z 0 0.0 0:00.01 sh <defunct>
5846 root 20 0 0 0 0 Z 0 0.0 0:00.01 sh <defunct>
5847 root 20 0 0 0 0 Z 0 0.0 0:00.01 sh <defunct>
6288 root 20 0 32920 4656 2952 S 0 0.0 0:00.09 tclsh
6351 root 20 0 32844 4580 2956 S 0 0.0 0:00.26 tclsh
6353 root 20 0 4348 356 276 S 0 0.0 0:00.00 tail
6369 root 20 0 32844 4580 2956 S 0 0.0 0:00.40 tclsh
6371 root 20 0 4348 356 276 S 0 0.0 0:00.00 tail
6387 root 20 0 32844 4576 2956 S 0 0.0 0:00.21 tclsh
6389 root 20 0 4348 352 276 S 0 0.0 0:00.00 tail
6406 root 20 0 32844 4576 2956 S 0 0.0 0:00.22 tclsh
6408 root 20 0 4348 352 276 S 0 0.0 0:00.00 tail
6425 root 20 0 32844 4580 2956 S 0 0.0 0:00.80 tclsh
6427 root 20 0 4348 352 276 S 0 0.0 0:00.00 tail
6443 root 20 0 32844 4572 2952 S 0 0.0 0:00.85 tclsh
6445 root 20 0 4348 356 276 S 0 0.0 0:00.00 tail
6461 root 20 0 32844 4580 2956 S 0 0.0 0:00.22 tclsh
6463 root 20 0 4348 356 276 S 0 0.0 0:00.00 tail
6479 root 20 0 32844 4576 2956 S 0 0.0 0:00.54 tclsh
6481 root 20 0 4348 352 276 S 0 0.0 0:00.00 tail
6853 root 19 -1 14892 1932 308 S 0 0.0 0:00.53 dema
6975 root 20 0 163m 65m 1876 S 0 0.2 0:28.51 barnyard2
7051 root 20 0 163m 65m 1872 S 0 0.2 0:34.12 barnyard2
7087 root 20 0 163m 65m 1868 S 0 0.2 0:30.31 barnyard2
7123 root 20 0 163m 65m 1844 S 0 0.2 0:34.58 barnyard2
7199 root 20 0 163m 65m 1872 S 0 0.2 0:26.35 barnyard2
7236 root 20 0 163m 65m 1876 S 0 0.2 0:30.83 barnyard2
8206 sguil 20 0 585m 298m 130m S 0 0.9 3:11.12 snort
8746 www-data 20 0 349m 85m 3276 S 0 0.3 0:08.40 ruby
12201 root 20 0 0 0 0 S 0 0.0 0:00.84 kworker/6:1
12218 root 20 0 0 0 0 S 0 0.0 0:00.07 kworker/4:0
13574 root 20 0 0 0 0 S 0 0.0 0:01.60 kworker/4:2
24087 root 20 0 0 0 0 S 0 0.0 0:00.74 kworker/2:1
24119 www-data 20 0 349m 89m 3524 S 0 0.3 0:01.06 ruby1.9.1
24300 root 20 0 0 0 0 S 0 0.0 0:00.17 kworker/6:2
26566 root 20 0 0 0 0 S 0 0.0 0:01.00 kworker/0:2
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/infosec-virtual-machine-eth1/dailylogs/ - 1 days
28G .
28G ./2014-08-04
/nsm/bro/logs/ - 1 days
104M .
104M ./2014-08-04
288K ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.001079
infosec-virtual-machine-eth1-1: 1407175743.320965 recvd=8558207 dropped=146 link=8558207
infosec-virtual-machine-eth1-2: 1407175743.521851 recvd=5282096 dropped=97 link=5282096
infosec-virtual-machine-eth1-3: 1407175743.721711 recvd=12574219 dropped=92 link=12574219
infosec-virtual-machine-eth1-4: 1407175743.921666 recvd=15380553 dropped=129 link=15380553
infosec-virtual-machine-eth1-5: 1407175744.121728 recvd=14948230 dropped=153 link=14948230
infosec-virtual-machine-eth1-6: 1407175744.321792 recvd=8486730 dropped=87 link=8486730
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-4.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-5.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-6.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-7.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/infosec-virtual-machine-eth1/snort-8.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 14
Standard (non DNA) Options
Ring slots : 65534
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 13893
/proc/net/pf_ring/5779-eth1.1
Appl. Name : <unknown>
Tot Packets : 8562864
Tot Pkt Lost : 146
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434
/proc/net/pf_ring/5780-eth1.4
Appl. Name : <unknown>
Tot Packets : 14951461
Tot Pkt Lost : 153
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434
/proc/net/pf_ring/5781-eth1.6
Appl. Name : <unknown>
Tot Packets : 5287934
Tot Pkt Lost : 97
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434
/proc/net/pf_ring/5782-eth1.2
Appl. Name : <unknown>
Tot Packets : 8488170
Tot Pkt Lost : 87
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434
/proc/net/pf_ring/5783-eth1.3
Appl. Name : <unknown>
Tot Packets : 15384185
Tot Pkt Lost : 129
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434
/proc/net/pf_ring/5784-eth1.5
Appl. Name : <unknown>
Tot Packets : 12577770
Tot Pkt Lost : 92
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130433
/proc/net/pf_ring/7334-eth1.16
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 4493928
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77904
/proc/net/pf_ring/7378-eth1.17
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5455614
Tot Pkt Lost : 1
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78000
/proc/net/pf_ring/7422-eth1.20
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 4461780
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77944
/proc/net/pf_ring/7465-eth1.18
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 4312549
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77971
/proc/net/pf_ring/7964-eth1.19
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5737296
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77927
/proc/net/pf_ring/8130-eth1.21
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 6831206
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77971
/proc/net/pf_ring/8206-eth1.22
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 3750473
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77986
/proc/net/pf_ring/8706-eth1.23
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5779216
Tot Pkt Lost : 1
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77349
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
9674
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
REMOVED
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
REMOVED
Total
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1405 supervising syslog-ng
1406 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1481 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1468 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
-rw-r--r-- 1 root root 2497780 Aug 4 18:09 /nsm/elsa/data/elsa/tmp/buffers/1407175723.09115
-rw-r--r-- 1 root root 9477851 Aug 4 18:08 /nsm/elsa/data/elsa/tmp/buffers/1407175663.08453
-rw-r--r-- 1 root root 226 Aug 4 18:08 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
-rw-r--r-- 1 root root 7285121 Aug 4 16:27 /nsm/elsa/data/elsa/tmp/buffers/1407169636.77968
ELSA Directory Sizes:
1.8G /nsm/elsa/data
312K /var/lib/mysql/syslog