sguil, snorby not recording, and a rule gone wild?


Jeff Nucciarone

Mar 12, 2014, 10:10:20 AM
to securit...@googlegroups.com
I am having a set of problems that may or may not be related. Both sguil and snorby have given up recording any data. This seems to have happened a couple of days ago when I started tuning out some noisy signatures in threshold.conf. Back out those changes and restarting seem to have had no effect.

The snippet from sostat:

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

(same for snorby)

I then noticed a problem similar to what I had previously with a very noisy signature that seemed to be clogging the database and filling /var/log/nsm to 100%.

This entry appears over and over and over in /var/log/nsm/sensor-ethX/snort_agent.log (host and ip's redacted):

Sending sguild (sock3) BYEventRcvd sock6 0 3 2853189 sensor-ethX 20513872 20513872 {2014-03-06 18:31:20} 1 2210020 1 {SURICATA STREAM ESTABLISHED packet out of window} {2014-03-06 18:31:20} 3 unknown 184485220 10.X.X.X 179309179 10.176.10.123 6 4 5 0 1500 17182 2 0 63 52592 {} {} {} {} {}

Now I'm trying to figure how this can be since I not only tuned out this signature in threshold.conf but also disabled it in /etc/nsm/pulledpork/disablesid.conf

# Disable ssh: Protocol mismatch
128:4
129:3, 129:8, 129:12, 129:15
# SURICATA STREAM Packet with invalid ack
1:2210045
# SURICATA STREAM ESTABLISHED invalid ack
1:2210029
# SURICATA STREAM ESTABLISHED packet out of window
1:2210020
# SURICATA STREAM ESTABLISHED retransmission packet before last ack
1:2210021

Even after several reboots I still have this noisy signature gone wild. It is even commented out in downloaded.rules:

# alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; sid:2210020; rev:1;)
# alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission packet before last ack"; stream-event:est_pkt_before_last_ack; sid:2210021; rev:2;)

It still appears active in /etc/nsm/rules/stream-events.rules:

:alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission packet before last ack"; stream-event:est_pkt_before_last_ack; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210021; rev:3;)

It appears around the time this signature went rogue is when Snorby and Sguild stopped recording.

HELP!!!

--Jeff

Jeff Nucciarone

Mar 12, 2014, 2:58:58 PM
to securit...@googlegroups.com
The problems were related and I think I have it solved.

After observing the data for a while I noticed that the snort_agent.log file was processing information from over a week ago. I went to /nsm/sensor_data/sensor-ethX/ and found a ton of snort.unified2.* files going all the way back.

For some reason (I'll need it explained to me here by the experts) sguild was processing these old files.

I stopped all SO related services, deleted the majority of the files, and restarted. Now mysql is properly populating with sguil (and hopefully snorby) events and the snort_agent.log file thankfully no longer has these noisy rules being processed.

I'm not sure what happened a few days ago and what caused sguild to process those old files.

Doug Burks

Mar 13, 2014, 7:53:48 AM
to securit...@googlegroups.com
On Wed, Mar 12, 2014 at 2:58 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> The problems were related and I think I have it solved.
>
> After observing the data for a while I noticed that the snort_agent.log file was processing information from over a week ago. I went to /nsm/sensor_data/sensor-ethX/ and found a ton of snort.unified2.* files going all the way back.
>
> For some reason (I'll need it explained to me here by the experts) sguild was processing these old files.

Hi Jeff,

The SURICATA STREAM rules can very quickly generate thousands and
thousands of alerts faster than barnyard2/sguild/snorby can process
them. This results in a backlog and barnyard2 will continue to
process that backlog since you don't want to miss any alerts.
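
One way to measure the backlog described above, as an added example (not code from the thread or from Security Onion): it reads the waldo position barnyard2 prints at startup (time_stamp/record_idx, the format shown in the barnyard2.log excerpt later in this thread) and the event timestamps in snort_agent.log BYEventRcvd lines, and compares them with the snort.unified2.<timestamp> spool files and the clock. The spool listing and log lines are constructed sample data; the function names are mine.

```python
"""Measure how far behind barnyard2 is on a Security Onion sensor.

Added example, not code from the thread or from Security Onion. Two signals:
  1. the waldo position barnyard2 prints at startup (time_stamp/record_idx)
     compared with the snort.unified2.<timestamp> files in the spool directory;
  2. the event timestamp inside snort_agent.log 'BYEventRcvd' lines compared
     with the wall clock.
All sample data below is constructed in the formats the thread shows.
"""
import re
from datetime import datetime, timezone

WALDO_RE = re.compile(r"^\s*(time_stamp|record_idx)\s*=\s*(\d+)\s*$", re.M)
SPOOL_RE = re.compile(r"^snort\.unified2\.(\d+)$")
# The first {YYYY-mm-dd HH:MM:SS} after BYEventRcvd is the event's own timestamp.
BYEVENT_TS_RE = re.compile(r"BYEventRcvd .*?\{(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\}")


def parse_waldo(barnyard2_log):
    """Return (time_stamp, record_idx) from the 'Using waldo file' block."""
    found = {k: int(v) for k, v in WALDO_RE.findall(barnyard2_log)}
    if "time_stamp" not in found or "record_idx" not in found:
        raise ValueError("waldo position not found in barnyard2.log")
    return found["time_stamp"], found["record_idx"]


def spool_backlog(spool_files, waldo_ts):
    """Partition spool files around the waldo timestamp.

    spool_files: {filename: size_in_bytes} for /nsm/sensor_data/<sensor>/.
    'done' files are older than the one barnyard2 is reading, 'pending' files
    are newer and untouched; names that are not unified2 spool files are
    ignored. spool_lag_seconds is newest spool timestamp minus the waldo one.
    """
    stamped = []
    for name, size in spool_files.items():
        m = SPOOL_RE.match(name)
        if m:
            stamped.append((int(m.group(1)), name, size))
    stamped.sort()
    current = [n for ts, n, _ in stamped if ts == waldo_ts]
    pending = [(n, s) for ts, n, s in stamped if ts > waldo_ts]
    return {
        "done": [n for ts, n, _ in stamped if ts < waldo_ts],
        "current": current[0] if current else None,
        "pending": [n for n, _ in pending],
        "pending_bytes": sum(s for _, s in pending),
        "spool_lag_seconds": max(0, stamped[-1][0] - waldo_ts) if stamped else 0,
    }


def event_lag_seconds(snort_agent_line, now_utc):
    """Seconds between now and the event timestamp in a BYEventRcvd line.

    Assumes the timestamps sguil agents log are UTC. Returns None for lines
    that are not BYEventRcvd events (PING/PONG, status messages, ...).
    """
    m = BYEVENT_TS_RE.search(snort_agent_line)
    if not m:
        return None
    ev = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int((now_utc - ev).total_seconds())


def backlog_report(barnyard2_log, spool_files, agent_lines, now_utc, warn_seconds=3600):
    """Combine both signals; 'behind' is True when either lag exceeds warn_seconds."""
    waldo_ts, record_idx = parse_waldo(barnyard2_log)
    spool = spool_backlog(spool_files, waldo_ts)
    lags = [l for l in (event_lag_seconds(x, now_utc) for x in agent_lines) if l is not None]
    worst = max(lags) if lags else 0
    return {
        "waldo_ts": waldo_ts, "record_idx": record_idx, "spool": spool,
        "worst_event_lag_seconds": worst,
        "behind": spool["spool_lag_seconds"] > warn_seconds or worst > warn_seconds,
    }


# --- constructed sample data -------------------------------------------------
SAMPLE_BARNYARD2_LOG = """\
Using waldo file '/etc/nsm/sensor-ethX/barnyard2.waldo':
  spool directory = /nsm/sensor_data/sensor-ethX
  spool filebase = snort.unified2
  time_stamp = 1395009397
  record_idx = 39736
"""
# Constructed listing: one already-processed file, the one being read, two newer.
SAMPLE_SPOOL = {
    "snort.unified2.1394400000": 1000000,
    "snort.unified2.1395009397": 5000000,
    "snort.unified2.1395050000": 4000000,
    "snort.unified2.1395090000": 2000000,
    "other.file": 42,  # not a spool file; must be ignored
}
SAMPLE_AGENT_LINES = [
    "Sending sguild (sock3) BYEventRcvd sock6 0 3 2853189 sensor-ethX 20513872 20513872 "
    "{2014-03-06 18:31:20} 1 2210020 1 {SURICATA STREAM ESTABLISHED packet out of window} "
    "{2014-03-06 18:31:20} 3 unknown 184485220 10.X.X.X 179309179 10.176.10.123 6 4 5 0 1500",
    "Sending sguild (sock7) PING",
]
SAMPLE_NOW = datetime(2014, 3, 12, 10, 10, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    rep = backlog_report(SAMPLE_BARNYARD2_LOG, SAMPLE_SPOOL, SAMPLE_AGENT_LINES, SAMPLE_NOW)
    print("waldo: ts=%d idx=%d" % (rep["waldo_ts"], rep["record_idx"]))
    print("pending spool files: %s (%d bytes)"
          % (rep["spool"]["pending"], rep["spool"]["pending_bytes"]))
    print("spool lag: %ds, worst event lag: %ds, behind: %s"
          % (rep["spool"]["spool_lag_seconds"], rep["worst_event_lag_seconds"], rep["behind"]))
```

On a live sensor, feed it the real barnyard2.log, an os.listdir()-based size map of the spool directory, and the tail of snort_agent.log; a growing pending list or an event lag of days is the backlog condition described in this thread.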

Jeff Nucciarone

Mar 14, 2014, 12:07:32 PM
to securit...@googlegroups.com
On Thursday, March 13, 2014 7:53:48 AM UTC-4, Doug Burks wrote:
> The SURICATA STREAM rules can very quickly generate thousands and
> thousands of alerts faster than barnyard2/sguild/snorby can process
> them. This results in a backlog and barnyard2 will continue to
> process that backlog since you don't want to miss any alerts.

Thousands and thousands? Try a few million ;-)

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
8012390 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
4561453 1:2210045 SURICATA STREAM Packet with invalid ack
4559380 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
4538544 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack

So now my question is -- now that I have stopped the onslaught how do I clean these out of the data base? I set a low number of days to keep and was able to clean out sguil's part of the house, but snorby still occupies a good 60 GB of the database. Is there a command to purge the snorby data or do I need to manually halt everything and run a massive delete command from the mysql command line?

Doug Burks

Mar 17, 2014, 7:36:46 AM
to securit...@googlegroups.com
Have you looked at Snorby's "Prune database" option on the
"Administration" page?

--
Doug Burks

Jeff Nucciarone

Mar 17, 2014, 2:19:11 PM
to securit...@googlegroups.com
On Monday, March 17, 2014 7:36:46 AM UTC-4, Doug Burks wrote:
> Have you looked at Snorby's "Prune database" option on the
> "Administration" page?

Sure did, I set it but I don't think it is working. System load went way up but I still have this many events:

mysql -uroot -e "use snorby; select count(*) as Total from event, signature where event.signature=signature.sig_id;"
+----------+
| Total |
+----------+
| 22049741 |
+----------+

The Snorby web interface is running terribly slow, likely because of all these events.

Something else also popped up. Today at about 05:30 UTC barnyard2 stopped working on this interface. This appears over and over in the snort_agent.log file:

Sending sguild (sock7) SystemMessage {Barnyard disconnected.}
Sending sguild (sock7) BarnyardDisConnect {2014-03-17 18:02:46}
Sending sguild (sock7) PING
Sensor Data Rcvd: PONG
PONG received
barnyard connected: sock5 127.0.0.1 50663
Sending sguild (sock7) AgentLastCidReq sock5 3
Sensor Data Rcvd: LastCidResults sock5 4512657
Unknown barnyard data:
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock7) SystemMessage {Barnyard disconnected.}
Sending sguild (sock7) BarnyardDisConnect {2014-03-17 18:07:04}

Every 5 minutes barnyard2 tries to restart and this same message appears in the log file each time.

barnyard2 stays up for 3 minutes and then dies.

barnyard2.log looks like this -- I don't see an overt message about why it dies, unless it doesn't like the 'missing' signature?

: Duplicate classification "shellcode-detect"found, ignoring this line
: Duplicate classification "string-detect"found, ignoring this line
: Duplicate classification "suspicious-filename-detect"found, ignoring this line
: Duplicate classification "suspicious-login"found, ignoring this line
: Duplicate classification "system-call-detect"found, ignoring this line
: Duplicate classification "tcp-connection"found, ignoring this line
: Duplicate classification "trojan-activity"found, ignoring this line
: Duplicate classification "unusual-client-port-connection"found, ignoring this line
: Duplicate classification "web-application-activity"found, ignoring this line
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /nsm/sensor_data/sensor-ethX
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
sguil: sensor name = sensor-ethX
sguil: agent port = 8000
sguil: Connected to localhost on 8000.
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = 127.0.0.1
database: user = root
database: database name = snorby
database: sensor name = bisporgera-eth2:1
database: sensor id = 1
database: sensor cid = 22727895
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "alert" facility

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.11 (Build 317) TCL
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2012 Ian Firns <fir...@securixlive.com>

Using waldo file '/etc/nsm/sensor-ethX/barnyard2.waldo':
spool directory = /nsm/sensor_data/sensor-ethX
spool filebase = snort.unified2
time_stamp = 1395009397
record_idx = 39736
Opened spool file '/nsm/sensor_data/sensor-ethX/snort.unified2.1395009397'
INFO [dbProcessSignatureInformation()]: [Event: 152815] with [gid: 1] [sid: 2200039] [rev: 1] [classification:
0] [priority: 3] Signature Message -> "[SURICATA UDP header length too small]"
was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted
in the database with the above information, this message should only be printed once for each signature that is not present in the database
The new inserted signature will not have its information present in the sig_reference table,it should be present on restart
if the information is present in the sid-msg.map file.
You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface

====

mysqld is verified to be running.

Post reboot it has same behaviour.

Argh....


Doug Burks

Mar 17, 2014, 2:58:15 PM
to securit...@googlegroups.com
Replies inline.

On Mon, Mar 17, 2014 at 2:19 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> On Monday, March 17, 2014 7:36:46 AM UTC-4, Doug Burks wrote:
>> Have you looked at Snorby's "Prune database" option on the
>> "Administration" page?
>
> Sure did, I set it but I don't think it is working. System load went way up but I still have this many events:
>
> mysql -uroot -e "use snorby; select count(*) as Total from event, signature where event.signature=signature.sig_id;"
> +----------+
> | Total |
> +----------+
> | 22049741 |
> +----------+
>
> The Snorby web interface is running terribly slow, likely because of all these events.

What did you set the "Prune database" option to?
Please send the output of the following:

sudo sostat-redacted

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.



--
Doug Burks

Jeff Nucciarone

Mar 17, 2014, 3:29:30 PM
to securit...@googlegroups.com
Here you go:

======================begin=============


=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X running 5646 13 17 Mar 15:48:42
proxy proxy X.X.X.X running 5931 13 17 Mar 15:48:46
sensor-ethX-1 worker X.X.X.X running 7933 2 17 Mar 15:48:51
sensor-ethX-2 worker X.X.X.X running 7932 2 17 Mar 15:48:51
sensor-ethX-3 worker X.X.X.X running 7929 2 17 Mar 15:48:51
sensor-ethX-4 worker X.X.X.X running 7936 2 17 Mar 15:48:51
sensor-ethX-5 worker X.X.X.X running 7934 2 17 Mar 15:48:51
sensor-ethX-6 worker X.X.X.X running 7931 2 17 Mar 15:48:51
sensor-eth3-1 worker X.X.X.X running 7928 2 17 Mar 15:48:51
sensor-eth3-2 worker X.X.X.X running 7927 2 17 Mar 15:48:51
sensor-eth3-3 worker X.X.X.X running 7926 2 17 Mar 15:48:51
sensor-eth3-4 worker X.X.X.X running 7937 2 17 Mar 15:48:51
sensor-eth3-5 worker X.X.X.X running 7930 2 17 Mar 15:48:51
sensor-eth3-6 worker X.X.X.X running 7935 2 17 Mar 15:48:51
Status: sensor-ethX
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* argus[ OK ]
* http_agent (sguil)[ OK ]
Status: sensor-eth3
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:328578 errors:0 dropped:0 overruns:0 frame:0
TX packets:41659 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69233980 (69.2 MB) TX bytes:6255290 (6.2 MB)
Interrupt:36 Memory:da000000-da012800

ethX Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1063810604 errors:0 dropped:2 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1350015649981 (1.3 TB) TX bytes:0 (0.0 B)
Interrupt:40 Memory:df2c0000-df2e0000

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:41 Memory:df3c0000-df3e0000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2055498 errors:0 dropped:0 overruns:0 frame:0
TX packets:2055498 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15465530296 (15.4 GB) TX bytes:15465530296 (15.4 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
15465581517 2055502 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15465581517 2055502 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
69233980 328578 0 0 0 136925
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
6255290 41659 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: ethX: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1350015868862 1063810816 0 0 0 129779
RX errors: length crc frame fifo missed
0 0 0 0 2
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 149G 4.3G 137G 3% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 856K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 0 16G 0% /run/shm
/dev/sdb2 18T 11T 6.5T 63% /nsm
/dev/sda1 484M 70M 390M 16% /boot
/dev/sda10 9.4G 170M 8.8G 2% /usr/local
/dev/sda5 29G 209M 27G 1% /tmp
/dev/sda11 19G 177M 18G 1% /home
/dev/sda7 29G 911M 26G 4% /var
/dev/sda8 29G 4.3G 23G 16% /var/log
/dev/sdb1 1.0T 72G 953G 7% /var/lib/mysql
/dev/sda9 9.4G 150M 8.8G 2% /var/log/audit

=========================================================================
Network Sockets
=========================================================================
sshd 29937 root 3r IPv4 660757 0t0 TCP X.X.X.X:22->X.X.X.X:55868 (ESTABLISHED)
sshd 30076 nuccilocal 3u IPv4 660757 0t0 TCP X.X.X.X:22->X.X.X.X:55868 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Mon Mar 17 06:01:01 UTC 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cumm...@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2956.tar.gz....
They Match
Done!
Prepping rules from snortrules-snapshot-2956.tar.gz for work....
Done!
Checking latest MD5 for emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 12 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 98 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------1
Deleted:---1
Enabled Rules:----18866
Dropped Rules:----0
Disabled Rules:---18424
Total Rules:------37290
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: sensor-ethX
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: sensor-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: sensor-ethX
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]
Restarting: sensor-eth3
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
top - 19:14:50 up 3:27, 3 users, load average: 7.72, 8.59, 9.63
Tasks: 347 total, 10 running, 336 sleeping, 0 stopped, 1 zombie
Cpu(s): 23.1%us, 16.6%sy, 1.7%ni, 57.0%id, 0.4%wa, 0.0%hi, 1.3%si, 0.0%st
Mem: 32934960k total, 31691320k used, 1243640k free, 5664k buffers
Swap: 20466192k total, 1140504k used, 19325688k free, 8392972k cached

%CPU %MEM COMMAND
190 0.6 /usr/sbin/mysqld
93.8 1.0 /usr/bin/searchd --nodetach
92.3 6.2 suricata --user sguil --group sguil -c /etc/nsm/sensor-ethX/suricata.yaml --pfring=ethX -F /etc/nsm/sensor-ethX/bpf-ids.conf -l /nsm/sensor_data/sensor-ethX
38.6 0.0 argus -i ethX -F /etc/nsm/sensor-ethX/argus.conf -w /nsm/sensor_data/sensor-ethX/argus/2014-03-17.log
36.5 4.6 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
32.2 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
31.6 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
25.9 4.8 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
25.6 4.5 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
25.1 4.8 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
24.6 4.6 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
24.3 4.7 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
20.0 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.9 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.9 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.8 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.8 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
19.7 3.2 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.6 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.5 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.5 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.1 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 3.2 /opt/bro/bin/bro -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
14.0 1.6 netsniff-ng -i ethX -o /nsm/sensor_data/sensor-ethX/dailylogs/2014-03-17/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/sensor-ethX/bpf-pcap.ops
12.6 0.3 barnyard2 -c /etc/nsm/sensor-eth3/barnyard2.conf -d /nsm/sensor_data/sensor-eth3 -f snort.unified2 -w /etc/nsm/sensor-eth3/barnyard2.waldo -i 1 -U
8.5 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.6 6.0 suricata --user sguil --group sguil -c /etc/nsm/sensor-eth3/suricata.yaml --pfring=eth3 -F /etc/nsm/sensor-eth3/bpf-ids.conf -l /nsm/sensor_data/sensor-eth3
2.8 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.7 0.2 delayed_job
2.4 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
1.7 0.2 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.2 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.9 0.0 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/sensor-ethX/http_agent.conf -e /etc/nsm/sensor-ethX/http_agent.exclude -f /nsm/bro/logs/current/http_ethX.log
0.3 0.0 PassengerHelperAgent
0.2 0.0 /sbin/init
0.2 0.0 /var/ossec/bin/ossec-syscheckd
0.2 0.0 [kswapd1]
0.2 0.0 [kswapd0]
0.1 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.0 argus -i eth3 -F /etc/nsm/sensor-eth3/argus.conf -w /nsm/sensor_data/sensor-eth3/argus/2014-03-17.log
0.1 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.1 0.1 Rack: /opt/snorby
0.1 0.0 [kworker/0:1]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/0:3]
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 [flush-8:16]
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 avahi-daemon: running [sensor.local]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 mysql -uroot -Dsecurityonion_db
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 [xfsaild/sdb2]
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.0 0.0 -bash
0.0 0.0 [xfsaild/sdb1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:2]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/14:0]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 -bash
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/sensor-ethX/pcap_agent.conf
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 -bash
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 tail -n 0 -F /nsm/bro/logs/current/http_ethX.log
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/16:1]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/17:1]
0.0 0.0 [watchdog/0]
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/15:1]
0.0 0.0 [kworker/u:0]
0.0 0.0 [xfsbufd/sdb2]
0.0 0.0 [flush-8:0]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/18:2]
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 [kworker/2:2]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [kworker/23:1]
0.0 0.0 sshd: nuccilocal@pts/4
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [migration/0]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/8:1]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/19:1]
0.0 0.0 [kworker/10:1]
0.0 0.0 Passenger spawn server
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [kworker/u:1]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/3:2]
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 1.5 netsniff-ng -i eth3 -o /nsm/sensor_data/sensor-eth3/dailylogs/2014-03-17/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/sensor-eth3/bpf-pcap.ops
0.0 0.0 [kworker/11:2]
0.0 0.0 sshd: nuccilocal@pts/3
0.0 0.0 tclsh /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/7:0]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/9:1]
0.0 0.0 sshd: nuccilocal@pts/2
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [migration/16]
0.0 0.0 [migration/18]
0.0 0.0 [migration/20]
0.0 0.0 cron
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [migration/17]
0.0 0.0 [migration/19]
0.0 0.0 [migration/21]
0.0 0.0 [migration/22]
0.0 0.0 [migration/23]
0.0 0.0 sshd: nuccilocal [priv]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/sensor-ethX/snort_agent.conf
0.0 0.0 [migration/2]
0.0 0.0 [migration/4]
0.0 0.0 [migration/6]
0.0 0.0 [migration/8]
0.0 0.0 [migration/10]
0.0 0.0 [migration/12]
0.0 0.0 [migration/13]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/sensor-eth3/pcap_agent.conf
0.0 0.0 [migration/1]
0.0 0.0 [migration/3]
0.0 0.0 [migration/5]
0.0 0.0 [migration/7]
0.0 0.0 [migration/9]
0.0 0.0 [migration/11]
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/sensor-eth3/snort_agent.conf
0.0 0.0 sshd: nuccilocal [priv]
0.0 0.0 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/sensor-eth3/http_agent.conf -e /etc/nsm/sensor-eth3/http_agent.exclude -f /nsm/bro/logs/current/http_eth3.log
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 sshd: nuccilocal [priv]
0.0 0.0 PassengerLoggingAgent
0.0 0.0 [sh] <defunct>
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [watchdog/6]
0.0 0.0 [watchdog/7]
0.0 0.0 [watchdog/8]
0.0 0.0 [watchdog/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [watchdog/11]
0.0 0.0 [watchdog/12]
0.0 0.0 [watchdog/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [watchdog/16]
0.0 0.0 [watchdog/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [watchdog/19]
0.0 0.0 [watchdog/20]
0.0 0.0 [watchdog/21]
0.0 0.0 [watchdog/22]
0.0 0.0 [watchdog/23]
0.0 0.0 [sync_supers]
0.0 0.0 lightdm
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/9:0]
0.0 0.0 [kworker/10:0]
0.0 0.0 [kworker/11:0]
0.0 0.0 [kworker/12:0]
0.0 0.0 [kworker/13:0]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/16:0]
0.0 0.0 [kworker/17:0]
0.0 0.0 [kworker/19:0]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/21:0]
0.0 0.0 [kworker/22:0]
0.0 0.0 [kworker/23:0]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [devfreq_wq]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [edac-poller]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/4:2]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 supervising syslog-ng
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 PassengerWatchdog
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-6 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p sensor-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-5 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i ethX -U .status -p broctl -p broctl-live -p local -p sensor-ethX-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tail -n 1 -f /nsm/sensor_data/sensor-ethX/snort.stats
0.0 0.0 [kworker/6:2]
0.0 0.0 tail -n 1 -f /nsm/sensor_data/sensor-eth3/snort.stats
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tail -n 0 -F /nsm/bro/logs/current/http_eth3.log
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SENSOR; do echo -n "$SENSOR: "; RX1=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; sleep 600; RX2=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; expr $RX2 - $RX1; done
0.0 0.0 sh -c grep -v "^#" /etc/nsm/sensortab |awk '{print $4}' |while read SENSOR; do echo -n "$SENSOR: "; RX1=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; sleep 600; RX2=`ifconfig $SENSOR |awk '/RX packets/ {print $2}' |cut -d\: -f2`; expr $RX2 - $RX1; done
0.0 0.0 sleep 600
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-zA-Z]{2}:){5}[0-9a-zA-Z]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/sensor-ethX/dailylogs/ - 8 days
8.6T .
1.3T ./2014-03-10
1.4T ./2014-03-11
984G ./2014-03-12
1012G ./2014-03-13
982G ./2014-03-14
957G ./2014-03-15
1.4T ./2014-03-16
827G ./2014-03-17

/nsm/sensor_data/sensor-eth3/dailylogs/ - 8 days
4.2M .
1.2M ./2014-03-10
344K ./2014-03-11
764K ./2014-03-12
504K ./2014-03-13
380K ./2014-03-14
380K ./2014-03-15
216K ./2014-03-16
420K ./2014-03-17

/nsm/bro/logs/ - 9 days
14G .
915M ./2014-03-09
1.3G ./2014-03-10
1.2G ./2014-03-11
1.4G ./2014-03-12
1.3G ./2014-03-13
1.3G ./2014-03-14
1.3G ./2014-03-15
2.2G ./2014-03-16
2.4G ./2014-03-17
46M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

sensor-ethX-1: 1395083692.950066 recvd=91009544 dropped=0 link=91009544
sensor-ethX-2: 1395083693.150408 recvd=25796452 dropped=0 link=25796452
sensor-ethX-3: 1395083693.350341 recvd=32897053 dropped=0 link=32897053
sensor-ethX-4: 1395083693.550306 recvd=36462263 dropped=0 link=36462263
sensor-ethX-5: 1395083693.750425 recvd=18866335 dropped=0 link=18866335
sensor-ethX-6: 1395083693.950434 recvd=18413078 dropped=0 link=18413078
sensor-eth3-1: 1395083694.150422 recvd=0 dropped=0 link=0
sensor-eth3-2: 1395083694.354444 recvd=0 dropped=0 link=0
sensor-eth3-3: 1395083694.554400 recvd=0 dropped=0 link=0
sensor-eth3-4: 1395083694.754415 recvd=0 dropped=0 link=0
sensor-eth3-5: 1395083694.954436 recvd=0 dropped=0 link=0
sensor-eth3-6: 1395083695.154390 recvd=0 dropped=0 link=0

=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/sensor-ethX/stats.log
tcp.ssn_memcap_drop | RxPFRethX6 | 0
tcp.segment_memcap_drop | RxPFRethX6 | 106777

/nsm/sensor_data/sensor-eth3/stats.log
tcp.ssn_memcap_drop | RxPFReth36 | 0
tcp.segment_memcap_drop | RxPFReth36 | 0


=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 25

Standard (non DNA) Options
Ring slots : 65534
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 31695

/proc/net/pf_ring/15706-ethX.123
Appl. Name : Suricata
Tot Packets : 2297919
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77982

/proc/net/pf_ring/15707-ethX.124
Appl. Name : Suricata
Tot Packets : 8240863
Tot Pkt Lost : 1015132
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78000

/proc/net/pf_ring/15708-ethX.125
Appl. Name : Suricata
Tot Packets : 1950346
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77953

/proc/net/pf_ring/15709-ethX.126
Appl. Name : Suricata
Tot Packets : 1228806
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77995

/proc/net/pf_ring/15710-ethX.127
Appl. Name : Suricata
Tot Packets : 8804950
Tot Pkt Lost : 675905
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77934

/proc/net/pf_ring/15711-ethX.128
Appl. Name : Suricata
Tot Packets : 1714925
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 77988

/proc/net/pf_ring/16059-eth3.129
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/16060-eth3.130
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/16061-eth3.131
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/16062-eth3.132
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/16063-eth3.133
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/16064-eth3.134
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 78028
Num Free Slots : 78028

/proc/net/pf_ring/7926-eth3.7
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7927-eth3.10
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7928-eth3.2
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7929-ethX.3
Appl. Name : <unknown>
Tot Packets : 32901729
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7930-eth3.1
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7931-ethX.12
Appl. Name : <unknown>
Tot Packets : 18414387
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7932-ethX.9
Appl. Name : <unknown>
Tot Packets : 25799382
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7933-ethX.6
Appl. Name : <unknown>
Tot Packets : 91024320
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7934-ethX.8
Appl. Name : <unknown>
Tot Packets : 18869505
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7935-eth3.5
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7936-ethX.4
Appl. Name : <unknown>
Tot Packets : 36468483
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

/proc/net/pf_ring/7937-eth3.11
Appl. Name : <unknown>
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 130434
Num Free Slots : 130434

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
259849

=========================================================================
Sguil events summary for yesterday
=========================================================================

Totals GenID:SigID Signature
81366 1:2000419 ET POLICY PE EXE or DLL Windows file download
34293 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
11919 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
6700 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
5870 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
3983 1:2200029 SURICATA ICMPv6 unknown type
3927 1:2210036 SURICATA STREAM FIN2 invalid ack
3742 1:2210044 SURICATA STREAM Packet with invalid timestamp
3317 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3274 1:2001219 ET SCAN Potential SSH Scan
2160 1:2210038 SURICATA STREAM FIN out of window
2063 1:2210033 SURICATA STREAM FIN1 invalid ack
1816 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
1740 1:2017936 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12
1626 1:2009702 ET POLICY DNS Update From External net
837 1:2018087 ET INFO Control Panel Applet File Download
811 1:2009832 ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND
429 1:2210017 SURICATA STREAM CLOSEWAIT invalid ACK
182 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
165 1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
90 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
86 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
74 1:2210035 SURICATA STREAM FIN2 FIN with wrong seq
69 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
57 1:2210023 SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
53 1:2210027 SURICATA STREAM ESTABLISHED SYN resend with different seq
45 1:2002192 ET CHAT MSN status change
43 1:2210032 SURICATA STREAM FIN1 FIN with wrong seq
37 1:2210005 SURICATA STREAM 3way handshake SYNACK resend with different seq
37 1:2230003 SURICATA TLS invalid handshake message
32 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
23 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
23 1:2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
16 1:2210039 SURICATA STREAM Last ACK with wrong seq
16 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
13 1:2013298 ET POLICY Nessus Server SSL certificate detected
12 1:2000334 ET P2P BitTorrent peer sync
10 1:2230002 SURICATA TLS invalid record type
8 1:2220004 SURICATA SMTP invalid pipelined sequence
8 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
6 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
5 1:2221021 SURICATA HTTP response header invalid
5 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
5 1:2210007 SURICATA STREAM 3way handshake SYNACK with wrong ack
5 1:2001330 ET POLICY RDP connection confirm
5 1:2015743 ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen
4 1:2001329 ET POLICY RDP connection request
4 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
4 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
4 1:2003317 ET P2P Edonkey Search Request (any type file)
4 1:2210040 SURICATA STREAM Last ACK invalid ACK
4 1:2008116 ET TFTP Outbound TFTP Write Request
4 1:2009099 ET P2P ThunderNetwork UDP Traffic
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
3 1:2003310 ET P2P Edonkey Publicize File
2 1:2001664 ET P2P Gnutella Connect
2 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
2 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
2 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
1 1:2000032 ET NETBIOS LSA exploit
1 1:2009557 ET TROJAN Yoda's Protector Packed Binary - VERY Likely Hostile
1 1:23006 PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt
1 1:2006435 ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
1 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
171053

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature

2078911 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
1330779 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
320494 1:2210045 SURICATA STREAM Packet with invalid ack
320358 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
117677 1:2000419 ET POLICY PE EXE or DLL Windows file download
58372 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
44809 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
37834 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
26476 1:2210036 SURICATA STREAM FIN2 invalid ack
23299 1:2210033 SURICATA STREAM FIN1 invalid ack
22151 1:2200029 SURICATA ICMPv6 unknown type
17677 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
16319 1:2210017 SURICATA STREAM CLOSEWAIT invalid ACK
13019 1:2210044 SURICATA STREAM Packet with invalid timestamp
12028 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
11132 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
10633 1:2001219 ET SCAN Potential SSH Scan
9460 1:2009702 ET POLICY DNS Update From External net
9316 1:2210038 SURICATA STREAM FIN out of window
6232 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
6217 1:2009832 ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND
3247 1:2017936 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12
1736 1:2210039 SURICATA STREAM Last ACK with wrong seq
1429 1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
1174 1:2018087 ET INFO Control Panel Applet File Download
1107 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
923 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
854 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
804 1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir
758 1:2210010 SURICATA STREAM 3way handshake wrong seq wrong ack
714 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
671 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
595 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
551 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
433 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
357 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
351 1:2210035 SURICATA STREAM FIN2 FIN with wrong seq
266 1:2001330 ET POLICY RDP connection confirm
261 1:2013298 ET POLICY Nessus Server SSL certificate detected
247 1:2210027 SURICATA STREAM ESTABLISHED SYN resend with different seq
237 1:2220004 SURICATA SMTP invalid pipelined sequence
230 1:2210023 SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
193 1:2210032 SURICATA STREAM FIN1 FIN with wrong seq
182 1:2230003 SURICATA TLS invalid handshake message
170 1:2001329 ET POLICY RDP connection request
132 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
124 1:2210046 SURICATA STREAM SHUTDOWN RST invalid ack
119 1:2015743 ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen
111 1:2002192 ET CHAT MSN status change
109 1:2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
Total
4512659

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
6250 URL X.X.X.X
4628 URL exchange5.arl.psu.edu
2600 URL ds.download.windowsupdate.com
1337 URL fe1.update.microsoft.com
1335 URL us.archive.ubuntu.com
1075 URL pubdbs.arl.psu.edu
733 URL wsus.arl.psu.edu
630 URL csd-sep
495 URL liveupdate.symantecliveupdate.com
452 URL tools.google.com
260 URL pki.arl.psu.edu
204 URL data.alienvault.com
169 URL ctldl.windowsupdate.com
131 URL www.statecollege.com
114 URL safebrowsing-cache.google.com
104 URL download.windowsupdate.com
98 URL n1kace1000
92 URL weather.noaa.gov
78 URL ocsp.entrust.net
67 URL communityindex
62 URL init.ess.apple.com
60 URL community
59 URL security.ubuntu.com
53 URL crl.microsoft.com
46 URL srdd-hg
42 URL linux.dell.com
41 URL csd-vcenter.arl.psu.edu
39 URL clients2.google.com
38 URL cache.pack.google.com
37 URL arlatwork.arl.psu.edu
35 URL download.microsoft.com
34 URL update.microsoft.com
33 URL forecastfox3.accuweather.com
33 URL safebrowsing.clients.google.com
31 URL www.update.microsoft.com
29 URL securityresponse.symantec.com
24 URL widgets.freestockcharts.com
23 URL pixel.quantserve.com
22 URL mirrors.einstein.yu.edu
22 URL mirrors.rit.edu
20 URL kace.cdn.lumension.com
17 URL mirror.itc.virginia.edu
15 URL mirror.cs.vt.edu
12 URL configuration.apple.com
10 URL bison.csm.ornl.gov
10 URL watson.microsoft.com
10 URL centos.mirror.nac.net
10 URL kiddo.spicelabs.in
9 URL arltime
8 URL mirror.linux.duke.edu
Total
21884

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName

81366 1:2000419 ET POLICY PE EXE or DLL Windows file download
34148 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
11919 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
6700 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
5870 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
3927 1:2210036 SURICATA STREAM FIN2 invalid ack
3742 1:2210044 SURICATA STREAM Packet with invalid timestamp
3317 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
3274 1:2001219 ET SCAN Potential SSH Scan
2160 1:2210038 SURICATA STREAM FIN out of window
2063 1:2210033 SURICATA STREAM FIN1 invalid ack
1816 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
1740 1:2017936 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12
1626 1:2009702 ET POLICY DNS Update From External net
837 1:2018087 ET INFO Control Panel Applet File Download
811 1:2009832 Snort Alert [1:2009832:3]
429 1:2210017 SURICATA STREAM CLOSEWAIT invalid ACK
182 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
165 1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
139 1:2012092 ET SHELLCODE Possible Call with No Offset TCP Shellcode
90 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
86 1:2008517 Snort Alert [1:2008517:2]
74 1:2210035 SURICATA STREAM FIN2 FIN with wrong seq
69 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
57 1:2210023 SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
53 1:2210027 SURICATA STREAM ESTABLISHED SYN resend with different seq
45 1:2002192 ET CHAT MSN status change
43 1:2210032 SURICATA STREAM FIN1 FIN with wrong seq
37 1:2210005 SURICATA STREAM 3way handshake SYNACK resend with different seq
37 1:2230003 SURICATA TLS invalid handshake message
32 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
23 1:2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
23 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
16 1:2210039 SURICATA STREAM Last ACK with wrong seq
16 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
13 1:2013298 ET POLICY Nessus Server SSL certificate detected
12 1:2000334 ET P2P BitTorrent peer sync
10 1:2230002 SURICATA TLS invalid record type
8 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
8 1:2220004 SURICATA SMTP invalid pipelined sequence
6 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
6 1:2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
5 1:2015743 ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen
5 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
5 1:2221021 SURICATA HTTP response header invalid
5 1:2001330 ET POLICY RDP connection confirm
5 1:2210007 SURICATA STREAM 3way handshake SYNACK with wrong ack
4 1:2210040 SURICATA STREAM Last ACK invalid ACK
4 1:2003317 ET P2P Edonkey Search Request (any type file)
4 1:2009099 ET P2P ThunderNetwork UDP Traffic
4 1:2008116 ET TFTP Outbound TFTP Write Request
4 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
4 1:2001329 ET POLICY RDP connection request
4 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
3 1:2009970 ET P2P eMule Kademlia Hello Request
3 1:2003310 ET P2P Edonkey Publicize File
3 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
2 1:2001664 ET P2P Gnutella Connect
2 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
2 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
1 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
1 1:2009557 ET TROJAN Yoda's Protector Packed Binary - VERY Likely Hostile
1 1:2000032 ET NETBIOS LSA exploit
1 1:23006 PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt
1 1:2006435 ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool
Total
167070

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName

7599263 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
4537935 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
4372118 1:2210045 SURICATA STREAM Packet with invalid ack
4370232 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
118016 1:2000419 ET POLICY PE EXE or DLL Windows file download
58281 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
45260 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
37834 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
26480 1:2210036 SURICATA STREAM FIN2 invalid ack
23299 1:2210033 SURICATA STREAM FIN1 invalid ack
17776 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
16370 1:2210017 SURICATA STREAM CLOSEWAIT invalid ACK
15707 1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir
14249 1:2210010 SURICATA STREAM 3way handshake wrong seq wrong ack
13152 1:2210044 SURICATA STREAM Packet with invalid timestamp
12397 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
11150 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
10634 1:2001219 ET SCAN Potential SSH Scan
10340 1:2009702 ET POLICY DNS Update From External net
9390 1:2210038 SURICATA STREAM FIN out of window
6614 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
6376 1:2009832 Snort Alert [1:2009832:3]
3268 1:2017936 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12
2004 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
1913 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
1747 1:2210039 SURICATA STREAM Last ACK with wrong seq
1673 1:2210046 SURICATA STREAM SHUTDOWN RST invalid ack
1437 1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
1256 1:2210016 SURICATA STREAM CLOSEWAIT FIN out of window
1174 1:2018087 ET INFO Control Panel Applet File Download
871 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
737 1:2008517 Snort Alert [1:2008517:2]
675 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
551 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
528 1:2002087 ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
360 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
353 1:2210035 SURICATA STREAM FIN2 FIN with wrong seq
315 1:2210027 SURICATA STREAM ESTABLISHED SYN resend with different seq
298 1:2210023 SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
287 1:2220004 SURICATA SMTP invalid pipelined sequence
282 1:2001330 ET POLICY RDP connection confirm
267 1:2013298 ET POLICY Nessus Server SSL certificate detected
210 1:2012092 ET SHELLCODE Possible Call with No Offset TCP Shellcode
193 1:2210032 SURICATA STREAM FIN1 FIN with wrong seq
183 1:2001329 ET POLICY RDP connection request
183 1:2230003 SURICATA TLS invalid handshake message
158 1:2210030 SURICATA STREAM FIN invalid ack
151 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
119 1:2015743 ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen
111 1:2002192 ET CHAT MSN status change
Total
21355743

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2192 supervising syslog-ng
2193 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
2323 /usr/sbin/mysqld
20190 mysql -uroot -Dsecurityonion_db
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
25915 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
nc: connect to localhost port 9306 (tcp) failed: Connection refused

ELSA Buffers in Queue:
-rw-r--r-- 1 root root 3547855 Mar 17 16:18 /nsm/elsa/data/elsa/tmp/buffers/1395073064.78003
-rw-r--r-- 1 root root 6575934 Mar 17 16:17 /nsm/elsa/data/elsa/tmp/buffers/1395073004.76553
-rw-r--r-- 1 root root 4899933 Mar 17 16:16 /nsm/elsa/data/elsa/tmp/buffers/1395072944.75714
-rw-r--r-- 1 root root 4569876 Mar 17 16:15 /nsm/elsa/data/elsa/tmp/buffers/1395072884.74102
-rw-r--r-- 1 root root 3906373 Mar 17 16:14 /nsm/elsa/data/elsa/tmp/buffers/1395072824.7317
-rw-r--r-- 1 root root 4125651 Mar 17 16:13 /nsm/elsa/data/elsa/tmp/buffers/1395072764.7226
-rw-r--r-- 1 root root 3373449 Mar 17 16:12 /nsm/elsa/data/elsa/tmp/buffers/1395072704.7128
-rw-r--r-- 1 root root 4239218 Mar 17 16:11 /nsm/elsa/data/elsa/tmp/buffers/1395072644.69891
-rw-r--r-- 1 root root 3726072 Mar 17 16:10 /nsm/elsa/data/elsa/tmp/buffers/1395072584.66831
-rw-r--r-- 1 root root 5468535 Mar 17 16:09 /nsm/elsa/data/elsa/tmp/buffers/1395072524.65956
-rw-r--r-- 1 root root 4525778 Mar 17 16:08 /nsm/elsa/data/elsa/tmp/buffers/1395072464.64847
-rw-r--r-- 1 root root 3922619 Mar 17 16:07 /nsm/elsa/data/elsa/tmp/buffers/1395072404.63922
-rw-r--r-- 1 root root 4312211 Mar 17 16:06 /nsm/elsa/data/elsa/tmp/buffers/1395072344.63148
-rw-r--r-- 1 root root 4208570 Mar 17 16:05 /nsm/elsa/data/elsa/tmp/buffers/1395072284.62619
-rw-r--r-- 1 root root 4234743 Mar 17 16:04 /nsm/elsa/data/elsa/tmp/buffers/1395072224.62025
-rw-r--r-- 1 root root 4037311 Mar 17 16:03 /nsm/elsa/data/elsa/tmp/buffers/1395072164.61189
-rw-r--r-- 1 root root 3357787 Mar 17 16:02 /nsm/elsa/data/elsa/tmp/buffers/1395072104.60695
-rw-r--r-- 1 root root 4001795 Mar 17 16:01 /nsm/elsa/data/elsa/tmp/buffers/1395072044.60153
-rw-r--r-- 1 root root 4075054 Mar 17 16:00 /nsm/elsa/data/elsa/tmp/buffers/1395071984.59441
-rw-r--r-- 1 root root 2948131 Mar 17 15:59 /nsm/elsa/data/elsa/tmp/buffers/1395071924.58771
-rw-r--r-- 1 root root 4277455 Mar 17 15:58 /nsm/elsa/data/elsa/tmp/buffers/1395071864.58232
-rw-r--r-- 1 root root 3427870 Mar 17 15:57 /nsm/elsa/data/elsa/tmp/buffers/1395071804.57773
-rw-r--r-- 1 root root 3301056 Mar 17 15:56 /nsm/elsa/data/elsa/tmp/buffers/1395071744.5719
-rw-r--r-- 1 root root 3943785 Mar 17 15:55 /nsm/elsa/data/elsa/tmp/buffers/1395071684.56431
-rw-r--r-- 1 root root 3698856 Mar 17 15:54 /nsm/elsa/data/elsa/tmp/buffers/1395071624.55901
-rw-r--r-- 1 root root 3018390 Mar 17 15:53 /nsm/elsa/data/elsa/tmp/buffers/1395071564.55155
-rw-r--r-- 1 root root 3057621 Mar 17 15:52 /nsm/elsa/data/elsa/tmp/buffers/1395071504.54469
-rw-r--r-- 1 root root 3529776 Mar 17 15:51 /nsm/elsa/data/elsa/tmp/buffers/1395071444.53145
-rw-r--r-- 1 root root 3002065 Mar 17 15:50 /nsm/elsa/data/elsa/tmp/buffers/1395071384.5245
-rw-r--r-- 1 root root 1289844 Mar 17 15:49 /nsm/elsa/data/elsa/tmp/buffers/1395071324.51864
-rw-r--r-- 1 root root 50825980 Mar 17 15:42 /nsm/elsa/data/elsa/tmp/buffers/1395070893.53706
-rw-r--r-- 1 root root 82314037 Mar 17 15:41 /nsm/elsa/data/elsa/tmp/buffers/1395070833.48838
-rw-r--r-- 1 root root 273 Mar 17 15:41 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
-rw-r--r-- 1 root root 100732572 Mar 17 15:40 /nsm/elsa/data/elsa/tmp/buffers/1395070773.15867
-rw-r--r-- 1 root root 156060155 Mar 17 15:39 /nsm/elsa/data/elsa/tmp/buffers/1395070713.09063
-rw-r--r-- 1 root root 177084149 Mar 17 14:41 /nsm/elsa/data/elsa/tmp/buffers/1395067246.37437

ELSA Directory Sizes:
2.1T /nsm/elsa/data
24M /var/lib/mysql/syslog
3.0M /var/lib/mysql/syslog_data

ELSA Date Range:
MIN(start) MAX(end)
2014-03-04 21:52:08 2014-03-17 19:14:46

ELSA Log Node SSH Tunnels:
=================================end=====================

Doug Burks

Mar 18, 2014, 7:36:53 AM
to securit...@googlegroups.com
Questions/observations inline.

On Mon, Mar 17, 2014 at 3:29 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:

> * argus[ OK ]
> * http_agent (sguil)[ OK ]

If you don't specifically use argus and http_agent, then you should
disable them.

> eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
> UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

Looks like eth3 isn't seeing any traffic, so the sniffing processes on
eth3 are just wasting CPU/RAM. If you're not going to use eth3, you
should disable those processes.

> Enabled Rules:----18866

18K rules is a LOT of rules. You should only run the rules necessary
for your environment. Try to reduce this number to 7K or less.

> =========================================================================
> CPU Usage
> =========================================================================
> top - 19:14:50 up 3:27, 3 users, load average: 7.72, 8.59, 9.63

Load average may be high. How many CPU cores do you have?

> %CPU %MEM COMMAND
> 190 0.6 /usr/sbin/mysqld

mysqld is using a LOT of CPU. It's possible that it's due to Snorby
trying to purge the old alerts. Is it still showing up this high
today? What did you set the Snorby purge option to?

> =========================================================================
> IDS Engine (suricata) packet drops
> =========================================================================
> /nsm/sensor_data/sensor-ethX/stats.log
> tcp.ssn_memcap_drop | RxPFRethX6 | 0
> tcp.segment_memcap_drop | RxPFRethX6 | 106777

High memcap drop possibly related to running too many rules.

> /proc/net/pf_ring/15707-ethX.124
> Appl. Name : Suricata
> Tot Packets : 8240863
> Tot Pkt Lost : 1015132

Dropping packets possibly related to running too many rules.

> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> COUNT(*)
> 259849

That's a LOT of Uncategorized Events. This will cause sguild to take
a long time to start up as it has to load all Uncategorized Events
into RAM, which may cause other issues. This may be related to
Suricata Gone Wild, so please see:
http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html

Once you have Uncategorized Events under control, remember to
categorize events on a daily basis.
When you're tuning rules, tune these first.

> Sphinx
> Checking for process:
> 25915 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
> Checking for connection:
> nc: connect to localhost port 9306 (tcp) failed: Connection refused

Sphinx is not responding and buffers are being queued:

> ELSA Buffers in Queue:
> -rw-r--r-- 1 root root 1289844 Mar 17 15:49 /nsm/elsa/data/elsa/tmp/buffers/1395071324.51864
> -rw-r--r-- 1 root root 50825980 Mar 17 15:42 /nsm/elsa/data/elsa/tmp/buffers/1395070893.53706
> -rw-r--r-- 1 root root 82314037 Mar 17 15:41 /nsm/elsa/data/elsa/tmp/buffers/1395070833.48838
> -rw-r--r-- 1 root root 273 Mar 17 15:41 /nsm/elsa/data/elsa/tmp/buffers/host_stats.tsv
> -rw-r--r-- 1 root root 100732572 Mar 17 15:40 /nsm/elsa/data/elsa/tmp/buffers/1395070773.15867
> -rw-r--r-- 1 root root 156060155 Mar 17 15:39 /nsm/elsa/data/elsa/tmp/buffers/1395070713.09063
> -rw-r--r-- 1 root root 177084149 Mar 17 14:41 /nsm/elsa/data/elsa/tmp/buffers/1395067246.37437

Please try the following:
sudo service sphinxsearch restart

Wait a few minutes and see if you can connect to port 9306:
nc localhost 9306



--
Doug Burks

Jeff Nucciarone

Mar 18, 2014, 9:52:40 AM
to securit...@googlegroups.com
On Tuesday, March 18, 2014 7:36:53 AM UTC-4, Doug Burks wrote:
> Questions/observations inline.
>
> Looks like eth3 isn't seeing any traffic, so the sniffing processes on
> eth3 are just wasting CPU/RAM. If you're not going to use eth3, you
> should disable those processes.

eth3 is currently disconnected from the tap port. It will be reconnected once this gets working again.

> > Enabled Rules:----18866
>
> 18K rules is a LOT of rules. You should only run the rules necessary
> for your environment. Try to reduce this number to 7K or less.

Still tuning. What's the best way, just disable the id's? Snort and ET seem to just come loaded for bear!

> Load average may be high. How many CPU cores do you have?
>
> > %CPU %MEM COMMAND
> > 190 0.6 /usr/sbin/mysqld

12 physical, although HT is enabled so 24 virtual.

> mysqld is using a LOT of CPU. It's possible that it's due to Snorby
> trying to purge the old alerts. Is it still showing up this high
> today? What did you set the Snorby purge option to?

It was the snorby purge burning a lot of CPU. It took about 4 or 5 hours to clean it all out.

[packet drop section deleted]

> > =========================================================================
> > Sguil Uncategorized Events
> > =========================================================================
> > COUNT(*)
> > 259849
>
> That's a LOT of Uncategorized Events. This will cause sguild to take
> a long time to start up as it has to load all Uncategorized Events
> into RAM, which may cause other issues. This may be related to
> Suricata Gone Wild, so please see:
> http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html
>
> Once you have Uncategorized Events under control, remember to
> categorize events on a daily basis.

I actually was in the process of doing this when barnyard2 decided to quit on me. You should have seen what this looked like last week.

> > =========================================================================
> > Sguil events summary for yesterday
> > =========================================================================
> > Totals GenID:SigID Signature
> > 81366 1:2000419 ET POLICY PE EXE or DLL Windows file download
> > 34293 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode

I'm beginning to really hate the above 2 rules. I thought I filtered out the IP addresses of my file servers but I must have missed a few.

> > 11919 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ

This one above is new. Not sure why the server is triggering it, but this rule is destined for the disabled sig id pile.

> > 6700 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
> > 5870 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
> > 3983 1:2200029 SURICATA ICMPv6 unknown type
> > 3927 1:2210036 SURICATA STREAM FIN2 invalid ack
> > 3742 1:2210044 SURICATA STREAM Packet with invalid timestamp

I hate Suricata stream rules.

> > Sphinx
> > Checking for process:
> > 25915 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
> > Checking for connection:
> > nc: connect to localhost port 9306 (tcp) failed: Connection refused
>
> Sphinx is not responding and buffers are being queued:
>
> Please try the following:
> sudo service sphinxsearch restart
>
> Wait a few minutes and see if you can connect to port 9306:
> nc localhost 9306

nc localhost 9306 returns immediately with no error message or anything. Even though it looks like it is running there is no response. Strange.

Everything was running fine until 05:30Z yesterday.... What the heck changed?

--Jeff

Jeff Nucciarone

Mar 18, 2014, 11:21:10 AM
to securit...@googlegroups.com
Just a further update, barnyard2 is dying on a SEGV. I couldn't cut and paste from the on screen crash report.


Jeff Nucciarone

Mar 18, 2014, 2:13:37 PM
to securit...@googlegroups.com
Doug,

Sorry for intertwining events in here...

I tracked down the problem with sphinxsearch.

I found this in the log file /nsm/elsa/data/elsa/log/searchd.log:

[Tue Mar 18 17:49:10.937 2014] [23387] listening on all interfaces, port=9306
[Tue Mar 18 17:49:10.937 2014] [23387] listening on all interfaces, port=9312
[Tue Mar 18 17:51:54.964 2014] [23387] binlog: replaying log /var/lib/sphinxsearch/data/binlog.001
[Tue Mar 18 17:51:55.006 2014] [23387] FATAL: binlog: log open error: failed to open /var/lib/sphinxsearch/data/binlog.001: No such file or directory

I'm not sure what happened to binlog.001.

I touched a new file and changed to the proper uid/gid. On the next restart this was in the log:

[Tue Mar 18 18:03:48.494 2014] [28867] listening on all interfaces, port=9306
[Tue Mar 18 18:03:48.494 2014] [28867] listening on all interfaces, port=9312
[Tue Mar 18 18:06:26.605 2014] [28867] binlog: replaying log /var/lib/sphinxsearch/data/binlog.001
[Tue Mar 18 18:06:26.605 2014] [28867] WARNING: binlog: empty binlog /var/lib/sphinxsearch/data/binlog.001 detected, skipping
[Tue Mar 18 18:06:26.605 2014] [28867] binlog: finished replaying total 1 in 0.000 sec
[Tue Mar 18 18:06:26.627 2014] [28867] accepting connections

Which is good news as nc on port 9306 works.

Hopefully it stays up and the full backlog of files gets processed.

Now to figure out why barnyard2 is stalling out.

Here's a snippet of the snort_agent.log file:

Sending sguild (sock7) BarnyardDisConnect {2014-03-18 18:02:02}


Sending sguild (sock7) PING
Sensor Data Rcvd: PONG
PONG received

barnyard connected: sock5 127.0.0.1 35200


Sending sguild (sock7) AgentLastCidReq sock5 3

Sensor Data Rcvd: LastCidResults sock5 4512659


Unknown barnyard data:
BYCmdRcvd: Barnyard disconnected.
Sending sguild (sock7) SystemMessage {Barnyard disconnected.}

Sending sguild (sock7) BarnyardDisConnect {2014-03-18 18:07:01}

I'm keying in that the message 'Unknown barnyard data:' (although whatever that data is is not printed) might be the problem. I'm kind of at a loss. What is a command to manually run barnyard2 so I can see the raw output?

Thanks again,

--Jeff

Doug Burks

Mar 19, 2014, 6:42:32 AM
to securit...@googlegroups.com
Replies inline.

On Tue, Mar 18, 2014 at 9:52 AM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
>> 18K rules is a LOT of rules. You should only run the rules necessary
>>
>> for your environment. Try to reduce this number to 7K or less.
>>
>
> Still tuning. What's the best way, just disable the id's?

You may want to consider disabling entire categories that don't apply
to your environment.

> Snort and ET seem to just come loaded for bear!

You may also want to consider just running either VRT *or* ET rulesets
(not both at the same time).





--
Doug Burks
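One way to turn the sostat "Sguil events summary" quoted earlier in the thread into tuning candidates, added here as an example rather than anything from the thread or from Security Onion: it ranks signatures by share of the day's total, emits gid:sid lines in the disablesid.conf form, and, for a rule that is only noisy from a few known hosts (the file-server case above), writes per-source suppress lines in threshold.conf syntax instead of disabling the rule outright. The file-server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): rank a sostat "Sguil events summary"
# by share of the day's total, print disablesid.conf-style "gid:sid" entries
# for signatures above a chosen share, and build threshold.conf suppress
# lines for a rule that is only noisy from known hosts.
# The IP addresses used below are constructed placeholders.

# Constructed sample: the summary rows quoted in the thread.
SUMMARY='Totals GenID:SigID Signature
81366 1:2000419 ET POLICY PE EXE or DLL Windows file download
34293 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
11919 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
6700 1:2210015 SURICATA STREAM CLOSEWAIT ACK out of window
5870 1:2210002 SURICATA STREAM 3way handshake right seq wrong ack evasion
3983 1:2200029 SURICATA ICMPv6 unknown type
3927 1:2210036 SURICATA STREAM FIN2 invalid ack
3742 1:2210044 SURICATA STREAM Packet with invalid timestamp'

# Print "# share (count) message" followed by "gid:sid" for every signature
# whose share of the total is at least MIN_PCT. Reads the summary on stdin;
# the header row and anything else that is not "count gid:sid msg" is skipped.
noisy_sids() {   # usage: noisy_sids <min_pct> < summary
    awk -v min="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            n++; cnt[n] = $1; sid[n] = $2
            text = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+:[0-9]+[ \t]*/, "", text)
            msg[n] = text
            total += $1
        }
        END {
            for (i = 1; i <= n; i++) {
                share = 100 * cnt[i] / total
                if (share >= min) printf "# %.1f%% (%d) %s\n%s\n", share, cnt[i], msg[i], sid[i]
            }
        }'
}

# Only the "gid:sid" entries, i.e. what you would paste into disablesid.conf.
noisy_sid_list() {   # usage: noisy_sid_list <min_pct> < summary
    noisy_sids "$1" | grep -v '^#'
}

# For a rule that fires legitimately from a few hosts, suppress it per source
# (Snort/Suricata threshold.conf syntax) rather than losing it everywhere.
suppress_for() {   # usage: suppress_for <gid:sid> <ip-or-cidr>...
    gid="${1%%:*}"; sid="${1#*:}"; shift
    for src in "$@"; do
        printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$gid" "$sid" "$src"
    done
}

# Demo: anything over 5% of the day's events is a tuning candidate, and the
# file-download rule is suppressed for two placeholder file servers.
printf '%s\n' "$SUMMARY" | noisy_sids 5
suppress_for 1:2000419 192.0.2.10 192.0.2.11
```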

Doug Burks

Mar 19, 2014, 6:47:29 AM
to securit...@googlegroups.com
On Tue, Mar 18, 2014 at 2:13 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> Now to figure out why barnyard2 is stalling out.
>
> Here's a snippet of the snort_agent.log file:
>
> Sending sguild (sock7) BarnyardDisConnect {2014-03-18 18:02:02}
> Sending sguild (sock7) PING
> Sensor Data Rcvd: PONG
> PONG received
> barnyard connected: sock5 127.0.0.1 35200
> Sending sguild (sock7) AgentLastCidReq sock5 3
> Sensor Data Rcvd: LastCidResults sock5 4512659
> Unknown barnyard data:
> BYCmdRcvd: Barnyard disconnected.
> Sending sguild (sock7) SystemMessage {Barnyard disconnected.}
> Sending sguild (sock7) BarnyardDisConnect {2014-03-18 18:07:01}
>
> I'm keying in that the message 'Unknown barnyard data:' (although whatever that data is is not printed) might be the problem. I'm kind of at a loss. What is a command to manually run barnyard2 so I can see the raw output?

There may be specific Suricata events that are causing barnyard to
crash. Please see:
https://groups.google.com/d/topic/security-onion/1rYOnxZ2Irs/discussion


--
Doug Burks

Jeff Nucciarone

Mar 19, 2014, 11:26:42 AM
to securit...@googlegroups.com

> There may be specific Suricata events that are causing barnyard to
> crash. Please see:
> https://groups.google.com/d/topic/security-onion/1rYOnxZ2Irs/discussion

I went there and followed the instructions to build the newer version. I restarted and barnyard2 was running but I had another rule gone wild. I filtered out that rule and ran rule-update. Now barnyard2 won't run at all, with this error in barnyard2.log:

ERROR: database mysql_error: Duplicate entry '1502-17' for key 'PRIMARY'
SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('172090','1502','17');]
Fatal Error, Quitting..
Barnyard2 exiting
database: Closing connection to database "snorby"

I re-ran the command:

mysql -uroot -Dsnorby -e "delete from sig_reference; delete from reference;"

I've restarted and it is taking its time getting going. snort_agent.log isn't showing any rule hits yet, but it hasn't crashed either. It looks like it is hitting mysql pretty hard at the moment.

If it does start working, I'm hoping the daily rule update doesn't require me to constantly run the mysql delete command above....

Jeff Nucciarone

Mar 19, 2014, 5:16:19 PM
to securit...@googlegroups.com
On Wednesday, March 19, 2014 11:26:42 AM UTC-4, Jeff Nucciarone wrote:

> If it does start working, I'm hoping the daily rule update doesn't require me to constantly run the mysql delete command above....

It ran for a few hours and then stopped again.

Upon restart, barnyard2 conked out with this again:

ERROR: database mysql_error: Duplicate entry '1502-17' for key 'PRIMARY'

SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('228195','1502','17');]


Fatal Error, Quitting..
Barnyard2 exiting

Frustrating....

Jeff Nucciarone

Mar 20, 2014, 3:42:57 PM
to securit...@googlegroups.com
Further followup.

It appears barnyard2 was dying because the system became memory starved and the system load shot thru the roof swapping. I thought 32 GB would be enough memory but perhaps not! I need to retune some things there.

Currently it appears fine:

total used free shared buffers cached
Mem: 32934960 30909752 2025208 0 736 1105900
-/+ buffers/cache: 29803116 3131844
Swap: 20466192 19827796 638396


although I expect it to start swapping again later since my free memory appears low.

However the 2.1-13 version barnyard2 I installed and built yesterday would not restart, even after manually cleaning the snorby database. I ended up returning back to the -11 version and oddly enough it is running fine now without the previous stop / crash that made me try the -13 release.

Its behavior is still baffling.


Doug Burks

Mar 20, 2014, 5:07:43 PM
to securit...@googlegroups.com
Replies inline.

On Thu, Mar 20, 2014 at 3:42 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> Further followup.
>
> It appears barnyard2 was dying because the system became memory starved and the system load shot thru the roof swapping. I thought 32 GB would be enough memory but perhaps not! I need to retune some things there.
>
> Currently it appears fine:
>
> total used free shared buffers cached
> Mem: 32934960 30909752 2025208 0 736 1105900
> -/+ buffers/cache: 29803116 3131844
> Swap: 20466192 19827796 638396
>
>
> although I expect it to start swapping again later since my free memory appears low.

In general, Linux will try to use as much RAM as possible for caching
so just because your free memory is low does not necessarily indicate
a problem. However, you do appear to be using quite a bit of swap so
your memory requirements are greater than your actual physical memory.
It's most likely due to the fact that you're running 6 Bro workers
for each of your 2 sniffing interfaces.

Do you need 6 Bro workers?

How much traffic are you monitoring?

> However the 2.1-13 version barnyard2 I installed and built yesterday would not restart, even after manually cleaning the snorby database. I ended up returning back to the -11 version and oddly enough it is running fine now without the previous stop / crash that made me try the -13 release.
>
> Its behavior is still baffling.

It seems there are specific Suricata events that can sometimes cause
our current version of barnyard to crash. Perhaps you disabled this
event or the backlog finally got processed completely.



--
Doug Burks

Jeff Nucciarone

Mar 21, 2014, 9:47:41 AM
to securit...@googlegroups.com
Replies inline.

On Thursday, March 20, 2014 5:07:43 PM UTC-4, Doug Burks wrote:
> Replies inline.
>
> It's most likely due to the fact that you're running 6 Bro workers
> for each of your 2 sniffing interfaces.
>
> Do you need 6 Bro workers?

Probably not. I took a stab in the dark at what I would need -- I went with half of my physical core count. What is a good recommendation? This box will also receive data from 1 or two more sensors if that factors in.

> How much traffic are you monitoring?

Some 9TB/day flies by my rather overwhelmed tap port. eth3 is set up so we can eventually split the monitoring duties. I use bpf to filter out all the backup traffic and that dramatically slowed what nsm was storing from 9TB to just a single TB per day.

> > However the 2.1-13 version barnyard2 I installed and built yesterday would not restart, even after manually cleaning the snorby database. I ended up returning back to the -11 version and oddly enough it is running fine now without the previous stop / crash that made me try the -13 release.
> >
> > Its behavior is still baffling.
>
> It seems there are specific Suricata events that can sometimes cause
> our current version of barnyard to crash. Perhaps you disabled this
> event or the backlog finally got processed completely.

Tuning has been a slow process but I still have a long way to go. It is like playing whack-a-mole with all the nuisance rules.

> --
> Doug Burks

Doug Burks

Mar 21, 2014, 5:19:17 PM
to securit...@googlegroups.com
On Fri, Mar 21, 2014 at 9:47 AM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
>> Do you need 6 Bro workers?
>>
>
> Probably not. I took a stab in the dark at what I would need -- I went with half of my physical core count. What is a good recommendation? This box will also receive data from 1 or two more sensors if that factors in.

Try decreasing to 1 or 2 Bro workers and see if it can handle the load
without dropping packets. If not, increase the number of Bro workers
until you reach 0 packet loss. If all else fails, buy more RAM...it's
cheap! :)



--
Doug Burks

Jeff Nucciarone

Mar 24, 2014, 3:49:03 PM
to securit...@googlegroups.com
On Friday, March 21, 2014 5:19:17 PM UTC-4, Doug Burks wrote:

>
> Try decreasing to 1 or 2 Bro workers and see if it can handle the load
> without dropping packets. If not, increase the number of Bro workers
> until you reach 0 packet loss. If all else fails, buy more RAM...it's
> cheap! :)

I put in the request to the boss for more memory so hopefully that gets a green light. In the interim my dropped packet count is soaring due to all the swapping. Since my eth3 is currently disconnected rather than de-configure it, can I instead just give it a smaller number of PF_RING instances and a smaller number of bro processes (such as 1) while keeping eth2 the same?

I know this sounds like a silly question as nothing appears to suggest I have to run the same number of instances for each interface. Right now I dropped it to 4 and 4 and the box seems a lot happier. I'll wait to see what happens to the number of dropped packets. Maybe now without system load racing to 40 it should get better!

Doug Burks

Mar 24, 2014, 3:54:07 PM
to securit...@googlegroups.com
You don't have to de-configure eth3, you can simply disable the
processes running on that interface. Should be something like this:

# stop all sensor processes
sudo nsm_sensor_ps-stop

# edit /etc/nsm/sensortab and comment out the eth3 line
sudo nano /etc/nsm/sensortab

# edit /opt/bro/etc/node.cfg and comment out the eth3 lines
sudo nano /opt/bro/etc/node.cfg

# install the new Bro config
sudo broctl install

# reboot
sudo reboot
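The edits Doug describes, done on file copies so they can be diffed before anything is installed, as an added example that is not part of the thread or of Security Onion: the script comments out one interface's sensortab line and its whole node.cfg section, or (the alternative Jeff raised) keeps the interface and only lowers its lb_procs. The sensortab column order and both sample files are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not the thread's own commands): rewrite copies of
# /etc/nsm/sensortab and /opt/bro/etc/node.cfg so one interface's sensor
# and Bro workers are commented out, or keep the interface and just lower
# its lb_procs. Output goes to stdout: diff it against the real file before
# copying it over and running "sudo broctl install".
# Assumed layouts: sensortab names the interface as a whitespace-separated
# field; node.cfg is broctl's INI with "interface=" in each worker section.

write_samples() {   # constructed sample files; usage: write_samples <dir>
    mkdir -p "$1"
    cat > "$1/sensortab" <<'EOF'
# name  autostart  port  interface   (assumed column order)
sensor-eth2  1  7736  eth2
sensor-eth3  1  7737  eth3
EOF
    cat > "$1/node.cfg" <<'EOF'
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[sensor-eth2]
type=worker
host=localhost
interface=eth2
lb_method=pf_ring
lb_procs=6

[sensor-eth3]
type=worker
host=localhost
interface=eth3
lb_method=pf_ring
lb_procs=6
EOF
}

# Comment out every sensortab line naming the interface in any field.
disable_sensortab() {   # usage: disable_sensortab <iface> <file>
    awk -v iface="$1" '
        /^[ \t]*#/ { print; next }
        { hit = 0
          for (i = 1; i <= NF; i++) if ($i == iface) hit = 1
          if (hit) printf "#"
          print }' "$2"
}

# Buffer node.cfg one [section] at a time; when the section carries a
# matching interface= line, comment it out whole (mode=disable) or rewrite
# its lb_procs= line (mode=procs). Every other section prints unchanged.
edit_node_cfg() {   # usage: edit_node_cfg <iface> <disable|procs> <n> <file>
    awk -v iface="$1" -v mode="$2" -v procs="$3" '
        function flush(   i, line) {
            for (i = 1; i <= n; i++) {
                line = buf[i]
                if (hit && mode == "disable" && line != "") line = "#" line
                if (hit && mode == "procs" && line ~ /^[ \t]*lb_procs[ \t]*=/) line = "lb_procs=" procs
                print line
            }
            n = 0; hit = 0
        }
        /^[ \t]*\[/ { flush() }
        { buf[++n] = $0 }
        $0 ~ ("^[ \t]*interface[ \t]*=[ \t]*" iface "[ \t]*$") { hit = 1 }
        END { flush() }' "$4"
}

disable_node_cfg() { edit_node_cfg "$1" disable 0 "$2"; }  # <iface> <file>
set_lb_procs()     { edit_node_cfg "$1" procs "$2" "$3"; } # <iface> <n> <file>

# Demo on the samples: take eth3 out entirely and give eth2 four workers.
demo() {
    d="${TMPDIR:-/tmp}/nsm-demo-$$"
    write_samples "$d"
    disable_sensortab eth3 "$d/sensortab"
    disable_node_cfg eth3 "$d/node.cfg" > "$d/node.cfg.new"
    set_lb_procs eth2 4 "$d/node.cfg.new"
    rm -rf "$d"
}
demo
```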

Jeff Nucciarone

Mar 25, 2014, 10:51:39 AM
to securit...@googlegroups.com
On Monday, March 24, 2014 3:54:07 PM UTC-4, Doug Burks wrote:
> You don't have to de-configure eth3, you can simply disable the
> processes running on that interface. Should be something like this:

Many thanks. I'll do this at the next time I am ready to reboot. So far cutting back has freed up a lot of resources and I didn't lose any packets last night due to swapping. pf_ring is still dropping packets so I need to go look there but that is separate from this issue.

I think we can finally put this thread to bed ;)

Thanks again,

--Jeff
