Below you will find the output from the sensor and the server, so please provide your recommendations. A couple of clarifications I needed:
1. I should always have an internet connection on the server to download the rules.
2. Local rules need to be added only if I need tuning.
Server sostat
---------------------
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
230987332 596610 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
230987332 596610 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:b0:06:84 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
86392783 198919 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
304620906 174261 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:b0:05:55 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1462316 16762 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
13129 119 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
IDS Rules Update
=========================================================================
Fri Nov 13 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 27 minutes to avoid overwhelming rule sites.
LOCAL_NIDS_RULE_TUNING is enabled.
This will cause PulledPork to use the existing rules in /opt/emergingthreats/
instead of downloading new rules from the Internet.
If you want PulledPork to download new rules from the Internet,
set the following in /etc/nsm/securityonion.conf:
LOCAL_NIDS_RULE_TUNING=no
Running PulledPork.
http://code.google.com/p/pulledpork/
[PulledPork ASCII-art banner]
PulledPork v0.7.0 - Swine Flu!
Copyright (C) 2009-2013 JJ Cummings
cumm...@gmail.com
Rules give me wings!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 38 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----17229
Dropped Rules:----0
Disabled Rules:---3891
Total Rules:------21120
No IP Blacklist Changes
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
7545
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
4 1:2100366 GPL ICMP_INFO PING *NIX
3 1:2101603 GPL WEB_SERVER DELETE attempt
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2001219 ET SCAN Potential SSH Scan
=========================================================================
Sensor sostat
---------------------
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
10799460 34430 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
10799460 34430 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:b0:23:3d brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
173805335 213276 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
40916626 173613 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:b0:12:03 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
283513209 583661 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
90 1 0 0 0 0
TX errors: aborted fifo window heartbeat
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 4249
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/vm-nidsqtss1-prod-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/vm-nidsqtss1-prod-eth1/dailylogs/ - 3 days
465M .
30M ./2015-11-11
165M ./2015-11-12
270M ./2015-11-13
/nsm/bro/logs/ - 3 days
4.5M .
392K ./2015-11-11
1.9M ./2015-11-12
868K ./2015-11-13
1.4M ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
vm-nidsqtss1-prod-eth1-1: 1447402577.043732 recvd=57990 dropped=0 link=57990
vm-nidsqtss1-prod-eth1-2: 1447402577.243877 recvd=74623 dropped=0 link=74623
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/vm-nidsqtss1-prod-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/vm-nidsqtss1-prod-eth1/snort-2.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 4
Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/24145-eth1.86
Appl. Name : bro-eth1
Tot Packets : 74625
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096
/proc/net/pf_ring/24146-eth1.87
Appl. Name : bro-eth1
Tot Packets : 57992
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096
/proc/net/pf_ring/24399-eth1.88
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 57764
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098
/proc/net/pf_ring/24443-eth1.89
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 74482
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4096
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss
=========================================================================
Last update
=========================================================================
Syslog-ng
Checking for process:
18515 supervising syslog-ng
18516 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
2212 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
2059 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
106M /nsm/elsa/data
2.8M /var/lib/mysql/syslog
2.3M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2015-11-11 20:16:59 2015-11-13 08:15:48
autossh
Checking for process:
4198 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:127.0.0.1:3306 -R 50000:localhost:3154 sen...@10.210.12.10