Sguil server [OK] but unable to connect to localhost on port 7734


djpec...@gmail.com

Feb 21, 2016, 7:03:54 PM2/21/16
to security-onion
Fresh build from the latest 14.04 with everything running perfectly, and then I cannot connect to Sguil.

sudo netstat -na | grep 7734
NOTHING

Status: securityonion
* sguil server[ OK ]

I did create some auto-cats through the GUI but couldn't verify them via the auto-cat viewer, so I did it via autocat.conf for the high hit counts.

I noticed that sguild.log is growing by adding the following to the end...

2016-02-21 23:06:54 pid(4430) Archived Alert: 0 3 protocol-command-dec so20160220-eth0-3 {2016-02-21 15:20:33} 5 265157 {stream5: Data sent on stream not accepting data} 192.168.1.120 192.168.1.199 6 50762 445 129 3 1 1674 1674
2016-02-21 23:06:54 pid(4430) AUTO MARKING EVENT AS : 1


Did I create a DoS condition for myself with autocat?

I still can't access Sguil.
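The two log lines above are a pair: sguild archives an event, then auto-categorises it according to autocat.conf. Whether that churn is the problem can be measured by counting how many events per second are being auto-marked and which signatures dominate. The script below is an added example, not code from this thread or from Sguil/Security Onion. It assumes that each "Archived Alert:" line is immediately followed by the "AUTO MARKING EVENT AS : <status>" line for the same event and that the field order after "Archived Alert:" is status, priority, class, sensor, {time}, sid, cid, {message}, src, dst, proto, sport, dport, ... (inferred from the single line posted above; Sguil writes these as Tcl lists, so a {...} group is one field). The first sample line is the one from the post; the rest of the sample log is constructed.

```python
"""Summarise autocat churn in sguild.log (added example; see lead-in for assumptions)."""
import re
from collections import Counter
from datetime import datetime

ARCHIVED = re.compile(r"^(\S+ \S+) pid\(\d+\) Archived Alert: (.*)$")
MARKED = re.compile(r"^(\S+ \S+) pid\(\d+\) AUTO MARKING EVENT AS : (\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def tcl_split(text):
    """Split a Tcl list: whitespace-separated words, with {...} groups
    (nesting allowed) returned as one element without the outer braces."""
    items, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(text[j], 0)
                j += 1
            if depth:
                raise ValueError("unbalanced braces: " + text)
            items.append(text[i + 1:j - 1])
            i = j
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            items.append(text[i:j])
            i = j
    return items


def parse_event(rest):
    """Pick the fields we report on (positions are an assumption, see lead-in)."""
    f = tcl_split(rest)
    return {"sensor": f[3], "sid": f[5], "cid": f[6], "msg": f[7],
            "src": f[8], "dst": f[9], "proto": f[10], "dport": f[12]}


def summarise(lines):
    """Pair every Archived Alert with the AUTO MARKING line that follows it and
    return counts by signature, status and sensor plus the auto-mark rate over
    the time span covered by the lines."""
    by_sig, by_status, by_sensor = Counter(), Counter(), Counter()
    pending, first, last, total = None, None, None, 0
    for line in lines:
        m = ARCHIVED.match(line)
        if m:
            pending = (m.group(1), parse_event(m.group(2)))
            continue
        m = MARKED.match(line)
        if m and pending:
            ts, ev = pending
            pending = None
            by_sig[ev["msg"]] += 1
            by_status[int(m.group(2))] += 1
            by_sensor[ev["sensor"]] += 1
            first = first or ts
            last = ts
            total += 1
    span = 0.0
    if total:
        span = (datetime.strptime(last, TS_FMT)
                - datetime.strptime(first, TS_FMT)).total_seconds()
    return {"total": total, "span_seconds": span,
            "per_second": total / span if span else float(total),
            "by_sig": by_sig, "by_status": by_status, "by_sensor": by_sensor}


# First line is the one from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
2016-02-21 23:06:54 pid(4430) Archived Alert: 0 3 protocol-command-dec so20160220-eth0-3 {2016-02-21 15:20:33} 5 265157 {stream5: Data sent on stream not accepting data} 192.168.1.120 192.168.1.199 6 50762 445 129 3 1 1674 1674
2016-02-21 23:06:54 pid(4430) AUTO MARKING EVENT AS : 1
2016-02-21 23:06:55 pid(4430) Archived Alert: 0 3 protocol-command-dec so20160220-eth0-3 {2016-02-21 15:20:34} 5 265158 {stream5: Data sent on stream not accepting data} 192.168.1.120 192.168.1.199 6 50763 445 129 3 1 1674 1674
2016-02-21 23:06:55 pid(4430) AUTO MARKING EVENT AS : 1
2016-02-21 23:06:55 pid(4430) Archived Alert: 0 2 misc-activity so20160220-eth0-1 {2016-02-21 15:20:40} 3 9912 {ET POLICY Dropbox Client Broadcasting} 192.168.1.50 192.168.1.255 17 17500 17500 0 0 0 0 0
2016-02-21 23:06:55 pid(4430) AUTO MARKING EVENT AS : 1
2016-02-21 23:06:56 pid(4430) Some unrelated line
2016-02-21 23:06:58 pid(4430) Archived Alert: 0 3 protocol-command-dec so20160220-eth0-3 {2016-02-21 15:20:35} 5 265159 {stream5: Data sent on stream not accepting data} 192.168.1.120 192.168.1.199 6 50764 445 129 3 1 1674 1674
2016-02-21 23:06:58 pid(4430) AUTO MARKING EVENT AS : 1
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarise(src)
    print("%d events auto-marked in %.0fs (%.2f/s)" % (s["total"], s["span_seconds"], s["per_second"]))
    for msg, n in s["by_sig"].most_common(10):
        print("%6d  %s" % (n, msg))
```

Run it against the real file with `python3 autocat_churn.py /var/log/nsm/securityonion/sguild.log`; a signature that accounts for most of the auto-marked events is the one whose autocat entry is doing the work, and the per-second figure tells you how busy sguild is with categorisation alone.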

Wes

Feb 21, 2016, 7:33:10 PM2/21/16
to security-onion

djpeck6402,


#Have you tried restarting the sguil server?

sudo nsm_server_ps-restart


#Do you have a high number of uncategorized alerts in Sguil?

You can check the output of sostat for this.


#You could try running a mysqlcheck on securityonion_db

sudo mysqlcheck -c securityonion_db


#You could try running sguil-db-purge. First, change the DAYSTOKEEP variable in /etc/nsm/securityonion.conf to the desired number of days. Then run:

sudo sguil-db-purge


#Lastly, you could try removing any offending autocat entries from securityonion_db:

https://groups.google.com/d/msg/security-onion/touCa1eR_EE/WdZ4JicUAQAJ


Also, please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal's scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1
sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.

Thanks,
Wes
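Before and after the restart in the first step, it is worth confirming that sguild has actually bound its client port: in the opening message netstat showed nothing on 7734 while the status script reported [OK], and a status line tells you about the process, not about the socket. The check below is an added example, not code from this thread or from Security Onion. It reads /proc/net/tcp and /proc/net/tcp6 directly (Linux), so it works without netstat or lsof; the sample table contents used for the self-test are constructed.

```python
"""Is a TCP port really bound in LISTEN state? (added example, see lead-in)"""
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket


def _ipv4(hexaddr):
    """'0100007F' -> '127.0.0.1' (one little-endian 32-bit word)."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def _ipv6(hexaddr):
    """32 hex digits -> textual IPv6 (four little-endian 32-bit words)."""
    words = [struct.pack("<I", int(hexaddr[i:i + 8], 16)) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def listeners(port, table, family=4):
    """Return the local addresses on which `port` is in LISTEN state, given
    the text of /proc/net/tcp (family=4) or /proc/net/tcp6 (family=6).
    Established connections on the same port are deliberately ignored."""
    found = []
    for line in table.splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        addr_hex, port_hex = cols[1].split(":")
        if cols[3] == TCP_LISTEN and int(port_hex, 16) == port:
            found.append(_ipv4(addr_hex) if family == 4 else _ipv6(addr_hex))
    return found


def is_listening(port):
    """Live check on the running host; returns the bound addresses (may be empty)."""
    bound = []
    for family, path in ((4, "/proc/net/tcp"), (6, "/proc/net/tcp6")):
        try:
            with open(path) as fh:
                bound += listeners(port, fh.read(), family)
        except OSError:  # not Linux, or procfs unavailable
            pass
    return bound


# Constructed /proc/net/tcp content: 7734 listening on 0.0.0.0, mysqld on
# 127.0.0.1:3306, and one ESTABLISHED client on 7734 (state 01, not a listener).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1E36 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 251843 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 17134 1 0000000000000000 100 0 0 10 0
   2: 7801A8C0:1E36 7701A8C0:B066 01 00000000:00000000 00:00000000 00000000  1001        0 255283 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1E36 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 251844 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for port in (7734, 7736):
        bound = is_listening(port)
        print("port %d: %s" % (port, ", ".join(bound) if bound else "NOT LISTENING"))
```

If 7734 comes back NOT LISTENING while the status script still says [OK], the daemon is alive but not serving, which is exactly the condition described at the top of this thread; restart it and re-run the check rather than trusting the status line.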

djpec...@gmail.com

Feb 21, 2016, 8:23:50 PM2/21/16
to security-onion
On Sunday, February 21, 2016 at 7:03:54 PM UTC-5, djpec...@gmail.com wrote:

Thanks Wes,
It did come back online after about 30-45 minutes

Barnyard hits 100% CPU on occasion (4 cores)
sguild.log is still growing (505 MB)

Answers inline

#Have you tried restarting the sguil server? yes

#Do you have a high number of uncategorized alerts in Sguil? 32937

#You could try running a mysqlcheck on securityonion_db - All OK

#You could try running sguil-db-purge. First, change the DAYSTOKEEP variable in /etc/nsm/securityonion.conf to the desired number of days. Then run:

sudo sguil-db-purge: the DB is one day old and set at 30. Ran the purge; repair status OK.

#Lastly, you could try removing any offending autocat entries from securityonion_db: I will research this

David Peck

Feb 21, 2016, 8:24:58 PM2/21/16
to security-onion
On Sunday, February 21, 2016 at 7:03:54 PM UTC-5, djpec...@gmail.com wrote:

sostat redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 5280 5 21 Feb 23:48:13
proxy proxy localhost running 5973 5 21 Feb 23:53:53
SO-server-eth0-1 worker localhost running 13045 2 22 Feb 00:16:21
SO-server-eth0-2 worker localhost running 13050 2 22 Feb 00:16:21
SO-server-eth0-3 worker localhost running 13041 2 22 Feb 00:16:21
SO-server-eth0-4 worker localhost running 13054 2 22 Feb 00:16:21
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort_agent-3 (SO-user)[ OK ]
* snort_agent-4 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:19307 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2977242 (2.9 MB) TX bytes:90 (90.0 B)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11640 errors:0 dropped:0 overruns:0 frame:0
TX packets:8495 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:878802 (878.8 KB) TX bytes:379100 (379.1 KB)
Interrupt:16 Base address:0x2000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:747232 errors:0 dropped:0 overruns:0 frame:0
TX packets:747232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:958892726 (958.8 MB) TX bytes:958892726 (958.8 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
958892726 747232 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
958892726 747232 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2977242 19307 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
90 1 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
878802 11640 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
379100 8495 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 16G 4.0K 16G 1% /dev
tmpfs 3.2G 3.7M 3.2G 1% /run
/dev/mapper/securityonion--vg-root 230G 11G 209G 5% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 16G 76K 16G 1% /run/shm
none 100M 24K 100M 1% /run/user
/dev/sda1 236M 45M 179M 21% /boot
/dev/sdb1 4.9T 1.1T 3.6T 23% /nsm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1291 avahi 12u IPv4 939 0t0 UDP *:5353
avahi-dae 1291 avahi 13u IPv6 940 0t0 UDP *:5353
avahi-dae 1291 avahi 14u IPv4 941 0t0 UDP *:33360
avahi-dae 1291 avahi 15u IPv6 942 0t0 UDP *:58452
sshd 1681 root 3u IPv4 14867 0t0 TCP *:ssh_port (LISTEN)
sshd 1681 root 4u IPv6 14869 0t0 TCP *:ssh_port (LISTEN)
searchd 1755 sphinxsearch 7u IPv4 17027 0t0 TCP *:9306 (LISTEN)
searchd 1755 sphinxsearch 8u IPv4 17028 0t0 TCP *:9312 (LISTEN)
searchd 1755 sphinxsearch 129u IPv4 258072 0t0 TCP X.X.X.X:9306->X.X.X.X:52955 (ESTABLISHED)
cups-brow 1756 root 6u IPv6 15840 0t0 TCP [X.X.X.X]:47934->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1756 root 8u IPv4 14099 0t0 UDP *:631
mysqld 1776 mysql 12u IPv4 17134 0t0 TCP X.X.X.X:3306 (LISTEN)
nessusd 1809 root 12u IPv4 18319 0t0 TCP *:8834 (LISTEN)
nessusd 1809 root 13u IPv6 18320 0t0 TCP *:8834 (LISTEN)
ossec-csy 1852 ossecm 5u IPv4 17105 0t0 UDP X.X.X.X:52837->X.X.X.X:514
cupsd 1884 root 10u IPv6 15829 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1884 root 11u IPv4 15830 0t0 TCP X.X.X.X:631 (LISTEN)
sendmail- 4284 root 3u IPv4 23316 0t0 TCP X.X.X.X:25 (LISTEN)
sendmail- 4284 root 5u IPv4 23317 0t0 TCP X.X.X.X:587 (LISTEN)
tclsh 4328 SO-user 3u IPv4 25433 0t0 TCP X.X.X.X:42574->X.X.X.X:7736 (CLOSE_WAIT)
wish 4799 SO-user 4u IPv4 255282 0t0 TCP X.X.X.X:45158->X.X.X.X:7734 (ESTABLISHED)
ntpd 4936 ntp 16u IPv4 26823 0t0 UDP *:123
ntpd 4936 ntp 17u IPv6 26824 0t0 UDP *:123
ntpd 4936 ntp 18u IPv4 26830 0t0 UDP X.X.X.X:123
ntpd 4936 ntp 19u IPv4 26831 0t0 UDP X.X.X.X:123
ntpd 4936 ntp 20u IPv6 26832 0t0 UDP [X.X.X.X]:123
/usr/sbin 5021 root 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5021 root 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5021 root 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5048 www-data 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5048 www-data 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5048 www-data 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5049 www-data 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5049 www-data 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5049 www-data 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5050 www-data 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5050 www-data 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5050 www-data 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5051 www-data 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5051 www-data 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5051 www-data 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
/usr/sbin 5052 www-data 5u IPv6 27840 0t0 TCP *:443 (LISTEN)
/usr/sbin 5052 www-data 7u IPv6 27844 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5052 www-data 9u IPv6 27850 0t0 TCP *:3154 (LISTEN)
bro 5280 SO-user 4u IPv4 29862 0t0 UDP X.X.X.X:38956->X.X.X.X:53
bro 5300 SO-user 0u IPv4 29881 0t0 TCP *:47761 (LISTEN)
bro 5300 SO-user 1u IPv6 29882 0t0 TCP *:47761 (LISTEN)
bro 5300 SO-user 2u IPv4 30274 0t0 TCP X.X.X.X:47761->X.X.X.X:43835 (ESTABLISHED)
bro 5300 SO-user 4u IPv4 29862 0t0 UDP X.X.X.X:38956->X.X.X.X:53
bro 5300 SO-user 268u IPv4 209089 0t0 TCP X.X.X.X:47761->X.X.X.X:43871 (ESTABLISHED)
bro 5300 SO-user 273u IPv4 189253 0t0 TCP X.X.X.X:47761->X.X.X.X:43872 (ESTABLISHED)
bro 5300 SO-user 278u IPv4 207616 0t0 TCP X.X.X.X:47761->X.X.X.X:43875 (ESTABLISHED)
bro 5300 SO-user 283u IPv4 207619 0t0 TCP X.X.X.X:47761->X.X.X.X:43877 (ESTABLISHED)
bro 5973 SO-user 4u IPv4 28632 0t0 UDP X.X.X.X:56345->X.X.X.X:53
bro 5975 SO-user 0u IPv4 30273 0t0 TCP X.X.X.X:43835->X.X.X.X:47761 (ESTABLISHED)
bro 5975 SO-user 4u IPv4 28632 0t0 UDP X.X.X.X:56345->X.X.X.X:53
bro 5975 SO-user 266u IPv4 30281 0t0 TCP *:47762 (LISTEN)
bro 5975 SO-user 267u IPv6 30282 0t0 TCP *:47762 (LISTEN)
bro 5975 SO-user 268u IPv4 207592 0t0 TCP X.X.X.X:47762->X.X.X.X:50651 (ESTABLISHED)
bro 5975 SO-user 273u IPv4 209092 0t0 TCP X.X.X.X:47762->X.X.X.X:50652 (ESTABLISHED)
bro 5975 SO-user 278u IPv4 208113 0t0 TCP X.X.X.X:47762->X.X.X.X:50654 (ESTABLISHED)
bro 5975 SO-user 283u IPv4 208135 0t0 TCP X.X.X.X:47762->X.X.X.X:50656 (ESTABLISHED)
syslog-ng 10984 root 9u IPv4 68668 0t0 TCP *:514 (LISTEN)
syslog-ng 10984 root 10u IPv4 68669 0t0 UDP *:514
bro 13041 SO-user 4u IPv4 209023 0t0 UDP X.X.X.X:60826->X.X.X.X:53
bro 13045 SO-user 4u IPv4 208070 0t0 UDP X.X.X.X:35627->X.X.X.X:53
bro 13050 SO-user 4u IPv4 189225 0t0 UDP X.X.X.X:56825->X.X.X.X:53
bro 13054 SO-user 4u IPv4 209018 0t0 UDP X.X.X.X:49305->X.X.X.X:53
bro 13072 SO-user 0u IPv4 207589 0t0 TCP X.X.X.X:43871->X.X.X.X:47761 (ESTABLISHED)
bro 13072 SO-user 4u IPv4 208070 0t0 UDP X.X.X.X:35627->X.X.X.X:53
bro 13072 SO-user 266u IPv4 207595 0t0 TCP X.X.X.X:50652->X.X.X.X:47762 (ESTABLISHED)
bro 13072 SO-user 271u IPv4 207600 0t0 TCP *:47763 (LISTEN)
bro 13072 SO-user 272u IPv6 207601 0t0 TCP *:47763 (LISTEN)
bro 13075 SO-user 0u IPv4 208092 0t0 TCP X.X.X.X:43872->X.X.X.X:47761 (ESTABLISHED)
bro 13075 SO-user 4u IPv4 209018 0t0 UDP X.X.X.X:49305->X.X.X.X:53
bro 13075 SO-user 266u IPv4 208095 0t0 TCP X.X.X.X:50651->X.X.X.X:47762 (ESTABLISHED)
bro 13075 SO-user 271u IPv4 208100 0t0 TCP *:47766 (LISTEN)
bro 13075 SO-user 272u IPv6 208101 0t0 TCP *:47766 (LISTEN)
bro 13084 SO-user 0u IPv4 208109 0t0 TCP X.X.X.X:43875->X.X.X.X:47761 (ESTABLISHED)
bro 13084 SO-user 4u IPv4 209023 0t0 UDP X.X.X.X:60826->X.X.X.X:53
bro 13084 SO-user 266u IPv4 208112 0t0 TCP X.X.X.X:50654->X.X.X.X:47762 (ESTABLISHED)
bro 13084 SO-user 271u IPv4 208120 0t0 TCP *:47765 (LISTEN)
bro 13084 SO-user 272u IPv6 208121 0t0 TCP *:47765 (LISTEN)
bro 13089 SO-user 0u IPv4 189285 0t0 TCP X.X.X.X:43877->X.X.X.X:47761 (ESTABLISHED)
bro 13089 SO-user 4u IPv4 189225 0t0 UDP X.X.X.X:56825->X.X.X.X:53
bro 13089 SO-user 266u IPv4 189288 0t0 TCP X.X.X.X:50656->X.X.X.X:47762 (ESTABLISHED)
bro 13089 SO-user 271u IPv4 189293 0t0 TCP *:47764 (LISTEN)
bro 13089 SO-user 272u IPv6 189294 0t0 TCP *:47764 (LISTEN)
tclsh 13153 SO-user 3u IPv4 253263 0t0 TCP X.X.X.X:57156->X.X.X.X:7736 (ESTABLISHED)
tclsh 13172 SO-user 3u IPv4 252397 0t0 TCP X.X.X.X:47277->X.X.X.X:7736 (ESTABLISHED)
tclsh 13172 SO-user 4u IPv4 207657 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 13172 SO-user 6u IPv4 247261 0t0 TCP X.X.X.X:8001->X.X.X.X:39877 (ESTABLISHED)
tclsh 13190 SO-user 3u IPv4 251854 0t0 TCP X.X.X.X:40426->X.X.X.X:7736 (ESTABLISHED)
tclsh 13190 SO-user 4u IPv4 208238 0t0 TCP X.X.X.X:8002 (LISTEN)
tclsh 13190 SO-user 6u IPv4 217797 0t0 TCP X.X.X.X:8002->X.X.X.X:44337 (ESTABLISHED)
tclsh 13208 SO-user 3u IPv4 252400 0t0 TCP X.X.X.X:43774->X.X.X.X:7736 (ESTABLISHED)
tclsh 13208 SO-user 4u IPv4 208274 0t0 TCP X.X.X.X:8003 (LISTEN)
tclsh 13208 SO-user 6u IPv4 217909 0t0 TCP X.X.X.X:8003->X.X.X.X:58211 (ESTABLISHED)
tclsh 13226 SO-user 3u IPv4 253260 0t0 TCP X.X.X.X:42796->X.X.X.X:7736 (ESTABLISHED)
tclsh 13226 SO-user 4u IPv4 189360 0t0 TCP X.X.X.X:8004 (LISTEN)
tclsh 13226 SO-user 6u IPv4 248902 0t0 TCP X.X.X.X:8004->X.X.X.X:32846 (ESTABLISHED)
barnyard2 13331 SO-user 3u IPv4 219340 0t0 TCP X.X.X.X:44337->X.X.X.X:8002 (ESTABLISHED)
barnyard2 13347 SO-user 3u IPv4 217908 0t0 TCP X.X.X.X:58211->X.X.X.X:8003 (ESTABLISHED)
barnyard2 22408 SO-user 3u IPv4 247990 0t0 TCP X.X.X.X:39877->X.X.X.X:8001 (ESTABLISHED)
barnyard2 22453 SO-user 3u IPv4 244689 0t0 TCP X.X.X.X:32846->X.X.X.X:8004 (ESTABLISHED)
tclsh 24427 SO-user 13u IPv4 251843 0t0 TCP *:7734 (LISTEN)
tclsh 24427 SO-user 14u IPv6 251844 0t0 TCP *:7734 (LISTEN)
tclsh 24427 SO-user 15u IPv4 251847 0t0 TCP *:7736 (LISTEN)
tclsh 24427 SO-user 16u IPv6 251848 0t0 TCP *:7736 (LISTEN)
tclsh 24427 SO-user 17u IPv4 253257 0t0 TCP X.X.X.X:7736->X.X.X.X:47277 (ESTABLISHED)
tclsh 24427 SO-user 18u IPv4 253264 0t0 TCP X.X.X.X:7736->X.X.X.X:42796 (ESTABLISHED)
tclsh 24427 SO-user 19u IPv4 254020 0t0 TCP X.X.X.X:7736->X.X.X.X:57156 (ESTABLISHED)
tclsh 24427 SO-user 20u IPv4 252401 0t0 TCP X.X.X.X:7736->X.X.X.X:40426 (ESTABLISHED)
tclsh 24427 SO-user 21u IPv4 254021 0t0 TCP X.X.X.X:7736->X.X.X.X:43774 (ESTABLISHED)
tclsh 24427 SO-user 22u IPv4 255283 0t0 TCP X.X.X.X:7734->X.X.X.X:45158 (ESTABLISHED)
sendmail- 25176 smmsp 4u IPv4 256236 0t0 UDP X.X.X.X:41069->X.X.X.X:53
sendmail- 25176 smmsp 5u IPv4 255821 0t0 UDP X.X.X.X:39061->X.X.X.X:53
perl 25506 root 6u IPv4 255833 0t0 TCP X.X.X.X:52955->X.X.X.X:9306 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.27 1.75 2.45
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 01:21:04 up 1:40, 4 users, load average: 1.27, 1.75, 2.45
Tasks: 332 total, 2 running, 330 sleeping, 0 stopped, 0 zombie
%Cpu(s): 21.4 us, 4.2 sy, 0.0 ni, 70.5 id, 3.3 wa, 0.0 hi, 0.6 si, 0.0 st
KiB Mem: 32932032 total, 10582336 used, 22349696 free, 215680 buffers
KiB Swap: 16777212 total, 0 used, 16777212 free. 5468116 cached Mem

%CPU %MEM COMMAND
51.6 0.2 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
40.2 0.0 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-3 -i 3 -U
21.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-4 -i 4 -U
21.2 0.0 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
14.4 0.0 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-2 -i 2 -U
9.9 0.6 /usr/sbin/mysqld
6.4 0.1 wish /usr/bin/SO-user.tk
6.4 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
6.3 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
6.3 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
6.3 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
4.0 1.2 /usr/bin/searchd --nodetach
3.7 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-3.conf
3.1 0.0 /usr/bin/vmtoolsd -n vmusr
3.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
2.9 0.1 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
2.9 0.0 /usr/bin/vmtoolsd
2.8 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
2.6 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
2.3 1.9 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U
2.2 1.9 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-2.stats -U
2.2 1.9 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-4.stats -U
2.1 1.9 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-3.stats -U
2.1 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
1.6 0.1 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
1.4 0.0 [rcu_sched]
1.3 0.0 [jbd2/dm-0-8]
1.3 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystemload.so 8 10485795 systemload System Load Monitor Monitor CPU load, swap usage and memory footprint
1.2 0.2 nessusd -q
0.8 0.0 [rcuos/0]
0.7 0.0 [watchdog/1]
0.7 0.0 [watchdog/2]
0.6 0.0 [ksoftirqd/0]
0.6 0.0 [watchdog/0]
0.5 0.0 [watchdog/3]
0.5 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-2.conf
0.4 0.0 [ksoftirqd/2]
0.4 0.0 /var/ossec/bin/ossec-syscheckd
0.3 0.1 xfce4-terminal
0.2 0.0 [ksoftirqd/1]
0.2 0.0 [ksoftirqd/3]
0.2 0.0 init --user
0.2 0.1 Thunar --sm-client-id 21fe4e762-abdd-4a6f-b1ce-532b8ad1446c --daemon
0.2 0.0 [kworker/2:0]
0.2 0.0 sudo sostat-redacted
0.1 0.0 [rcuos/1]
0.1 0.0 [rcuos/2]
0.1 0.0 [rcuos/3]
0.1 0.0 [khugepaged]
0.1 0.0 /var/ossec/bin/ossec-analysisd
0.1 0.0 [kworker/u256:2]
0.1 0.0 [kworker/u256:1]
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [migration/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuob/1]
0.0 0.0 [migration/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuob/2]
0.0 0.0 [migration/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuob/3]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [kpsmoused]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [ttm_swap]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [scsi_tmf_5]
0.0 0.0 [scsi_eh_6]
0.0 0.0 [scsi_tmf_6]
0.0 0.0 [scsi_eh_7]
0.0 0.0 [scsi_tmf_7]
0.0 0.0 [scsi_eh_8]
0.0 0.0 [scsi_tmf_8]
0.0 0.0 [scsi_eh_9]
0.0 0.0 [scsi_tmf_9]
0.0 0.0 [scsi_eh_10]
0.0 0.0 [scsi_tmf_10]
0.0 0.0 [scsi_eh_11]
0.0 0.0 [scsi_tmf_11]
0.0 0.0 [scsi_eh_12]
0.0 0.0 [scsi_tmf_12]
0.0 0.0 [scsi_eh_13]
0.0 0.0 [scsi_tmf_13]
0.0 0.0 [scsi_eh_14]
0.0 0.0 [scsi_tmf_14]
0.0 0.0 [scsi_eh_15]
0.0 0.0 [scsi_tmf_15]
0.0 0.0 [scsi_eh_16]
0.0 0.0 [scsi_tmf_16]
0.0 0.0 [scsi_eh_17]
0.0 0.0 [scsi_tmf_17]
0.0 0.0 [scsi_eh_18]
0.0 0.0 [scsi_tmf_18]
0.0 0.0 [scsi_eh_19]
0.0 0.0 [scsi_tmf_19]
0.0 0.0 [scsi_eh_20]
0.0 0.0 [scsi_tmf_20]
0.0 0.0 [scsi_eh_21]
0.0 0.0 [scsi_tmf_21]
0.0 0.0 [scsi_eh_22]
0.0 0.0 [scsi_tmf_22]
0.0 0.0 [scsi_eh_23]
0.0 0.0 [scsi_tmf_23]
0.0 0.0 [scsi_eh_24]
0.0 0.0 [scsi_tmf_24]
0.0 0.0 [scsi_eh_25]
0.0 0.0 [scsi_tmf_25]
0.0 0.0 [scsi_eh_26]
0.0 0.0 [scsi_tmf_26]
0.0 0.0 [scsi_eh_27]
0.0 0.0 [scsi_tmf_27]
0.0 0.0 [scsi_eh_28]
0.0 0.0 [scsi_tmf_28]
0.0 0.0 [scsi_eh_29]
0.0 0.0 [scsi_tmf_29]
0.0 0.0 [scsi_eh_30]
0.0 0.0 [scsi_tmf_30]
0.0 0.0 [scsi_eh_31]
0.0 0.0 [scsi_tmf_31]
0.0 0.0 [scsi_eh_32]
0.0 0.0 [scsi_tmf_32]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [jbd2/sdb1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cron
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /opt/nessus/sbin/nessus-service -D -q
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-maild
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 lightdm
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 12 15
0.0 0.0 dbus-launch --autolaunch=b2cbdc0240a6788817140d9856c879ce --binary-syntax --close-stderr
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-X3Ss834dDu
0.0 0.0 upstart-event-bridge
0.0 0.0 gnome-keyring-daemon --start --components gpg
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.0 xfwm4 --display :0.0 --sm-client-id 2cc11d037-85dc-49af-9fae-9a99a18c9c84
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 xfce4-panel --display :0.0 --sm-client-id 2dca688cc-0bcc-4a87-af4c-e7ad123691f7
0.0 0.1 xfdesktop --display :0.0 --sm-client-id 25df2c7a3-3c72-4d4c-973a-0de0e13752fe
0.0 0.0 xfsettingsd --display :0.0 --sm-client-id 24cd96385-8fdf-4f15-9878-7ca736121e86
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 10485792 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 10485793 systray Notification Area Area where notification icons appear
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 10485794 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 xfce4-power-manager --restart --sm-client-id 22ae0fdf6-7cf3-4f8f-af1d-5d2726b69cd2
0.0 0.0 nm-applet
0.0 0.1 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 xfce4-volumed
0.0 0.0 xfce4-power-manager
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 update-notifier
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.14 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 sendmail: MTA: accepting connections
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 [kworker/0:1H]
0.0 0.2 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2016-02-22/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB --mmap
0.0 0.0 [kworker/2:1H]
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/3:0]
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 [kworker/2:1]
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-2.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-3.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-3.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-4.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-4.stats
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/3:1]
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.0 mousepad /home/SO-user/Desktop/SO-user
0.0 0.0 bash
0.0 0.0 bash
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/u256:3]
0.0 0.0 [kworker/1:2]
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 CRON
0.0 0.0 /bin/sh -c test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp
0.0 0.0 /bin/sh /usr/share/sendmail/sendmail cron-msp
0.0 0.0 sendmail: MSP: ./u1M11oZg022106 from queue
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/1:1]
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 2403

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 3 days
1.1T .
97G ./2016-02-20
954G ./2016-02-21
2.6M ./2016-02-22

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 3 days
24M .
4.1M ./2016-02-20
19M ./2016-02-21
164K ./2016-02-22
1.4M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth0-1: 1456104065.362125 recvd=4150 dropped=0 link=4150
SO-server-eth0-2: 1456104065.401744 recvd=854 dropped=0 link=854
SO-server-eth0-3: 1456104065.601563 recvd=6512 dropped=0 link=6512
SO-server-eth0-4: 1456104065.801395 recvd=1175 dropped=0 link=1175

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth0/snort-2.stats last reported pkt_drop_percent as 28.849
/nsm/sensor_data/SO-server-eth0/snort-3.stats last reported pkt_drop_percent as 3.303
/nsm/sensor_data/SO-server-eth0/snort-4.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 8

Standard (non DNA/ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/13041-eth0.4
Appl. Name : bro-eth0
Tot Packets : 6513
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/13045-eth0.1
Appl. Name : bro-eth0
Tot Packets : 4150
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/13050-eth0.3
Appl. Name : bro-eth0
Tot Packets : 854
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/13054-eth0.2
Appl. Name : bro-eth0
Tot Packets : 1175
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/13252-eth0.9
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 6251
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/13268-eth0.6
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 3912
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/13283-eth0.7
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 1110
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/13298-eth0.8
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 814
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
33474

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
714682 129:3 stream5: Data sent on stream not accepting data
32760 129:12 stream5: TCP Small Segment Threshold Exceeded
23332 129:17 stream5: ACK number is greater than prior FIN
3631 1:2101411 GPL SNMP public access udp
651 129:15 stream5: Reset outside window
620 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
219 119:19 http_inspect: LONG HEADER
165 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
112 1:2100651 GPL SHELLCODE x86 stealth NOOP
110 138:5 sensitive_data: sensitive data - eMail addresses
52 139:1 sensitive_data: sensitive data global threshold exceeded
41 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
39 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
36 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
33 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
31 119:33 http_inspect: UNESCAPED SPACE IN HTTP URI
30 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
25 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
18 129:14 stream5: TCP Timestamp is missing
18 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
15 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
13 1:2000418 ET POLICY Executable and linking format (ELF) file download
12 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
11 119:15 http_inspect: OVERSIZE REQUEST-URI DIRECTORY
11 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
10 1:2002910 ET SCAN Potential VNC Scan 5800-5820
9 1:2002911 ET SCAN Potential VNC Scan 5900-5920
8 129:19 stream5: TCP window closed before receiving data
7 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
6 1:2001219 ET SCAN Potential SSH Scan
5 1:2013929 ET POLICY HTTP traffic on port 443 (OPTIONS)
4 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
4 125:1 ftp_pp: Telnet command on FTP command channel
3 1:2100366 GPL ICMP_INFO PING *NIX
3 1:2100651 Snort Alert [1:2100651:10]
2 1:2002192 ET CHAT MSN status change
2 125:2 ftp_pp: Invalid FTP command
2 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
1 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
1 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
1 129:2 stream5: Data on SYN packet
1 1:2000032 ET NETBIOS LSA exploit
Total
776736

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
714682 129:3 stream5: Data sent on stream not accepting data
32760 129:12 stream5: TCP Small Segment Threshold Exceeded
23332 129:17 stream5: ACK number is greater than prior FIN
4614 1:2101411 GPL SNMP public access udp
673 129:15 stream5: Reset outside window
623 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
219 119:19 http_inspect: LONG HEADER
165 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
112 1:2100651 GPL SHELLCODE x86 stealth NOOP
110 138:5 sensitive_data: sensitive data - eMail addresses
52 139:1 sensitive_data: sensitive data global threshold exceeded
41 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
40 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
39 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
33 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
31 119:33 http_inspect: UNESCAPED SPACE IN HTTP URI
30 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
25 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
22 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
18 129:14 stream5: TCP Timestamp is missing
17 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
15 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
13 1:2102123 GPL EXPLOIT Microsoft cmd.exe banner
13 1:2000418 ET POLICY Executable and linking format (ELF) file download
11 119:15 http_inspect: OVERSIZE REQUEST-URI DIRECTORY
11 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
10 1:2002910 ET SCAN Potential VNC Scan 5800-5820
9 1:2002911 ET SCAN Potential VNC Scan 5900-5920
8 129:19 stream5: TCP window closed before receiving data
7 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
6 1:2001219 ET SCAN Potential SSH Scan
5 1:2013929 ET POLICY HTTP traffic on port 443 (OPTIONS)
5 1:2100366 GPL ICMP_INFO PING *NIX
4 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
4 125:1 ftp_pp: Telnet command on FTP command channel
3 1:2100651 Snort Alert [1:2100651:10]
3 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
2 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
2 1:2002192 ET CHAT MSN status change
2 125:2 ftp_pp: Invalid FTP command
1 1:2102314 GPL SHELLCODE x86 0x90 NOOP unicode
1 1:2100498 GPL ATTACK_RESPONSE id check returned root
1 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
1 1:2000032 ET NETBIOS LSA exploit
1 129:2 stream5: Data on SYN packet
Total
777776

=========================================================================
Last update
=========================================================================

Start-Date: 2016-02-21 04:08:24
Commandline: apt-get install mailutils
Install: libmailutils4:amd64 (2.99.98-1.1, automatic), libgc1c2:amd64 (7.2d-5ubuntu2, automatic), mailutils:amd64 (2.99.98-1.1), guile-2.0-libs:amd64 (2.0.9+1-1ubuntu1, automatic), mailutils-common:amd64 (2.99.98-1.1, automatic), libkyotocabinet16:amd64 (1.2.76-4, automatic), libgsasl7:amd64 (1.8.0-2ubuntu2, automatic), libntlm0:amd64 (1.4-1, automatic)
End-Date: 2016-02-21 04:08:36

Start-Date: 2016-02-21 15:01:47
Commandline: apt-get autoremove
Remove: gir1.2-json-1.0:amd64 (0.16.2-1ubuntu1), gir1.2-timezonemap-1.0:amd64 (0.4.1), libtimezonemap1:amd64 (0.4.1), linux-image-extra-3.19.0-43-generic:amd64 (3.19.0-43.49~14.04.1), linux-image-3.19.0-43-generic:amd64 (3.19.0-43.49~14.04.1), gir1.2-xkl-1.0:amd64 (5.4-0ubuntu1), linux-headers-3.19.0-43-generic:amd64 (3.19.0-43.49~14.04.1), linux-headers-3.19.0-43:amd64 (3.19.0-43.49~14.04.1)
End-Date: 2016-02-21 15:03:15

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
10984 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1776 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1725 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1755 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
1.3G /nsm/elsa/data
3.5M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-02-20 15:31:13 2016-02-22 01:20:49

Wes

unread,
Feb 21, 2016, 8:52:02 PM2/21/16
to security-onion

David,

That seems to be a very large number of Sguil alerts that are un-categorized. It is important to categorize these alerts, either through Autocat, or by logging into the console and F8'ing events as you see fit. Failure to do so could result in large load time for securityonion_db (sguild), delay in connections to the sguild server, and/or potential corruption of tables within securityonion_db. I would do what I can to get these remaining un-categorized alerts categorized immediately.

Also, I wouldn't be too worried about sguild.log growing unless you are receiving a large amount of error messages.

Your load/CPU usage doesn't appear to be terrible, based on the output.

In regard to barnyard2, it seems to be using a decent amount of CPU due to the fact that you are running several Snort IDS processes. Out of curiosity, how much traffic are you monitoring?

One thing you can do to assist with the load in regard to IDS processes is to ensure you prune rules so that you are only using rules relative to/necessary for your environment. I'm not sure what you are running at the moment, but the default is around 19-20k. You should be able to easily disable half of those, as they will likely not be applicable.

Thanks,
Wes

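The advice above comes down to three numbers in the sostat output: the uncategorized event count, the per-instance Snort drop percentage, and the handful of signatures that make up nearly all of yesterday's events (129:3 alone is over 90% of the total shown). The following script is an added example, not part of Security Onion or of Wes's reply: it parses a constructed excerpt in the shape of the sostat-redacted output posted above and reports the backlog, the Snort instances dropping packets, and the signatures that dominate the event table, which are the first ones to review for autocat or rule tuning. The 1% drop threshold and the 10% share threshold are assumptions chosen for illustration.

```python
"""Health check over sostat-redacted output (added example, not Security Onion code).

Flags an uncategorized-event backlog, Snort instances dropping packets, and
alert signatures that account for a large share of the day's events.
"""
import re

# Constructed excerpt in the shape of sostat-redacted output; not a real capture.
SAMPLE_SOSTAT = """\
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth0/snort-2.stats last reported pkt_drop_percent as 28.849
/nsm/sensor_data/SO-server-eth0/snort-3.stats last reported pkt_drop_percent as 3.303

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
33474

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
714682 129:3 stream5: Data sent on stream not accepting data
32760 129:12 stream5: TCP Small Segment Threshold Exceeded
3631 1:2101411 GPL SNMP public access udp
Total
751073
"""

# A section is a title line boxed by two lines of '=' followed by its body.
SECTION_RE = re.compile(r"^=+\n(.+?)\n=+\n(.*?)(?=^=+\n|\Z)", re.M | re.S)
DROP_RE = re.compile(r"^(\S+) last reported pkt_drop_percent as ([\d.]+)", re.M)
# Event summary rows: "<count> <genid:sigid> <signature name>"
SIG_RE = re.compile(r"^(\d+) (\d+:\d+) (.+)$", re.M)


def parse_sections(text):
    """Map each section title to its body text."""
    return {m.group(1).strip(): m.group(2) for m in SECTION_RE.finditer(text)}


def snort_drops(sections, threshold=1.0):
    """Return [(stats_file, percent)] for Snort instances dropping more than threshold %."""
    body = sections.get("IDS Engine (snort) packet drops", "")
    return [(f, float(p)) for f, p in DROP_RE.findall(body) if float(p) > threshold]


def uncategorized_count(sections):
    """Return the COUNT(*) value from the 'Sguil Uncategorized Events' section."""
    body = sections.get("Sguil Uncategorized Events", "")
    m = re.search(r"^\d+$", body, re.M)
    return int(m.group(0)) if m else 0


def signature_shares(sections, title="Sguil events summary for yesterday"):
    """Return [(genid:sigid, name, count, share)] where share is the fraction of all rows."""
    body = sections.get(title, "")
    rows = [(sid, name, int(n)) for n, sid, name in SIG_RE.findall(body)]
    total = sum(n for _, _, n in rows)
    return [(sid, name, n, n / total) for sid, name, n in rows] if total else []


def autocat_candidates(sections, min_share=0.10):
    """Signatures making up at least min_share of the day's events.

    A few signatures usually explain most of the backlog, so these are the ones
    to review first for autocat or for disabling/tuning the rule.
    """
    return [r for r in signature_shares(sections) if r[3] >= min_share]


def health_report(text):
    """Summarise the three numbers a reviewer cares about from one sostat run."""
    s = parse_sections(text)
    return {
        "uncategorized": uncategorized_count(s),
        "snort_drops": snort_drops(s),
        "autocat_candidates": [(sid, name) for sid, name, _, _ in autocat_candidates(s)],
    }


if __name__ == "__main__":
    for key, value in health_report(SAMPLE_SOSTAT).items():
        print(f"{key}: {value}")
```

Run it against a saved `sostat-redacted.txt` by reading the file into `health_report` instead of `SAMPLE_SOSTAT`; a non-empty `autocat_candidates` list is the signal to decide, per signature, whether it belongs in autocat.conf or whether the rule itself should be tuned.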

David J. Peck

unread,
Feb 21, 2016, 9:11:27 PM2/21/16
to securit...@googlegroups.com
Thanks Wes.

I just stood this up about 24 hours ago and am only monitoring about 15 systems (test network).

I will get in to the F8 to get those categorized. I was surprised it blew up that quick. It may have been an NMAP scan earlier that caused some.

I will also research on reducing the signatures. Not sure on how to do that yet.

Also I am running this in a VM with NSM mounted to another 5TB vmdsk.

I am running in a VM so I can snapshot back should the kernel get a little wonky. Is this ok or should I go for a machine and not VM?

Thanks for the help

Wes

unread,
Feb 21, 2016, 9:28:33 PM2/21/16
to security-onion
On Sunday, February 21, 2016 at 9:11:27 PM UTC-5, David wrote:
> Thanks Wes.
>
> I just stood this up about 24 hours ago and am only monitoring about 15 systems (test network).
>
> I will get in to the F8 to get those categorized. I was surprised it blew up that quick. It may have been an NMAP scan earlier that caused some.
>
> I will also research on reducing the signatures. Not sure on how to do that yet.
>
> Also I am running this in a VM with NSM mounted to another 5TB vmdsk.
>
> I am running in a VM so I can snapshot back should the kernel get a little wonky. Is this ok or should I go for a machine and not VM?
>
> Thanks for the help
>

David,

Once you get your autocats set up in Sguil, you probably won't have to manually F8 so many events, but you will still need to review them at least daily to ensure they don't continue to build.

You can try having a look here to tune your rules/manage your alerts:

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

With /nsm mounted to another disk you do gain the benefit of not corrupting/affecting the main partition if a disk capacity issue were to occur, so that's good.

Running a VM is fine in several cases. There are many folks who run Security Onion in VMs in Production environments, monitoring large amounts of traffic. VMs do provide the ability to conveniently backup/take a snapshot as well. I think that physical machines may perform better than VMs, but that is my opinion--I am sure this is hotly debated in several arenas.

Many individuals like to put their master server on a VM and have their sensors deployed on physical machines, which is something to think about. It seems as though you are running a standalone now, which, depending on the amount of traffic, could go either way. You also have to think about how you would mirror traffic in each manner, so I would think about that and also determine what best fits your organization's needs and budget. Again, these are just my personal opinions. Others may have different, duly supported ones. Hope this helps!

Thanks,
Wes
