One of my Security Onion devices is acting weird. If I am physically on the device, I can log in to Snorby; however, if I try to access Snorby remotely, it just sits there (I disabled the firewall).
I can SSH to the device, but if I run top or sostat-redacted, after 2-3 seconds it freezes, and after 5 minutes I get a 'Write failed: Broken pipe' message. As long as I do not run top, sostat or dmesg, the SSH session does not break. I can even run the commands sudo nsm_sensor_ps-stop and sudo nsm_server_ps-stop with no problem.
I even rebooted the device a couple of times, and my dmesg shows no errors.
My sostat:
coonion@CO-Onion:~$ sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 4995 2 10 Nov 12:47:31
proxy proxy localhost running 5164 2 10 Nov 12:47:33
SO-server-eth0-1 worker localhost running 5335 2 10 Nov 12:47:35
Status: SO-server-eth0
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* argus[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:5652586708 errors:0 dropped:1 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2584306569601 (2.5 TB) TX bytes:3846 (3.8 KB)
Interrupt:20 Memory:f0600000-f0620000
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1204451 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1172145268 (1.1 GB) TX bytes:66654847 (66.6 MB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:73563512 errors:0 dropped:0 overruns:0 frame:0
TX packets:73563512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:292113584575 (292.1 GB) TX bytes:292113584575 (292.1 GB)
wlan0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
292113584575 73563512 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
292113584575 73563512 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2584306569601 5652586708 0 0 0 34907904
RX errors: length crc frame fifo missed
0 0 0 0 1
TX: bytes packets errors dropped carrier collsns
3846 17 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1172145268 1204451 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
66654847 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 228G 172G 44G 80% /
udev 3.8G 4.0K 3.8G 1% /dev
tmpfs 768M 944K 767M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.8G 0 3.8G 0% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 829 root 3u IPv6 11277 0t0 TCP *:ssh_port (LISTEN)
sshd 829 root 4u IPv4 11279 0t0 TCP *:ssh_port (LISTEN)
avahi-dae 1245 avahi 12u IPv4 11645 0t0 UDP *:5353
avahi-dae 1245 avahi 13u IPv6 11646 0t0 UDP *:5353
avahi-dae 1245 avahi 14u IPv4 11647 0t0 UDP *:33581
avahi-dae 1245 avahi 15u IPv6 11648 0t0 UDP *:51530
cupsd 1261 root 8u IPv6 6037805 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1261 root 9u IPv4 6037806 0t0 TCP X.X.X.X:631 (LISTEN)
salt-mini 1393 root 10u IPv4 17406 0t0 TCP X.X.X.X:52042->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1393 root 21u IPv4 20516 0t0 TCP X.X.X.X:35887->X.X.X.X:4505 (ESTABLISHED)
mysqld 1605 mysql 10u IPv4 16435 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1605 mysql 46u IPv4 6033814 0t0 TCP X.X.X.X:3306->X.X.X.X:54110 (ESTABLISHED)
critical- 1611 critical-stack 5u IPv4 4965240 0t0 TCP X.X.X.X:37426->X.X.X.X:443 (CLOSE_WAIT)
critical- 1611 critical-stack 8u IPv4 6175358 0t0 TCP X.X.X.X:57426->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 9u IPv4 6176131 0t0 TCP X.X.X.X:41293->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 10u IPv4 6174683 0t0 TCP X.X.X.X:57428->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 11u IPv4 6175384 0t0 TCP X.X.X.X:41295->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 12u IPv4 6176330 0t0 TCP X.X.X.X:57430->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 13u IPv4 6176335 0t0 TCP X.X.X.X:41297->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 14u IPv4 6175415 0t0 TCP X.X.X.X:57432->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 15u IPv4 6175427 0t0 TCP X.X.X.X:41301->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 16u IPv4 6177858 0t0 TCP X.X.X.X:57437->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 17u IPv4 6177861 0t0 TCP X.X.X.X:41304->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 18u IPv4 6176352 0t0 TCP X.X.X.X:57439->X.X.X.X:443 (ESTABLISHED)
critical- 1611 critical-stack 19u IPv4 6175446 0t0 TCP X.X.X.X:41306->X.X.X.X:443 (SYN_SENT)
searchd 1618 sphinxsearch 7u IPv4 14619 0t0 TCP *:9306 (LISTEN)
searchd 1618 sphinxsearch 8u IPv4 14620 0t0 TCP *:9312 (LISTEN)
ossec-csy 1674 ossecm 5u IPv4 13385 0t0 UDP X.X.X.X:42121->X.X.X.X:514
salt-mast 1755 root 12u IPv4 11197 0t0 TCP *:4505 (LISTEN)
salt-mast 1755 root 14u IPv4 20517 0t0 TCP X.X.X.X:4505->X.X.X.X:35887 (ESTABLISHED)
salt-mast 1769 root 20u IPv4 11200 0t0 TCP *:4506 (LISTEN)
salt-mast 1769 root 22u IPv4 15337 0t0 TCP X.X.X.X:4506->X.X.X.X:52042 (ESTABLISHED)
/usr/sbin 2387 root 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 2387 root 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2387 root 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2387 root 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
barnyard2 2433 SO-user 3u IPv4 6035596 0t0 TCP X.X.X.X:60439->X.X.X.X:8001 (CLOSE_WAIT)
barnyard2 2433 SO-user 4u IPv4 6035600 0t0 TCP X.X.X.X:54110->X.X.X.X:3306 (ESTABLISHED)
dnsmasq 3121 nobody 4u IPv4 18209 0t0 UDP X.X.X.X:53
dnsmasq 3121 nobody 5u IPv4 18210 0t0 TCP X.X.X.X:53 (LISTEN)
ntpd 4354 ntp 16u IPv4 19430 0t0 UDP *:123
ntpd 4354 ntp 17u IPv6 19431 0t0 UDP *:123
ntpd 4354 ntp 18u IPv4 19437 0t0 UDP X.X.X.X:123
ntpd 4354 ntp 19u IPv4 19438 0t0 UDP X.X.X.X:123
ntpd 4354 ntp 20u IPv6 19439 0t0 UDP [X.X.X.X]:123
ntpd 4354 ntp 21u IPv6 19440 0t0 UDP [X.X.X.X]:123
ntpd 4354 ntp 22u IPv6 19441 0t0 UDP [X.X.X.X]:123
bro 4995 SO-user 4u IPv4 23199 0t0 UDP X.X.X.X:36966->X.X.X.X:53
bro 4997 SO-user 0u IPv4 23970 0t0 TCP *:47761 (LISTEN)
bro 4997 SO-user 1u IPv6 23971 0t0 TCP *:47761 (LISTEN)
bro 4997 SO-user 2u IPv4 24100 0t0 TCP X.X.X.X:47761->X.X.X.X:53204 (ESTABLISHED)
bro 4997 SO-user 4u IPv4 23199 0t0 UDP X.X.X.X:36966->X.X.X.X:53
bro 4997 SO-user 268u IPv4 23262 0t0 TCP X.X.X.X:47761->X.X.X.X:53205 (ESTABLISHED)
bro 5164 SO-user 4u IPv4 23232 0t0 UDP X.X.X.X:33327->X.X.X.X:53
bro 5167 SO-user 0u IPv4 24099 0t0 TCP X.X.X.X:53204->X.X.X.X:47761 (ESTABLISHED)
bro 5167 SO-user 4u IPv4 23232 0t0 UDP X.X.X.X:33327->X.X.X.X:53
bro 5167 SO-user 266u IPv4 24107 0t0 TCP *:47762 (LISTEN)
bro 5167 SO-user 267u IPv6 24108 0t0 TCP *:47762 (LISTEN)
bro 5167 SO-user 268u IPv4 23265 0t0 TCP X.X.X.X:47762->X.X.X.X:37641 (ESTABLISHED)
bro 5335 SO-user 4u IPv4 24230 0t0 UDP X.X.X.X:35340->X.X.X.X:53
bro 5336 SO-user 0u IPv4 24244 0t0 TCP X.X.X.X:53205->X.X.X.X:47761 (ESTABLISHED)
bro 5336 SO-user 4u IPv4 24230 0t0 UDP X.X.X.X:35340->X.X.X.X:53
bro 5336 SO-user 266u IPv4 24247 0t0 TCP X.X.X.X:37641->X.X.X.X:47762 (ESTABLISHED)
bro 5336 SO-user 271u IPv4 24252 0t0 TCP *:47763 (LISTEN)
bro 5336 SO-user 272u IPv6 24253 0t0 TCP *:47763 (LISTEN)
radium 6559 root 3u IPv4 27408 0t0 TCP *:561 (LISTEN)
radium 6559 root 4u IPv4 5651149 0t0 TCP X.X.X.X:55633->X.X.X.X:562 (ESTABLISHED)
httpd 6598 root 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 6599 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 6600 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 6601 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 6602 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 6603 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
tclsh 7293 SO-user 13u IPv4 5816509 0t0 TCP *:7734 (LISTEN)
tclsh 7293 SO-user 14u IPv4 5816510 0t0 TCP *:7736 (LISTEN)
tclsh 7293 SO-user 15u IPv4 6160811 0t0 TCP X.X.X.X:7736->X.X.X.X:46922 (ESTABLISHED)
tclsh 7293 SO-user 16u IPv4 6160543 0t0 TCP X.X.X.X:7736->X.X.X.X:46917 (ESTABLISHED)
httpd 11350 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
argus 13095 SO-user 3u IPv4 5652227 0t0 TCP *:562 (LISTEN)
argus 13095 SO-user 8u IPv4 5654645 0t0 TCP X.X.X.X:562->X.X.X.X:55633 (ESTABLISHED)
syslog-ng 17158 root 25u IPv4 5666638 0t0 TCP *:514 (LISTEN)
syslog-ng 17158 root 26u IPv4 5666639 0t0 UDP *:514
tclsh 17266 SO-user 3u IPv4 6155210 0t0 TCP X.X.X.X:46917->X.X.X.X:7736 (ESTABLISHED)
tclsh 17869 SO-user 3u IPv4 6158823 0t0 TCP X.X.X.X:46922->X.X.X.X:7736 (ESTABLISHED)
tclsh 17869 SO-user 4u IPv4 6158824 0t0 TCP X.X.X.X:8001 (LISTEN)
ruby1.9.1 19639 www-data 12u IPv4 5492003 0t0 TCP X.X.X.X:43917 (LISTEN)
httpd 21264 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 21270 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 21271 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
httpd 21272 SO-user 3u IPv4 29710 0t0 TCP *:80 (LISTEN)
/usr/sbin 23151 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23151 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23151 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23151 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23156 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23156 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23156 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23156 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23157 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23157 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23157 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23157 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23158 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23158 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23158 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23158 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23159 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23159 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23159 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23159 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23160 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23160 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23160 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23160 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23161 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23161 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23161 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23161 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
/usr/sbin 23162 www-data 5u IPv6 15030 0t0 TCP *:443 (LISTEN)
/usr/sbin 23162 www-data 7u IPv6 15035 0t0 TCP *:9876 (LISTEN)
/usr/sbin 23162 www-data 9u IPv6 15039 0t0 TCP *:3154 (LISTEN)
/usr/sbin 23162 www-data 11u IPv6 15045 0t0 TCP *:444 (LISTEN)
perl 23217 root 12u IPv4 6175098 0t0 TCP X.X.X.X:37109->X.X.X.X:3154 (CLOSE_WAIT)
sshd 23538 root 3u IPv4 6175193 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49578 (ESTABLISHED)
sshd 23760 SO-user 3u IPv4 6175193 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:49578 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Tue Nov 17 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 38 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
They Match
Done!
Rules tarball download of community-rules.tar.gz....
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2975.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 767 rules
Done
Setting Flowbit State....
Enabled 107 flowbits
Enabled 1 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------104
Deleted:---21
Enabled Rules:----26181
Dropped Rules:----0
Disabled Rules:---21675
Total Rules:------47856
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table...done.
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.88 0.94 0.80
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 12:46:36 up 7 days, 0 min, 1 user, load average: 1.81, 0.94, 0.80
Tasks: 240 total, 2 running, 238 sleeping, 0 stopped, 0 zombie
Cpu(s): 24.9%us, 2.5%sy, 0.2%ni, 66.8%id, 5.1%wa, 0.0%hi, 0.5%si, 0.0%st
Mem: 7860796k total, 7725868k used, 134928k free, 10096k buffers
Swap: 11997464k total, 902712k used, 11094752k free, 2737100k cached
%CPU %MEM COMMAND
23.4 9.5 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -F /etc/nsm/SO-server-eth0/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U
20.1 6.4 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
2.9 1.5 /usr/sbin/mysqld
2.7 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
2.3 0.5 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.2 2.2 /usr/bin/python /usr/bin/salt-master
2.1 18.7 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
2.1 0.7 argus -i eth0 -F /etc/nsm/SO-server-eth0/argus.conf -w /nsm/sensor_data/SO-server-eth0/argus/2015-11-17.log
1.9 1.2 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.2 0.2 /home/SO-user/bin/SO-user -g /home/SO-user/SO-user-web.conf -o /home/SO-user/data/30min/2015-11-17-12:30.txt
1.2 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.1 0.1 -bash
1.1 1.0 Rack: /opt/snorby
0.9 0.1 radium -S localhost:562 -P 561 -d -e SO-server
0.9 1.8 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
0.2 1.1 critical-stack-intel --debug pull --loop
0.2 0.0 [kswapd0]
0.2 11.3 /usr/bin/searchd --nodetach
0.2 1.2 delayed_job
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.4 /usr/sbin/apache2 -k start
0.0 0.0 PassengerHelperAgent
0.0 1.7 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 [rcu_sched]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/2:2]
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/0:1]
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:1]
0.0 0.7 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 [kworker/u16:0]
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/u16:1]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/2]
0.0 0.0 [kworker/u16:2]
0.0 0.0 NetworkManager
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [rcuos/1]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [rcuos/3]
0.0 0.0 /sbin/wpa_supplicant -B -P /run/sendsigs.omit.d/wpasupplicant.pid -u -s -O /var/run/wpa_supplicant
0.0 0.0 [ksoftirqd/1]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /sbin/init
0.0 0.0 [irq/62-iwlwifi]
0.0 0.0 [kworker/1:0]
0.0 0.0 [khugepaged]
0.0 0.0 [kworker/3:1]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 [kworker/2:1]
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 [ksoftirqd/0]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 PassengerLoggingAgent
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 cron
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 [kworker/u17:1]
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/1]
0.0 0.0 [migration/3]
0.0 0.0 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=X.X.X.X --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [migration/2]
0.0 0.0 [migration/0]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/2]
0.0 0.0 [watchdog/3]
0.0 0.0 /usr/sbin/modem-manager
0.0 0.0 Passenger spawn server
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 [khungtaskd]
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/0:2]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kthreadd]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [rcuob/4]
0.0 0.0 [rcuob/5]
0.0 0.0 [rcuob/6]
0.0 0.0 [rcuob/7]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 [irq/61-mei_me]
0.0 0.0 [kpsmoused]
0.0 0.0 [hci0]
0.0 0.0 [hci0]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kmemstick]
0.0 0.0 [cfg80211]
0.0 0.0 [ktpacpid]
0.0 0.0 [hd-audio1]
0.0 0.0 [hd-audio0]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 lightdm
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 supervising syslog-ng
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 /bin/sh cron/cron30min
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 /usr/local/apache/bin/httpd -k start
0.0 0.0 [kworker/u17:0]
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/1:2]
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [kworker/u16:3]
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/u17:2]
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [xfsalloc]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [jfsIO]
0.0 0.0 [jfsCommit]
0.0 0.0 [jfsCommit]
0.0 0.0 [jfsCommit]
0.0 0.0 [jfsCommit]
0.0 0.0 [jfsSync]
0.0 0.0 PassengerWatchdog
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 962280
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-wlan0/dailylogs/ - 0 days
4.0K .
/nsm/bro/logs/ - 6 days
5.3G .
1.2G ./2015-11-12
1.3G ./2015-11-13
659M ./2015-11-14
622M ./2015-11-15
1.3G ./2015-11-16
396M ./2015-11-17
18M ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.450395
SO-server-eth0-1: 1447764397.055491 recvd=1202019646 dropped=5413836 link=1202019646
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 2
Standard (non DNA) Options
Ring slots : 16384
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/2535-eth0.1965
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 26515219
Tot Pkt Lost : 22233
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 16386
Num Free Slots : 16278
/proc/net/pf_ring/5335-eth0.1
Appl. Name : bro-eth0
Tot Packets : 5502401538
Tot Pkt Lost : 5413836
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 16384
Num Free Slots : 16384
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
27201
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
57 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
12 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
9 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
8 3:32113 SERVER-OTHER Cisco ASA IKEv2 denial of service attempt
5 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
5 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
4 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
3 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
3 1:2022082 ET POLICY External IP Lookup ip-api.com
2 1:2014726 ET POLICY Outdated Windows Flash Version IE
2 1:2010066 ET POLICY Data POST to an image file (gif)
2 1:2010067 ET POLICY Data POST to an image file (jpg)
2 1:2009969 ET P2P eMule KAD Network Firewalled Request
1 1:2014304 ET POLICY External IP Lookup Attempt To Wipmania
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2017933 ET POLICY TraceMyIP IP lookup
1 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
1 1:2404152 ET CNC Zeus Tracker Reported CnC Server TCP group 2
1 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
1 1:34463 APP-DETECT TeamViewer remote administration tool outbound connection attempt
1 1:2523279 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 640
Total
122
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
7165 3:30881 MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt
5623 129:12 stream5: TCP Small Segment Threshold Exceeded
2640 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
2186 129:15 stream5: Reset outside window
1040 140:27 sip: Maximum dialogs in a session reached
808 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
808 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
726 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
566 1:2009702 ET POLICY DNS Update From External net
519 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
500 119:31 http_inspect: UNKNOWN METHOD
475 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
383 3:32113 SERVER-OTHER Cisco ASA IKEv2 denial of service attempt
289 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
267 119:19 http_inspect: LONG HEADER
241 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
241 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
230 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
194 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
159 1:2010066 ET POLICY Data POST to an image file (gif)
149 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
138 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
133 3:34023 PROTOCOL-VOIP Unity Conversation Manager record-route INVITE anomaly denial of service attempt
119 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
114 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
86 1:2014726 ET POLICY Outdated Windows Flash Version IE
81 138:5 sensitive_data: sensitive data - eMail addresses
73 1:2014997 ET POLICY Pandora Usage
73 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
57 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
53 1:34463 APP-DETECT TeamViewer remote administration tool outbound connection attempt
50 120:8 http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
44 1:2010067 ET POLICY Data POST to an image file (jpg)
42 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
37 139:1 sensitive_data: sensitive data global threshold exceeded
36 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
36 129:14 stream5: TCP Timestamp is missing
36 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
36 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
32 1:2021418 ET TROJAN Bedep HTTP POST CnC Beacon
28 1:2016104 ET TROJAN DNS Reply for unallocated address space - Potentially Malicious X.X.X.X/24
22 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
18 119:33 http_inspect: UNESCAPED SPACE IN HTTP URI
18 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
18 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
17 1:2007570 ET MALWARE User-Agent (Dummy)
16 3:31738 PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected
16 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
16 1:25459 FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt
14 1:2403317 ET CINS Active Threat Intelligence Poor Reputation IP UDP group 9
Total
27058
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
57 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
12 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
9 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
6 1:32113 SERVER-OTHER Cisco ASA IKEv2 denial of service attempt
5 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
4 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
3 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
3 1:2022082 ET POLICY External IP Lookup ip-api.com
3 1:2012089 ET SHELLCODE Possible Call with No Offset UDP Shellcode
2 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
2 1:32111 SERVER-OTHER Cisco ASA IKEv2 denial of service attempt
2 1:2010067 ET POLICY Data POST to an image file (jpg)
2 1:2014726 ET POLICY Outdated Windows Flash Version IE
2 1:2009969 ET P2P eMule KAD Network Firewalled Request
2 1:2010066 ET POLICY Data POST to an image file (gif)
1 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
1 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
1 1:34463 APP-DETECT TeamViewer remote administration tool outbound connection attempt
1 1:2017933 ET POLICY TraceMyIP IP lookup
1 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1 1:2014304 ET POLICY External IP Lookup Attempt To Wipmania
1 1:2404152 ET CNC Zeus Tracker Reported CnC Server TCP group 2
1 1:2523279 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 640
Total
122
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
7165 1:30881 MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt
5623 129:12 stream5: TCP Small Segment Threshold Exceeded
2640 1:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
2186 129:15 stream5: Reset outside window
1040 140:27 sip: Maximum dialogs in a session reached
808 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
808 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
726 120:3 http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
566 1:2009702 ET POLICY DNS Update From External net
519 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
500 119:31 http_inspect: UNKNOWN METHOD
475 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
377 1:32113 SERVER-OTHER Cisco ASA IKEv2 denial of service attempt
289 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
267 119:19 http_inspect: LONG HEADER
241 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
241 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
230 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
194 1:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
159 1:2010066 ET POLICY Data POST to an image file (gif)
149 1:2019416 ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
138 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
133 1:34023 PROTOCOL-VOIP Unity Conversation Manager record-route INVITE anomaly denial of service attempt
119 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
114 129:5 stream5: Bad segment, overlap adjusted size less than/equal 0
81 138:5 sensitive_data: sensitive data - eMail addresses
81 1:2014726 ET POLICY Outdated Windows Flash Version IE
73 1:2014997 ET POLICY Pandora Usage
57 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
53 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
53 1:34463 APP-DETECT TeamViewer remote administration tool outbound connection attempt
50 120:8 http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
44 1:2010067 ET POLICY Data POST to an image file (jpg)
42 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
37 139:1 sensitive_data: sensitive data global threshold exceeded
36 129:14 stream5: TCP Timestamp is missing
36 1:2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
36 1:2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
36 1:2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
32 1:2021418 ET TROJAN Bedep HTTP POST CnC Beacon
28 1:2016104 ET TROJAN DNS Reply for unallocated address space - Potentially Malicious X.X.X.X/24
22 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
20 1:2012089 ET SHELLCODE Possible Call with No Offset UDP Shellcode
18 119:33 http_inspect: UNESCAPED SPACE IN HTTP URI
18 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
18 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
17 1:2007570 ET MALWARE User-Agent (Dummy)
16 1:31738 PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected
16 1:25459 FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt
16 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
Total
27058
=========================================================================
Last update
=========================================================================
Start-Date: 2015-11-15 03:38:15
Commandline: apt-get -y dist-upgrade
Upgrade: libkrb5-3:amd64 (1.10+dfsg~beta1-2ubuntu0.6, 1.10+dfsg~beta1-2ubuntu0.7), libk5crypto3:amd64 (1.10+dfsg~beta1-2ubuntu0.6, 1.10+dfsg~beta1-2ubuntu0.7), libkrb5support0:amd64 (1.10+dfsg~beta1-2ubuntu0.6, 1.10+dfsg~beta1-2ubuntu0.7), krb5-locales:amd64 (1.10+dfsg~beta1-2ubuntu0.6, 1.10+dfsg~beta1-2ubuntu0.7), libgssapi-krb5-2:amd64 (1.10+dfsg~beta1-2ubuntu0.6, 1.10+dfsg~beta1-2ubuntu0.7)
End-Date: 2015-11-15 03:38:19
Start-Date: 2015-11-15 03:40:24
Commandline: apt-get autoremove
Remove: linux-image-3.13.0-62-generic:amd64 (3.13.0-62.102~precise1), linux-headers-3.13.0-62-generic:amd64 (3.13.0-62.102~precise1), linux-headers-3.13.0-62:amd64 (3.13.0-62.102~precise1)
End-Date: 2015-11-15 03:40:35
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
17157 supervising syslog-ng
17158 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1605 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1460 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
95G /nsm/elsa/data
37M /var/lib/mysql/syslog
1.7M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2015-11-16 23:39:27 2015-11-17 12:45:38
Hi Doug,
soc@soc-ThinkPad-T430:~$ sudo ls -la /var/ossec/logs/active-responses.log
-rw-rw---- 1 ossec ossec 0 Oct 1 12:43 /var/ossec/logs/active-responses.log
It's empty
Hi Doug,
I ran a Wireshark capture from my desktop to the Security Onion device. I attached the results. There is no firewall between my desktop and SecOnion.
On a side note, we have a VPN server. If I use the VPN (externally at home or internally), I can access the Security Onion server, no problem.