Re: [security-onion] snort-1 fail

Doug Burks

Mar 20, 2013, 4:10:57 PM
to securit...@googlegroups.com
Please take a look at the Snort log file(s) for further clues as to
why Snort failed:
/var/log/nsm/$HOSTNAME-$INTERFACE/snortu-?.log

Doug

On Wed, Mar 20, 2013 at 3:41 PM, ido vxatre <psdtoh...@gmail.com> wrote:
> * snort-1 (alert data)[ FAIL ]
> * stale PID file found, process will be restarted at the next 5-minute interval!



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Mar 20, 2013, 7:20:20 PM
to securit...@googlegroups.com
I don't see any errors there.

Is that the entire snortu-1.log?

Is that the only snortu* file you have?

Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Wed, Mar 20, 2013 at 4:46 PM, ido vxatre <psdtoh...@gmail.com> wrote:
> snortu-1.log
>
>
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/nsm/dtt-eth0/snort.conf"
> PortVar 'HTTP_PORTS' defined : [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
> PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined : [ 22 ]
> PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
> PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
> Detection:
> Search-Method = AC-Full-Q
> Split Any/Any group = enabled
> Search-Method-Optimizations = enabled
> Maximum pattern length = 20
> Tagged Packet Limit: 256
> Reading filter from bpf file: /etc/nsm/dtt-eth0/bpf-ids.conf
> Snort BPF option:
> Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
> Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
> Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
> Log directory = /nsm/sensor_data/dtt-eth0/snort-1
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
> Max frags: 65536
> Fragment memory cap: 4194304 bytes
> Frag3 engine config:
> Bound Address: default
> Target-based policy: WINDOWS
> Fragment timeout: 180 seconds
> Fragment min_ttl: 1
> Fragment Anomalies: Alert
> Overlap Limit: 10
> Min fragment Length: 100
> Stream5 global config:
> Track TCP sessions: ACTIVE
> Max TCP sessions: 262144
> Memcap (for reassembly packet storage): 8388608
> Track UDP sessions: ACTIVE
> Max UDP sessions: 131072
> Track ICMP sessions: INACTIVE
> Track IP sessions: INACTIVE
> Log info if session memory consumption exceeds 1048576
> Send up to 2 active responses
> Wait at least 5 seconds between responses
> Protocol Aware Flushing: ACTIVE
> Maximum Flush Point: 16000
> Stream5 TCP Policy config:
> Bound Address: default
> Reassembly Policy: WINDOWS
> Timeout: 180 seconds
> Limit on TCP Overlaps: 10
> Maximum number of bytes to queue per session: 1048576
> Maximum number of segs to queue per session: 2621
> Options:
> Require 3-Way Handshake: YES
> 3-Way Handshake Timeout: 180
> Detect Anomalies: YES
> Reassembly Ports:
> 21 client (Footprint)
> 22 client (Footprint)
> 23 client (Footprint)
> 25 client (Footprint)
> 42 client (Footprint)
> 53 client (Footprint)
> 79 client (Footprint)
> 80 client (Footprint) server (Footprint)
> 81 client (Footprint) server (Footprint)
> 109 client (Footprint)
> 110 client (Footprint)
> 111 client (Footprint)
> 113 client (Footprint)
> 119 client (Footprint)
> 135 client (Footprint)
> 136 client (Footprint)
> 137 client (Footprint)
> 139 client (Footprint)
> 143 client (Footprint)
> 161 client (Footprint)
> additional ports configured but not printed.
> Stream5 UDP Policy config:
> Timeout: 180 seconds
> PerfMonitor config:
> Time: 300 seconds
> Flow Stats: INACTIVE
> Flow IP Stats: INACTIVE
> Event Stats: INACTIVE
> Max Perf Stats: INACTIVE
> Console Mode: INACTIVE
> File Mode: /nsm/sensor_data/dtt-eth0/snort-1.stats
> SnortFile Mode: INACTIVE
> Packet Count: 10000
> Dump Summary: No
> Max file size: 2147483648
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /etc/nsm/dtt-eth0/unicode.map
> IIS Unicode Map Codepage: 1252
> Memcap used for logging URI and Hostname: 150994944
> Max Gzip Memory: 838860
> Max Gzip Sessions: 5518
> Gzip Compress Depth: 65535
> Gzip Decompress Depth: 65535
> DEFAULT SERVER CONFIG:
> Server profile: All
> Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
> Server Flow Depth: 0
> Client Flow Depth: 0
> Max Chunk Length: 500000
> Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
> Max Header Field Length: 750
> Max Number Header Fields: 100
> Max Number of WhiteSpaces allowed with header folding: 0
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: NO
> Oversize Dir Length: 500
> Only inspect URI: NO
> Normalize HTTP Headers: NO
> Inspect HTTP Cookies: YES
> Inspect HTTP Responses: YES
> Extract Gzip from responses: YES
> Unlimited decompression of gzip data from responses: YES
> Normalize Javascripts in HTTP Responses: YES
> Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
> Normalize HTTP Cookies: NO
> Enable XFF and True Client IP: NO
> Log HTTP URI data: NO
> Log HTTP Hostname data: NO
> Extended ASCII code support in URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: NO
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: NO
> UTF 8: YES alert: NO
> IIS Unicode: YES alert: NO
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory Traversal: YES alert: NO
> Web Root Traversal: YES alert: NO
> Apache WhiteSpace: YES alert: NO
> IIS Delimiter: YES alert: NO
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
> Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
> Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
> alert_fragments: INACTIVE
> alert_large_fragments: INACTIVE
> alert_incomplete: INACTIVE
> alert_multiple_requests: INACTIVE
> FTPTelnet Config:
> GLOBAL CONFIG
> Inspection Type: stateful
> Check for Encrypted Traffic: YES alert: NO
> Continue to check encrypted data: NO
> TELNET CONFIG:
> Ports: 23
> Are You There Threshold: 20
> Normalize: YES
> Detect Anomalies: YES
> FTP CONFIG:
> FTP Server: default
> Ports (PAF): 21 2100 3535
> Check for Telnet Cmds: YES alert: YES
> Ignore Telnet Cmd Operations: YES alert: YES
> Identify open data channels: NO
> FTP Client: default
> Check for Bounce Attacks: YES alert: YES
> Check for Telnet Cmds: YES alert: YES
> Ignore Telnet Cmd Operations: YES alert: YES
> Max Response Length: 256
> SMTP Config:
> Ports: 25 465 587 691
> Inspection Type: Stateful
> Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
> Ignore Data: No
> Ignore TLS Data: No
> Ignore SMTP Alerts: No
> Max Command Line Length: 512
> Max Specific Command Line Length:
> ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
> EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
> ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
> IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
> QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
> SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
> TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
> XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
> XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
> XUSR:246
> Max Header Line Length: 1000
> Max Response Line Length: 512
> X-Link2State Alert: Yes
> Drop on X-Link2State Alert: No
> Alert on commands: None
> Alert on unknown commands: No
> SMTP Memcap: 838860
> MIME Max Mem: 838860
> Base64 Decoding: Enabled
> Base64 Decoding Depth: Unlimited
> Quoted-Printable Decoding: Enabled
> Quoted-Printable Decoding Depth: Unlimited
> Unix-to-Unix Decoding: Enabled
> Unix-to-Unix Decoding Depth: Unlimited
> Non-Encoded MIME attachment Extraction: Enabled
> Non-Encoded MIME attachment Extraction Depth: Unlimited
> Log Attachment filename: Enabled
> Log MAIL FROM Address: Enabled
> Log RCPT TO Addresses: Enabled
> Log Email Headers: Enabled
> Email Hdrs Log Depth: 1464
> SSH config:
> Autodetection: ENABLED
> Challenge-Response Overflow Alert: ENABLED
> SSH1 CRC32 Alert: ENABLED
> Server Version String Overflow Alert: ENABLED
> Protocol Mismatch Alert: ENABLED
> Bad Message Direction Alert: DISABLED
> Bad Payload Size Alert: DISABLED
> Unrecognized Version Alert: DISABLED
> Max Encrypted Packets: 20
> Max Server Version String Length: 100
> MaxClientBytes: 19600 (Default)
> Ports:
> 22
> DCE/RPC 2 Preprocessor Configuration
> Global Configuration
> DCE/RPC Defragmentation: Enabled
> Memcap: 102400 KB
> Events: co
> SMB Fingerprint policy: Disabled
> Server Default Configuration
> Policy: WinXP
> Detect ports (PAF)
> SMB: 139 445
> TCP: 135
> UDP: 135
> RPC over HTTP server: 593
> RPC over HTTP proxy: None
> Autodetect ports (PAF)
> SMB: None
> TCP: 1025-65535
> UDP: 1025-65535
> RPC over HTTP server: 1025-65535
> RPC over HTTP proxy: None
> Invalid SMB shares: C$ D$ ADMIN$
> Maximum SMB command chaining: 3 commands
> DNS config:
> DNS Client rdata txt Overflow Alert: ACTIVE
> Obsolete DNS RR Types Alert: INACTIVE
> Experimental DNS RR Types Alert: INACTIVE
> Ports: 53
> SSLPP config:
> Encrypted packets: not inspected
> Ports:
> 443 465 563 636 989
> 992 993 994 995 7801
> 7802 7900 7901 7902 7903
> 7904 7905 7906 7907 7908
> 7909 7910 7911 7912 7913
> 7914 7915 7916 7917 7918
> 7919 7920
> Server side data is trusted
> Sensitive Data preprocessor config:
> Global Alert Threshold: 25
> Masked Output: DISABLED
> SIP config:
> Max number of sessions: 40000
> Max number of dialogs in a session: 4 (Default)
> Status: ENABLED
> Ignore media channel: DISABLED
> Max URI length: 512
> Max Call ID length: 80
> Max Request name length: 20 (Default)
> Max From length: 256 (Default)
> Max To length: 256 (Default)
> Max Via length: 1024 (Default)
> Max Contact length: 512
> Max Content length: 2048
> Ports:
> 5060 5061 5600
> Methods:
> invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
> IMAP Config:
> Ports: 143
> IMAP Memcap: 838860
> Base64 Decoding: Enabled
> Base64 Decoding Depth: Unlimited
> Quoted-Printable Decoding: Enabled
> Quoted-Printable Decoding Depth: Unlimited
> Unix-to-Unix Decoding: Enabled
> Unix-to-Unix Decoding Depth: Unlimited
> Non-Encoded MIME attachment Extraction: Enabled
> Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
> Ports: 110
> POP Memcap: 838860
> Base64 Decoding: Enabled
> Base64 Decoding Depth: Unlimited
> Quoted-Printable Decoding: Enabled
> Quoted-Printable Decoding Depth: Unlimited
> Unix-to-Unix Decoding: Enabled
> Unix-to-Unix Decoding Depth: Unlimited
> Non-Encoded MIME attachment Extraction: Enabled
> Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
> Ports:
> 502
> DNP3 config:
> Memcap: 262144
> Check Link-Layer CRCs: ENABLED
> Ports:
> 20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> WARNING: /etc/nsm/rules/downloaded.rules(11) threshold (in rule) is deprecated; use detection_filter instead.
>
> WARNING: /etc/nsm/rules/downloaded.rules(12917) relative rule option used after fast_pattern:only
> 13642 Snort rules read
> 13642 detection rules
> 0 decoder rules
> 0 preprocessor rules
> 13642 Option Chains linked into 1820 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
> WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option.
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated
> WARNING: flowbits key 'ET.Fareit.chk' is set but not ever checked.
> WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
> WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
> WARNING: flowbits key 'ET.http.rtf.download' is set but not ever checked.
> WARNING: flowbits key 'ET.iTunes.vuln' is set but not ever checked.
> WARNING: flowbits key 'ET.Evil' is set but not ever checked.
> WARNING: flowbits key 'ET.RBN' is set but not ever checked.
> WARNING: flowbits key 'ET.TorIP' is set but not ever checked.
> WARNING: flowbits key 'ET.HTTP.at.SSL' is set but not ever checked.
> WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
> WARNING: flowbits key 'is_ssh_server_banner' is set but not ever checked.
> WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
> WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
> 106 out of 1024 flowbits in use.
>
>
>
> //////////////////////////////

Doug Burks

Mar 21, 2013, 7:43:21 AM
to securit...@googlegroups.com
Looks like you were having trouble with the PF_RING module. Please
try the following to make sure that it's up-to-date for your kernel:
sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot

If you continue to have problems, please send another "sudo sostat"
and the latest Snort log file.

Thanks,
Doug

On Wed, Mar 20, 2013 at 8:36 PM, ido vxatre <psdtoh...@gmail.com> wrote:
> pfring DAQ configured to passive.
> ERROR: Can't initialize DAQ pfring (-1) -
> Fatal Error, Quitting..
>
> in the file snort_agent-1.log.20130320
> I tried to upload the file, but it gives me error 340# in the comment
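
Added example, not part of the original thread: a POSIX shell script for the two checks made in the messages above, listing the services that sostat marks FAIL and separating Snort's routine startup WARNING lines from the lines that actually stop it. The function names are hypothetical, the sample inputs are assembled from lines quoted in this thread, and the sostat layout is assumed to be the one shown here.

```shell
#!/bin/sh
# Added triage example (not from the thread's author or the Security Onion project).
# On a sensor the same functions take the real data, e.g.:
#   sudo sostat | failed_services
#   snort_log_verdict < /var/log/nsm/$HOSTNAME-$INTERFACE/snortu-1.log

# Print "<sensor> <service>" for every service line that ends in [ FAIL ].
# Assumes the "Status: <name>" / "* <service> (<description>)[ FAIL ]" layout
# seen in this thread.
failed_services() {
  awk '
    /^[ \t]*Status:/ { sensor = $2; next }        # remember the current status block
    /\[[ \t]*FAIL[ \t]*\]/ {
      line = $0
      sub(/^[ \t]*\*[ \t]*/, "", line)            # drop the leading "* "
      sub(/[ \t]*(\(|\[).*$/, "", line)           # drop "(description)[ FAIL ]"
      print sensor, line
    }'
}

# Summarise a Snort startup log: WARNING lines are counted separately from
# the ERROR / "Fatal Error" lines that explain why the process exited.
snort_log_verdict() {
  awk '
    /^WARNING:/                { warnings++ }
    /^ERROR:/ || /Fatal Error/ { fatal++ }
    END { printf "fatal=%d warnings=%d\n", fatal, warnings }'
}

# Print only the lines that stopped Snort (empty output if there are none).
snort_fatal_lines() {
  grep -E '^ERROR:|Fatal Error' || true
}

# Constructed sample: service status lines as quoted in this thread.
sample_sostat() {
  cat <<'EOF'
Status: securityonion
  * sguil server[ OK ]
Status: dtt-eth0
  * netsniff-ng (full packet data)[ OK ]
  * pcap_agent (sguil)[ OK ]
  * snort_agent-1 (sguil)[ FAIL ]
  * snort-1 (alert data)[ FAIL ]
  * barnyard2-1 (spooler, unified2 format)[ FAIL ]
  * argus[ FAIL ]
EOF
}

# Constructed sample: a few startup lines plus the DAQ failure quoted above.
sample_snort_log() {
  cat <<'EOF'
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
WARNING: ip4 normalizations disabled because not inline.
106 out of 1024 flowbits in use.
pfring DAQ configured to passive.
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..
EOF
}

# Demo run on the constructed samples.
sample_sostat | failed_services
sample_snort_log | snort_log_verdict
sample_snort_log | snort_fatal_lines
```

A log that reports `fatal=0` while the service still shows FAIL means the cause is recorded elsewhere, which is why the replies above ask for the other log files and the full sostat output.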

Doug Burks

Mar 21, 2013, 8:59:00 AM
to securit...@googlegroups.com
You've got lots of failures there:

Status: dtt-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ FAIL ]
* snort-1 (alert data)[ FAIL ]
* barnyard2-1 (spooler, unified2 format)[ FAIL ]
* prads (sessions/assets)[ FAIL ]
* sancp_agent (sguil)[ FAIL ]
* pads_agent (sguil)[ FAIL ]
* argus[ FAIL ]
* http_agent (sguil)[ FAIL ]


And you only have one NIC:

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 08:00:27:2f:c0:7c
inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe2f:c07c/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:92 errors:0 dropped:0 overruns:0 frame:0
TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12816 (12.8 KB) TX bytes:12719 (12.7 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:84 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10389 (10.3 KB) TX bytes:10389 (10.3 KB)

At this point, I'd recommend the following:

- make sure that you have at least two NICs, one for management and
one for sniffing

- perform a fresh installation using our ISO image and the instructions here:
https://code.google.com/p/security-onion/wiki/Installation

- you should probably follow the QUICK instructions just so you can
have the system up and running quickly:

What's the QUICKEST way to install Security Onion?

Download our ISO image (based on Xubuntu 12.04 64-bit) from
Sourceforge or via Torrent.
Boot the ISO image, follow the prompts in the Xubuntu installer to
install to your hard drive, and then reboot into your new
installation.
Double-click the Setup wizard on the Desktop and follow the prompts.

- once you've verified that everything works properly, you can try
again using one of the other installation methods

Hope that helps!

Thanks,
Doug

On Thu, Mar 21, 2013 at 8:38 AM, ido vxatre <psdtoh...@gmail.com> wrote:
> sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot ... I did that;
> it is not helping,
> and my last log file gives the same DAQ error
>
>
>
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> bro standalone localhost running 2753 0 21 Mar 12:34:19
> Status: dtt-eth0
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ FAIL ]
> * snort-1 (alert data)[ FAIL ]
> * barnyard2-1 (spooler, unified2 format)[ FAIL ]
> * prads (sessions/assets)[ FAIL ]
> * sancp_agent (sguil)[ FAIL ]
> * pads_agent (sguil)[ FAIL ]
> * argus[ FAIL ]
> * http_agent (sguil)[ FAIL ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 08:00:27:2f:c0:7c
> inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::a00:27ff:fe2f:c07c/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:92 errors:0 dropped:0 overruns:0 frame:0
> TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:12816 (12.8 KB) TX bytes:12719 (12.7 KB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:84 errors:0 dropped:0 overruns:0 frame:0
> TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:10389 (10.3 KB) TX bytes:10389 (10.3 KB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 9.9G 4.6G 4.8G 50% /
> udev 1.8G 4.0K 1.8G 1% /dev
> tmpfs 725M 780K 724M 1% /run
> none 5.0M 0 5.0M 0% /run/lock
> none 1.8G 88K 1.8G 1% /run/shm
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> cupsd 856 root 8u IPv6 8254 0t0 TCP [::1]:631 (LISTEN)
> cupsd 856 root 9u IPv4 8255 0t0 TCP 127.0.0.1:631 (LISTEN)
> avahi-dae 884 avahi 12u IPv4 8164 0t0 UDP *:5353
> avahi-dae 884 avahi 13u IPv6 8165 0t0 UDP *:5353
> avahi-dae 884 avahi 14u IPv4 8166 0t0 UDP *:52987
> avahi-dae 884 avahi 15u IPv6 8167 0t0 UDP *:58465
> dhclient3 1007 root 6u IPv4 8177 0t0 UDP *:68
> sshd 1069 root 3r IPv4 8759 0t0 TCP *:22 (LISTEN)
> sshd 1069 root 4u IPv6 8761 0t0 TCP *:22 (LISTEN)
> mysqld 1239 mysql 10u IPv4 9398 0t0 TCP 127.0.0.1:3306 (LISTEN)
> ntpd 1575 ntp 16u IPv4 9898 0t0 UDP *:123
> ntpd 1575 ntp 17u IPv6 9899 0t0 UDP *:123
> ntpd 1575 ntp 18u IPv4 9906 0t0 UDP 127.0.0.1:123
> ntpd 1575 ntp 19u IPv4 9907 0t0 UDP 192.168.1.7:123
> ntpd 1575 ntp 20u IPv6 9908 0t0 UDP [fe80::a00:27ff:fe2f:c07c]:123
> ntpd 1575 ntp 21u IPv6 9909 0t0 UDP [::1]:123
> /usr/sbin 1789 root 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1789 root 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1789 root 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1853 www-data 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1853 www-data 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1853 www-data 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1854 www-data 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1854 www-data 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1854 www-data 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1855 www-data 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1855 www-data 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1855 www-data 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1856 www-data 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1856 www-data 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1856 www-data 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1857 www-data 4u IPv4 10237 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1857 www-data 5u IPv4 10240 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1857 www-data 6u IPv4 10250 0t0 TCP *:444 (LISTEN)
> tclsh 2480 root 13u IPv4 14801 0t0 TCP *:7734 (LISTEN)
> tclsh 2480 root 14u IPv4 14802 0t0 TCP *:7736 (LISTEN)
> tclsh 2480 root 15u IPv4 14815 0t0 TCP 127.0.0.1:7736->127.0.0.1:57834 (ESTABLISHED)
> tclsh 2480 root 16u IPv4 15851 0t0 TCP 127.0.0.1:7736->127.0.0.1:57835 (ESTABLISHED)
> tclsh 2480 root 17u IPv4 16088 0t0 TCP 127.0.0.1:7736->127.0.0.1:57837 (ESTABLISHED)
> tclsh 2521 root 3u IPv4 14814 0t0 TCP 127.0.0.1:57834->127.0.0.1:7736 (ESTABLISHED)
> bro 2753 root 4u IPv4 15182 0t0 UDP 192.168.1.7:59347->213.57.2.5:53
> bro 2862 root 0u IPv4 15415 0t0 TCP *:47760 (LISTEN)
> bro 2862 root 1u IPv6 15416 0t0 TCP *:47760 (LISTEN)
> bro 2862 root 4u IPv4 15182 0t0 UDP 192.168.1.7:59347->213.57.2.5:53
> tclsh 2993 root 3u IPv4 15850 0t0 TCP 127.0.0.1:57835->127.0.0.1:7736 (ESTABLISHED)
> tclsh 3087 root 3u IPv4 16087 0t0 TCP 127.0.0.1:57837->127.0.0.1:7736 (ESTABLISHED)
> tclsh 3087 root 4u IPv4 16089 0t0 TCP 127.0.0.1:8001 (LISTEN)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 12:34:29 up 1 min, 1 user, load average: 2.95, 1.09, 0.40
> Tasks: 163 total, 1 running, 161 sleeping, 0 stopped, 1 zombie
> Cpu(s): 20.8%us, 30.8%sy, 2.0%ni, 25.6%id, 19.7%wa, 0.0%hi, 1.2%si, 0.0%st
> Mem: 3707972k total, 942924k used, 2765048k free, 31216k buffers
> Swap: 5700124k total, 0k used, 5700124k free, 257336k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 2753 root 20 0 654m 24m 8276 S 26.8 0.7 0:01.57 bro
> 3146 root 20 0 59892 11m 1608 D 19.2 0.3 0:00.10 snort
> 2862 root 25 5 206m 21m 4964 S 9.6 0.6 0:00.47 bro
> 2501 root 20 0 18508 2232 1316 S 3.8 0.1 0:00.12 nsm_sensor_ps-s
> 3 root 20 0 0 0 0 S 1.9 0.0 0:00.20 ksoftirqd/0
> 1 root 20 0 24592 2520 1372 S 0.0 0.1 0:01.92 init
> 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
> 4 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0
> 5 root 20 0 0 0 0 S 0.0 0.0 0:00.38 kworker/u:0
> 6 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
> 7 root RT 0 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
> 8 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
> 9 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
> 10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
> 11 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
> 12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 sync_supers
> 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
> 14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
> 15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
> 16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
> 17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
> 18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
> 19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:1
> 20 root 20 0 0 0 0 S 0.0 0.0 0:00.15 kworker/0:1
> 21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
> 22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
> 23 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
> 24 root 39 19 0 0 0 S 0.0 0.0 0:00.00 khugepaged
> 25 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
> 26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
> 27 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
> 35 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
> 36 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
> 37 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:2
> 38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
> 39 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
> 40 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:3
> 41 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:4
> 42 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:5
> 43 root 20 0 0 0 0 S 0.0 0.0 0:00.20 kworker/0:2
> 62 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 devfreq_wq
> 295 root 20 0 0 0 0 S 0.0 0.0 0:00.03 jbd2/sda1-8
> 296 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
> 364 root 20 0 0 0 0 S 0.0 0.0 0:00.03 flush-8:0
> 365 root 20 0 0 0 0 S 0.0 0.0 0:00.00 flush-251:0
> 402 root 20 0 17364 640 452 S 0.0 0.0 0:00.10 upstart-udev-br
> 407 root 20 0 21812 1524 824 S 0.0 0.0 0:00.17 udevd
> 609 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
> 675 root 20 0 21808 1092 384 S 0.0 0.0 0:00.00 udevd
> 690 root 20 0 21808 1072 364 S 0.0 0.0 0:00.00 udevd
> 699 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpathd
> 700 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpath_handlerd
> 768 root 20 0 15188 388 200 S 0.0 0.0 0:00.01 upstart-socket-
> 775 messageb 20 0 24596 1708 820 S 0.0 0.0 0:00.20 dbus-daemon
> 834 root 20 0 21320 1708 1428 S 0.0 0.0 0:00.00 bluetoothd
> 856 root 20 0 101m 3936 2940 S 0.0 0.1 0:00.07 cupsd
> 867 root 10 -10 0 0 0 S 0.0 0.0 0:00.00 krfcommd
> 884 avahi 20 0 32304 1740 1436 S 0.0 0.0 0:00.04 avahi-daemon
> 885 avahi 20 0 32180 468 212 S 0.0 0.0 0:00.00 avahi-daemon
> 1007 root 20 0 7264 600 108 S 0.0 0.0 0:00.00 dhclient3
> 1069 root 20 0 49956 2852 2248 S 0.0 0.1 0:00.01 sshd
> 1180 root 20 0 20024 964 804 S 0.0 0.0 0:00.01 getty
> 1184 root 20 0 20024 968 804 S 0.0 0.0 0:00.00 getty
> 1198 root 20 0 20024 960 804 S 0.0 0.0 0:00.00 getty
> 1199 root 20 0 20024 956 804 S 0.0 0.0 0:00.00 getty
> 1205 root 20 0 20024 964 804 S 0.0 0.0 0:00.00 getty
> 1206 root 20 0 4400 612 508 S 0.0 0.0 0:00.01 sh
> 1211 root 20 0 26780 440 200 S 0.0 0.0 0:00.00 syslog-ng
> 1212 root 20 0 84716 3700 2736 S 0.0 0.1 0:00.08 syslog-ng
> 1223 root 20 0 4460 820 556 S 0.0 0.0 0:00.01 acpid
> 1225 root 20 0 19112 1000 772 S 0.0 0.0 0:00.01 cron
> 1227 daemon 20 0 16908 380 220 S 0.0 0.0 0:00.00 atd
> 1228 root 20 0 280m 4284 3520 S 0.0 0.1 0:00.12 lightdm
> 1239 mysql 20 0 609m 52m 7604 S 0.0 1.4 0:00.67 mysqld
> 1291 root 20 0 172m 36m 11m S 0.0 1.0 0:02.35 Xorg
> 1332 root 20 0 12804 536 352 S 0.0 0.0 0:00.00 ossec-execd
> 1336 ossec 20 0 14508 2340 780 S 0.0 0.1 0:00.10 ossec-analysisd
> 1348 root 20 0 4528 516 376 S 0.0 0.0 0:00.00 ossec-logcollec
> 1374 root 20 0 4692 664 480 S 0.0 0.0 0:00.01 ossec-syscheckd
> 1378 root 20 0 183m 4880 3884 S 0.0 0.1 0:00.08 lightdm
> 1381 ossec 20 0 13060 548 364 S 0.0 0.0 0:00.00 ossec-monitord
> 1387 root 20 0 132m 4488 3720 S 0.0 0.1 0:00.11 accounts-daemon
> 1398 root 20 0 207m 4844 3640 S 0.0 0.1 0:00.13 polkitd
> 1475 root 20 0 570m 3868 2844 S 0.0 0.1 0:00.09 console-kit-dae
> 1575 ntp 20 0 37696 2200 1572 S 0.0 0.1 0:00.05 ntpd
> 1591 v2 20 0 4400 696 580 S 0.0 0.0 0:00.09 sh
> 1685 v2 20 0 12492 320 0 S 0.0 0.0 0:00.00 ssh-agent
> 1687 root 20 0 4400 616 512 S 0.0 0.0 0:00.00 sh
> 1691 root 20 0 4400 320 216 S 0.0 0.0 0:00.00 sh
> 1695 v2 20 0 26556 788 472 S 0.0 0.0 0:00.00 dbus-launch
> 1705 root 20 0 4308 356 276 S 0.0 0.0 0:00.00 sleep
> 1714 v2 20 0 25456 1804 608 S 0.0 0.0 0:00.23 dbus-daemon
> 1750 v2 20 0 47604 2748 2200 S 0.0 0.1 0:00.05 xfconfd
> 1780 v2 20 0 63860 2660 2032 S 0.0 0.1 0:00.09 xscreensaver
> 1782 v2 20 0 158m 6552 5140 S 0.0 0.2 0:00.18 xfce4-session
> 1789 root 20 0 176m 12m 6564 S 0.0 0.3 0:00.17 /usr/sbin/apach
> 1794 root 20 0 215m 2064 1772 S 0.0 0.1 0:00.01 PassengerWatchd
> 1797 root 20 0 288m 2284 1996 S 0.0 0.1 0:00.02 PassengerHelper
> 1799 root 20 0 108m 8168 2148 S 0.0 0.2 0:00.11 ruby1.9.1
> 1802 nobody 20 0 165m 4676 3648 S 0.0 0.1 0:00.04 PassengerLoggin
> 1832 v2 20 0 154m 10m 8132 S 0.0 0.3 0:00.32 xfwm4
> 1834 v2 20 0 296m 20m 10m S 0.0 0.6 0:00.50 xfce4-panel
> 1836 v2 20 0 161m 7596 6132 S 0.0 0.2 0:00.09 Thunar
> 1838 v2 20 0 305m 18m 11m S 0.0 0.5 0:00.56 xfdesktop
> 1844 v2 20 0 128m 3908 2672 S 0.0 0.1 0:00.03 xfsettingsd
> 1851 v2 20 0 383m 12m 9616 S 0.0 0.3 0:00.25 update-notifier
> 1853 www-data 20 0 176m 6852 660 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 1854 www-data 20 0 176m 6852 660 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 1855 www-data 20 0 176m 6852 660 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 1856 www-data 20 0 176m 6852 660 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 1857 www-data 20 0 176m 6852 660 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 1884 v2 20 0 212m 4472 3172 S 0.0 0.1 0:00.06 xfce4-power-man
> 1886 v2 20 0 52420 2452 2048 S 0.0 0.1 0:00.03 gvfsd
> 1893 v2 20 0 577m 31m 14m S 0.0 0.9 0:00.61 blueman-applet
> 1894 v2 20 0 737m 9480 6420 S 0.0 0.3 0:00.14 xfce4-volumed
> 1896 v2 20 0 215m 3612 2996 S 0.0 0.1 0:00.03 gvfs-fuse-daemo
> 1900 v2 20 0 256m 23m 11m S 0.0 0.6 0:00.36 applet.py
> 1902 v2 9 -11 348m 5652 3728 S 0.0 0.2 0:00.38 pulseaudio
> 1904 rtkit 21 1 164m 1312 1088 S 0.0 0.0 0:00.03 rtkit-daemon
> 1921 v2 20 0 451m 15m 11m S 0.0 0.4 0:00.23 nm-applet
> 1935 root 20 0 116m 3608 2892 S 0.0 0.1 0:00.07 udisks-daemon
> 1947 v2 20 0 186m 5656 4536 S 0.0 0.2 0:00.05 polkit-gnome-au
> 1948 v2 20 0 150m 3832 2436 S 0.0 0.1 0:00.09 xfce4-settings-
> 1952 v2 20 0 138m 5284 4200 S 0.0 0.1 0:00.05 xfce4-notifyd
> 1953 root 20 0 45516 804 448 S 0.0 0.0 0:00.00 udisks-daemon
> 1959 root 20 0 214m 4312 3344 S 0.0 0.1 0:00.08 upowerd
> 1972 v2 20 0 217m 8400 5536 S 0.0 0.2 0:00.10 tumblerd
> 1985 v2 20 0 149m 7200 5660 S 0.0 0.2 0:00.09 panel-4-systray
> 1992 v2 20 0 407m 13m 9916 S 0.0 0.4 0:00.21 xfce4-indicator
> 2007 v2 20 0 148m 8692 6952 S 0.0 0.2 0:00.10 panel-7-datetim
> 2033 v2 20 0 169m 9.8m 7292 S 0.0 0.3 0:00.11 panel-9-xfsm-lo
> 2044 root 20 0 4400 612 512 S 0.0 0.0 0:00.00 ondemand
> 2049 root 20 0 4308 356 276 S 0.0 0.0 0:00.00 sleep
> 2061 v2 20 0 57120 2700 1968 S 0.0 0.1 0:00.03 gconfd-2
> 2071 root 20 0 20024 960 800 S 0.0 0.0 0:00.00 getty
> 2092 v2 20 0 80680 4312 3508 S 0.0 0.1 0:00.04 gvfs-gdu-volume
> 2128 v2 20 0 190m 10m 7828 S 0.0 0.3 0:00.12 panel-24-thunar
> 2130 v2 20 0 138m 2512 2016 S 0.0 0.1 0:00.01 gvfs-afc-volume
> 2133 v2 20 0 60376 2440 1916 S 0.0 0.1 0:00.01 gvfs-gphoto2-vo
> 2135 v2 20 0 69508 4012 3340 S 0.0 0.1 0:00.03 gvfsd-trash
> 2138 v2 20 0 339m 4804 3820 S 0.0 0.1 0:00.08 indicator-appli
> 2141 v2 20 0 524m 7524 5932 S 0.0 0.2 0:00.09 indicator-sound
> 2142 v2 20 0 642m 6756 5164 S 0.0 0.2 0:00.11 indicator-messa
> 2176 v2 20 0 57824 2596 2144 S 0.0 0.1 0:00.02 obex-data-serve
> 2375 v2 20 0 259m 14m 10m S 0.0 0.4 0:00.29 xfce4-terminal
> 2376 v2 20 0 0 0 0 Z 0.0 0.0 0:00.00 xfce4-ter <defunct>
> 2377 v2 20 0 27432 4416 1680 S 0.0 0.1 0:00.24 bash
> 2432 root 20 0 17860 1456 1204 S 0.0 0.0 0:00.02 nsm
> 2435 root 20 0 18388 2064 1284 S 0.0 0.1 0:00.03 nsm
> 2480 root 20 0 120m 8564 3788 S 0.0 0.2 0:00.29 tclsh
> 2494 root 20 0 18372 2056 1292 S 0.0 0.1 0:00.02 nsm_sensor
> 2508 root 20 0 118m 3420 776 S 0.0 0.1 0:00.00 tclsh
> 2509 root 20 0 118m 3224 568 S 0.0 0.1 0:00.00 tclsh
> 2521 root 20 0 37872 5112 2600 S 0.0 0.1 0:00.02 tclsh
> 2522 root 20 0 4340 356 280 S 0.0 0.0 0:00.00 tail
> 2583 root 20 0 78400 2544 1812 S 0.0 0.1 0:00.03 sudo
> 2600 root 20 0 17884 1596 1316 S 0.0 0.0 0:00.02 bash
> 2861 root 20 0 16556 1472 1248 S 0.0 0.0 0:00.02 sostat
> 2930 root 20 0 267m 254m 239m S 0.0 7.0 0:00.22 netsniff-ng
> 2993 root 20 0 33408 5156 3020 S 0.0 0.1 0:00.07 tclsh
> 3087 root 20 0 33004 4844 2980 S 0.0 0.1 0:00.03 tclsh
> 3138 root 20 0 17336 1260 896 R 0.0 0.0 0:00.00 top
> 3147 root 20 0 4308 352 276 S 0.0 0.0 0:00.00 sleep
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/dtt-eth0/dailylogs/
> 58M .
> 39M ./2013-03-20
> 19M ./2013-03-21
>
> /nsm/bro/logs/
> 836K .
> 584K ./2013-03-20
> 192K ./2013-03-21
> 56K ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> grep: /nsm/sensor_data/*/snort-*.stats: No such file or directory
> ERROR: No stats found in /nsm/sensor_data/*/snort-*.stats
>
> =========================================================================
> pf_ring stats
> =========================================================================
> egrep: /proc/net/pf_ring/*: No such file or directory
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 62 |
> +----------+
>
> =========================================================================
> Sguil events summary for yesterday
> =========================================================================
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | Totals | GenID:SigID | Signature |
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | 2 | 10000:1 | PADS New Asset - smb Windows SMB |
> | 2 | 10000:1 | PADS New Asset - unknown @ntp |
> | 2 | 10000:1 | PADS New Asset - unknown @https |
> | 1 | 10000:1 | PADS New Asset - http Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 |
> | 1 | 10000:1 | PADS New Asset - ssl TLS 1.0 Client Hello |
> | 1 | 10000:1 | PADS New Asset - unknown @domain |
> | 1 | 10000:1 | PADS New Asset - http Ruby |
> | 1 | 10000:1 | PADS New Asset - unknown @ftp |
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> +-------+
> | Total |
> +-------+
> | 11 |
> +-------+
>
> =========================================================================
> Top 50 All time Sguil Events
> =========================================================================
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | Totals | GenID:SigID | Signature |
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | 4 | 10000:1 | PADS New Asset - unknown @https |
> | 3 | 10000:1 | PADS New Asset - http Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 |
> | 3 | 10000:1 | PADS New Asset - unknown @ntp |
> | 2 | 10000:1 | PADS New Asset - smb Windows SMB |
> | 1 | 10000:1 | PADS New Asset - unknown @ftp |
> | 1 | 10000:1 | PADS New Asset - ssl TLS 1.0 Client Hello |
> | 1 | 10000:1 | PADS New Asset - unknown @domain |
> | 1 | 10000:1 | PADS New Asset - http Ruby |
> +--------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
> +-------+
> | Total |
> +-------+
> | 16 |
> +-------+
>
> =========================================================================
> Top 50 URLs for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Snorby Events Summary for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Top 50 All Time Snorby Events
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |

Doug Burks

Mar 22, 2013, 7:13:17 AM
to securit...@googlegroups.com
Snort has to process a certain amount of traffic before it writes
snort.stats to disk, so this may only be a temporary error.

I did notice, however, that you're sniffing eth1 and it has an IP
address assigned. You want one NIC with an IP address for management
and a separate NIC with *no* IP address for sniffing traffic received
from a tap or span port.

Doug

On Fri, Mar 22, 2013 at 7:08 AM, ido vxatre <psdtoh...@gmail.com> wrote:
> I installed again and I get a new error
> ERROR: No stats found in /nsm/sensor_data/cold1-eth1/snort-1.stats
>
>
>
>
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> bro standalone localhost running 5198 0 22 Mar 10:53:51
> Status: cold1-eth1
> * netsniff-ng (full packet data)[ OK ]
> * pcap_agent (sguil)[ OK ]
> * snort_agent-1 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 08:00:27:0f:d8:eb
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:585 errors:0 dropped:0 overruns:0 frame:0
> TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:159664 (159.6 KB) TX bytes:1132 (1.1 KB)
>
> eth1 Link encap:Ethernet HWaddr 08:00:27:75:fd:36
> inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::a00:27ff:fe75:fd36/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:26399 errors:0 dropped:0 overruns:0 frame:0
> TX packets:12431 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:36341493 (36.3 MB) TX bytes:1086909 (1.0 MB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:129462 errors:0 dropped:0 overruns:0 frame:0
> TX packets:129462 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:13340608 (13.3 MB) TX bytes:13340608 (13.3 MB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 12G 4.6G 6.0G 44% /
> udev 1.8G 4.0K 1.8G 1% /dev
> tmpfs 725M 812K 724M 1% /run
> none 5.0M 0 5.0M 0% /run/lock
> none 1.8G 220K 1.8G 1% /run/shm
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> avahi-dae 533 avahi 12u IPv4 7523 0t0 UDP *:5353
> avahi-dae 533 avahi 13u IPv6 7524 0t0 UDP *:5353
> avahi-dae 533 avahi 14u IPv4 7525 0t0 UDP *:48110
> avahi-dae 533 avahi 15u IPv6 7526 0t0 UDP *:55766
> cupsd 563 root 8u IPv4 7604 0t0 TCP 127.0.0.1:631 (LISTEN)
> dhclient3 981 root 6u IPv4 7834 0t0 UDP *:68
> sshd 1091 root 3r IPv4 8878 0t0 TCP *:22 (LISTEN)
> sshd 1091 root 4u IPv6 8880 0t0 TCP *:22 (LISTEN)
> mysqld 1297 mysql 10u IPv4 9759 0t0 TCP 127.0.0.1:3306 (LISTEN)
> mysqld 1297 mysql 72u IPv4 20031 0t0 TCP 127.0.0.1:3306->127.0.0.1:44086 (ESTABLISHED)
> /usr/sbin 1775 root 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1775 root 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1775 root 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1775 root 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> ntpd 1949 ntp 16u IPv4 11477 0t0 UDP *:123
> ntpd 1949 ntp 17u IPv6 11479 0t0 UDP *:123
> ntpd 1949 ntp 18u IPv4 11489 0t0 UDP 127.0.0.1:123
> ntpd 1949 ntp 19u IPv4 11490 0t0 UDP 192.168.1.13:123
> ntpd 1949 ntp 20u IPv6 11491 0t0 UDP [fe80::a00:27ff:fe75:fd36]:123
> ntpd 1949 ntp 21u IPv6 11492 0t0 UDP [::1]:123
> tclsh 5100 root 13u IPv4 15689 0t0 TCP *:7734 (LISTEN)
> tclsh 5100 root 14u IPv4 15690 0t0 TCP *:7736 (LISTEN)
> tclsh 5100 root 15u IPv4 15817 0t0 TCP 127.0.0.1:7736->127.0.0.1:44759 (ESTABLISHED)
> tclsh 5100 root 16u IPv4 16630 0t0 TCP 127.0.0.1:7736->127.0.0.1:44760 (ESTABLISHED)
> tclsh 5100 root 17u IPv4 17106 0t0 TCP 127.0.0.1:7736->127.0.0.1:44761 (ESTABLISHED)
> tclsh 5100 root 18u IPv4 18978 0t0 TCP 127.0.0.1:7736->127.0.0.1:44765 (ESTABLISHED)
> tclsh 5100 root 19u IPv4 19156 0t0 TCP 127.0.0.1:7736->127.0.0.1:44766 (ESTABLISHED)
> tclsh 5100 root 20u IPv4 19513 0t0 TCP 127.0.0.1:7736->127.0.0.1:44767 (ESTABLISHED)
> tclsh 5144 root 3u IPv4 15816 0t0 TCP 127.0.0.1:44759->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5144 root 5u IPv4 38365 0t0 UDP *:57474
> bro 5198 root 4u IPv4 15982 0t0 UDP 192.168.1.13:50282->213.57.2.5:53
> bro 5208 root 0u IPv4 15994 0t0 TCP *:47760 (LISTEN)
> bro 5208 root 1u IPv6 15995 0t0 TCP *:47760 (LISTEN)
> bro 5208 root 4u IPv4 15982 0t0 UDP 192.168.1.13:50282->213.57.2.5:53
> tclsh 5271 root 3u IPv4 16629 0t0 TCP 127.0.0.1:44760->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5313 root 3u IPv4 17105 0t0 TCP 127.0.0.1:44761->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5313 root 4u IPv4 17107 0t0 TCP 127.0.0.1:8001 (LISTEN)
> tclsh 5313 root 5u IPv4 20027 0t0 TCP 127.0.0.1:8001->127.0.0.1:40732 (ESTABLISHED)
> searchd 5343 root 6u IPv4 17266 0t0 TCP *:9306 (LISTEN)
> searchd 5343 root 7u IPv4 17267 0t0 TCP *:3307 (LISTEN)
> searchd 5343 root 28u IPv4 38842 0t0 TCP 127.0.0.1:9306->127.0.0.1:49946 (ESTABLISHED)
> syslog-ng 5395 root 9u IPv4 18342 0t0 TCP *:514 (LISTEN)
> syslog-ng 5395 root 10u IPv4 18343 0t0 UDP *:514
> barnyard2 5443 root 3u IPv4 20025 0t0 TCP 127.0.0.1:40732->127.0.0.1:8001 (ESTABLISHED)
> barnyard2 5443 root 4u IPv4 20030 0t0 TCP 127.0.0.1:44086->127.0.0.1:3306 (ESTABLISHED)
> /usr/sbin 5557 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 5557 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 5557 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 5557 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 5559 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 5559 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 5559 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 5559 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 5561 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 5561 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 5561 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 5561 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 5562 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 5562 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 5562 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 5562 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 5563 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 5563 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 5563 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 5563 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> tclsh 5569 root 3u IPv4 18977 0t0 TCP 127.0.0.1:44765->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5603 root 3u IPv4 19155 0t0 TCP 127.0.0.1:44766->127.0.0.1:7736 (ESTABLISHED)
> tclsh 5684 root 3u IPv4 19512 0t0 TCP 127.0.0.1:44767->127.0.0.1:7736 (ESTABLISHED)
> chromium- 7204 iceman5 67u IPv4 36375 0t0 TCP 192.168.1.13:57731->173.194.66.84:443 (ESTABLISHED)
> chromium- 7204 iceman5 70u IPv4 36443 0t0 TCP 192.168.1.13:59537->173.194.45.40:443 (ESTABLISHED)
> chromium- 7204 iceman5 86u IPv4 34828 0t0 TCP 192.168.1.13:60045->173.194.45.47:443 (ESTABLISHED)
> chromium- 7204 iceman5 87u IPv4 36911 0t0 TCP 192.168.1.13:35221->173.194.34.39:80 (ESTABLISHED)
> chromium- 7204 iceman5 95u IPv4 36950 0t0 TCP 192.168.1.13:35787->173.194.66.94:443 (ESTABLISHED)
> chromium- 7204 iceman5 99u IPv4 36932 0t0 TCP 192.168.1.13:36281->173.194.34.47:80 (ESTABLISHED)
> chromium- 7204 iceman5 100u IPv4 36951 0t0 TCP 192.168.1.13:35788->173.194.66.94:443 (ESTABLISHED)
> chromium- 7204 iceman5 101u IPv4 36970 0t0 TCP 192.168.1.13:44660->173.194.66.132:443 (ESTABLISHED)
> chromium- 7204 iceman5 102u IPv4 34633 0t0 TCP 192.168.1.13:58591->173.194.45.55:443 (ESTABLISHED)
> chromium- 7204 iceman5 105u IPv4 36983 0t0 TCP 192.168.1.13:52653->173.194.34.50:443 (ESTABLISHED)
> chromium- 7204 iceman5 106u IPv4 36992 0t0 TCP 192.168.1.13:39220->173.194.34.39:443 (ESTABLISHED)
> chromium- 7204 iceman5 110u IPv4 37004 0t0 TCP 192.168.1.13:45725->173.194.45.34:443 (ESTABLISHED)
> chromium- 7204 iceman5 112u IPv4 37265 0t0 TCP 192.168.1.13:42798->173.194.66.138:443 (ESTABLISHED)
> chromium- 7204 iceman5 113u IPv4 37323 0t0 TCP 192.168.1.13:55248->173.194.41.158:443 (ESTABLISHED)
> chromium- 7204 iceman5 115u IPv4 37340 0t0 TCP 192.168.1.13:41730->173.194.34.36:443 (ESTABLISHED)
> chromium- 7204 iceman5 116u IPv4 37341 0t0 TCP 192.168.1.13:41731->173.194.34.36:443 (ESTABLISHED)
> chromium- 7204 iceman5 117u IPv4 37342 0t0 TCP 192.168.1.13:41732->173.194.34.36:443 (ESTABLISHED)
> chromium- 7204 iceman5 118u IPv4 36444 0t0 TCP 192.168.1.13:59538->173.194.45.40:443 (ESTABLISHED)
> chromium- 7204 iceman5 121u IPv4 35361 0t0 TCP 192.168.1.13:47925->212.29.254.195:80 (ESTABLISHED)
> chromium- 7204 iceman5 123u IPv4 35366 0t0 TCP 192.168.1.13:47926->212.29.254.195:80 (ESTABLISHED)
> chromium- 7204 iceman5 133u IPv4 35383 0t0 TCP 192.168.1.13:47934->212.29.254.195:80 (ESTABLISHED)
> chromium- 7204 iceman5 152u IPv4 35435 0t0 TCP 192.168.1.13:41404->90.84.60.57:80 (CLOSE_WAIT)
> chromium- 7204 iceman5 192u IPv4 36205 0t0 TCP 192.168.1.13:41600->23.37.50.127:80 (ESTABLISHED)
> /usr/sbin 7287 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 7287 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 7287 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 7287 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> ruby1.9.1 7315 www-data 12u IPv4 29672 0t0 TCP 127.0.0.1:57462 (LISTEN)
> /usr/sbin 7358 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 7358 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 7358 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 7358 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 7360 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 7360 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 7360 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 7360 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 7361 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 7361 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 7361 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 7361 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> /usr/sbin 7362 www-data 4u IPv4 10648 0t0 TCP *:443 (LISTEN)
> /usr/sbin 7362 www-data 5u IPv4 10651 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 7362 www-data 6u IPv4 10653 0t0 TCP *:444 (LISTEN)
> /usr/sbin 7362 www-data 7u IPv4 18696 0t0 TCP *:3154 (LISTEN)
> perl 8987 root 12u IPv4 38841 0t0 TCP 127.0.0.1:49946->127.0.0.1:9306 (ESTABLISHED)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 11:05:28 up 16 min, 1 user, load average: 2.55, 4.10, 2.97
> Tasks: 180 total, 3 running, 176 sleeping, 0 stopped, 1 zombie
> Cpu(s): 49.8%us, 28.7%sy, 0.3%ni, 16.2%id, 3.8%wa, 0.1%hi, 1.0%si, 0.0%st
> Mem: 3707972k total, 2586336k used, 1121636k free, 80420k buffers
> Swap: 5700124k total, 0k used, 5700124k free, 906012k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 5198 root 20 0 751m 97m 70m R 33.2 2.7 2:35.04 bro
> 5208 root 25 5 266m 81m 64m R 11.1 2.2 0:53.79 bro
> 2540 ossec 20 0 14636 2488 816 S 5.5 0.1 0:03.74 ossec-analysisd
> 1297 mysql 20 0 867m 86m 8380 S 1.8 2.4 1:31.22 mysqld
> 1322 root 20 0 218m 47m 12m S 1.8 1.3 0:28.20 Xorg
> 5647 sguil 20 0 111m 7124 1148 S 1.8 0.2 0:02.25 argus
> 7204 iceman5 20 0 528m 73m 38m S 1.8 2.0 0:13.75 chromium-browse
> 1 root 20 0 24584 2508 1372 S 0.0 0.1 0:01.85 init
> 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
> 3 root 20 0 0 0 0 S 0.0 0.0 0:15.46 ksoftirqd/0
> 4 root 20 0 0 0 0 S 0.0 0.0 0:00.62 kworker/0:0
> 5 root 20 0 0 0 0 S 0.0 0.0 0:00.40 kworker/u:0
> 6 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
> 7 root RT 0 0 0 0 S 0.0 0.0 0:00.06 watchdog/0
> 8 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
> 9 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
> 10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
> 11 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
> 12 root 20 0 0 0 0 S 0.0 0.0 0:00.02 sync_supers
> 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
> 14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
> 15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
> 16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
> 17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
> 18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
> 19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:1
> 20 root 20 0 0 0 0 S 0.0 0.0 0:01.07 kworker/0:1
> 21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
> 22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
> 23 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
> 24 root 39 19 0 0 0 S 0.0 0.0 0:00.00 khugepaged
> 25 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
> 26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
> 27 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
> 35 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
> 36 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
> 38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
> 39 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
> 62 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 devfreq_wq
> 299 root 20 0 0 0 0 S 0.0 0.0 0:01.00 jbd2/sda1-8
> 300 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
> 420 root 20 0 17232 636 448 S 0.0 0.0 0:00.12 upstart-udev-br
> 425 root 20 0 21696 1524 824 S 0.0 0.0 0:00.16 udevd
> 498 messageb 20 0 24732 1756 820 S 0.0 0.0 0:00.27 dbus-daemon
> 515 root 20 0 21324 1716 1432 S 0.0 0.0 0:00.01 bluetoothd
> 533 avahi 20 0 32300 1708 1396 S 0.0 0.0 0:00.09 avahi-daemon
> 535 avahi 20 0 32180 468 212 S 0.0 0.0 0:00.00 avahi-daemon
> 563 root 20 0 101m 4024 3004 S 0.0 0.1 0:00.05 cupsd
> 661 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
> 774 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpathd
> 784 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpath_handlerd
> 830 root 20 0 21692 1068 368 S 0.0 0.0 0:00.01 udevd
> 841 root 20 0 0 0 0 S 0.0 0.0 0:00.71 flush-8:0
> 855 root 20 0 21692 1068 364 S 0.0 0.0 0:00.00 udevd
> 940 root 20 0 15188 392 200 S 0.0 0.0 0:00.02 upstart-socket-
> 981 root 20 0 7264 604 108 S 0.0 0.0 0:00.00 dhclient3
> 1091 root 20 0 49956 2860 2252 S 0.0 0.1 0:00.03 sshd
> 1210 root 20 0 20024 964 804 S 0.0 0.0 0:00.00 getty
> 1215 root 20 0 20024 968 804 S 0.0 0.0 0:00.00 getty
> 1229 root 20 0 20024 964 804 S 0.0 0.0 0:00.01 getty
> 1231 root 20 0 20024 972 804 S 0.0 0.0 0:00.00 getty
> 1236 root 20 0 20024 968 804 S 0.0 0.0 0:00.00 getty
> 1252 root 20 0 4460 816 556 S 0.0 0.0 0:00.00 acpid
> 1256 daemon 20 0 16908 380 220 S 0.0 0.0 0:00.00 atd
> 1273 root 20 0 280m 4268 3508 S 0.0 0.1 0:00.08 lightdm
> 1385 root 20 0 183m 4672 3684 S 0.0 0.1 0:00.06 lightdm
> 1395 root 20 0 132m 4516 3732 S 0.0 0.1 0:00.18 accounts-daemon
> 1399 root 20 0 207m 4868 3640 S 0.0 0.1 0:00.20 polkitd
> 1424 root 20 0 570m 3932 2848 S 0.0 0.1 0:00.16 console-kit-dae
> 1506 iceman5 20 0 4400 700 580 S 0.0 0.0 0:00.09 sh
> 1560 iceman5 20 0 12492 316 0 S 0.0 0.0 0:00.04 ssh-agent
> 1564 iceman5 20 0 26556 784 472 S 0.0 0.0 0:00.00 dbus-launch
> 1568 iceman5 20 0 25492 1824 608 S 0.0 0.0 0:00.33 dbus-daemon
> 1581 iceman5 20 0 47604 2736 2200 S 0.0 0.1 0:00.05 xfconfd
> 1596 iceman5 20 0 63860 2656 2032 S 0.0 0.1 0:00.27 xscreensaver
> 1599 iceman5 20 0 158m 6552 5140 S 0.0 0.2 0:00.14 xfce4-session
> 1621 iceman5 20 0 154m 11m 8272 S 0.0 0.3 0:02.58 xfwm4
> 1626 iceman5 20 0 302m 22m 12m S 0.0 0.6 0:01.47 xfce4-panel
> 1630 iceman5 20 0 233m 7700 6184 S 0.0 0.2 0:00.13 Thunar
> 1635 iceman5 20 0 305m 18m 11m S 0.0 0.5 0:01.07 xfdesktop
> 1649 iceman5 20 0 577m 31m 14m S 0.0 0.9 0:00.53 blueman-applet
> 1657 iceman5 20 0 186m 5656 4536 S 0.0 0.2 0:00.08 polkit-gnome-au
> 1671 iceman5 20 0 128m 3912 2680 S 0.0 0.1 0:00.03 xfsettingsd
> 1676 iceman5 20 0 451m 15m 11m S 0.0 0.4 0:00.23 nm-applet
> 1695 iceman5 20 0 383m 12m 9604 S 0.0 0.3 0:00.35 update-notifier
> 1718 iceman5 20 0 256m 23m 11m S 0.0 0.6 0:00.35 applet.py
> 1745 iceman5 20 0 52420 2452 2048 S 0.0 0.1 0:00.03 gvfsd
> 1747 iceman5 20 0 215m 3616 2996 S 0.0 0.1 0:00.03 gvfs-fuse-daemo
> 1767 iceman5 20 0 150m 3820 2428 S 0.0 0.1 0:00.12 xfce4-settings-
> 1772 iceman5 20 0 737m 9628 6544 S 0.0 0.3 0:00.12 xfce4-volumed
> 1775 root 20 0 176m 15m 8772 S 0.0 0.4 0:00.49 /usr/sbin/apach
> 1790 iceman5 9 -11 348m 5648 3728 S 0.0 0.2 0:00.38 pulseaudio
> 1793 rtkit 21 1 164m 1316 1088 S 0.0 0.0 0:00.08 rtkit-daemon
> 1836 iceman5 20 0 212m 4532 3244 S 0.0 0.1 0:00.10 xfce4-power-man
> 1849 root 20 0 116m 3584 2868 S 0.0 0.1 0:00.07 udisks-daemon
> 1857 root 20 0 45516 804 448 S 0.0 0.0 0:00.00 udisks-daemon
> 1858 root 20 0 20024 968 800 S 0.0 0.0 0:00.00 getty
> 1859 iceman5 20 0 149m 7056 5520 S 0.0 0.2 0:00.09 panel-4-systray
> 1862 root 20 0 214m 4308 3344 S 0.0 0.1 0:00.08 upowerd
> 1865 iceman5 20 0 407m 13m 9812 S 0.0 0.4 0:00.22 xfce4-indicator
> 1867 iceman5 20 0 148m 8736 6984 S 0.0 0.2 0:00.12 panel-7-datetim
> 1897 iceman5 20 0 169m 9.8m 7304 S 0.0 0.3 0:00.12 panel-9-xfsm-lo
> 1916 iceman5 20 0 80820 4264 3484 S 0.0 0.1 0:00.05 gvfs-gdu-volume
> 1939 iceman5 20 0 138m 2512 2016 S 0.0 0.1 0:00.01 gvfs-afc-volume
> 1945 iceman5 20 0 57120 2700 1968 S 0.0 0.1 0:00.04 gconfd-2
> 1949 ntp 20 0 37700 2236 1608 S 0.0 0.1 0:00.22 ntpd
> 1958 iceman5 20 0 60376 2436 1916 S 0.0 0.1 0:00.01 gvfs-gphoto2-vo
> 2005 iceman5 20 0 69564 3892 3276 S 0.0 0.1 0:00.05 gvfsd-trash
> 2058 iceman5 20 0 190m 10m 7828 S 0.0 0.3 0:00.12 panel-24-thunar
> 2077 iceman5 20 0 524m 7524 5932 S 0.0 0.2 0:00.10 indicator-sound
> 2081 iceman5 20 0 411m 4812 3812 S 0.0 0.1 0:00.07 indicator-appli
> 2085 iceman5 20 0 578m 6496 5060 S 0.0 0.2 0:00.12 indicator-messa
> 2117 iceman5 20 0 57824 2596 2144 S 0.0 0.1 0:00.03 obex-data-serve
> 2121 root 10 -10 0 0 0 S 0.0 0.0 0:00.00 krfcommd
> 2536 root 20 0 12804 536 352 S 0.0 0.0 0:00.00 ossec-execd
> 2544 root 20 0 4528 556 416 S 0.0 0.0 0:00.01 ossec-logcollec
> 2555 root 20 0 5600 1656 492 S 0.0 0.0 0:07.83 ossec-syscheckd
> 2559 ossec 20 0 13060 544 364 S 0.0 0.0 0:00.00 ossec-monitord
> 5100 root 20 0 123m 10m 3832 S 0.0 0.3 0:00.37 tclsh
> 5105 root 20 0 118m 3560 928 S 0.0 0.1 0:00.08 tclsh
> 5106 root 20 0 118m 3220 588 S 0.0 0.1 0:00.00 tclsh
> 5144 root 20 0 38956 6392 2788 S 0.0 0.2 0:00.12 tclsh
> 5145 root 20 0 4344 360 280 S 0.0 0.0 0:00.02 tail
> 5188 root 20 0 17884 1596 1316 S 0.0 0.0 0:00.03 bash
> 5245 root 20 0 267m 254m 239m S 0.0 7.0 0:00.97 netsniff-ng
> 5271 root 20 0 33408 5156 3016 S 0.0 0.1 0:00.06 tclsh
> 5313 root 20 0 33356 5368 3036 S 0.0 0.1 0:00.07 tclsh
> 5342 root 20 0 102m 5468 208 S 0.0 0.1 0:00.00 searchd
> 5343 root 20 0 309m 23m 6264 S 0.0 0.7 0:09.38 searchd
> 5355 sguil 20 0 539m 208m 10m S 0.0 5.8 0:11.99 snort
> 5394 root 20 0 26780 436 200 S 0.0 0.0 0:00.00 syslog-ng
> 5395 root 20 0 70904 4440 2868 S 0.0 0.1 0:00.64 syslog-ng
> 5396 root 20 0 4400 612 512 S 0.0 0.0 0:00.00 sh
> 5398 root 20 0 209m 36m 3832 S 0.0 1.0 0:04.06 perl
> 5443 root 20 0 156m 51m 1784 S 0.0 1.4 0:42.95 barnyard2
> 5491 root 20 0 19112 1024 780 S 0.0 0.0 0:00.03 cron
> 5496 sguil 20 0 25864 6992 3720 S 0.0 0.2 0:00.72 prads
> 5519 root 20 0 215m 2048 1772 S 0.0 0.1 0:00.01 PassengerWatchd
> 5523 root 20 0 416m 2316 2012 S 0.0 0.1 0:00.63 PassengerHelper
> 5529 root 20 0 108m 9348 2220 S 0.0 0.3 0:00.12 ruby1.9.1
> 5532 nobody 20 0 165m 4672 3648 S 0.0 0.1 0:00.05 PassengerLoggin
> 5557 www-data 20 0 177m 9752 2496 S 0.0 0.3 0:00.04 /usr/sbin/apach
> 5559 www-data 20 0 176m 9000 2184 S 0.0 0.2 0:00.02 /usr/sbin/apach
> 5561 www-data 20 0 176m 8804 1988 S 0.0 0.2 0:00.01 /usr/sbin/apach
> 5562 www-data 20 0 177m 9560 2308 S 0.0 0.3 0:00.08 /usr/sbin/apach
> 5563 www-data 20 0 176m 8792 1988 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 5569 root 20 0 32980 4884 3012 S 0.0 0.1 0:00.06 tclsh
> 5576 root 20 0 4328 360 280 S 0.0 0.0 0:00.00 cat
> 5603 root 20 0 34080 6120 3060 S 0.0 0.2 0:00.20 tclsh
> 5684 root 20 0 33392 5268 3012 S 0.0 0.1 0:00.14 tclsh
> 5702 root 20 0 4344 612 512 S 0.0 0.0 0:00.00 tail
> 7206 iceman5 20 0 258m 7308 2132 S 0.0 0.2 0:00.38 chromium-browse
> 7207 iceman5 20 0 6464 408 320 S 0.0 0.0 0:00.00 chromium-browse
> 7208 iceman5 20 0 274m 17m 12m S 0.0 0.5 0:00.09 chromium-browse
> 7212 iceman5 20 0 282m 5896 716 S 0.0 0.2 0:00.03 chromium-browse
> 7237 root 20 0 0 0 0 S 0.0 0.0 0:00.32 kworker/0:3
> 7238 iceman5 20 0 866m 49m 20m S 0.0 1.4 0:08.39 chromium-browse
> 7284 www-data 20 0 281m 88m 5264 S 0.0 2.4 0:10.60 ruby1.9.1
> 7287 www-data 20 0 176m 8796 1984 S 0.0 0.2 0:00.01 /usr/sbin/apach
> 7290 root 20 0 4344 356 280 S 0.0 0.0 0:00.00 tail
> 7315 www-data 20 0 355m 89m 3532 S 0.0 2.5 0:01.23 ruby1.9.1
> 7320 iceman5 20 0 303m 4908 4064 S 0.0 0.1 0:00.06 gnome-keyring-d
> 7358 www-data 20 0 176m 8056 1268 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 7360 www-data 20 0 177m 9304 2268 S 0.0 0.3 0:00.01 /usr/sbin/apach
> 7361 www-data 20 0 176m 7336 620 S 0.0 0.2 0:00.02 /usr/sbin/apach
> 7362 www-data 20 0 176m 8056 1268 S 0.0 0.2 0:00.00 /usr/sbin/apach
> 7561 www-data 20 0 422m 86m 3752 S 0.0 2.4 0:02.34 ruby
> 8504 iceman5 20 0 995m 174m 24m S 0.0 4.8 0:16.29 chromium-browse
> 8574 root 20 0 4400 616 512 S 0.0 0.0 0:00.00 sh
> 8577 root 20 0 4400 324 220 S 0.0 0.0 0:00.00 sh
> 8582 root 20 0 11400 356 276 S 0.0 0.0 0:00.00 sleep
> 8599 root 20 0 0 0 0 S 0.0 0.0 0:00.13 kworker/0:2
> 8832 iceman5 20 0 259m 14m 10m S 0.0 0.4 0:00.28 xfce4-terminal
> 8847 iceman5 20 0 0 0 0 Z 0.0 0.0 0:00.00 xfce4-ter <defunct>
> 8849 iceman5 20 0 27432 4420 1688 S 0.0 0.1 0:00.21 bash
> 8954 root 20 0 78400 2540 1812 S 0.0 0.1 0:00.02 sudo
> 8956 root 20 0 16556 1472 1252 S 0.0 0.0 0:00.01 sostat
> 8987 root 20 0 209m 34m 1736 S 0.0 1.0 0:00.05 perl
> 8994 root 20 0 209m 34m 836 S 0.0 0.9 0:00.01 perl
> 9155 root 20 0 17336 1280 896 R 0.0 0.0 0:00.01 top
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/cold1-eth1/dailylogs/
> 35M .
> 35M ./2013-03-22
>
> /nsm/bro/logs/
> 72K .
> 52K ./2013-03-22
> 16K ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> /nsm/sensor_data/cold1-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
>
> =========================================================================
> pf_ring stats
> =========================================================================
> Appl. Name : <unknown>
> Tot Packets : 37149
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-51-socket-0
> Tot Packets : 18027
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 25 |
> +----------+
>
> =========================================================================
> Sguil events summary for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Top 50 All time Sguil Events
> =========================================================================
> +--------+-------------+-----------------------------------------------------------------------------------------------------------------------------+
> | Totals | GenID:SigID | Signature |
> +--------+-------------+-----------------------------------------------------------------------------------------------------------------------------+
> | 1 | 10000:1 | PADS New Asset - unknown @ftp |
> | 1 | 10000:1 | PADS New Asset - unknown @ntp |
> | 1 | 10000:1 | PADS New Asset - unknown @domain |
> | 1 | 10000:1 | PADS New Asset - unknown @https |
> | 1 | 10000:1 | PADS New Asset - http curl/7.22.0 (x86_64-pc-linux (gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3) |
> +--------+-------------+-----------------------------------------------------------------------------------------------------------------------------+
> +-------+
> | Total |
> +-------+
> | 5 |
> +-------+
>
> =========================================================================
> Top 50 URLs for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Snorby Events Summary for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Top 50 All Time Snorby Events
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+

Doug Burks

Mar 22, 2013, 7:44:17 AM
to securit...@googlegroups.com
If this is a production system that's going to be sniffing live
traffic from a tap or span port, you'll want 2 or more physical NICs
in your host OS. In your Security Onion guest OS, the sniffing
interface should be bridged to the physical sniffing interface that is
connected to your tap or span port.

If this is just going to be a test system where you replay some pcaps,
you can probably get away with just one physical NIC in your host OS.

Doug

On Fri, Mar 22, 2013 at 7:28 AM, ido vxatre <psdtoh...@gmail.com> wrote:
> I have 2 adapters in my VirtualBox, both of them set to
> Bridged Adapter.
> So you mean I need to make 1 Bridged Adapter and 2 Not attached?

Matt Gregory

Mar 22, 2013, 4:39:45 PM
to securit...@googlegroups.com

In VirtualBox, the "Not attached" adapter won't see any traffic at all because it's literally not attached to any network, virtual or physical.

To do this in a VM, you need two physical adapters:

- attach one VirtualBox adapter to the physical adapter that receives the traffic you want to sniff - this physical adapter should in turn be configured in promiscuous mode with no IP address and be connected to a tap or span port.

- attach the other VirtualBox adapter to the physical adapter on which it can communicate on your network (with an IP address) for management purposes.

Since you are running VirtualBox, I assume you are managing the SO VM locally. If that's the case you could connect the management virtual adapter to "host only" and manage it from your host machine. Alternatively, if you are running a graphical Desktop for SO you could manage the SO VM from its GUI and forego the management adapter. This isn't recommended for production but could work for testing.

Matt
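
One way to verify the layout described above on a Linux VirtualBox host, as an added example that is not part of the original thread: it audits the sniffing and management NICs and prints the matching `VBoxManage` calls. The interface names `eth0`/`eth1`, the VM name `so-vm` and the sample data are assumptions, and `--nicpromisc2 allow-all` is an addition the thread does not mention (VirtualBox's default promiscuous policy for an adapter is Deny, so the guest would otherwise receive only traffic addressed to the VM).

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, VM name and sample
# data are constructed for illustration.

IFF_UP=1          # 0x001 in <linux/if.h>
IFF_PROMISC=256   # 0x100 in <linux/if.h>

# flag_set FLAGS BIT: succeeds when BIT is set in a /sys/class/net/<if>/flags value.
flag_set() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# count_addrs TEXT: number of addresses in `ip -o addr show dev <if>` output.
# IPv6 link-local entries (scope link) are auto-assigned and are not counted.
count_addrs() {
    printf '%s\n' "$1" | awk '
        $3 == "inet"                        { n++ }
        $3 == "inet6" && $0 !~ /scope link/ { n++ }
        END                                 { print n + 0 }'
}

# audit_iface ROLE NAME FLAGS ADDR_TEXT
# ROLE is "sniff" (tap/span side) or "mgmt". Prints one line per finding and
# returns the number of findings (0 means the interface matches its role).
audit_iface() {
    role=$1; name=$2; flags=$3; addrs=$4
    findings=0
    n=$(count_addrs "$addrs")
    if ! flag_set "$flags" "$IFF_UP"; then
        echo "$name: interface is down"
        findings=$((findings + 1))
    fi
    case $role in
    sniff)
        if ! flag_set "$flags" "$IFF_PROMISC"; then
            echo "$name: not in promiscuous mode"
            findings=$((findings + 1))
        fi
        if [ "$n" -ne 0 ]; then
            echo "$name: has $n IP address(es), expected none on a sniffing NIC"
            findings=$((findings + 1))
        fi
        ;;
    mgmt)
        if [ "$n" -eq 0 ]; then
            echo "$name: no IP address, management NIC is unreachable"
            findings=$((findings + 1))
        fi
        ;;
    *)
        echo "unknown role: $role" >&2
        return 64
        ;;
    esac
    return "$findings"
}

# vbox_plan VM SNIFF_IF MGMT_IF: print (do not run) the VBoxManage calls that
# bridge adapter 1 to the management NIC and adapter 2 to the sniffing NIC.
vbox_plan() {
    echo "VBoxManage modifyvm \"$1\" --nic1 bridged --bridgeadapter1 $3"
    echo "VBoxManage modifyvm \"$1\" --nic2 bridged --bridgeadapter2 $2 --nicpromisc2 allow-all"
}

# Constructed samples (ip output trimmed to the fields the audit reads).
SAMPLE_BAD_FLAGS=0x1003    # UP|BROADCAST|MULTICAST, no PROMISC
SAMPLE_BAD_ADDRS='3: eth1    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth1'
SAMPLE_GOOD_FLAGS=0x1103   # UP|BROADCAST|PROMISC|MULTICAST
SAMPLE_GOOD_ADDRS='3: eth1    inet6 fe80::a00:27ff:fe00:1/64 scope link'

if [ $# -eq 2 ]; then
    # Live use on the host, e.g.: sh audit.sh sniff eth1
    audit_iface "$1" "$2" "$(cat "/sys/class/net/$2/flags")" \
        "$(ip -o addr show dev "$2")"
else
    # No arguments: run on the constructed samples.
    audit_iface sniff eth1 "$SAMPLE_BAD_FLAGS" "$SAMPLE_BAD_ADDRS" || true
    audit_iface sniff eth1 "$SAMPLE_GOOD_FLAGS" "$SAMPLE_GOOD_ADDRS" || true
    vbox_plan so-vm eth1 eth0
fi
```
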

On Mar 22, 2013 10:09 AM, "ido vxatre" <psdtoh...@gmail.com> wrote:
snortu-1.log

Executing: snort -c /etc/nsm/cold1-eth1/snort.conf -u sguil -g sguil -i eth1 -F /etc/nsm/cold1-eth1/bpf-ids.conf -l /nsm/sensor_data/cold1-eth1/snort-1 --perfmon-file /nsm/sensor_data/cold1-eth1/snort-1.stats -U -m 112
Running in IDS mode


        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/nsm/cold1-eth1/snort.conf"

PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Reading filter from bpf file: /etc/nsm/cold1-eth1/bpf-ids.conf

Snort BPF option:
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done

  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /nsm/sensor_data/cold1-eth1/snort-1
    File Mode:      /nsm/sensor_data/cold1-eth1/snort-1.stats

    SnortFile Mode: INACTIVE
    Packet Count:   10000
    Dump Summary:   No
    Max file size:  2147483648
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/nsm/cold1-eth1/unicode.map
      443      465      563      636      989
13678 Snort rules read
    13678 detection rules

    0 decoder rules
    0 preprocessor rules
13678 Option Chains linked into 1810 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src    1149      37       0       0
|     dst    9960     356       0       0
|     any    1348     823      58      23
|      nc     770     728       0       1
|     s+d      57      54       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| gen-id=1      sig-id=2002823    type=Both      tracking=src count=10  seconds=60
| gen-id=1      sig-id=2520052    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2014372    type=Both      tracking=src count=2   seconds=60
| gen-id=1      sig-id=2500038    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408041    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406441    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2102923    type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2008231    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2003273    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2009038    type=Threshold tracking=src count=2   seconds=3
| gen-id=1      sig-id=2404094    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2009537    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406037    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520093    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008503    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2008216    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406514    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404012    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406094    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2012303    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520069    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520130    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406079    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003068    type=Threshold tracking=src count=5   seconds=120
| gen-id=1      sig-id=2404085    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406756    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406076    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008423    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2520028    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500008    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406013    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500101    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2016212    type=Limit     tracking=src count=1   seconds=300
| gen-id=1      sig-id=2406335    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406168    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406198    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2015993    type=Both      tracking=dst count=10  seconds=1
| gen-id=1      sig-id=2406251    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008391    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2002825    type=Both      tracking=src count=10  seconds=60
| gen-id=1      sig-id=2520150    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404087    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2008560    type=Threshold tracking=dst count=4   seconds=15
| gen-id=1      sig-id=2003266    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2008454    type=Threshold tracking=src count=5   seconds=30
| gen-id=1      sig-id=2404049    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406426    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406328    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406549    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406227    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404054    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406884    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406385    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406194    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2103273    type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2406732    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406255    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406422    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406087    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406196    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406378    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520006    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2002400    type=Limit     tracking=src count=2   seconds=360
| gen-id=1      sig-id=2010487    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406434    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2007618    type=Both      tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406243    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404060    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2012296    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2400008    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406798    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406813    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406542    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520100    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520158    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404146    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2404101    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406518    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406450    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404091    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2520017    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406664    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520021    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2403318    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406592    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408006    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406479    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406725    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008085    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2404006    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2406170    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003387    type=Limit     tracking=src count=5   seconds=60
| gen-id=1      sig-id=2011975    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500058    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500098    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008181    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2003267    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2404059    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406041    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2102523    type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2012297    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2403311    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2520157    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008564    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406721    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500011    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406774    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406339    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406163    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003263    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2406044    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2012079    type=Both      tracking=dst count=1   seconds=300
| gen-id=1      sig-id=2406086    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404063    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406029    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406151    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406236    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406706    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2013492    type=Both      tracking=src count=2   seconds=120
| gen-id=1      sig-id=2406591    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406118    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500107    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404061    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406546    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406159    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2400012    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406332    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2011737    type=Limit     tracking=src count=1   seconds=300
| gen-id=1      sig-id=2002945    type=Both      tracking=src count=10  seconds=60
| gen-id=1      sig-id=2406161    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406212    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520059    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500036    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404014    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2404002    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406293    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406697    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500056    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520035    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2001795    type=Limit     tracking=src count=30  seconds=60
| gen-id=1      sig-id=2500012    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406763    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500078    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520065    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406350    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408038    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406641    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2400005    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2009971    type=Limit     tracking=src count=5   seconds=600
| gen-id=1      sig-id=2406507    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406208    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2001872    type=Limit     tracking=src count=1   seconds=360
| gen-id=1      sig-id=2406343    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406144    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406454    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406415    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520097    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406682    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408009    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404056    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2005320    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406483    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406424    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408048    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404121    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2003256    type=Both      tracking=src count=2   seconds=900
| gen-id=1      sig-id=2406805    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2001581    type=Both      tracking=src count=70  seconds=60
| gen-id=1      sig-id=2001569    type=Both      tracking=src count=70  seconds=60
| gen-id=1      sig-id=2406269    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500105    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404117    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406848    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406680    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500051    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406690    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500023    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406678    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003397    type=Both      tracking=src count=1   seconds=300
| gen-id=1      sig-id=2520142    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406511    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408016    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406245    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500049    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520139    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406739    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003566    type=Limit     tracking=src count=3   seconds=300
| gen-id=1      sig-id=2404044    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406377    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406201    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406452    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2400001    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406304    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008583    type=Both      tracking=src count=1   seconds=300
| gen-id=1      sig-id=2406634    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406238    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406057    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008378    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2003457    type=Both      tracking=src count=5   seconds=300
| gen-id=1      sig-id=2520031    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2002402    type=Limit     tracking=src count=1   seconds=360
| gen-id=1      sig-id=2406671    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406285    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008209    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406083    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406071    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406136    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406026    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008771    type=Both      tracking=src count=5   seconds=120
| gen-id=1      sig-id=2003260    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2003258    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2406496    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406619    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008344    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2500084    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406556    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406297    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406499    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2403303    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2003269    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2520091    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406177    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008585    type=Both      tracking=src count=1   seconds=300
| gen-id=1      sig-id=2406300    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500021    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2403315    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2403300    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406770    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406125    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500001    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406313    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500050    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500005    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500060    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500054    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2011582    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2001809    type=Both      tracking=src count=1   seconds=360
| gen-id=1      sig-id=2408045    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408003    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003930    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406802    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406606    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406492    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406407    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406588    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406595    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406419    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008214    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2002994    type=Both      tracking=src count=30  seconds=60
| gen-id=1      sig-id=2500097    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406890    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2003280    type=Both      tracking=src count=1   seconds=900
| gen-id=1      sig-id=2406033    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500053    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2002952    type=Limit     tracking=src count=1   seconds=120
| gen-id=1      sig-id=2013036    type=Limit     tracking=src count=1   seconds=3
| gen-id=1      sig-id=2008084    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406468    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404009    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2002911    type=Threshold tracking=src count=5   seconds=60
| gen-id=1      sig-id=2404135    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406240    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2408058    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520146    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500016    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406847    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520107    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008549    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406844    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406417    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520104    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406031    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404131    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2500014    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500108    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520092    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406114    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406342    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2009970    type=Limit     tracking=src count=5   seconds=600
| gen-id=1      sig-id=2406210    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406710    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406400    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406075    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406022    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008343    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2500043    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406036    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406897    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008199    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406221    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520063    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406289    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406203    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2009967    type=Limit     tracking=src count=5   seconds=600
| gen-id=1      sig-id=2404076    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406370    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406099    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406599    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406146    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008455    type=Threshold tracking=src count=5   seconds=30
| gen-id=1      sig-id=2406282    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008422    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406584    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2520098    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406150    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404072    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2406464    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406501    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2013894    type=Both      tracking=src count=100 seconds=10
| gen-id=1      sig-id=2008428    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406461    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008756    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2406648    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406250    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2008916    type=Limit     tracking=src count=2   seconds=300
| gen-id=1      sig-id=2500019    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2009159    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406090    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406278    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500015    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406560    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2015482    type=Both      tracking=src count=10  seconds=600
| gen-id=1      sig-id=2520149    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2016031    type=Limit     tracking=src count=1   seconds=300
| gen-id=1      sig-id=2406381    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2404086    type=Limit     tracking=src count=1   seconds=3600
| gen-id=1      sig-id=2520048    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406767    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406633    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406457    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2500025    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406024    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2000334    type=Limit     tracking=dst count=1   seconds=300
| gen-id=1      sig-id=2408052    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406553    type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2406...

Matt Gregory

Mar 22, 2013, 5:57:53 PM
to securit...@googlegroups.com
I think you are referring to the network adapters that you configure within VirtualBox.
 
How many physical network adapters do you have?  In other words, how many adapters do you have that you can plug a physical cable into?  Don't confuse this with the virtual adapters that you configure within VirtualBox.

Matt


On Fri, Mar 22, 2013 at 5:25 PM, ido vxatre <psdtoh...@gmail.com> wrote:
Yes, but which do I need to choose?
I have 2 adapters.

1 is management and 2 is for sniffing traffic.

so what i need to be  and 2 ?

NAT ?
Bridged Adapter?
internal network?
host-only adapter?

Matt Gregory

Mar 23, 2013, 9:04:38 AM
to securit...@googlegroups.com
In that case there's really no good way for you to configure SO.  You could run SO on a GUI version of Ubuntu (e.g., Ubuntu Desktop, Xubuntu, etc.), bridge one virtual adapter (your sniffing adapter) to your one physical adapter, and then manage SO and run all its tools (Sguil, Snorby, ELSA, etc.) while logged into the SO VM.  However, your physical NIC needs to be connected to a tap or a SPAN port in order to see anything but local or broadcast traffic, in which case your host machine won't have any Internet/network connectivity (unless it's connecting over wifi).  And you still may run into issues passing traffic from your physical adapter to your virtual adapter - I'm not sure how VirtualBox will work with this.


On Sat, Mar 23, 2013 at 6:36 AM, ido vxatre <psdtoh...@gmail.com> wrote:
only 1 physical cable

Doug Burks

Mar 23, 2013, 10:08:48 AM
to securit...@googlegroups.com
Most Security Onion deployments are done on true server class machines with multiple network interfaces but Security Onion can also run in a VM if properly configured. 

So let's take this one step at a time...

What is your goal in running Security Onion? 

Are you wanting to build a production sensor that monitors a production network?

Or are you just wanting to monitor the network traffic for your local machine?

Or are you just wanting to replay some pcap files?

Doug

On Saturday, March 23, 2013, ido vxatre wrote:
I don't understand; in a computer you have only 1 spot for a network adapter.
I want to run my Security Onion on my VirtualBox, so I can't do that if I don't have
2 physical adapters?
So how does everyone do that?
Do they all use laptops?


Matt Gregory

Mar 23, 2013, 11:12:06 AM
to securit...@googlegroups.com
So, there are a couple of things you'll need to do this, and there are both physical and virtual configuration issues you should be aware of.  The following instructions are based on the fact that you only have one physical network interface on the host computer that you are running Security Onion (SO) on.  If you are running SO on a desktop machine on which you can install a second physical network interface, that would be ideal and would change the below instructions a little bit.

Physical Configuration:

1.  If you just want to monitor the traffic coming into and out of your LAN (i.e., you don't care about traffic between computers on your LAN that doesn't leave your network), you need either a tap between your WAN (i.e., external) interface and your Internet provider, or you need a switch that can port mirror/SPAN traffic from an egress port on your switch to another port on the same switch where SO is connected.

2.  If you want to also monitor traffic between computers on your LAN that doesn't leave your network, you need the port mirror/span functionality on your switch so that you can copy traffic on one or more ports that you want to monitor to the SPAN port SO is connected to.

If you don't already have a tap or a switch with SPAN functionality, see the first entry at https://code.google.com/p/security-onion/wiki/Hardware for some suggestions.  There are many alternatives available, but these are known to work well.

In either of the above cases, you'll need a physical network cable running from the tap or span port to the physical network interface/adapter associated with your SO virtual machine (VM).

Virtual Configuration:

In order to monitor your tap/SPAN traffic, you only need to configure one virtual adapter, since you only have one physical adapter.  You should configure the virtual adapter as a "Bridged Adapter" and attach it to your one physical network adapter; also set the virtual adapter "Promiscuous Mode" to "Allow All".  You could also configure a second virtual adapter as "Not Attached" if you just want to replay packets on your SO VM without transmitting them on your physical network.

Now you should have a tap or SPAN port --> physical cable from tap/SPAN port connected to the physical adapter on the computer running SO --> SO running in VirtualBox with a virtual adapter in "promiscuous mode" and bridged to the physical adapter.

The only thing I'm not sure of, which I mentioned before, is if VirtualBox will see all traffic going to the physical adapter it's assigned to without the physical adapter being in promiscuous mode itself.  I've never tried this, so I don't know.

Let me know how this works for you and we'll go from there.  There really are a number of variables depending on your physical setup and what you are trying to accomplish.

Matt

P.S. - Doug/Brad:  If you think it would be worthwhile, I'll write up a post for the wiki covering a few configuration options for a lab setup.  I think that might be beneficial for folks who are unfamiliar with sensor placement and configuration and might not know where to begin to connect "all the things" to even begin to explore Security Onion itself.


On Sat, Mar 23, 2013 at 10:28 AM, ido vxatre <psdtoh...@gmail.com> wrote:
I have 3 computers on my LAN.
I want to monitor traffic to look for signs of attacks like port scans, etc.
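
The VirtualBox settings from the "Virtual Configuration" paragraph above, expressed as VBoxManage commands, together with a guest-side check of whether mirrored traffic actually reaches the VM. This is an added example, not part of the original thread; the VM name, interface names and MAC address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. VM name, interface names and the MAC
# address used below are placeholders; substitute your own.

# Host side: apply the adapter settings described above with VBoxManage.
#   $1 = VM name, $2 = host physical adapter, $3 = "replay" (optional) adds a
#   second adapter that is "Not Attached" (VBoxManage calls this "null").
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them.
# modifyvm requires the VM to be powered off.
configure_sniffing_vm() {
    vm=$1; hostif=$2; mode=${3:-}
    if [ -z "$vm" ] || [ -z "$hostif" ]; then
        echo "usage: configure_sniffing_vm VM HOST_IF [replay]" >&2
        return 2
    fi
    run=echo
    if [ "${DRY_RUN:-1}" = 0 ]; then run=; fi
    # Bridged + "Allow All": the promiscuous policy defaults to "deny", in
    # which case the guest only receives frames addressed to its own MAC.
    $run VBoxManage modifyvm "$vm" --nic1 bridged \
        --bridgeadapter1 "$hostif" --nicpromisc1 allow-all || return 1
    if [ "$mode" = replay ]; then
        $run VBoxManage modifyvm "$vm" --nic2 null || return 1
    fi
}

# Guest side: print a tcpdump command that captures only frames NOT addressed
# to the guest's own MAC. Packets showing up means mirrored traffic is
# reaching the VM; silence means the tap/SPAN/bridge chain needs checking.
#   $1 = guest interface, $2 = guest MAC address
guest_mirror_check() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: guest_mirror_check GUEST_IF GUEST_MAC" >&2
        return 2
    fi
    echo "sudo tcpdump -nei $1 -c 20 'not ether host $2 and not broadcast and not multicast'"
}

# Dry-run demonstration with placeholder names.
DRY_RUN=1 configure_sniffing_vm "so-lab" eth0 replay
guest_mirror_check eth0 08:00:27:00:00:01
```

Run the printed tcpdump command inside the Security Onion VM while another machine on the monitored segment generates traffic.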

Matt Gregory

Mar 23, 2013, 11:24:12 AM
to securit...@googlegroups.com
> some1 can saw my the configuration he made to his virtual box before he install security onion

I'm sorry, I don't follow you - are you asking about how to install or configure Security Onion in VirtualBox?

Matt 


On Sat, Mar 23, 2013 at 10:55 AM, ido vxatre <psdtoh...@gmail.com> wrote:
some1 can saw my the configuration he made to his virtual box before he install security onion