netsniff-ng (full packet data) [ FAIL ]


jrs...@mtu.edu

Oct 1, 2014, 2:54:09 PM
to securit...@googlegroups.com
When running sostat, all of my interfaces show netsniff-ng as failing. All 3 monitoring interfaces say, "netsniff-ng (full packet data) [ FAIL ]".

I'm not really sure where to look for more information so I'm hoping someone can point me in the right direction.

Thanks,
Justin

Doug Burks

Oct 1, 2014, 2:56:18 PM
to securit...@googlegroups.com
Hi Justin,

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Zachary Trousdale

Jan 21, 2015, 12:48:56 PM
to securit...@googlegroups.com
I am having the same trouble. Below is my sostat output. I appreciate any help you can give me.

=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 6564 3 13 Jan 14:03:28
proxy proxy X.X.X.X running 6792 3 13 Jan 14:03:31
SO-server-eth0-1 worker X.X.X.X running 7155 2 13 Jan 14:03:34
SO-server-eth0-2 worker X.X.X.X running 7154 2 13 Jan 14:03:34
Status: SO-server-eth0
* netsniff-ng (full packet data)[ FAIL ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort_agent-2 (sguil)[ OK ]
* snort_agent-3 (sguil)[ OK ]
* snort_agent-4 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2833106023 errors:0 dropped:321131660 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:823071271999 (823.0 GB) TX bytes:180 (180.0 B)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1500933 errors:0 dropped:0 overruns:0 frame:0
TX packets:583777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:362227757 (362.2 MB) TX bytes:441471362 (441.4 MB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:11315769 errors:0 dropped:0 overruns:0 frame:0
TX packets:11315769 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:17161748212 (17.1 GB) TX bytes:17161748212 (17.1 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
17161748212 11315769 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
17161748212 11315769 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
823071282707 2833106070 0 321131688 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
180 2 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
362227757 1500933 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
441471362 583777 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 95G 61G 29G 68% /
udev 5.9G 4.0K 5.9G 1% /dev
tmpfs 1.2G 792K 1.2G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 5.9G 84K 5.9G 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 805 avahi 12u IPv4 9040 0t0 UDP *:5353
avahi-dae 805 avahi 13u IPv6 9041 0t0 UDP *:5353
avahi-dae 805 avahi 14u IPv4 9042 0t0 UDP *:44680
avahi-dae 805 avahi 15u IPv6 9043 0t0 UDP *:45907
cupsd 882 root 8u IPv6 8891179 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 882 root 9u IPv4 8891180 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1324 root 3u IPv4 10369 0t0 TCP *:ssh_port (LISTEN)
sshd 1324 root 4u IPv6 10371 0t0 TCP *:ssh_port (LISTEN)
mysqld 1656 mysql 12u IPv4 13743 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1656 mysql 20u IPv4 8864724 0t0 TCP X.X.X.X:3306->X.X.X.X:48169 (ESTABLISHED)
mysqld 1656 mysql 75u IPv4 8869969 0t0 TCP X.X.X.X:3306->X.X.X.X:48188 (ESTABLISHED)
mysqld 1656 mysql 115u IPv4 8867400 0t0 TCP X.X.X.X:3306->X.X.X.X:48173 (ESTABLISHED)
mysqld 1656 mysql 365u IPv4 8867465 0t0 TCP X.X.X.X:3306->X.X.X.X:48175 (ESTABLISHED)
teamviewe 1669 root 12u IPv4 11643 0t0 TCP X.X.X.X:5939 (LISTEN)
teamviewe 1669 root 16u IPv4 8355447 0t0 TCP X.X.X.X:53417->X.X.X.X:5938 (ESTABLISHED)
teamviewe 1669 root 20u IPv4 8311062 0t0 TCP X.X.X.X:5939->X.X.X.X:51855 (ESTABLISHED)
searchd 1678 sphinxsearch 7u IPv4 12491 0t0 TCP *:9306 (LISTEN)
searchd 1678 sphinxsearch 8u IPv4 12492 0t0 TCP *:9312 (LISTEN)
ossec-csy 1728 ossecm 5u IPv4 11537 0t0 UDP X.X.X.X:58316->X.X.X.X:514
master 2248 root 12u IPv4 11867 0t0 TCP *:25 (LISTEN)
master 2248 root 13u IPv6 11868 0t0 TCP *:25 (LISTEN)
/usr/sbin 2411 root 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 2411 root 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2411 root 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2411 root 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 4605 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 4605 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4605 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4605 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 5298 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5298 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5298 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5298 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 5551 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5551 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5551 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5551 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 6073 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 6073 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6073 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6073 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 6236 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 6236 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6236 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6236 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
bro 6564 root 4u IPv4 22442 0t0 UDP X.X.X.X:57500->X.X.X.X:53
bro 6599 root 0u IPv4 24530 0t0 TCP *:47761 (LISTEN)
bro 6599 root 1u IPv6 24531 0t0 TCP *:47761 (LISTEN)
bro 6599 root 2u IPv4 23547 0t0 TCP X.X.X.X:47761->X.X.X.X:40860 (ESTABLISHED)
bro 6599 root 4u IPv4 22442 0t0 UDP X.X.X.X:57500->X.X.X.X:53
bro 6599 root 251u IPv4 25500 0t0 TCP X.X.X.X:47761->X.X.X.X:40864 (ESTABLISHED)
bro 6599 root 255u IPv4 25787 0t0 TCP X.X.X.X:47761->X.X.X.X:40866 (ESTABLISHED)
bro 6792 root 4u IPv4 25665 0t0 UDP X.X.X.X:59017->X.X.X.X:53
bro 6802 root 0u IPv4 26689 0t0 TCP X.X.X.X:40860->X.X.X.X:47761 (ESTABLISHED)
bro 6802 root 1u IPv4 26692 0t0 TCP *:47762 (LISTEN)
bro 6802 root 2u IPv6 26693 0t0 TCP *:47762 (LISTEN)
bro 6802 root 4u IPv4 25665 0t0 UDP X.X.X.X:59017->X.X.X.X:53
bro 6802 root 157u IPv4 25784 0t0 TCP X.X.X.X:47762->X.X.X.X:60627 (ESTABLISHED)
bro 6802 root 254u IPv4 26872 0t0 TCP X.X.X.X:47762->X.X.X.X:60629 (ESTABLISHED)
tclsh 7038 root 3u IPv4 7925038 0t0 TCP X.X.X.X:50514->X.X.X.X:7736 (CLOSE_WAIT)
bro 7154 root 4u IPv4 25774 0t0 UDP X.X.X.X:35303->X.X.X.X:53
bro 7155 root 4u IPv4 25418 0t0 UDP X.X.X.X:33305->X.X.X.X:53
bro 7182 root 0u IPv4 27836 0t0 TCP X.X.X.X:40864->X.X.X.X:47761 (ESTABLISHED)
bro 7182 root 1u IPv4 27839 0t0 TCP X.X.X.X:60627->X.X.X.X:47762 (ESTABLISHED)
bro 7182 root 2u IPv4 27842 0t0 TCP *:47764 (LISTEN)
bro 7182 root 4u IPv4 25774 0t0 UDP X.X.X.X:35303->X.X.X.X:53
bro 7182 root 251u IPv6 27843 0t0 TCP *:47764 (LISTEN)
bro 7189 root 0u IPv4 25501 0t0 TCP X.X.X.X:40866->X.X.X.X:47761 (ESTABLISHED)
bro 7189 root 1u IPv4 25788 0t0 TCP X.X.X.X:60629->X.X.X.X:47762 (ESTABLISHED)
bro 7189 root 2u IPv4 27846 0t0 TCP *:47763 (LISTEN)
bro 7189 root 4u IPv4 25418 0t0 UDP X.X.X.X:33305->X.X.X.X:53
bro 7189 root 251u IPv6 27847 0t0 TCP *:47763 (LISTEN)
tclsh 7355 root 3u IPv4 8653372 0t0 TCP X.X.X.X:40995->X.X.X.X:7736 (ESTABLISHED)
tclsh 7659 root 3u IPv4 8777241 0t0 TCP X.X.X.X:40993->X.X.X.X:7736 (ESTABLISHED)
tclsh 7659 root 4u IPv4 7925457 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 7659 root 6u IPv4 8866788 0t0 TCP X.X.X.X:8001->X.X.X.X:33811 (ESTABLISHED)
tclsh 7899 root 3u IPv4 8784124 0t0 TCP X.X.X.X:40992->X.X.X.X:7736 (ESTABLISHED)
tclsh 7899 root 4u IPv4 7933118 0t0 TCP X.X.X.X:8002 (LISTEN)
tclsh 7899 root 6u IPv4 8868943 0t0 TCP X.X.X.X:8002->X.X.X.X:52265 (ESTABLISHED)
tclsh 7955 root 3u IPv4 8653371 0t0 TCP X.X.X.X:40994->X.X.X.X:7736 (ESTABLISHED)
tclsh 7955 root 4u IPv4 7933177 0t0 TCP X.X.X.X:8003 (LISTEN)
tclsh 7955 root 6u IPv4 8867991 0t0 TCP X.X.X.X:8003->X.X.X.X:51587 (ESTABLISHED)
tclsh 7999 root 3u IPv4 8784122 0t0 TCP X.X.X.X:40991->X.X.X.X:7736 (ESTABLISHED)
tclsh 7999 root 4u IPv4 7934169 0t0 TCP X.X.X.X:8004 (LISTEN)
tclsh 7999 root 6u IPv4 8869040 0t0 TCP X.X.X.X:8004->X.X.X.X:36199 (ESTABLISHED)
/usr/sbin 8363 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 8363 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8363 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 8363 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
ruby1.9.1 9797 www-data 12u IPv4 8265586 0t0 TCP X.X.X.X:41796 (LISTEN)
salt-mast 13793 root 12u IPv4 8277592 0t0 TCP *:4505 (LISTEN)
salt-mast 13826 root 20u IPv4 8276809 0t0 TCP *:4506 (LISTEN)
sshd 15311 root 3u IPv4 8971988 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:1311 (ESTABLISHED)
sshd 15312 root 3u IPv4 8973336 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:1312 (ESTABLISHED)
sshd 15644 SO-user 3u IPv4 8973336 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:1312 (ESTABLISHED)
sshd 15644 SO-user 11u IPv6 8972497 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 15644 SO-user 12u IPv4 8972498 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 15657 SO-user 3u IPv4 8971988 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:1311 (ESTABLISHED)
sshd 15657 SO-user 11u IPv6 8973462 0t0 TCP [X.X.X.X]:6011 (LISTEN)
sshd 15657 SO-user 12u IPv4 8973463 0t0 TCP X.X.X.X:6011 (LISTEN)
barnyard2 15790 sguil 3u IPv4 8867337 0t0 TCP X.X.X.X:33811->X.X.X.X:8001 (ESTABLISHED)
barnyard2 15790 sguil 4u IPv4 8866791 0t0 TCP X.X.X.X:48169->X.X.X.X:3306 (ESTABLISHED)
barnyard2 15843 sguil 3u IPv4 8867399 0t0 TCP X.X.X.X:52265->X.X.X.X:8002 (ESTABLISHED)
barnyard2 15843 sguil 4u IPv4 8867972 0t0 TCP X.X.X.X:48173->X.X.X.X:3306 (ESTABLISHED)
barnyard2 15922 sguil 3u IPv4 8869003 0t0 TCP X.X.X.X:51587->X.X.X.X:8003 (ESTABLISHED)
barnyard2 15922 sguil 4u IPv4 8867994 0t0 TCP X.X.X.X:48175->X.X.X.X:3306 (ESTABLISHED)
barnyard2 15970 sguil 3u IPv4 8869039 0t0 TCP X.X.X.X:36199->X.X.X.X:8004 (ESTABLISHED)
barnyard2 15970 sguil 4u IPv4 8868112 0t0 TCP X.X.X.X:48188->X.X.X.X:3306 (ESTABLISHED)
/usr/sbin 20591 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 20591 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20591 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20591 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 20593 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 20593 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20593 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20593 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 20594 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 20594 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20594 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20594 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
/usr/sbin 20676 www-data 4u IPv4 14428 0t0 TCP *:443 (LISTEN)
/usr/sbin 20676 www-data 5u IPv4 14431 0t0 TCP *:9876 (LISTEN)
/usr/sbin 20676 www-data 6u IPv4 14433 0t0 TCP *:3154 (LISTEN)
/usr/sbin 20676 www-data 7u IPv4 14437 0t0 TCP *:444 (LISTEN)
syslog-ng 21472 root 19u IPv4 8424010 0t0 TCP *:514 (LISTEN)
=========================================================================
CPU Usage
=========================================================================
top - 09:32:16 up 7 days, 19:30, 3 users, load average: 2.50, 2.75, 2.99
Tasks: 254 total, 4 running, 249 sleeping, 0 stopped, 1 zombie
Cpu(s): 27.3%us, 26.9%sy, 2.2%ni, 42.4%id, 0.1%wa, 0.0%hi, 1.1%si, 0.0%st
Mem: 12305208k total, 10706368k used, 1598840k free, 62012k buffers
Swap: 10343828k total, 235296k used, 10108532k free, 2885580k cached

%CPU %MEM COMMAND
1.4 0.6 /usr/bin/python /usr/bin/salt-master
1.2 0.0 -bash
1.2 0.0 -bash
0.8 1.9 /usr/sbin/mysqld
0.3 0.3 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.2 0.0 [ksoftirqd/1]
0.2 0.0 /bin/bash /usr/bin/sostat
0.2 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.1 0.0 /usr/lib/vmware-tools/sbin64/vmtoolsd -n vmusr
0.1 0.0 sudo sostat-redacted
0.1 0.0 /opt/teamviewer/tv_bin/wine/bin/wineserver
0.1 0.8 delayed_job
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 sshd: SO-user [priv]
0.1 0.0 sshd: SO-user [priv]
0.1 0.0 /opt/teamviewer/tv_bin/teamviewerd -f
0.1 0.0 /usr/sbin/vmtoolsd
0.0 0.0 [rcu_sched]
0.0 0.2 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [kswapd0]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 PassengerHelperAgent
0.0 0.0 /opt/teamviewer/tv_bin/TVGuiSlave.64 13 1
0.0 0.2 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuos/2]
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u8:0]
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/0]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/3]
0.0 0.0 /sbin/init
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/u8:2]
0.0 0.1 xfce4-panel
0.0 0.1 xfdesktop
0.0 0.0 xfwm4 --replace
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 update-notifier
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 xscreensaver -no-splash
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-2.conf
0.0 0.0 [migration/3]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-3.conf
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 [migration/2]
0.0 0.0 [migration/0]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-maild
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.1 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/lib/postfix/master
0.0 0.0 [migration/1]
0.0 0.1 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 pickup -l -t fifo -u -c
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/2]
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 [watchdog/3]
0.0 0.0 xfce4-power-manager
0.0 0.0 xfce4-volumed
0.0 0.0 xfce4-session
0.0 0.0 nm-applet
0.0 0.0 qmgr -l -t fifo -u
0.0 0.0 xfce4-settings-helper
0.0 0.0 /usr/lib/udisks/udisks-daemon
0.0 0.0 Thunar --daemon
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 Passenger spawn server
0.0 0.0 lightdm --session-child 12 45
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-2.stats
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-3.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-4.stats
0.0 0.0 [khungtaskd]
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.10 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 [kworker/u9:1]
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 lightdm
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/SO-user/.gvfs
0.0 0.0 C:\windows\system32\services.exe
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [lightdm] <defunct>
0.0 0.0 [kthreadd]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 PassengerWatchdog
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 [kworker/3:2]
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user@pts/5
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/u9:2]
0.0 0.0 [kworker/1:0]
0.0 0.0 udisks-daemon: not polling any devices
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/2:2]
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 2531061

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 2 days
31G .
31G ./2015-01-20
4.0K ./2015-01-21

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 1 days
78M .
20M ./2015-01-20
59M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth0-1: 1421861537.145623 recvd=902193346 dropped=0 link=902193346
SO-server-eth0-2: 1421861537.349813 recvd=1930606307 dropped=0 link=1930606307

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth0/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth0/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth0/snort-4.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 6

Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/16080-eth0.4475
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 11485121
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65397

/proc/net/pf_ring/16129-eth0.4476
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5701683
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65508

/proc/net/pf_ring/16178-eth0.4477
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 14263906
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65463

/proc/net/pf_ring/16226-eth0.4478
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5971961
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65473

/proc/net/pf_ring/7154-eth0.1
Appl. Name : bro-eth0
Tot Packets : 1930612482
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65526

/proc/net/pf_ring/7155-eth0.2
Appl. Name : bro-eth0
Tot Packets : 902196115
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65529

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log Processed: Cannot Lost: allocate RX_RING!
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150112000503 Processed: Cannot Lost: allocate RX_RING!
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150112164003 Processed: log Lost:
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150113140337 Processed: +3892767 Lost: -9781
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150118000502 Processed: Cannot Lost: allocate RX_RING!

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1070820

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
123 1:2012648 ET POLICY Dropbox Client Broadcasting
120 1:2101923 GPL RPC portmap proxy attempt UDP
117 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
25 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
15 1:2100366 GPL ICMP_INFO PING *NIX
15 1:2100369 GPL ICMP_INFO PING BayRS Router
15 1:2100373 GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
15 1:2100368 GPL ICMP_INFO PING BSDtype
10 1:2003310 ET P2P Edonkey Publicize File
7 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2001219 ET SCAN Potential SSH Scan
Total
464

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
569657 1:2101411 GPL SNMP public access udp
281880 1:2100366 GPL ICMP_INFO PING *NIX
232678 1:2016303 ET INFO UPnP Discovery Search Response vulnerable UPnP device 2
51765 1:2009243 ET POLICY HSRP Active Router Changed
27590 1:2100368 GPL ICMP_INFO PING BSDtype
9379 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
6207 1:2100369 GPL ICMP_INFO PING BayRS Router
6207 1:2100373 GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
6133 1:2012648 ET POLICY Dropbox Client Broadcasting
2775 1:2101923 GPL RPC portmap proxy attempt UDP
2375 1:2100371 GPL ICMP_INFO PING Cisco Type.x
1333 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
685 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
644 1:2001219 ET SCAN Potential SSH Scan
371 1:2100579 GPL RPC portmap mountd request UDP
209 1:2522757 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 379
89 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02
70 1:2003310 ET P2P Edonkey Publicize File
32 1:2103196 GPL NETBIOS name query overflow attempt UDP
23 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
20 1:2009970 ET P2P eMule Kademlia Hello Request
20 1:2402000 ET DROP Dshield Block Listed Source group 1
15 1:2003317 ET P2P Edonkey Search Request (any type file)
15 1:2100474 GPL SCAN superscan echo
10 1:2100590 GPL RPC portmap ypserv request UDP
8 1:2009099 ET P2P ThunderNetwork UDP Traffic
6 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
5 1:2101892 GPL SNMP null community string attempt
5 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
5 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
4 1:2403406 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 54
2 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
1 1:2403334 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 18
1 1:2500010 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 6
1 1:2403392 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 47
1 1:648 GPL SHELLCODE x86 NOOP
Total
1200221

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
123 1:2012648 ET POLICY Dropbox Client Broadcasting
120 1:2101923 GPL RPC portmap proxy attempt UDP
117 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
25 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
15 1:2100373 GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
15 1:2100368 GPL ICMP_INFO PING BSDtype
15 1:2100366 GPL ICMP_INFO PING *NIX
15 1:2100369 GPL ICMP_INFO PING BayRS Router
10 1:2003310 ET P2P Edonkey Publicize File
7 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2001219 ET SCAN Potential SSH Scan
Total
464

=========================================================================
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65463

/proc/net/pf_ring/16226-eth0.4478
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 5971961
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65473

/proc/net/pf_ring/7154-eth0.1
Appl. Name : bro-eth0
Tot Packets : 1930612482
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65526

/proc/net/pf_ring/7155-eth0.2
Appl. Name : bro-eth0
Tot Packets : 902196115
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65529

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log Processed: Cannot Lost: allocate RX_RING!
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150112000503 Processed: Cannot Lost: allocate RX_RING!
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150112164003 Processed: log Lost:
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150112164003 Processed: 1421109508! Lost: No such file or directory
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150113140337 Processed: +3892767 Lost: -9781
File: /var/log/nsm/SO-server-eth0/netsniff-ng.log.20150118000502 Processed: Cannot Lost: allocate RX_RING!

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1070820

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
123 1:2012648 ET POLICY Dropbox Client Broadcasting
120 1:2101923 GPL RPC portmap proxy attempt UDP
117 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
25 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
15 1:2100366 GPL ICMP_INFO PING *NIX
15 1:2100369 GPL ICMP_INFO PING BayRS Router
15 1:2100373 GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
15 1:2100368 GPL ICMP_INFO PING BSDtype
10 1:2003310 ET P2P Edonkey Publicize File
7 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2001219 ET SCAN Potential SSH Scan
Total
464

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
31272 1:2101411 GPL SNMP public access udp
9741 1:2016303 ET INFO UPnP Discovery Search Response vulnerable UPnP device 2
7866 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
1898 1:2012648 ET POLICY Dropbox Client Broadcasting
1750 1:2101923 GPL RPC portmap proxy attempt UDP
473 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
451 1:2100366 GPL ICMP_INFO PING *NIX
385 1:2100373 GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
385 1:2100368 GPL ICMP_INFO PING BSDtype
385 1:2100369 GPL ICMP_INFO PING BayRS Router
371 1:2100579 GPL RPC portmap mountd request UDP
228 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
204 1:2001219 ET SCAN Potential SSH Scan
89 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02
40 1:2003310 ET P2P Edonkey Publicize File
32 1:2103196 GPL NETBIOS name query overflow attempt UDP
25 1:2100371 GPL ICMP_INFO PING Cisco Type.x
15 1:2100474 GPL SCAN superscan echo
10 1:2003317 ET P2P Edonkey Search Request (any type file)
10 1:2009970 ET P2P eMule Kademlia Hello Request
4 1:2009099 ET P2P ThunderNetwork UDP Traffic
2 1:2013479 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
1 1:648 GPL SHELLCODE x86 NOOP
Total
55637

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
21471 supervising syslog-ng
21472 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1656 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1526 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 212587 Jan 21 09:32 /nsm/elsa/data/elsa/tmp/buffers/1421861528.93753
-rw-r--r-- 1 root root 449659 Jan 21 09:32 /nsm/elsa/data/elsa/tmp/buffers/1421861468.92925
-rw-r--r-- 1 root root 166 Jan 21 09:32 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
-rw-r--r-- 1 root root 720571 Dec 17 15:33 /nsm/elsa/data/elsa/tmp/buffers/1418859145.04657

ELSA Directory Sizes:

Doug Burks

unread,
Jan 21, 2015, 2:21:25 PM1/21/15
to securit...@googlegroups.com
Hi Zachary,

Have you checked the netsniff-ng log file at
/var/log/nsm/HOSTNAME-INTERFACE/netsniff-ng.log?

Have you tried restarting netsniff-ng?
sudo nsm_sensor_ps-restart --only-pcap

Have you tried rebooting?

Also, I noticed the following in your sostat output:
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1070820

Please see:
https://code.google.com/p/security-onion/wiki/FAQ#What_does_it_mean_if_I_have_a_high_number_of_Sguil_Uncategorized

Zachary Trousdale

unread,
Jan 21, 2015, 2:44:06 PM1/21/15
to securit...@googlegroups.com
Thank you Mr. Burks. Here is the output of the log.

This is the current log.

Executing: netsniff-ng -i eth0 -o /nsm/sensor_data/usacasd-snort-eth0/dailylogs/2015-01-21/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1024MiB --interval 1024MiB --mmap
RX: 1024.00 MiB, 524288 Frames, each 2048 Byte allocated
Running! Hang up with ^C!

.(+3903389/-0).(+3929024/-0).(+3926840/-0).(+3952103/-0).(+3945764/-0)

This is the previous log.
Executing netsniff-ng -i eth0 -o /nsm/sensor_data/usacasd-snort-eth0/dailylogs/2015-01-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1024MiB --interval 1024MiB --mmap
Cannot allocate RX_RING!

This is the output after restarting netsniff-ng.

* restarting with overlap: netsniff-ng (full packet data)
* starting: netsniff-ng (full packet data) [ OK ]
- stopping old process: netsniff-ng (full packet data) [ OK ]

I will clean up the Sguil logs :)

Thanks Again Sir!

On Wednesday, January 21, 2015 at 11:21:25 AM UTC-8, Doug Burks wrote:
> Hi Zachary,
>
> Have you checked the netsniff-ng log file at
> /var/log/nsm/HOSTNAME-INTERFACE/netsniff-ng.log?
>
> Have you tried restarting netsniff-ng?
> sudo nsm_sensor_ps-restart --only-pcap
>
> Have you tried rebooting?
>
> Also, I noticed the following in your sostat output:
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> COUNT(*)
> 1070820
>
> Please see:
> https://code.google.com/p/security-onion/wiki/FAQ#What_does_it_mean_if_I_have_a_high_number_of_Sguil_Uncategorized
>
> On Wed, Jan 21, 2015 at 12:48 PM, Zachary Trousdale
> > 89 1:2017918 ET DOS Possible NTP DDoS Inbound Frequent Un...

Doug Burks

unread,
Jan 21, 2015, 2:48:41 PM1/21/15
to securit...@googlegroups.com
It looks like you have adjusted the --ring-size, --interval, and
--mmap options and this may be resulting in the "Cannot allocate
RX_RING!" error. You may need to decrease those settings and/or
consider increasing your RAM.

Zachary Trousdale

unread,
Jan 21, 2015, 2:57:41 PM1/21/15
to securit...@googlegroups.com
Where would I change those settings back and what would be the appropriate settings based on the system specs below?

OS: Ubuntu Linux (64-bit)
4-core CPU
12GB of RAM.



On Wednesday, January 21, 2015 at 11:48:41 AM UTC-8, Doug Burks wrote:
> It looks like you have adjusted the --ring-size, --interval, and
> --mmap options and this may be resulting in the "Cannot allocate
> RX_RING!" error. You may need to decrease those settings and/or
> consider increasing your RAM.
>
> On Wed, Jan 21, 2015 at 2:44 PM, Zachary Trousdale
> >> > 117 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound l...

Doug Burks

unread,
Jan 21, 2015, 3:09:51 PM1/21/15
to securit...@googlegroups.com
You can change those settings in
/etc/nsm/HOSTNAME-INTERFACE/sensor.conf. It may require some tweaking
as it's highly dependent on your network traffic.

Alireza M

unread,
Jul 10, 2015, 10:09:38 AM7/10/15
to securit...@googlegroups.com
Hello,

I have this problem also. After reading this thread I updated SO using the soup command; after the update and some minutes, the problem exists the same as before.

What can I do about it? I want to solve it.
Thanks a lot.

Doug Burks

unread,
Jul 10, 2015, 10:12:19 AM7/10/15
to securit...@googlegroups.com

Prashant Shrivastva

unread,
Mar 10, 2019, 7:46:23 AM3/10/19
to security-onion
Hi,

I am having the same problem. My netsniff is failing to start all of a sudden.
It stopped working on the weekend. We lost logs from ELK stack for the weekend.

My netsniff.log file is as below:

seconion@seconion-master-virtual-machine:/var/log/nsm/seconion-master-virtual-machine-ens192$ cat netsniff-ng.log
Executing: netsniff-ng -i ens192 -o /nsm/sensor_data/seconion-master-virtual-machine-ens192/dailylogs/2019-03-10/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 256MiB --interval 250MiB --mmap
pcap file I/O method: mmap
RX,V3: 256.00 MiB, 4096 Blocks, each 65536 Byte allocated


Running! Hang up with ^C!

7634 packets incoming (25 unread on exit)
7659 packets passed filter
0 packets failed filter (out of space)
0.0000% packet droprate
3 sec, 417591 usec in total
Cannot set NIC flags (Operation not permitted)!


Kindly suggest a quick fix for this. We are not able to ingest anything into ELK. It has been blank for the last two days.

Regards
Prashant
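
The netsniff-ng.log excerpts posted in this thread come in two shapes: Zachary's 2015 build prints one `(+processed/-lost)` pair per ring rotation, while Prashant's 2019 build prints end-of-run counters (`packets incoming`, `packets failed filter`, `packet droprate`). In both, netsniff-ng's own error messages (`Cannot allocate RX_RING!`, `Cannot set NIC flags (Operation not permitted)!`) sit on lines of their own, which is exactly what the "Netsniff-NG - Reported Packet Loss" section of Zachary's sostat output trips over when it prints "Processed: Cannot Lost: allocate RX_RING!". The parser below is an added example, not part of sostat or netsniff-ng: it keeps the error lines apart from the counters, handles both log shapes, and separates "the process hit an error" from "no packets were captured", since Prashant's log shows the NIC flags error only after the capture summary. The sample logs are constructed from the excerpts above with the sensor names replaced by the placeholder SENSOR.

```python
import re
from dataclasses import dataclass, field

# Constructed sample logs, modelled on the netsniff-ng.log excerpts in this thread
# (sensor names replaced with the placeholder SENSOR).
LOG_OK = """\
Executing: netsniff-ng -i eth0 -o /nsm/sensor_data/SENSOR-eth0/dailylogs/2015-01-21/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1024MiB --interval 1024MiB --mmap
RX: 1024.00 MiB, 524288 Frames, each 2048 Byte allocated
Running! Hang up with ^C!

.(+3903389/-0).(+3929024/-0).(+3892767/-9781)
"""

LOG_RX_RING = """\
Executing netsniff-ng -i eth0 -o /nsm/sensor_data/SENSOR-eth0/dailylogs/2015-01-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1024MiB --interval 1024MiB --mmap
Cannot allocate RX_RING!
"""

LOG_NIC_FLAGS = """\
Executing: netsniff-ng -i ens192 -o /nsm/sensor_data/SENSOR-ens192/dailylogs/2019-03-10/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 256MiB --interval 250MiB --mmap
pcap file I/O method: mmap
RX,V3: 256.00 MiB, 4096 Blocks, each 65536 Byte allocated
Running! Hang up with ^C!

7634 packets incoming (25 unread on exit)
7659 packets passed filter
0 packets failed filter (out of space)
0.0000% packet droprate
3 sec, 417591 usec in total
Cannot set NIC flags (Operation not permitted)!
"""

EXEC_RE = re.compile(r"^Executing:?\s+(netsniff-ng\b.*)$")   # with or without the colon
INTERVAL_RE = re.compile(r"\(\+(\d+)/-(\d+)\)")               # one "(+processed/-lost)" per rotation
ERROR_RE = re.compile(r"^Cannot\b.*!$")                        # netsniff-ng error messages
SUMMARY_RES = {                                                # newer end-of-run counters
    "incoming": re.compile(r"^(\d+) packets incoming"),
    "passed": re.compile(r"^(\d+) packets passed filter"),
    "failed": re.compile(r"^(\d+) packets failed filter"),     # "(out of space)" = ring full
    "droprate_pct": re.compile(r"^([0-9.]+)% packet droprate"),
}


@dataclass
class NetsniffRun:
    command: str = ""
    intervals: list = field(default_factory=list)   # [(processed, lost), ...]
    summary: dict = field(default_factory=dict)     # end-of-run counters, if printed
    errors: list = field(default_factory=list)      # "Cannot ...!" lines, in order

    @property
    def processed(self) -> int:
        if self.intervals:
            return sum(p for p, _ in self.intervals)
        return int(self.summary.get("incoming", 0))

    @property
    def lost(self) -> int:
        if self.intervals:
            return sum(l for _, l in self.intervals)
        return int(self.summary.get("failed", 0))

    @property
    def loss_pct(self) -> float:
        total = self.processed + self.lost
        return 100.0 * self.lost / total if total else 0.0

    @property
    def captured_anything(self) -> bool:
        return self.processed > 0


def parse_netsniff_log(text: str) -> NetsniffRun:
    run = NetsniffRun()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXEC_RE.match(line)
        if m:
            run.command = m.group(1)
            continue
        if ERROR_RE.match(line):          # record the message; never treat it as a counter
            run.errors.append(line)
            continue
        hits = INTERVAL_RE.findall(line)  # a dots line can carry several intervals
        if hits:
            run.intervals.extend((int(p), int(l)) for p, l in hits)
            continue
        for key, rx in SUMMARY_RES.items():
            m = rx.match(line)
            if m:
                run.summary[key] = float(m.group(1)) if key == "droprate_pct" else int(m.group(1))
    return run


def summarize(name: str, text: str) -> dict:
    """One sostat-style record per log file, with errors kept apart from the counters."""
    run = parse_netsniff_log(text)
    return {
        "file": name,
        "processed": run.processed,
        "lost": run.lost,
        "loss_pct": round(run.loss_pct, 4),
        "captured": run.captured_anything,
        "errors": run.errors,
    }


if __name__ == "__main__":
    for name, text in [("ok", LOG_OK), ("rx_ring", LOG_RX_RING), ("nic_flags", LOG_NIC_FLAGS)]:
        print(summarize(name, text))
```

Run over the three samples, the first reports 11725180 packets processed and 9781 lost with no errors, the second reports nothing captured and the `Cannot allocate RX_RING!` message, and the third reports 7634 packets captured before the `Cannot set NIC flags` message. That last distinction matters when triaging a `[ FAIL ]` from sostat: an empty capture with an allocation error points at the ring settings, while a completed capture followed by an error points somewhere else.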

Prashant Shrivastva

unread,
Mar 10, 2019, 7:59:57 AM3/10/19
to security-onion
Also, please find my sostat-redacted output.



seconion@seconion-master-virtual-machine:/tmp$ cat sostat-redacted.txt
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 5207 10 Mar 08:53:47
proxy proxy localhost running 5312 10 Mar 08:53:49
SO-server-ens192-1 worker localhost running 5970 10 Mar 08:53:52
SO-server-ens192-2 worker localhost running 5977 10 Mar 08:53:52
SO-server-ens192-3 worker localhost running 5979 10 Mar 08:53:52
SO-server-ens192-4 worker localhost running 5987 10 Mar 08:53:52
SO-server-ens192-5 worker localhost running 5990 10 Mar 08:53:52
SO-server-ens192-6 worker localhost running 5992 10 Mar 08:53:52
SO-server-ens192-7 worker localhost running 5991 10 Mar 08:53:52
Status: SO-server-ens192
* netsniff-ng (full packet data)[ FAIL ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
Status: Elastic stack
* so-elasticsearch[ OK ]
* so-logstash[ OK ]
* so-kibana[ OK ]
* so-curator[ OK ]
* so-elastalert[ OK ]


=========================================================================
Interface Status
=========================================================================
br-ced1db549372 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:1091 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:452 (452.0 B) TX bytes:76442 (76.4 KB)

docker0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:211222886 errors:0 dropped:0 overruns:0 frame:0
TX packets:242948974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11222288675 (11.2 GB) TX bytes:1526910826106 (1.5 TB)

ens192 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8773990036 errors:0 dropped:0 overruns:0 frame:0
TX packets:210978833 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7564761972297 (7.5 TB) TX bytes:16134279541 (16.1 GB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:403587076 errors:0 dropped:0 overruns:0 frame:0
TX packets:403587076 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:622028404762 (622.0 GB) TX bytes:622028404762 (622.0 GB)


so-curator
-------------------------------------------------------------------------
(eth0)
vethc124f5d Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1118 (1.1 KB)

(eth1)
veth3d517c2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5179 errors:0 dropped:0 overruns:0 frame:0
TX packets:18139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1226432 (1.2 MB) TX bytes:757110070 (757.1 MB)


so-elastalert
-------------------------------------------------------------------------
(eth0)
vethd2ba9de Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:838 (838.0 B) TX bytes:1784 (1.7 KB)

(eth1)
vethfa726ca Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1629 errors:0 dropped:0 overruns:0 frame:0
TX packets:1475 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:378253 (378.2 KB) TX bytes:7371139 (7.3 MB)


so-kibana
-------------------------------------------------------------------------
(eth0)
veth324e148 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:575 errors:0 dropped:0 overruns:0 frame:0
TX packets:525 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3191989 (3.1 MB) TX bytes:84400 (84.4 KB)

(eth1)
veth2d6f84d Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3296 errors:0 dropped:0 overruns:0 frame:0
TX packets:2837 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:509127 (509.1 KB) TX bytes:1894276 (1.8 MB)


so-logstash
-------------------------------------------------------------------------
(eth0)
veth7555e5e Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1974 errors:0 dropped:0 overruns:0 frame:0
TX packets:2558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:280501 (280.5 KB) TX bytes:13465838 (13.4 MB)

(eth1)
veth6dfc87a Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2144 errors:0 dropped:0 overruns:0 frame:0
TX packets:1656 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15225679 (15.2 MB) TX bytes:168955 (168.9 KB)


so-elasticsearch
-------------------------------------------------------------------------
(eth0)
veth490d0a9 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:223 errors:0 dropped:0 overruns:0 frame:0
TX packets:333 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15963 (15.9 KB) TX bytes:24831 (24.8 KB)

(eth1)
veth93a4676 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24062 errors:0 dropped:0 overruns:0 frame:0
TX packets:12294 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:766570959 (766.5 MB) TX bytes:17347469 (17.3 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
622028501548 403587167 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
622028501548 403587167 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 0
2: ens192: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
7564819931740 8774055734 0 0 0 16733548
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
16134283248 210978857 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 1
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
11222289181 211222897 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1526910826700 242948985 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 4
4: br-ced1db549372: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
452 14 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
76442 1091 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 4
26: veth490d0a9@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
RX: bytes packets errors dropped overrun mcast
15963 223 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
24831 333 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
28: veth93a4676@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ced1db549372 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 0
RX: bytes packets errors dropped overrun mcast
766570959 24062 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
17347469 12294 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
30: veth7555e5e@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
RX: bytes packets errors dropped overrun mcast
280681 1977 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
13466000 2561 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
32: veth6dfc87a@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ced1db549372 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 1
RX: bytes packets errors dropped overrun mcast
15225943 2148 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
169087 1658 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
34: veth324e148@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
RX: bytes packets errors dropped overrun mcast
3191989 575 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
84400 525 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
36: veth2d6f84d@if35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ced1db549372 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 2
RX: bytes packets errors dropped overrun mcast
510835 3307 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1901192 2846 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
38: vethd2ba9de@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
RX: bytes packets errors dropped overrun mcast
838 12 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1784 23 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
40: vethfa726ca@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ced1db549372 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 3
RX: bytes packets errors dropped overrun mcast
382016 1636 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
7373124 1481 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
42: vethc124f5d@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1118 15 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2
44: veth3d517c2@if43: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ced1db549372 state UP mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM link-netnsid 4
RX: bytes packets errors dropped overrun mcast
1227419 5187 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
757132364 18145 0 0 0 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 2

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 63G 0 63G 0% /dev
tmpfs 13G 138M 13G 2% /run
/dev/mapper/securityonion--vg-root 12T 11T 673G 95% /
tmpfs 63G 176K 63G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 63G 0 63G 0% /sys/fs/cgroup
/dev/sda2 721M 137M 548M 20% /boot
tmpfs 13G 0 13G 0% /run/user/1001
tmpfs 13G 8.0K 13G 1% /run/user/1000
overlay 12T 11T 673G 95% /var/lib/docker/overlay2/b98bbae2e6560389cf5ff18348c2eb295856d5a64de12ad23fd0d9e85db78a9f/merged
shm 64M 0 64M 0% /var/lib/docker/containers/622b479a2746f8f3a207db067e9411ae8e51aa1fdb1bd62a369d3527853db288/mounts/shm
overlay 12T 11T 673G 95% /var/lib/docker/overlay2/8c41cfe1caa22f20d8a00d3218993091b732469e336126616290ac189e713a7f/merged
shm 64M 0 64M 0% /var/lib/docker/containers/b34101b3940823df8508aedb2d3c02e66a19afd5720d0c78c0f7e3844430222a/mounts/shm
overlay 12T 11T 673G 95% /var/lib/docker/overlay2/bd9a7687c3734d26aa943cba80c99f9204c9f72d7022cccd30b6d7bf2bca7b5e/merged
shm 64M 0 64M 0% /var/lib/docker/containers/a80cd14eabe68a3ac0ef8b7bef30a038ca0b7aa1423794824bc6f2e7328a5476/mounts/shm
overlay 12T 11T 673G 95% /var/lib/docker/overlay2/6c7ae6faee1fd57aab8dc4e6150df84625eac38b54b4d33caa32db8d2f0c19e0/merged
shm 64M 0 64M 0% /var/lib/docker/containers/04e32bcc4573915270742d8e7c2da70c08538c47222c9f2acc88c31b0a21ef17/mounts/shm
overlay 12T 11T 673G 95% /var/lib/docker/overlay2/69bd5d72f9149e4ed6e055c8a5242a2fd1c6806f9c9dd1f36e332062c6340a2e/merged
shm 64M 0 64M 0% /var/lib/docker/containers/17e063a283cd83b28d8595d4519d706505d3083a28a62375876c4e012f1169f0/mounts/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tclsh 926 SO-user 13u IPv4 71596009 0t0 TCP *:7734 (LISTEN)
tclsh 926 SO-user 14u IPv6 71596010 0t0 TCP *:7734 (LISTEN)
tclsh 926 SO-user 15u IPv4 71596013 0t0 TCP *:7736 (LISTEN)
tclsh 926 SO-user 16u IPv6 71596014 0t0 TCP *:7736 (LISTEN)
tclsh 926 SO-user 17u IPv4 71607317 0t0 TCP X.X.X.X:7736->X.X.X.X:46485 (ESTABLISHED)
tclsh 926 SO-user 18u IPv4 71602070 0t0 TCP X.X.X.X:7736->X.X.X.X:41629 (ESTABLISHED)
tclsh 926 SO-user 19u IPv4 71603172 0t0 TCP X.X.X.X:7736->X.X.X.X:35873 (ESTABLISHED)
tclsh 926 SO-user 20u IPv4 71607320 0t0 TCP X.X.X.X:7736->X.X.X.X:45171 (ESTABLISHED)
tclsh 926 SO-user 21u IPv4 71607321 0t0 TCP X.X.X.X:7736->X.X.X.X:33153 (ESTABLISHED)
tclsh 926 SO-user 22u IPv4 71598750 0t0 TCP X.X.X.X:7736->X.X.X.X:34247 (ESTABLISHED)
tclsh 926 SO-user 23u IPv4 71606341 0t0 TCP X.X.X.X:7736->X.X.X.X:40141 (ESTABLISHED)
tclsh 999 SO-user 3u IPv4 71605377 0t0 TCP X.X.X.X:40141->X.X.X.X:7736 (ESTABLISHED)
sshd 1857 root 3u IPv4 29604 0t0 TCP *:ssh_port (LISTEN)
sshd 1857 root 4u IPv6 29606 0t0 TCP *:ssh_port (LISTEN)
mysqld 1913 mysql 14u IPv4 15964 0t0 TCP X.X.X.X:3306 (LISTEN)
ntpd 2364 ntp 16u IPv6 27234 0t0 UDP *:123
ntpd 2364 ntp 17u IPv4 27237 0t0 UDP *:123
ntpd 2364 ntp 18u IPv4 27242 0t0 UDP X.X.X.X:123
ntpd 2364 ntp 19u IPv4 27244 0t0 UDP X.X.X.X:123
ntpd 2364 ntp 20u IPv6 27246 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 21u IPv6 27248 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 25u IPv4 71608224 0t0 UDP X.X.X.X:123
ntpd 2364 ntp 26u IPv6 71608228 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 27u IPv6 71615883 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 28u IPv4 71615916 0t0 UDP X.X.X.X:123
ntpd 2364 ntp 29u IPv6 71615921 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 30u IPv6 71615924 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 31u IPv6 71605156 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 32u IPv6 71622714 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 33u IPv6 71628900 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 34u IPv6 71628902 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 35u IPv6 71628979 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 36u IPv6 71616317 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 37u IPv6 71629064 0t0 UDP [X.X.X.X]:123
ntpd 2364 ntp 38u IPv6 71614293 0t0 UDP [X.X.X.X]:123
apache2 2540 root 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
bro 5207 SO-user 4u IPv4 71603076 0t0 UDP X.X.X.X:58332->X.X.X.X:53
bro 5278 SO-user 0u IPv4 71614488 0t0 TCP *:47761 (LISTEN)
bro 5278 SO-user 1u IPv6 71614489 0t0 TCP *:47761 (LISTEN)
bro 5278 SO-user 2u IPv4 71603854 0t0 TCP X.X.X.X:47761->X.X.X.X:37792 (ESTABLISHED)
bro 5278 SO-user 4u IPv4 71603076 0t0 UDP X.X.X.X:58332->X.X.X.X:53
bro 5278 SO-user 14u IPv4 71600096 0t0 TCP X.X.X.X:47761->X.X.X.X:37800 (ESTABLISHED)
bro 5278 SO-user 19u IPv4 71600101 0t0 TCP X.X.X.X:47761->X.X.X.X:37802 (ESTABLISHED)
bro 5278 SO-user 24u IPv4 71603892 0t0 TCP X.X.X.X:47761->X.X.X.X:37806 (ESTABLISHED)
bro 5278 SO-user 29u IPv4 71602041 0t0 TCP X.X.X.X:47761->X.X.X.X:37810 (ESTABLISHED)
bro 5278 SO-user 34u IPv4 71612523 0t0 TCP X.X.X.X:47761->X.X.X.X:37814 (ESTABLISHED)
bro 5278 SO-user 39u IPv4 71610779 0t0 TCP X.X.X.X:47761->X.X.X.X:37818 (ESTABLISHED)
bro 5278 SO-user 44u IPv4 71599082 0t0 TCP X.X.X.X:47761->X.X.X.X:37822 (ESTABLISHED)
bro 5278 SO-user 49u IPv4 71606140 0t0 TCP X.X.X.X:47761->X.X.X.X:37848 (ESTABLISHED)
bro 5312 SO-user 4u IPv4 71603084 0t0 UDP X.X.X.X:40952->X.X.X.X:53
bro 5314 SO-user 0u IPv4 71600037 0t0 TCP X.X.X.X:37792->X.X.X.X:47761 (ESTABLISHED)
bro 5314 SO-user 4u IPv4 71603084 0t0 UDP X.X.X.X:40952->X.X.X.X:53
bro 5314 SO-user 12u IPv4 71600042 0t0 TCP *:47762 (LISTEN)
bro 5314 SO-user 13u IPv6 71600043 0t0 TCP *:47762 (LISTEN)
bro 5314 SO-user 14u IPv4 71600093 0t0 TCP X.X.X.X:47762->X.X.X.X:56638 (ESTABLISHED)
bro 5314 SO-user 19u IPv4 71600104 0t0 TCP X.X.X.X:47762->X.X.X.X:56644 (ESTABLISHED)
bro 5314 SO-user 24u IPv4 71604791 0t0 TCP X.X.X.X:47762->X.X.X.X:56648 (ESTABLISHED)
bro 5314 SO-user 29u IPv4 71608843 0t0 TCP X.X.X.X:47762->X.X.X.X:56652 (ESTABLISHED)
bro 5314 SO-user 34u IPv4 71612526 0t0 TCP X.X.X.X:47762->X.X.X.X:56656 (ESTABLISHED)
bro 5314 SO-user 39u IPv4 71599070 0t0 TCP X.X.X.X:47762->X.X.X.X:56660 (ESTABLISHED)
bro 5314 SO-user 44u IPv4 71610782 0t0 TCP X.X.X.X:47762->X.X.X.X:56664 (ESTABLISHED)
bro 5314 SO-user 49u IPv4 71606856 0t0 TCP X.X.X.X:47762->X.X.X.X:56694 (ESTABLISHED)
bro 5970 SO-user 4u IPv4 71603116 0t0 UDP X.X.X.X:59727->X.X.X.X:53
bro 5977 SO-user 4u IPv4 71607715 0t0 UDP X.X.X.X:40581->X.X.X.X:53
bro 5979 SO-user 4u IPv4 71609901 0t0 UDP X.X.X.X:57320->X.X.X.X:53
bro 5987 SO-user 4u IPv4 71606642 0t0 UDP X.X.X.X:55235->X.X.X.X:53
bro 5990 SO-user 4u IPv4 71613559 0t0 UDP X.X.X.X:34186->X.X.X.X:53
bro 5991 SO-user 4u IPv4 71599058 0t0 UDP X.X.X.X:52531->X.X.X.X:53
bro 5992 SO-user 4u IPv4 71608842 0t0 UDP X.X.X.X:34260->X.X.X.X:53
bro 6002 SO-user 0u IPv4 71607721 0t0 TCP X.X.X.X:37802->X.X.X.X:47761 (ESTABLISHED)
bro 6002 SO-user 4u IPv4 71607715 0t0 UDP X.X.X.X:40581->X.X.X.X:53
bro 6002 SO-user 12u IPv4 71607724 0t0 TCP X.X.X.X:56644->X.X.X.X:47762 (ESTABLISHED)
bro 6002 SO-user 17u IPv4 71607729 0t0 TCP *:47764 (LISTEN)
bro 6002 SO-user 18u IPv6 71607730 0t0 TCP *:47764 (LISTEN)
bro 6003 SO-user 0u IPv4 71604781 0t0 TCP X.X.X.X:56638->X.X.X.X:47762 (ESTABLISHED)
bro 6003 SO-user 4u IPv4 71599058 0t0 UDP X.X.X.X:52531->X.X.X.X:53
bro 6003 SO-user 12u IPv4 71604784 0t0 TCP X.X.X.X:37800->X.X.X.X:47761 (ESTABLISHED)
bro 6003 SO-user 17u IPv4 71604789 0t0 TCP *:47769 (LISTEN)
bro 6003 SO-user 18u IPv6 71604790 0t0 TCP *:47769 (LISTEN)
bro 6006 SO-user 0u IPv4 71600107 0t0 TCP X.X.X.X:37806->X.X.X.X:47761 (ESTABLISHED)
bro 6006 SO-user 4u IPv4 71609901 0t0 UDP X.X.X.X:57320->X.X.X.X:53
bro 6006 SO-user 12u IPv4 71600110 0t0 TCP X.X.X.X:56648->X.X.X.X:47762 (ESTABLISHED)
bro 6006 SO-user 17u IPv4 71600115 0t0 TCP *:47765 (LISTEN)
bro 6006 SO-user 18u IPv6 71600116 0t0 TCP *:47765 (LISTEN)
bro 6008 SO-user 0u IPv4 71612499 0t0 TCP X.X.X.X:37810->X.X.X.X:47761 (ESTABLISHED)
bro 6008 SO-user 4u IPv4 71613559 0t0 UDP X.X.X.X:34186->X.X.X.X:53
bro 6008 SO-user 12u IPv4 71612502 0t0 TCP X.X.X.X:56652->X.X.X.X:47762 (ESTABLISHED)
bro 6041 SO-user 0u IPv4 71609909 0t0 TCP X.X.X.X:37814->X.X.X.X:47761 (ESTABLISHED)
bro 6041 SO-user 4u IPv4 71606642 0t0 UDP X.X.X.X:55235->X.X.X.X:53
bro 6041 SO-user 12u IPv4 71609912 0t0 TCP X.X.X.X:56656->X.X.X.X:47762 (ESTABLISHED)
bro 6041 SO-user 17u IPv4 71609917 0t0 TCP *:47766 (LISTEN)
bro 6041 SO-user 18u IPv6 71609918 0t0 TCP *:47766 (LISTEN)
bro 6043 SO-user 0u IPv4 71607742 0t0 TCP X.X.X.X:37818->X.X.X.X:47761 (ESTABLISHED)
bro 6043 SO-user 4u IPv4 71603116 0t0 UDP X.X.X.X:59727->X.X.X.X:53
bro 6043 SO-user 12u IPv4 71607745 0t0 TCP X.X.X.X:56660->X.X.X.X:47762 (ESTABLISHED)
bro 6043 SO-user 17u IPv4 71607750 0t0 TCP *:47763 (LISTEN)
bro 6043 SO-user 18u IPv6 71607751 0t0 TCP *:47763 (LISTEN)
bro 6092 SO-user 0u IPv4 71603128 0t0 TCP X.X.X.X:37822->X.X.X.X:47761 (ESTABLISHED)
bro 6092 SO-user 4u IPv4 71608842 0t0 UDP X.X.X.X:34260->X.X.X.X:53
bro 6092 SO-user 12u IPv4 71603131 0t0 TCP X.X.X.X:56664->X.X.X.X:47762 (ESTABLISHED)
bro 6092 SO-user 17u IPv4 71603136 0t0 TCP *:47768 (LISTEN)
bro 6092 SO-user 18u IPv6 71603137 0t0 TCP *:47768 (LISTEN)
bro 6174 SO-user 4u IPv4 46094 0t0 UDP X.X.X.X:49237->X.X.X.X:53
tclsh 6180 SO-user 3u IPv4 71611713 0t0 TCP X.X.X.X:35873->X.X.X.X:7736 (ESTABLISHED)
bro 6221 SO-user 0u IPv4 71614783 0t0 TCP X.X.X.X:37848->X.X.X.X:47761 (ESTABLISHED)
bro 6221 SO-user 4u IPv4 46094 0t0 UDP X.X.X.X:49237->X.X.X.X:53
bro 6221 SO-user 12u IPv4 71606163 0t0 TCP X.X.X.X:56694->X.X.X.X:47762 (ESTABLISHED)
bro 6221 SO-user 17u IPv4 32580 0t0 TCP *:47767 (LISTEN)
bro 6221 SO-user 18u IPv6 32581 0t0 TCP *:47767 (LISTEN)
tclsh 6226 SO-user 3u IPv4 71614603 0t0 TCP X.X.X.X:41629->X.X.X.X:7736 (ESTABLISHED)
tclsh 6226 SO-user 4u IPv4 71607780 0t0 TCP X.X.X.X:8000 (LISTEN)
tclsh 6226 SO-user 6u IPv4 71616643 0t0 TCP X.X.X.X:8000->X.X.X.X:57108 (ESTABLISHED)
barnyard2 6846 SO-user 3u IPv4 71611917 0t0 TCP X.X.X.X:57108->X.X.X.X:8000 (ESTABLISHED)
docker-pr 9571 root 4u IPv4 71606271 0t0 TCP X.X.X.X:9300 (LISTEN)
docker-pr 9585 root 4u IPv4 71608176 0t0 TCP X.X.X.X:9200 (LISTEN)
docker-pr 10005 root 4u IPv6 71618738 0t0 TCP *:9600 (LISTEN)
docker-pr 10019 root 4u IPv6 71613128 0t0 TCP *:6053 (LISTEN)
docker-pr 10033 root 4u IPv6 71611216 0t0 TCP *:6052 (LISTEN)
docker-pr 10047 root 4u IPv6 71605112 0t0 TCP *:6051 (LISTEN)
docker-pr 10062 root 3u IPv6 71638573 0t0 TCP X.X.X.X:6050->X.X.X.X:38825 (ESTABLISHED)
docker-pr 10062 root 4u IPv6 71617012 0t0 TCP *:6050 (LISTEN)
docker-pr 10062 root 6u IPv4 71638575 0t0 TCP X.X.X.X:34580->X.X.X.X:6050 (ESTABLISHED)
docker-pr 10062 root 7u IPv6 71647386 0t0 TCP X.X.X.X:6050->X.X.X.X:34466 (ESTABLISHED)
docker-pr 10062 root 8u IPv4 71647388 0t0 TCP X.X.X.X:34584->X.X.X.X:6050 (ESTABLISHED)
docker-pr 10077 root 4u IPv6 71611231 0t0 TCP *:5044 (LISTEN)
docker-pr 11738 root 3u IPv4 71628565 0t0 TCP X.X.X.X:5601->X.X.X.X:42436 (FIN_WAIT2)
docker-pr 11738 root 4u IPv4 71627882 0t0 TCP X.X.X.X:5601 (LISTEN)
docker-pr 11738 root 6u IPv4 71628567 0t0 TCP X.X.X.X:44570->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 7u IPv4 71647327 0t0 TCP X.X.X.X:5601->X.X.X.X:42622 (FIN_WAIT2)
docker-pr 11738 root 8u IPv4 71647329 0t0 TCP X.X.X.X:44756->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 9u IPv4 71653447 0t0 TCP X.X.X.X:5601->X.X.X.X:42916 (FIN_WAIT2)
docker-pr 11738 root 10u IPv4 71653449 0t0 TCP X.X.X.X:45050->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 12u IPv4 71657352 0t0 TCP X.X.X.X:5601->X.X.X.X:43162 (FIN_WAIT2)
docker-pr 11738 root 13u IPv4 71657354 0t0 TCP X.X.X.X:45296->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 14u IPv4 71649226 0t0 TCP X.X.X.X:5601->X.X.X.X:43170 (FIN_WAIT2)
docker-pr 11738 root 15u IPv4 71649228 0t0 TCP X.X.X.X:45304->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 16u IPv4 71655703 0t0 TCP X.X.X.X:5601->X.X.X.X:43180 (FIN_WAIT2)
docker-pr 11738 root 17u IPv4 71655705 0t0 TCP X.X.X.X:45314->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 18u IPv4 71650948 0t0 TCP X.X.X.X:5601->X.X.X.X:43190 (FIN_WAIT2)
docker-pr 11738 root 19u IPv4 71650950 0t0 TCP X.X.X.X:45324->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 20u IPv4 71650951 0t0 TCP X.X.X.X:5601->X.X.X.X:43194 (FIN_WAIT2)
docker-pr 11738 root 21u IPv4 71650953 0t0 TCP X.X.X.X:45328->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 22u IPv4 71650954 0t0 TCP X.X.X.X:5601->X.X.X.X:43198 (FIN_WAIT2)
docker-pr 11738 root 23u IPv4 71650956 0t0 TCP X.X.X.X:45332->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 24u IPv4 71650957 0t0 TCP X.X.X.X:5601->X.X.X.X:43206 (FIN_WAIT2)
docker-pr 11738 root 25u IPv4 71650959 0t0 TCP X.X.X.X:45340->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 26u IPv4 71638827 0t0 TCP X.X.X.X:5601->X.X.X.X:43216 (FIN_WAIT2)
docker-pr 11738 root 27u IPv4 71638829 0t0 TCP X.X.X.X:45350->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 28u IPv4 71655712 0t0 TCP X.X.X.X:5601->X.X.X.X:43226 (FIN_WAIT2)
docker-pr 11738 root 29u IPv4 71655714 0t0 TCP X.X.X.X:45360->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 30u IPv4 71646718 0t0 TCP X.X.X.X:5601->X.X.X.X:43234 (FIN_WAIT2)
docker-pr 11738 root 31u IPv4 71646720 0t0 TCP X.X.X.X:45368->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 32u IPv4 71646721 0t0 TCP X.X.X.X:5601->X.X.X.X:43238 (FIN_WAIT2)
docker-pr 11738 root 33u IPv4 71646723 0t0 TCP X.X.X.X:45372->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 34u IPv4 71646725 0t0 TCP X.X.X.X:5601->X.X.X.X:43242 (FIN_WAIT2)
docker-pr 11738 root 35u IPv4 71646727 0t0 TCP X.X.X.X:45376->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 36u IPv4 71638839 0t0 TCP X.X.X.X:5601->X.X.X.X:43248 (FIN_WAIT2)
docker-pr 11738 root 37u IPv4 71638841 0t0 TCP X.X.X.X:45382->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 38u IPv4 71646728 0t0 TCP X.X.X.X:5601->X.X.X.X:43254 (FIN_WAIT2)
docker-pr 11738 root 39u IPv4 71646730 0t0 TCP X.X.X.X:45388->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 40u IPv4 71638843 0t0 TCP X.X.X.X:5601->X.X.X.X:43268 (FIN_WAIT2)
docker-pr 11738 root 41u IPv4 71638845 0t0 TCP X.X.X.X:45402->X.X.X.X:5601 (CLOSE_WAIT)
docker-pr 11738 root 42u IPv4 71655752 0t0 TCP X.X.X.X:5601->X.X.X.X:43438 (FIN_WAIT2)
docker-pr 11738 root 43u IPv4 71655754 0t0 TCP X.X.X.X:45572->X.X.X.X:5601 (CLOSE_WAIT)
ossec-rem 14597 ossecr 4u IPv4 40773723 0t0 UDP *:1514
apache2 19084 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 19084 www-data 15u IPv4 71637589 0t0 TCP X.X.X.X:42622->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19084 www-data 16u IPv4 71655706 0t0 TCP X.X.X.X:43198->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19084 www-data 17u IPv4 71586203 0t0 TCP X.X.X.X:40602->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19084 www-data 18u IPv4 71590188 0t0 TCP X.X.X.X:40594->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19084 www-data 19u IPv4 71655717 0t0 TCP X.X.X.X:43242->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19094 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 19094 www-data 15u IPv4 71607407 0t0 TCP X.X.X.X:41442->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19094 www-data 16u IPv4 71595310 0t0 TCP X.X.X.X:41038->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19094 www-data 17u IPv4 71652718 0t0 TCP X.X.X.X:43216->X.X.X.X:5601 (CLOSE_WAIT)
apache2 19094 www-data 18u IPv4 71638825 0t0 TCP X.X.X.X:43194->X.X.X.X:5601 (CLOSE_WAIT)
tclsh 20751 SO-user 3u IPv4 71602804 0t0 TCP X.X.X.X:33153->X.X.X.X:7736 (ESTABLISHED)
apache2 23201 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 23260 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 23308 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 25957 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 25957 www-data 14u IPv6 71660741 0t0 TCP X.X.X.X:443->X.X.X.X:52697 (ESTABLISHED)
apache2 25957 www-data 15u IPv4 71597161 0t0 TCP X.X.X.X:41046->X.X.X.X:5601 (CLOSE_WAIT)
apache2 25957 www-data 16u IPv4 71658497 0t0 TCP X.X.X.X:43190->X.X.X.X:5601 (CLOSE_WAIT)
apache2 25957 www-data 17u IPv4 71596219 0t0 TCP X.X.X.X:41070->X.X.X.X:5601 (CLOSE_WAIT)
apache2 25957 www-data 18u IPv4 71646096 0t0 TCP X.X.X.X:43238->X.X.X.X:5601 (CLOSE_WAIT)
sshd 28310 root 3u IPv4 71592112 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52895 (ESTABLISHED)
sshd 28409 SO-user 3u IPv4 71592112 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52895 (ESTABLISHED)
syslog-ng 31235 root 21u IPv4 71149191 0t0 TCP *:514 (LISTEN)
syslog-ng 31235 root 22u IPv4 71149192 0t0 UDP *:514
syslog-ng 31235 root 40u IPv4 71647385 0t0 TCP X.X.X.X:38825->X.X.X.X:6050 (ESTABLISHED)
sshd 32105 root 3u IPv4 71597409 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46550 (ESTABLISHED)
sshd 32118 SO-user 3u IPv4 71597409 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46550 (ESTABLISHED)
sshd 32118 SO-user 4u IPv4 71639939 0t0 TCP X.X.X.X:34466->X.X.X.X:6050 (ESTABLISHED)
apache2 32188 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 32188 www-data 15u IPv4 71650896 0t0 TCP X.X.X.X:43162->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32188 www-data 16u IPv4 71591735 0t0 TCP X.X.X.X:41172->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32188 www-data 17u IPv4 71646093 0t0 TCP X.X.X.X:43234->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32188 www-data 18u IPv4 71600271 0t0 TCP X.X.X.X:41278->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32188 www-data 19u IPv4 71646030 0t0 TCP X.X.X.X:43170->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32188 www-data 20u IPv4 71652096 0t0 TCP X.X.X.X:43438->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32189 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 32189 www-data 15u IPv4 71596504 0t0 TCP X.X.X.X:41274->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32189 www-data 16u IPv4 71636612 0t0 TCP X.X.X.X:42436->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32189 www-data 17u IPv4 71586957 0t0 TCP X.X.X.X:40514->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32189 www-data 18u IPv4 71595523 0t0 TCP X.X.X.X:41222->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32189 www-data 19u IPv4 71652038 0t0 TCP X.X.X.X:43248->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32190 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 32190 www-data 15u IPv4 71646519 0t0 TCP X.X.X.X:42916->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32190 www-data 16u IPv4 71646637 0t0 TCP X.X.X.X:43180->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32190 www-data 17u IPv4 71655711 0t0 TCP X.X.X.X:43226->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32190 www-data 18u IPv4 71646089 0t0 TCP X.X.X.X:43206->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32192 www-data 4u IPv6 29106 0t0 TCP *:443 (LISTEN)
apache2 32192 www-data 15u IPv4 71652040 0t0 TCP X.X.X.X:43254->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32192 www-data 16u IPv4 71566332 0t0 TCP X.X.X.X:39462->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32192 www-data 17u IPv4 71652724 0t0 TCP X.X.X.X:43268->X.X.X.X:5601 (CLOSE_WAIT)
apache2 32192 www-data 18u IPv4 71589017 0t0 TCP X.X.X.X:40316->X.X.X.X:5601 (CLOSE_WAIT)

=========================================================================
IDS Rules Update
=========================================================================
Sun Mar 10 07:01:01 UTC 2019
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 45 minutes to avoid overwhelming rule sites.
ENGINE=suricata, so we'll execute PulledPork with -T -S suricata-4.0.5.
Running PulledPork.
Error 500 when fetching https://rules.emergingthreats.net/open/suricata-4.0.5/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 534.
main::md5file("open", "emerging.rules.tar.gz", "/tmp/", "https://rules.emergingthreats.net/open/suricata-4.0.5/") called at /usr/bin/pulledpork.pl line 2007

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Restarting Barnyard2.
Restarting: SO-server-ens192
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-ens192
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
3.26 3.64 3.78
Processing units: 16
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 09:22:14 up 45 days, 1:33, 2 users, load average: 3.26, 3.64, 3.78
Tasks: 369 total, 2 running, 254 sleeping, 0 stopped, 0 zombie
%Cpu(s): 30.6 us, 5.4 sy, 0.0 ni, 59.6 id, 3.9 wa, 0.0 hi, 0.6 si, 0.0 st
KiB Mem : 13202872+total, 14620080 free, 39890240 used, 77518400 buff/cache
KiB Swap: 999420 total, 604268 free, 395152 used. 90600224 avail Mem

%CPU %MEM COMMAND
77.1 2.8 /bin/java -Xms4000m -Xmx4000m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -cp /usr/share/logstash/logstash-core/lib/jars/animal-sniffer-annotations-1.14.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.11.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.0.18.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/gradle-license-report-0.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-22.0.jar:/usr/share/logstash/logstash-core/lib/jars/j2objc-annotations-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-X.X.X.X.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-1.3.9.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar org.logstash.Logstash
36.5 23.4 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Xms24g -Xmx24g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch.CIjyEzXi -XX:+HeapDumpOnOutOfMemoryError -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:logs/gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=32 -XX:GCLogFileSize=64m -Des.cgroups.hierarchy.override=/ -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/usr/share/elasticsearch/config -Des.distribution.flavor=oss -Des.distribution.type=tar -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -Ecluster.name=SO-server -Ebootstrap.memory_lock=true -Etransport.host=X.X.X.X -Ehttp.host=X.X.X.X
18.6 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
18.6 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
18.5 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
18.4 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.7 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.6 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.3 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.1 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
5.1 0.3 /usr/sbin/mysqld
3.3 0.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-ens192/suricata.yaml --pfring=ens192 -l /nsm/sensor_data/SO-server-ens192
3.1 0.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-ens192/suricata.yaml --pfring=ens192 -l /nsm/sensor_data/SO-server-ens192
2.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.6 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.5 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
1.2 0.2 netsniff-ng -i ens192 -o /nsm/sensor_data/SO-server-ens192/dailylogs/2019-03-10/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 256MiB --interval 250MiB --mmap
1.1 0.0 barnyard2 -c /etc/nsm/SO-server-ens192/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-ens192 -f snort.unified2 -w /etc/nsm/SO-server-ens192/barnyard2.waldo -i SO-server-ens192 -U
1.0 0.0 [jbd2/dm-0-8]
1.0 0.1 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --kibana.defaultAppId=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
0.4 0.0 /usr/bin/dockerd -H fd://
0.4 0.0 [kworker/u32:2]
0.3 0.0 python -m elastalert.elastalert --config /etc/elastalert/conf/elastalert_config.yaml --verbose
0.3 0.0 /bin/bash /usr/sbin/sostat
0.2 0.0 docker-containerd --config /var/run/docker/containerd/containerd.toml
0.2 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 [rcu_sched]
0.1 0.0 [kswapd0]
0.1 0.0 [kswapd1]
0.1 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.1 0.0 /usr/bin/python /usr/bin/supervisord -c /etc/elastalert/conf/elastalert_supervisord.conf -n
0.1 0.0 /var/ossec/bin/ossec-remoted
0.0 0.0 /sbin/init splash
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [mm_percpu_wq]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [cpuhp/0]
0.0 0.0 [cpuhp/1]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [cpuhp/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [cpuhp/3]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [cpuhp/4]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [cpuhp/5]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [cpuhp/6]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [cpuhp/7]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [cpuhp/8]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [cpuhp/9]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [cpuhp/10]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [cpuhp/11]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [cpuhp/12]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/12]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [cpuhp/13]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/13]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [cpuhp/14]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/14]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [cpuhp/15]
0.0 0.0 [watchdog/15]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [rcu_tasks_kthre]
0.0 0.0 [kauditd]
0.0 0.0 [khungtaskd]
0.0 0.0 [oom_reaper]
0.0 0.0 [writeback]
0.0 0.0 [kcompactd0]
0.0 0.0 [kcompactd1]
0.0 0.0 [kcompactd2]
0.0 0.0 [kcompactd3]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [edac-poller]
0.0 0.0 [devfreq_wq]
0.0 0.0 [watchdogd]
0.0 0.0 [kswapd2]
0.0 0.0 [kswapd3]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [kstrp]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [ttm_swap]
0.0 0.0 [irq/16-vmwgfx]
0.0 0.0 [kworker/4:1H]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [kworker/11:1H]
0.0 0.0 [kworker/10:1H]
0.0 0.0 [kworker/12:1H]
0.0 0.0 [kworker/13:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kworker/2:1H]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/7:1H]
0.0 0.0 [raid5wq]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/9:1H]
0.0 0.0 [kworker/8:1H]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/15:1H]
0.0 0.0 [kworker/6:1H]
0.0 0.0 /lib/systemd/systemd-journald
0.0 0.0 [kworker/14:1H]
0.0 0.0 [iscsi_eh]
0.0 0.0 [ib-comp-wq]
0.0 0.0 [ib_mcast]
0.0 0.0 [ib_nl_sa_wq]
0.0 0.0 /lib/systemd/systemd-udevd
0.0 0.0 [rdma_cm]
0.0 0.0 /sbin/lvmetad -f
0.0 0.0 [kworker/u34:2]
0.0 0.0 [kworker/2:1]
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /usr/sbin/cron -f
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
0.0 0.0 /usr/sbin/acpid
0.0 0.0 /usr/sbin/NetworkManager --no-daemon
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /usr/sbin/atd -f
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/iscsid
0.0 0.0 /sbin/iscsid
0.0 0.0 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
0.0 0.0 /usr/sbin/lightdm
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
0.0 0.0 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /sbin/agetty --noclear tty1 linux
0.0 0.0 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
0.0 0.0 php-fpm: pool www
0.0 0.0 php-fpm: pool www
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /lib/systemd/systemd --user
0.0 0.0 (sd-pam)
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/12:2]
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-7 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 [kworker/11:0]
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-ens192/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-ens192/pcap_agent.conf
0.0 0.4 /opt/bro/bin/bro -i ens192 -U .status -p broctl -p broctl-live -p local -p SO-server-ens192-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-ens192/snort_agent.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-ens192/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-ens192/snort.stats
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/u32:0]
0.0 0.0 [kworker/0:1]
0.0 0.0 /lib/systemd/systemd --user
0.0 0.0 (sd-pam)
0.0 0.0 [kworker/3:1]
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9300 -container-ip X.X.X.X -container-port 9300
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9200 -container-ip X.X.X.X -container-port 9200
0.0 0.0 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/622b479a2746f8f3a207db067e9411ae8e51aa1fdb1bd62a369d3527853db288 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 9600 -container-ip X.X.X.X -container-port 9600
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6053 -container-ip X.X.X.X -container-port 6053
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6052 -container-ip X.X.X.X -container-port 6052
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6051 -container-ip X.X.X.X -container-port 6051
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 6050 -container-ip X.X.X.X -container-port 6050
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5044 -container-ip X.X.X.X -container-port 5044
0.0 0.0 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/b34101b3940823df8508aedb2d3c02e66a19afd5720d0c78c0f7e3844430222a -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
0.0 0.0 [kworker/11:2]
0.0 0.0 [kworker/6:0]
0.0 0.0 /usr/bin/docker-proxy -proto tcp -host-ip X.X.X.X -host-port 5601 -container-ip X.X.X.X -container-port 5601
0.0 0.0 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/a80cd14eabe68a3ac0ef8b7bef30a038ca0b7aa1423794824bc6f2e7328a5476 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 /bin/sh /usr/bin/gnome-session-classic
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
0.0 0.0 /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session-classic
0.0 0.0 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/bin/ibus-daemon --daemonize --xim --address unix:tmpdir=/tmp/ibus
0.0 0.0 /usr/lib/gnome-session/gnome-session-binary --session gnome-classic
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/ibus/ibus-dconf
0.0 0.0 /usr/lib/ibus/ibus-ui-gtk3
0.0 0.0 /usr/lib/ibus/ibus-x11 --kill-daemon
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/ibus/ibus-engine-simple
0.0 0.0 /usr/bin/gnome-screensaver --no-daemon
0.0 0.0 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/colord/colord
0.0 0.0 /usr/bin/gnome-shell
0.0 0.0 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/04e32bcc4573915270742d8e7c2da70c08538c47222c9f2acc88c31b0a21ef17 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
0.0 0.0 /usr/lib/gnome-shell/gnome-shell-calendar-server
0.0 0.0 /usr/lib/evolution/evolution-source-registry
0.0 0.0 /usr/lib/telepathy/mission-control-5
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 /usr/lib/gvfs/gvfs-goa-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 nautilus -n
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/evolution/evolution-calendar-factory
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.1 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/17e063a283cd83b28d8595d4519d706505d3083a28a62375876c4e012f1169f0 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
0.0 0.0 /bin/bash
0.0 0.0 /usr/lib/gvfs/gvfsd-metadata
0.0 0.0 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory contacts --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx12747x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/12747/2
0.0 0.0 /usr/lib/evolution/evolution-addressbook-factory
0.0 0.0 /usr/lib/evolution/evolution-calendar-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx12747x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/12747/3
0.0 0.0 /usr/lib/evolution/evolution-addressbook-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx13101x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/13101/2
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 /var/ossec/bin/wazuh-db
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /var/ossec/bin/wazuh-modulesd
0.0 0.0 [kworker/13:0]
0.0 0.0 [kworker/u33:0]
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/6:2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/u36:0]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/u34:0]
0.0 0.0 [kworker/u33:2]
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-ens192/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-ens192/pcap_agent.conf
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/u35:0]
0.0 0.0 [kworker/u36:1]
0.0 0.0 [kworker/9:0]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u36:2]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/15:2]
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/sbin/sostat-redacted
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/13:2]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 -bash
0.0 0.0 [kworker/u35:1]
0.0 0.0 [kworker/u33:1]
0.0 0.0 [kworker/4:2]
0.0 0.0 [kworker/10:1]
0.0 0.0 /usr/sbin/syslog-ng -F
0.0 0.0 [kworker/14:3]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/1:2]

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

ens192: 1286132

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

ens192:

RX packets:8774062061 dropped:0 TX packets:210978858 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name: bro-ens192
Tot Packets: 306741
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 694269
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 366785
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 586563
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 365648
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 159645
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 245619
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: bro-ens192
Tot Packets: 783943377
Tot Pkt Lost: 70
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 180612
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 272542
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 64886
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 74970
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 43229
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 752002
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 196344
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 126383
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 103502
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 95273
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 178977
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 331733
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 219798
Tot Pkt Lost: 0
Loss as a percentage: 0


Appl. Name: Suricata
Tot Packets: 195447
Tot Pkt Lost: 0
Loss as a percentage: 0

-------------------------------------------------------------------------

IDS Engine (suricata) packet drops:

/nsm/sensor_data/SO-server-ens192/stats.log

No packet drops reported.

-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 0.000009

SO-server-ens192-1: 1552209735.646217 recvd=306805 dropped=0 link=306805
SO-server-ens192-2: 1552209735.838868 recvd=694611 dropped=0 link=694611
SO-server-ens192-3: 1552209736.043302 recvd=368316 dropped=0 link=368316
SO-server-ens192-4: 1552209736.247230 recvd=586791 dropped=0 link=586791
SO-server-ens192-5: 1552209736.446211 recvd=783945530 dropped=70 link=783945530
SO-server-ens192-6: 1552209736.646567 recvd=245768 dropped=0 link=245768
SO-server-ens192-7: 1552209736.850403 recvd=162089 dropped=0 link=162089

Capture Loss:

SO-server-ens192-1: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-2: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-3: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-4: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-5: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-6: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647
SO-server-ens192-7: 34.822229
73.351655
75.544209
76.802939
77.355501
79.386955
80.241751
80.635345
80.720647

If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).

-------------------------------------------------------------------------

Netsniff-NG:

0 Loss

=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.6.0 (unknown)
Total rings : 22

Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-ens192/dailylogs/ - 1 days
311M .
311M ./2019-03-10

/nsm/bro/logs/ - 1 days
302M .
19M ./2019-03-10
283M ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
139630

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
67981 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
47770 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
5996 1:2221033 SURICATA HTTP Request abnormal Content-Encoding header
3992 1:2026850 ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement
2416 1:2221010 SURICATA HTTP unable to match response to request
1747 1:2025451 ET POLICY Monero Mining Pool DNS Lookup
1740 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft
1166 1:2010935 ET SCAN Suspicious inbound to MSSQL port 1433
763 1:2200094 SURICATA zero length padN option
636 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
598 1:2014702 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
598 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
562 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
268 1:2220000 SURICATA SMTP invalid reply
137 1:2220004 SURICATA SMTP invalid pipelined sequence
114 1:2025707 ET POLICY SMB2 NT Create AndX Request For a .bat File
112 1:2025705 ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File
96 1:2024910 ET TROJAN BadRabbit Ransomware Payment Onion Domain
84 1:2024291 ET TROJAN Possible WannaCry DNS Lookup 1
57 1:2025701 ET POLICY SMB2 NT Create AndX Request For an Executable File
39 1:2024620 ET TROJAN ISMAgent DNS Lookup (msoffice-cdn . com)
37 1:2023953 ET TROJAN MAGICHOUND-related DNS Lookup (chrome-up .date)
33 1:2009702 ET POLICY DNS Update From External net
31 1:2200036 SURICATA TCP option invalid length
28 1:2101411 GPL SNMP public access udp
9 1:2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related
7 1:2403348 ET CINS Active Threat Intelligence Poor Reputation IP group 49
7 1:2023883 ET DNS Query to a *.top domain - Likely Hostile
7 1:2101201 GPL WEB_SERVER 403 Forbidden
6 1:2002157 ET CHAT Skype User-Agent detected
6 1:2014170 ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
6 1:2220008 SURICATA SMTP data command rejected
5 1:2025106 ET INFO DNS Query for Suspicious .ml Domain
5 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
5 1:2026888 ET INFO DNS Query for Suspicious .icu Domain
4 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
3 1:2403364 ET CINS Active Threat Intelligence Poor Reputation IP group 65
3 1:2220006 SURICATA SMTP no server welcome message
3 1:2101616 GPL DNS named version attempt
2 1:2017783 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener
2 1:2017780 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2017777 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture
2 1:2403396 ET CINS Active Threat Intelligence Poor Reputation IP group 97
2 1:2403366 ET CINS Active Threat Intelligence Poor Reputation IP group 67
2 1:2017781 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail
2 1:2017778 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage
2 1:2017782 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS
2 1:2017779 ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall
2 1:2001219 ET SCAN Potential SSH Scan
1 1:2019418 ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server)
1 1:2101424 GPL SHELLCODE x86 0xEB0C NOOP
1 1:2403310 ET CINS Active Threat Intelligence Poor Reputation IP group 11
1 1:2403347 ET CINS Active Threat Intelligence Poor Reputation IP group 48
1 1:2000418 ET POLICY Executable and linking format (ELF) file download
1 1:2403325 ET CINS Active Threat Intelligence Poor Reputation IP group 26
1 1:2026849 ET POLICY WinRM wsman Access - Possible Lateral Movement
1 1:2403353 ET CINS Active Threat Intelligence Poor Reputation IP group 54
1 1:2500024 ET COMPROMISED Known Compromised or Hostile Host Traffic group 13
1 1:2002878 ET POLICY iTunes User Agent
1 1:2403361 ET CINS Active Threat Intelligence Poor Reputation IP group 62
Total
137110

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
2597331 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
1816284 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
144947 1:2221033 SURICATA HTTP Request abnormal Content-Encoding header
86849 1:2025451 ET POLICY Monero Mining Pool DNS Lookup
64708 1:2025275 ET INFO Windows OS Submitting USB Metadata to Microsoft
54906 1:2220000 SURICATA SMTP invalid reply
48455 1:2221010 SURICATA HTTP unable to match response to request
47306 1:2025707 ET POLICY SMB2 NT Create AndX Request For a .bat File
28390 1:2026850 ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement
27633 1:2220004 SURICATA SMTP invalid pipelined sequence
26593 1:2014702 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
26593 1:2014703 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
26309 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
23729 1:2200094 SURICATA zero length padN option
17105 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
16390 1:2025705 ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File
14350 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
7355 1:2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
5767 1:2002945 ET POLICY Java Url Lib User Agent Web Crawl
5420 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
4193 1:2025701 ET POLICY SMB2 NT Create AndX Request For an Executable File
2850 1:2200036 SURICATA TCP option invalid length
2690 1:2012870 ET POLICY HTTP Outbound Request contains pw
2687 1:2024910 ET TROJAN BadRabbit Ransomware Payment Onion Domain
2580 1:2010935 ET SCAN Suspicious inbound to MSSQL port 1433
2390 1:2024291 ET TROJAN Possible WannaCry DNS Lookup 1
2192 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2064 1:2009702 ET POLICY DNS Update From External net
1265 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
1097 1:2220006 SURICATA SMTP no server welcome message
1093 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
1080 1:2024620 ET TROJAN ISMAgent DNS Lookup (msoffice-cdn . com)
1010 1:2023953 ET TROJAN MAGICHOUND-related DNS Lookup (chrome-up .date)
965 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
914 1:2101201 GPL WEB_SERVER 403 Forbidden
774 1:2023753 ET SCAN MS Terminal Server Traffic on Non-standard Port
580 1:2025627 ET INFO [eSentire] Possible Kali Linux Updates
534 1:2026992 ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1
515 1:2016778 ET DNS Query to a *.pw domain - Likely Hostile
440 1:2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related
430 1:2014726 ET POLICY Outdated Flash Version M1
428 1:2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
401 1:2221022 SURICATA HTTP multipart generic error
388 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
387 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
381 1:2101411 GPL SNMP public access udp
380 1:2402000 ET DROP Dshield Block Listed Source group 1
380 1:2014520 ET INFO EXE - Served Attached HTTP
372 1:2001330 ET POLICY RDP connection confirm
350 1:2220008 SURICATA SMTP data command rejected
Total
5128984

=========================================================================
Last update
=========================================================================

=========================================================================
Elasticsearch
=========================================================================

Elasticsearch is running.

Cluster Name: "SO-server"
Cluster Status: "red"
Total Nodes: 1
Failed Nodes: 0
Total Indices: 113
Total Shards: 188
Total Documents: 1355425473
Total Size: 2809722MB
Free Memory: 11%
Total Number of Events: 1398798870
Avg. Event Size (In Bytes): 2008

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
622b479a2746 so-elasticsearch 4.50% 25.63GiB / 125.9GiB 20.35% 19.1MB / 800MB 25.4GB / 23MB 150

=========================================================================
Logstash
=========================================================================

Logstash is running.

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
b34101b39408 so-logstash 2.79% 3.539GiB / 125.9GiB 2.81% 13.7MB / 18MB 208MB / 11.2MB 201

Logstash Queue Stats:

Queue Type: memory
Queue settings can be modified in /etc/logstash/logstash.yml.

Event Summary (since restart):

Events In: 4010
Events Out: 0


=========================================================================
Kibana
=========================================================================

Kibana is running.

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
a80cd14eabe6 so-kibana 0.80% 170MiB / 125.9GiB 0.13% 2.12MB / 3.74MB 174MB / 12.3kB 10

=========================================================================
ElastAlert
=========================================================================

ElastAlert is running.

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
04e32bcc4573 so-elastalert 0.43% 65.67MiB / 125.9GiB 0.05% 7.4MB / 420kB 59.9MB / 61.4kB 2

=========================================================================
Curator
=========================================================================

Curator is running.

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
17e063a283cd so-curator 0.00% 12.03MiB / 125.9GiB 0.01% 789MB / 1.28MB 7.42MB / 0B 1

=========================================================================
Version Information
=========================================================================

Ubuntu 16.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion111

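The sostat report above ends its Bro section with the hint that capture loss without dropped packets points at an upstream tap or SPAN port rather than at the sensor. The following Python is an added example for this thread, not part of sostat, Bro or Security Onion: it parses the `recvd=/dropped=/link=` worker lines and the `Capture Loss:` rows in the format shown above and applies that heuristic per worker. The `SAMPLE` text is constructed (each worker gets its own loss rows, unlike the paste above where the same list is printed for every worker), and the thresholds in `diagnose()` are illustrative assumptions.

```python
"""Apply the sostat heuristic ("capture loss without dropped packets points
upstream") to the Bro section of a sostat report.

Added example for this thread; not part of sostat, Bro or Security Onion.
SAMPLE is constructed to mirror the report format above; the thresholds in
diagnose() are illustrative assumptions, not values sostat uses.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Bro:

Average packet loss as percent across all Bro workers: 3.257

SO-server-ens192-1: 1552209735.646217 recvd=306805 dropped=0 link=306805
SO-server-ens192-3: 1552209736.043302 recvd=368316 dropped=36000 link=404316
SO-server-ens192-5: 1552209736.446211 recvd=783945530 dropped=70 link=783945530

Capture Loss:

SO-server-ens192-1: 34.822229
73.351655
80.720647
SO-server-ens192-3: 9.512000
SO-server-ens192-5: 0.000000
0.012000

If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).
"""

# One "recvd=" line per worker: name, timestamp, then the three counters.
WORKER_RE = re.compile(r"^(\S+): [\d.]+ recvd=(\d+) dropped=(\d+) link=(\d+)$")
# Capture-loss rows: the first value is prefixed with the worker name,
# later values for the same worker stand alone on their own lines.
LOSS_HEAD_RE = re.compile(r"^(\S+): ([\d.]+)$")
LOSS_CONT_RE = re.compile(r"^([\d.]+)$")


@dataclass
class Worker:
    name: str
    recvd: int = 0
    dropped: int = 0
    capture_loss: list = field(default_factory=list)  # percent per sample

    @property
    def drop_pct(self) -> float:
        """Sensor-side drops as a percentage of packets received."""
        return 100.0 * self.dropped / self.recvd if self.recvd else 0.0


def parse_bro_section(text: str) -> dict:
    """Return {worker name: Worker} from the text between "Bro:" and the
    tap/SPAN hint."""
    workers, current, in_capture = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Capture Loss:":
            in_capture, current = True, None
            continue
        if not in_capture:
            m = WORKER_RE.match(line)
            if m:
                name, recvd, dropped, _link = m.groups()
                workers[name] = Worker(name, int(recvd), int(dropped))
            continue
        m = LOSS_HEAD_RE.match(line)
        if m:
            current = workers.setdefault(m.group(1), Worker(m.group(1)))
            current.capture_loss.append(float(m.group(2)))
            continue
        m = LOSS_CONT_RE.match(line)
        if m and current is not None:
            current.capture_loss.append(float(m.group(1)))
            continue
        current = None  # a blank or prose line ends the current worker's rows
    return workers


def diagnose(w: Worker, loss_threshold: float = 1.0, drop_threshold: float = 0.01) -> str:
    """Classify one worker (thresholds are illustrative assumptions).

    "sensor":   the sensor itself dropped a meaningful share of packets.
    "upstream": Bro saw gaps in TCP streams but the sensor dropped ~nothing,
                so the packets never arrived: the tap/SPAN is the suspect.
    "ok":       neither counter is worth chasing.
    """
    worst_loss = max(w.capture_loss, default=0.0)
    if w.drop_pct >= drop_threshold:
        return "sensor"
    if worst_loss >= loss_threshold:
        return "upstream"
    return "ok"


def summarize(text: str) -> dict:
    """Map every worker in a sostat Bro section to its verdict."""
    return {name: diagnose(w) for name, w in parse_bro_section(text).items()}


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Run against the report above, every worker comes out "upstream": tens of percent of capture loss while pf_ring and the Bro netstats show essentially zero drops, which is exactly the case the sostat hint describes. Bro's capture loss is inferred from gaps in acknowledged TCP data, so it cannot tell a drop on the mirror port from asymmetric mirroring; treat "upstream" as a prompt to check the tap or SPAN configuration, not as proof of it.
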
Dustin Lee

Mar 11, 2019, 7:48:15 AM
to securit...@googlegroups.com
Prashant,

I read your email traffic from January, but did not see a resolution from that time. I'm going to assume that was resolved and this is a new issue. Please kindly share a recent output of sostat-redacted. Thanks!

- Dustin

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion

David Boucher

Jun 27, 2019, 9:22:42 AM
to security-onion
Hi, I'm having the same issue. I repeatedly see netsniff-ng fail to start. Using sudo nsm_sensor_ps-restart --only-pcap does resolve this but it is only temporary as it then falls over again.

This is the content of the netsniff-ng.log file:
/var/log/nsm/bluemonkey-virtualbox-enp0s8$ cat netsniff-ng.log
Executing: netsniff-ng --no-hwtimestamp -i enp0s8 -o /nsm/sensor_data/bluemonkey-virtualbox-enp0s8/dailylogs/2019-06-27/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64MiB --interval 150MiB -c
pcap file I/O method: read/write
RX,V3: 64.00 MiB, 1024 Blocks, each 65536 Byte allocated


Running! Hang up with ^C!

0 packets incoming (0 unread on exit)
0 packets passed filter


0 packets failed filter (out of space)

14 sec, 964189 usec in total

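The log above shows the shape of this failure: netsniff-ng started, ran for about 15 seconds, saw 0 packets and exited, which is why the service shows FAIL until the next restart. netsniff-ng only prints those counters when it exits, so for a capture that is meant to run indefinitely the presence of a summary at all is the first warning. The following Python is an added example for this thread, not part of netsniff-ng or Security Onion: it parses the summary lines in the format pasted above and classifies the run, separating "exited early with no traffic" from a run that ended with kernel ring drops (which netsniff-ng reports as "failed filter (out of space)"). Both sample logs are constructed and the `min_seconds` threshold is an illustrative assumption.

```python
"""Read the end-of-run summary netsniff-ng leaves in netsniff-ng.log and turn
it into a verdict. Added example for this thread; not part of netsniff-ng or
Security Onion. The line formats come from the log pasted above; the sample
logs here are constructed and the thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed to match the failing run in the post above.
SAMPLE_FAIL = """\
Executing: netsniff-ng --no-hwtimestamp -i enp0s8 -o /nsm/sensor_data/bluemonkey-virtualbox-enp0s8/dailylogs/2019-06-27/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64MiB --interval 150MiB -c
pcap file I/O method: read/write
RX,V3: 64.00 MiB, 1024 Blocks, each 65536 Byte allocated


Running! Hang up with ^C!

0 packets incoming (0 unread on exit)
0 packets passed filter


0 packets failed filter (out of space)

14 sec, 964189 usec in total
"""

# Constructed: a day-long run that was stopped cleanly but overflowed its ring.
SAMPLE_DROPS = """\
Executing: netsniff-ng --no-hwtimestamp -i enp0s8 -o /nsm/sensor_data/x/ -s --ring-size 64MiB -c
Running! Hang up with ^C!
8123456 packets incoming (0 unread on exit)
8001111 packets passed filter
122345 packets failed filter (out of space)
86400 sec, 17 usec in total
"""

RE_IFACE = re.compile(r"^Executing: netsniff-ng .*?\s-i (\S+)", re.M)
RE_IN = re.compile(r"^\s*(\d+) packets incoming", re.M)
RE_PASSED = re.compile(r"^\s*(\d+) packets passed filter", re.M)
RE_FAILED = re.compile(r"^\s*(\d+) packets failed filter", re.M)
RE_TOTAL = re.compile(r"^\s*(\d+) sec, (\d+) usec in total", re.M)


@dataclass
class RunSummary:
    interface: str
    incoming: int
    passed: int
    failed: int      # kernel ring drops, printed as "failed filter (out of space)"
    seconds: float


def parse_run_summary(log: str) -> Optional[RunSummary]:
    """Return the last completed run in the log, or None if none has finished.

    netsniff-ng prints its counters only on exit, so None means the capture
    is (still) running and any RunSummary means it stopped.
    """
    totals = RE_TOTAL.findall(log)
    if not totals:
        return None
    sec, usec = totals[-1]

    def last(rx: "re.Pattern", default: int = 0) -> int:
        hits = rx.findall(log)
        return int(hits[-1]) if hits else default

    ifaces = RE_IFACE.findall(log)
    return RunSummary(
        interface=ifaces[-1] if ifaces else "unknown",
        incoming=last(RE_IN),
        passed=last(RE_PASSED),
        failed=last(RE_FAILED),
        seconds=int(sec) + int(usec) / 1_000_000,
    )


def diagnose(run: Optional[RunSummary], min_seconds: float = 60.0) -> str:
    """Classify a run; min_seconds is an illustrative assumption."""
    if run is None:
        return "running"
    if run.incoming == 0 and run.seconds < min_seconds:
        # The pattern in the post: exited within seconds having seen nothing.
        return "exited-early-no-traffic"
    if run.incoming == 0:
        return "exited-no-traffic"
    if run.failed:
        return "exited-ring-drops"
    return "exited-clean"


if __name__ == "__main__":
    for name, log in (("fail", SAMPLE_FAIL), ("drops", SAMPLE_DROPS)):
        run = parse_run_summary(log)
        print(name, run.interface if run else "-", diagnose(run))
```

"exited-early-no-traffic" is the verdict for the log in this post; before restarting the service again it is worth confirming that the monitored interface is up and that mirrored traffic actually reaches it, since a restart only buys time if the underlying cause is still there. "exited-ring-drops" is a different problem: the capture kept up with the link in general but the kernel ring overflowed, which is where `--ring-size` comes in. As the reply below notes, the thread's own next step is a full sostat-redacted output in a new thread.
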
Doug Burks

Jun 27, 2019, 9:28:13 AM
to securit...@googlegroups.com
Hi David,

Instead of resurrecting Prashant's thread from March, please start a new thread for your issue and include full sostat-redacted output:

Thanks!





--
Doug Burks
CEO
Security Onion Solutions, LLC

David Boucher

Jun 27, 2019, 12:16:40 PM
to security-onion
Sure, will do. Cheers.