Re: [security-onion] Re: Promiscuous mode not working


Matt Gregory

Mar 8, 2013, 3:19:09 PM
to securit...@googlegroups.com

Did you let Security Onion configure your interfaces, or did you do it manually? Have you checked your /etc/network/interfaces configuration to make sure your monitor interface(s) are in promisc mode?

Matt

On Mar 8, 2013 2:27 PM, "Jerry Shenk" <jerry...@gmail.com> wrote:
Update:
I booted the install CD, went to tty2 and promiscuous mode works from there... apparently I did something wrong... but what could have caused that?

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.


Doug Burks

Mar 8, 2013, 4:50:11 PM
to securit...@googlegroups.com
Hi Jerry,

Is it possible you have eth0 and eth1 reversed?

Doug

On Fri, Mar 8, 2013 at 3:30 PM, Jerry Shenk <jerry...@gmail.com> wrote:
> I set them up with the SO setup wizard. If I run ifconfig, I see that the interface is in promiscuous mode (PROMISC is shown).
>
> Here is a copy of my /etc/network/interfaces script:
> # loopback network interface
> auto lo
> iface lo inet loopback
>
> # Management network interface
> auto eth1
> iface eth1 inet static
> address 172.19.39.24
> gateway 172.19.39.1
> netmask 255.255.255.0
> dns-nameservers 172.19.39.15
> dns-domain XXXXXX
>
> auto eth0
> iface eth0 inet manual
> up ifconfig $IFACE -arp up
> up ip link set $IFACE promisc on
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> post-up ethtool -G $IFACE rx 511; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
> post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
>

--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Mar 9, 2013, 2:18:25 PM
to securit...@googlegroups.com
The receive buffer of 511 seems strange. Try changing the following line:

post-up ethtool -G $IFACE rx 511; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

to this:

post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

and then reboot.

Doug

On Sat, Mar 9, 2013 at 8:17 AM, Jerry Shenk <jerry...@gmail.com> wrote:
> The interfaces are not reversed. I used a combination of mii-tool on the SO box and sh int 47 on the switch to verify that the correct (eth0) interface loses link in mii-tool and goes down on the switch when I unplug it.
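A script that verifies the state the quoted eth0 stanza is supposed to produce, added here as an example; it is not Security Onion's own code and was not posted in this thread. It assumes a Linux sensor with iproute2 and ethtool installed (the live check needs root), reads the flag line from ip link or ifconfig and the output of ethtool --show-offload, and reports anything that differs from what the up/post-up lines ask for: UP, PROMISC, NOARP, the eight listed offloads off, and IPv6 disabled. The function names and the embedded sample ethtool output are constructed for the example.

```shell
#!/bin/sh
# check_sniff_iface.sh - verify that a sniffing interface ended up in the state
# the /etc/network/interfaces stanza quoted above asks for: UP, PROMISC, NOARP,
# the listed offloads switched off and IPv6 disabled.
# Added example for this thread, not Security Onion's own code. Assumes Linux
# with iproute2 and ethtool; the live check needs root. Function names and the
# sample ethtool output below are constructed for the example.

# Features the stanza's post-up loop turns off (ethtool -K rx tx sg tso ufo gso
# gro lro), under the names `ethtool --show-offload` prints for them.
WANT_OFF="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload \
udp-fragmentation-offload generic-segmentation-offload generic-receive-offload \
large-receive-offload"

# flags_ok LINE: LINE is the flag line from ifconfig ("UP BROADCAST RUNNING NOARP
# PROMISC ...") or from `ip -o link show` ("<BROADCAST,NOARP,PROMISC,UP,...>").
# Succeeds only when UP, PROMISC and NOARP are all present.
flags_ok() {
    _f=" $(printf '%s' "$1" | tr ',<>' '   ') "
    for _need in UP PROMISC NOARP; do
        case "$_f" in *" $_need "*) ;; *) return 1 ;; esac
    done
    return 0
}

# offloads_on TEXT: TEXT is `ethtool --show-offload` output. Prints each feature
# from WANT_OFF that is still reported as on; prints nothing when all are off.
offloads_on() {
    printf '%s\n' "$1" | while IFS=: read -r _name _state; do
        _name=$(printf '%s' "$_name" | tr -d ' \t')
        _state=$(printf '%s' "$_state" | tr -d ' \t')
        [ -n "$_name" ] || continue
        case " $WANT_OFF " in
            *" $_name "*) case "$_state" in on*) printf '%s\n' "$_name" ;; esac ;;
        esac
    done
}

# check_live IFACE: run every check against a real interface; exit status 0 = healthy.
check_live() {
    _if=$1
    _line=$(ip -o link show "$_if" 2>/dev/null) || { echo "$_if: no such interface" >&2; return 2; }
    _rc=0
    if flags_ok "$_line"; then echo "$_if: UP, PROMISC and NOARP are set"
    else echo "$_if: expected UP, PROMISC and NOARP in: $_line"; _rc=1; fi
    _still=$(offloads_on "$(ethtool --show-offload "$_if" 2>/dev/null)")
    if [ -n "$_still" ]; then
        echo "$_if: offloads still on:"; printf '%s\n' "$_still" | sed 's/^/  /'; _rc=1
    else echo "$_if: all listed offloads are off"; fi
    _v6=/proc/sys/net/ipv6/conf/$_if/disable_ipv6
    if [ -r "$_v6" ] && [ "$(cat "$_v6")" = 1 ]; then echo "$_if: IPv6 disabled"
    else echo "$_if: IPv6 not disabled (the stanza writes 1 to $_v6)"; _rc=1; fi
    return $_rc
}

# Constructed sample modelled on the ethtool output posted later in this thread,
# with two features deliberately left on so the check has something to report.
SAMPLE_ETHTOOL='Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

if [ -n "${1:-}" ]; then
    check_live "$1"
else
    # No interface given: exercise the parsers on the constructed sample.
    if flags_ok "UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1"; then
        echo "sample flags: ok"
    fi
    echo "sample offloads still on:"; offloads_on "$SAMPLE_ETHTOOL" | sed 's/^/  /'
fi
```

Run it as root with the sniffing interface as the only argument (sh check_sniff_iface.sh eth0); with no argument it only exercises the parsers on the sample. A feature reported as "on [fixed]" is flagged too, since the driver will not let ethtool -K turn it off and the stanza's loop silently fails for it.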

Matt Gregory

Apr 1, 2013, 5:27:42 PM
to securit...@googlegroups.com
Have you verified that the traffic you expect to see on your sniffing interface is actually reaching it?  Try running 

sudo tcpdump -nntv -i <interface_name> 

and see what you get.

Also run sudo sostat and post the output here (redacting any sensitive info).

Matt


On Mon, Apr 1, 2013 at 2:46 PM, Jerry Shenk <jerry...@gmail.com> wrote:
On Tuesday, March 12, 2013 7:46:57 AM UTC-4, Jerry Shenk wrote:
> I'll give that a try as soon as I can...won't be able to for a couple days.  Thanks.

I finally got back to this - I changed that line in /etc/network/interfaces and I still can't see traffic on that interface.  I see broadcasts but no "promiscuous traffic".

I then double-checked using ethtool and it looks like all those settings are active:
~# ethtool --show-offload eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
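Matt's tcpdump check, made more specific, as an added example that is not part of the thread and not Security Onion's own code. Broadcasts and multicasts reach a NIC whether or not it is in promiscuous mode, so they prove nothing about the mirror port; what proves the feed is working is unicast traffic addressed to some other host's MAC. The script builds a BPF filter for exactly that, and it classifies the destination MACs in tcpdump -e output so a short capture can be summarised. It assumes Linux with tcpdump and coreutils (the live capture needs root); the function names, the made-up MACs and the sample capture are constructed for the example, with the two sensor MACs taken from the sostat output posted later in the thread.

```shell
#!/bin/sh
# foreign_unicast.sh - tell whether a mirror (span) port is really delivering other
# hosts' traffic to the sniffing interface, or only the broadcasts every port sees.
# Added example for this thread, not Security Onion's own code. Assumes Linux with
# tcpdump and coreutils; the live capture needs root. Function names and the
# sample capture below are constructed for the example.

# own_mac IFACE: the interface's own MAC address from sysfs.
own_mac() { cat "/sys/class/net/$1/address"; }

# unicast_filter MAC: BPF filter keeping only frames addressed to some other
# host's unicast MAC. Anything that matches proves both promiscuous mode and the
# mirror port are working; broadcast and multicast frames prove nothing, because
# a NIC receives those without promiscuous mode.
unicast_filter() {
    printf 'not ether dst %s and not ether broadcast and not ether multicast' "$1"
}

# classify_dst OWN_MAC DST_MAC: own, broadcast, multicast or foreign (unicast to
# another host). Case-insensitive on the hex digits.
classify_dst() {
    _own=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    _dst=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$_dst" = "$_own" ]; then echo own
    elif [ "$_dst" = ff:ff:ff:ff:ff:ff ]; then echo broadcast
    elif [ $((0x${_dst%%:*} & 1)) -eq 1 ]; then echo multicast   # I/G bit of first octet
    else echo foreign
    fi
}

# dst_summary OWN_MAC TEXT: TEXT is `tcpdump -nn -e` output, where every line
# starts "TIME SRC > DST, ethertype ...". Prints one count per destination class.
dst_summary() {
    printf '%s\n' "$2" | awk '$3 == ">" { d = $4; sub(/,$/, "", d); print d }' |
    while read -r _d; do classify_dst "$1" "$_d"; done |
    awk '{ c[$0]++ }
         END { printf "own=%d broadcast=%d multicast=%d foreign=%d\n",
                      c["own"], c["broadcast"], c["multicast"], c["foreign"] }'
}

# capture_check IFACE [SECONDS]: capture unfiltered for a few seconds (at most 500
# frames) and summarise what arrived. foreign=0 after a busy interval means the
# mirror port is not sending this interface anything it would not see anyway.
capture_check() {
    _mac=$(own_mac "$1")
    _cap=$(timeout "${2:-10}" tcpdump -l -nn -e -i "$1" -c 500 2>/dev/null)
    echo "$1 ($_mac): $(dst_summary "$_mac" "$_cap")"
    echo "to watch foreign unicast live: tcpdump -nn -e -i $1 '$(unicast_filter "$_mac")'"
}

# Constructed sample of `tcpdump -nn -e` output as seen from eth1. The sensor
# MACs are the ones in the sostat output in this thread; the others are made up.
SAMPLE_MAC=00:15:17:76:6c:35
SAMPLE_CAPTURE='12:00:01.000001 90:2b:34:e2:7b:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.1.1 tell 10.1.1.5, length 46
12:00:01.000002 90:2b:34:e2:7b:c3 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 10.1.1.5.5353 > 224.0.0.251.5353: UDP, length 58
12:00:01.000003 00:11:22:33:44:55 > 00:15:17:76:6c:35, ethertype IPv4 (0x0800), length 98: 10.1.2.75.61576 > 10.1.1.6.2022: Flags [.], length 0
12:00:01.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 10.1.2.75.49152 > 10.1.3.9.443: Flags [.], length 1460
12:00:01.000005 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 10.1.3.9.443 > 10.1.2.75.49152: Flags [.], ack 1461, length 0'

if [ -n "${1:-}" ]; then
    capture_check "$1" "${2:-}"
else
    echo "sample capture: $(dst_summary "$SAMPLE_MAC" "$SAMPLE_CAPTURE")"
fi
```

On the sample the summary is own=1 broadcast=1 multicast=1 foreign=2; on a sensor that only sees "broadcasts but no promiscuous traffic", as described above, foreign stays at 0 however long the capture runs, which points at the switch side rather than at the NIC.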

Doug Burks

Apr 4, 2013, 6:56:03 AM
to securit...@googlegroups.com
What kind of NICs are you using?

Have you tried any other NICs?

Have you tried swapping the positions of the eth0 and eth1 stanzas in /etc/network/interfaces? (I don't really think this would have any effect, but it's worth a shot.)

Have you tried removing the following lines from the eth0 stanza?
post-up ethtool -G $IFACE rx 511; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Have you tried swapping eth0 and eth1 altogether, making eth0 the management interface and eth1 the sniffing interface?

Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Wed, Apr 3, 2013 at 9:45 AM, Jerry Shenk <jerry...@gmail.com> wrote:
> No, not a VM, this is a hardware installation. Thanks for the idea though...I'm certainly out of my own;)
>

Jerry Shenk

Sep 18, 2013, 12:05:06 PM
to securit...@googlegroups.com
This is a very late reply and this is a totally different box. The other project/box was scrapped. This is a new computer - HP Envy - pretty hot box. The NIC is an Intel Pro/1000.

Here is the sostat output:
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager 10.1.1.5 running 4466 2 18 Sep 15:59:16
proxy proxy 10.1.1.5 running 4636 2 18 Sep 15:59:18
HTM-001-S-eth1-1 worker 10.1.1.5 running 4802 2 18 Sep 15:59:21
Status: HTM-001-S-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ FAIL ]
* snort_agent-1 (sguil)[ FAIL ]
* snort-1 (alert data)[ FAIL ]
* barnyard2-1 (spooler, unified2 format)[ FAIL ]
* prads (sessions/assets)[ FAIL ]
* sancp_agent (sguil)[ FAIL ]
* pads_agent (sguil)[ FAIL ]
* argus[ FAIL ]
* http_agent (sguil)[ FAIL ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 90:2b:34:e2:7b:c3
inet addr:10.1.1.5 Bcast:10.1.255.255 Mask:255.255.0.0
inet6 addr: fe80::922b:34ff:fee2:7bc3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4741 errors:0 dropped:0 overruns:0 frame:0
TX packets:842 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:834210 (834.2 KB) TX bytes:347509 (347.5 KB)
Interrupt:81 Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:15:17:76:6c:35
inet6 addr: fe80::215:17ff:fe76:6c35/64 Scope:Link
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:919 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:136118 (136.1 KB) TX bytes:3490 (3.4 KB)
Interrupt:20 Memory:fe840000-fe860000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:53754 (53.7 KB) TX bytes:53754 (53.7 KB)


=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 908G 4.8G 857G 1% /
udev 4.9G 4.0K 4.9G 1% /dev
tmpfs 2.0G 904K 2.0G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 4.9G 0 4.9G 0% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1120 avahi 12u IPv4 1789 0t0 UDP *:5353
avahi-dae 1120 avahi 13u IPv6 1790 0t0 UDP *:5353
avahi-dae 1120 avahi 14u IPv4 1791 0t0 UDP *:51403
avahi-dae 1120 avahi 15u IPv6 1792 0t0 UDP *:33847
cupsd 1159 root 8u IPv6 3528 0t0 TCP [::1]:631 (LISTEN)
cupsd 1159 root 9u IPv4 3529 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 1351 root 3r IPv4 9757 0t0 TCP *:2022 (LISTEN)
sshd 1351 root 4u IPv6 9759 0t0 TCP *:2022 (LISTEN)
syslog-ng 1464 root 9u IPv4 1933 0t0 TCP *:514 (LISTEN)
syslog-ng 1464 root 10u IPv4 1934 0t0 UDP *:514
mysqld 1507 mysql 10u IPv4 12941 0t0 TCP 127.0.0.1:3306 (LISTEN)
searchd 1602 sphinxsearch 7u IPv4 3690 0t0 TCP *:9306 (LISTEN)
searchd 1602 sphinxsearch 8u IPv4 3691 0t0 TCP *:9312 (LISTEN)
exim4 1895 Debian-exim 3u IPv4 12589 0t0 TCP 10.1.1.5:25 (LISTEN)
exim4 1895 Debian-exim 4u IPv6 12590 0t0 TCP [::1]:25 (LISTEN)
ntop 1966 ntop 1u IPv4 12845 0t0 TCP *:3001 (LISTEN)
ossec-csy 2034 ossecm 5u IPv4 8727 0t0 UDP 127.0.0.1:50195->127.0.0.1:514
/usr/sbin 2424 root 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2424 root 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2424 root 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2424 root 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 2469 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2469 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2469 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2469 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 2470 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2470 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2470 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2470 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 2471 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2471 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2471 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2471 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 2472 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2472 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2472 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2472 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 2473 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 2473 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2473 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2473 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
sshd 2535 root 3r IPv4 8917 0t0 TCP 10.1.1.5:2022->10.1.2.75:61576 (ESTABLISHED)
sshd 3370 jas 3u IPv4 8917 0t0 TCP 10.1.1.5:2022->10.1.2.75:61576 (ESTABLISHED)
/usr/sbin 3717 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 3717 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3717 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3717 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
redir 3794 root 3u IPv4 17396 0t0 TCP *:10102 (LISTEN)
redir 3795 root 3u IPv4 19655 0t0 TCP *:10101 (LISTEN)
redir 3796 root 3u IPv4 18740 0t0 TCP *:27408 (LISTEN)
redir 3797 root 3u IPv4 16182 0t0 TCP *:27407 (LISTEN)
redir 3798 root 3u IPv4 17822 0t0 TCP *:5003 (LISTEN)
redir 3799 root 3u IPv4 18736 0t0 TCP *:502 (LISTEN)
redir 3800 root 3u IPv4 15277 0t0 TCP *:503 (LISTEN)
ntpd 3899 ntp 16u IPv4 15308 0t0 UDP *:123
ntpd 3899 ntp 17u IPv6 15309 0t0 UDP *:123
ntpd 3899 ntp 18u IPv4 15315 0t0 UDP 127.0.0.1:123
ntpd 3899 ntp 19u IPv4 15316 0t0 UDP 10.1.1.5:123
ntpd 3899 ntp 20u IPv6 15317 0t0 UDP [fe80::922b:34ff:fee2:7bc3]:123
ntpd 3899 ntp 21u IPv6 15318 0t0 UDP [fe80::215:17ff:fe76:6c35]:123
ntpd 3899 ntp 22u IPv6 15319 0t0 UDP [::1]:123
/usr/sbin 3939 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 3939 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3939 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3939 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 3940 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 3940 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3940 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3940 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 3941 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 3941 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3941 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3941 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
/usr/sbin 3942 www-data 4u IPv4 13583 0t0 TCP *:443 (LISTEN)
/usr/sbin 3942 www-data 5u IPv4 13586 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3942 www-data 6u IPv4 13588 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3942 www-data 7u IPv4 13592 0t0 TCP *:444 (LISTEN)
tclsh 4191 root 13u IPv4 23755 0t0 TCP *:7734 (LISTEN)
tclsh 4191 root 14u IPv4 23756 0t0 TCP *:7736 (LISTEN)
tclsh 4191 root 15u IPv4 23770 0t0 TCP 127.0.0.1:7736->127.0.0.1:52824 (ESTABLISHED)
tclsh 4233 root 3u IPv4 16361 0t0 TCP 127.0.0.1:52824->127.0.0.1:7736 (ESTABLISHED)
bro 4466 root 4u IPv4 18181 0t0 UDP 10.1.1.5:45030->10.1.1.34:53
bro 4475 root 0u IPv4 18184 0t0 TCP *:47761 (LISTEN)
bro 4475 root 1u IPv6 18185 0t0 TCP *:47761 (LISTEN)
bro 4475 root 2u IPv4 24635 0t0 TCP 10.1.1.5:47761->10.1.1.5:59419 (ESTABLISHED)
bro 4475 root 4u IPv4 18181 0t0 UDP 10.1.1.5:45030->10.1.1.34:53
bro 4475 root 10u IPv4 19050 0t0 TCP 10.1.1.5:47761->10.1.1.5:59421 (ESTABLISHED)
bro 4636 root 4u IPv4 18206 0t0 UDP 10.1.1.5:47965->10.1.1.34:53
bro 4644 root 0u IPv4 18954 0t0 TCP 10.1.1.5:59419->10.1.1.5:47761 (ESTABLISHED)
bro 4644 root 1u IPv4 18957 0t0 TCP *:47762 (LISTEN)
bro 4644 root 2u IPv6 18958 0t0 TCP *:47762 (LISTEN)
bro 4644 root 4u IPv4 18206 0t0 UDP 10.1.1.5:47965->10.1.1.34:53
bro 4644 root 9u IPv4 21931 0t0 TCP 10.1.1.5:47762->10.1.1.5:36245 (ESTABLISHED)
bro 4802 root 4u IPv4 18236 0t0 UDP 10.1.1.5:48702->10.1.1.34:53
bro 4806 root 0u IPv4 20105 0t0 TCP 10.1.1.5:36245->10.1.1.5:47762 (ESTABLISHED)
bro 4806 root 1u IPv4 20106 0t0 TCP 10.1.1.5:59421->10.1.1.5:47761 (ESTABLISHED)
bro 4806 root 2u IPv4 20109 0t0 TCP *:47763 (LISTEN)
bro 4806 root 4u IPv4 18236 0t0 UDP 10.1.1.5:48702->10.1.1.34:53
bro 4806 root 10u IPv6 20110 0t0 TCP *:47763 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
top - 15:59:27 up 1 min, 1 user, load average: 0.71, 0.30, 0.11
Tasks: 195 total, 2 running, 188 sleeping, 0 stopped, 5 zombie
Cpu(s): 3.2%us, 3.0%sy, 0.1%ni, 85.1%id, 8.5%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 10125408k total, 1167616k used, 8957792k free, 36588k buffers
Swap: 15495208k total, 0k used, 15495208k free, 230304k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4475 root 25 5 279m 18m 860 S 24 0.2 0:01.45 bro
4806 root 25 5 199m 82m 64m S 24 0.8 0:01.06 bro
4802 root 20 0 267m 85m 68m S 22 0.9 0:01.17 bro
4644 root 25 5 207m 18m 880 S 20 0.2 0:01.27 bro
4466 root 20 0 707m 21m 3924 S 2 0.2 0:00.30 bro
1 root 20 0 24600 2616 1376 S 0 0.0 0:01.10 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.03 ksoftirqd/0
4 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
5 root 20 0 0 0 0 S 0 0.0 0:00.31 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.06 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/1
9 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:0
10 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
11 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/0:1
12 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.01 migration/2
14 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:0
15 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/3
18 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:0
19 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/3
21 root RT 0 0 0 0 S 0 0.0 0:00.01 migration/4
22 root 20 0 0 0 0 S 0 0.0 0:00.06 kworker/4:0
23 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/4
24 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/4
25 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/5
26 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/5:0
27 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/5
28 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/5
29 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
30 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
31 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
32 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
33 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:1
34 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
35 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
36 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
37 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
38 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
39 root 20 0 0 0 0 S 0 0.0 0:00.02 khubd
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
41 root -51 0 0 0 0 S 0 0.0 0:00.00 irq/72-AMD-Vi
43 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
44 root 20 0 0 0 0 S 0 0.0 0:00.00 kswapd0
45 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
46 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
47 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
48 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
49 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
57 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
58 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
59 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
60 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
61 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_3
62 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:2
63 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:3
64 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:4
65 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:1
66 root 20 0 0 0 0 R 0 0.0 0:00.00 kworker/2:1
67 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:1
86 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/0:2
87 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:1
88 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/5:1
89 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
156 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/5:2
247 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
289 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_4
290 root 20 0 0 0 0 S 0 0.0 0:00.00 usb-storage
368 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:2
369 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/4:3
370 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:2
375 root 20 0 0 0 0 S 0 0.0 0:00.01 jbd2/sda1-8
377 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
419 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:2
420 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:3
421 root 20 0 0 0 0 S 0 0.0 0:00.00 flush-251:0
501 root 20 0 17232 632 448 S 0 0.0 0:00.07 upstart-udev-br
543 root 20 0 21856 1680 820 S 0 0.0 0:00.05 udevd
668 root 20 0 21956 1376 468 S 0 0.0 0:00.00 udevd
669 root 20 0 21956 1256 364 S 0 0.0 0:00.00 udevd
706 root 20 0 0 0 0 S 0 0.0 0:00.01 kworker/3:2
721 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
743 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
749 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
764 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
786 root 0 -20 0 0 0 S 0 0.0 0:00.00 hd-audio0
899 root 0 -20 0 0 0 S 0 0.0 0:00.00 hd-audio1
976 root 20 0 15188 396 204 S 0 0.0 0:00.01 upstart-socket-
1096 messageb 20 0 24264 1376 804 S 0 0.0 0:00.04 dbus-daemon
1111 root 20 0 21188 1728 1444 S 0 0.0 0:00.00 bluetoothd
1120 avahi 20 0 32304 1720 1416 S 0 0.0 0:00.01 avahi-daemon
1121 avahi 20 0 32180 468 212 S 0 0.0 0:00.00 avahi-daemon
1141 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1159 root 20 0 101m 3676 2720 S 0 0.0 0:00.00 cupsd
1351 root 20 0 50032 2892 2288 S 0 0.0 0:00.00 sshd
1439 root 20 0 20004 952 800 S 0 0.0 0:00.00 getty
1445 root 20 0 20008 964 800 S 0 0.0 0:00.00 getty
1463 root 20 0 26780 440 200 S 0 0.0 0:00.00 syslog-ng
1464 root 20 0 75624 5104 2976 S 0 0.1 0:00.35 syslog-ng
1465 root 20 0 20008 956 800 S 0 0.0 0:00.00 getty
1466 root 20 0 20004 956 800 S 0 0.0 0:00.00 getty
1469 root 20 0 20008 956 800 S 0 0.0 0:00.00 getty
1470 root 20 0 4396 604 508 S 0 0.0 0:00.00 sh
1482 root 20 0 4456 812 556 S 0 0.0 0:00.00 acpid
1485 root 20 0 19112 1000 768 S 0 0.0 0:00.00 cron
1487 daemon 20 0 16908 376 216 S 0 0.0 0:00.00 atd
1492 root 20 0 280m 4308 3512 S 0 0.0 0:00.00 lightdm
1498 root 20 0 15980 692 512 S 0 0.0 0:00.00 irqbalance
1507 mysql 20 0 1370m 58m 8252 S 0 0.6 0:00.84 mysqld
1524 sphinxse 20 0 72916 2032 1460 S 0 0.0 0:00.00 su
1526 root 20 0 3066m 3896 2828 S 0 0.0 0:00.02 console-kit-dae
1593 root 20 0 207m 4824 3620 S 0 0.0 0:00.02 polkitd
1602 sphinxse 20 0 315m 32m 14m S 0 0.3 0:01.28 searchd
1616 root 20 0 138m 18m 9836 S 0 0.2 0:00.23 Xorg
1628 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
1630 root 20 0 201m 37m 3708 S 0 0.4 0:01.67 perl
1895 Debian-e 20 0 47472 1024 576 S 0 0.0 0:00.00 exim4
1928 root 20 0 185m 4716 3716 S 0 0.0 0:00.00 lightdm
1931 root 20 0 132m 4324 3656 S 0 0.0 0:00.01 accounts-daemon
1949 lightdm 20 0 63176 868 448 S 0 0.0 0:00.00 gnome-keyring-d
1966 ntop 20 0 583m 28m 5832 S 0 0.3 0:00.04 ntop
1986 lightdm 20 0 4400 612 508 S 0 0.0 0:00.00 lightdm-greeter
1991 lightdm 20 0 23952 688 448 S 0 0.0 0:00.00 dbus-daemon
1993 lightdm 20 0 244m 13m 10m S 0 0.1 0:00.21 lightdm-gtk-gre
2004 lightdm 20 0 52404 2396 1996 S 0 0.0 0:00.00 gvfsd
2006 lightdm 20 0 215m 3612 2992 S 0 0.0 0:00.00 gvfs-fuse-daemo
2014 root 20 0 214m 4288 3332 S 0 0.0 0:00.08 upowerd
2034 ossecm 20 0 12916 616 428 S 0 0.0 0:00.00 ossec-csyslogd
2037 root 20 0 0 0 0 S 0 0.0 0:00.02 flush-8:0
2057 root 20 0 12804 536 352 S 0 0.0 0:00.00 ossec-execd
2068 ossec 20 0 14504 2344 784 S 0 0.0 0:00.05 ossec-analysisd
2077 root 20 0 4528 516 380 S 0 0.0 0:00.00 ossec-logcollec
2096 root 20 0 94656 2572 1888 S 0 0.0 0:00.00 lightdm
2244 root 20 0 4788 700 492 S 0 0.0 0:00.00 ossec-syscheckd
2249 ossec 20 0 13060 544 364 S 0 0.0 0:00.00 ossec-monitord
2353 nagios 25 5 27272 1748 688 S 0 0.0 0:00.01 nagios3
2424 root 20 0 181m 13m 7048 S 0 0.1 0:00.07 /usr/sbin/apach
2431 root 20 0 215m 2056 1760 S 0 0.0 0:00.00 PassengerWatchd
2438 root 20 0 288m 2284 2000 S 0 0.0 0:00.00 PassengerHelper
2446 root 20 0 108m 8180 2144 S 0 0.1 0:00.04 ruby1.9.1
2449 nobody 20 0 165m 4664 3636 S 0 0.0 0:00.00 PassengerLoggin
2469 www-data 20 0 187m 16m 4416 S 0 0.2 0:00.08 /usr/sbin/apach
2470 www-data 20 0 188m 17m 4356 S 0 0.2 0:00.08 /usr/sbin/apach
2471 www-data 20 0 187m 16m 4500 S 0 0.2 0:00.12 /usr/sbin/apach
2472 www-data 20 0 187m 16m 4212 S 0 0.2 0:00.08 /usr/sbin/apach
2473 www-data 20 0 187m 15m 4212 S 0 0.2 0:00.04 /usr/sbin/apach
2486 root 20 0 20008 960 800 S 0 0.0 0:00.00 getty
2535 root 20 0 101m 4392 3340 S 0 0.0 0:00.02 sshd
2816 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
2819 root 20 0 4400 320 216 S 0 0.0 0:00.00 sh
2825 root 20 0 4308 356 276 S 0 0.0 0:00.00 sleep
3370 jas 20 0 101m 1996 944 S 0 0.0 0:00.01 sshd
3373 jas 20 0 31800 8812 1688 S 0 0.1 0:00.30 bash
3717 www-data 20 0 187m 15m 4212 S 0 0.2 0:00.04 /usr/sbin/apach
3739 root 20 0 78380 2536 1816 S 0 0.0 0:00.00 sudo
3794 root 20 0 10640 776 648 S 0 0.0 0:00.00 redir
3795 root 20 0 10640 780 648 S 0 0.0 0:00.00 redir
3796 root 20 0 10640 776 648 S 0 0.0 0:00.00 redir
3797 root 20 0 10640 780 648 S 0 0.0 0:00.00 redir
3798 root 20 0 10640 772 648 S 0 0.0 0:00.00 redir
3799 root 20 0 10640 780 648 S 0 0.0 0:00.00 redir
3800 root 20 0 10640 784 648 S 0 0.0 0:00.00 redir
3801 root 20 0 79992 2088 1508 S 0 0.0 0:00.00 su
3808 root 20 0 27924 4964 1716 S 0 0.0 0:00.12 bash
3899 ntp 20 0 37772 2216 1584 S 0 0.0 0:00.00 ntpd
3939 www-data 20 0 181m 7968 1316 S 0 0.1 0:00.00 /usr/sbin/apach
3940 www-data 20 0 182m 10m 3508 S 0 0.1 0:00.00 /usr/sbin/apach
3941 www-data 20 0 181m 7248 664 S 0 0.1 0:00.00 /usr/sbin/apach
3942 www-data 20 0 181m 7248 664 S 0 0.1 0:00.00 /usr/sbin/apach
4143 root 20 0 17864 1456 1196 S 0 0.0 0:00.00 nsm
4146 root 20 0 18388 2044 1272 S 0 0.0 0:00.00 nsm
4191 root 20 0 118m 6548 3600 S 0 0.1 0:00.10 tclsh
4194 root 20 0 118m 3448 768 S 0 0.0 0:00.00 tclsh
4195 root 20 0 118m 3256 564 S 0 0.0 0:00.00 tclsh
4208 root 20 0 18372 2056 1292 S 0 0.0 0:00.00 nsm_sensor
4214 root 20 0 18548 2272 1308 S 0 0.0 0:00.02 nsm_sensor_ps-s
4233 root 20 0 37384 4480 2536 S 0 0.0 0:00.00 tclsh
4234 root 20 0 4340 352 280 S 0 0.0 0:00.00 tail
4456 root 20 0 17884 1576 1300 S 0 0.0 0:00.00 bash
4469 root 20 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
4472 root 20 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
4626 root 20 0 17884 1576 1300 S 0 0.0 0:00.00 bash
4636 root 20 0 275m 21m 3940 S 0 0.2 0:00.26 bro
4638 root 20 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
4640 root 20 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
4793 root 20 0 17884 1576 1300 S 0 0.0 0:00.00 bash
4804 root 20 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
4844 sguil 20 0 281m 255m 239m S 0 2.6 0:00.16 netsniff-ng
4867 root 20 0 4304 344 276 S 0 0.0 0:00.00 sleep
4868 root 20 0 16552 1480 1244 S 0 0.0 0:00.00 sostat
5052 root 20 0 17336 1304 908 R 0 0.0 0:00.00 top


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/HTM-001-S-eth1/dailylogs/
13M .
13M ./2013-09-18

/nsm/bro/logs/
536K .
448K ./2013-09-18
84K ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/HTM-001-S-eth1/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
Appl. Name : <unknown>
Tot Packets : 25
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
22

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
3 10000:1 PADS New Asset - unknown @domain
3 1:2012648 ET POLICY Dropbox Client Broadcasting
1 10000:1 PADS New Asset - unknown @https
1 1:2406708 ET RBN Known Russian Business Network IP TCP (355)
1 10000:1 PADS New Asset - unknown @syslog
Total
9

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
3 1:2012648 ET POLICY Dropbox Client Broadcasting
1 1:2406708 ET RBN Known Russian Business Network IP TCP (355)
Total
4

Doug Burks

Sep 18, 2013, 4:28:20 PM
to securit...@googlegroups.com
Replies inline.
Please check the log files for each of these processes in /var/log/nsm/HTM-001-S-eth1/ to see why they failed. Is it possible that eth1 hadn't established link with the span port when the processes tried to start?

> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 90:2b:34:e2:7b:c3
> inet addr:10.1.1.5 Bcast:10.1.255.255 Mask:255.255.0.0
> inet6 addr: fe80::922b:34ff:fee2:7bc3/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4741 errors:0 dropped:0 overruns:0 frame:0
> TX packets:842 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:834210 (834.2 KB) TX bytes:347509 (347.5 KB)
> Interrupt:81 Base address:0xe000
>
> eth1 Link encap:Ethernet HWaddr 00:15:17:76:6c:35
> inet6 addr: fe80::215:17ff:fe76:6c35/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:919 errors:0 dropped:0 overruns:0 frame:0
> TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:136118 (136.1 KB) TX bytes:3490 (3.4 KB)

Seems like a really low amount of traffic. Are you sure the mirror port is configured properly?