Unable to access Sql database in SO & SANCP Query failing
111 views
Skip to first unread message
BelleCrosse
Nov 2, 2016, 5:33:30 PM11/2/16
to security-onion
Hello Everyone,
And thank you in advance for your assistance on this inquiry of mine. It has been a very interesting journey learning about SO,then deploying it in a virtual lab, then a live production environment.
However, I'm at the stage where when i run a "SANCP" query in Sguil, i get the message that the "mysql_db database doesn't exist". Also, i get the error message below when i run the command to show available databases on the system. I do know from reading the output below that "SANCP" & "PADS" agent are set to "no". Therefore my question is asking if anyone knows how to enable those functions so queries could be run?
Also, is there a way to reinstall "MySql", then configure it to be able to communicate with the SO tools suite when it comes to running queries, reports etc....
Thanks to everyone for their time in looking into this.
****** Legend: /////// (Used to separate outputs) *******
[OUTPUTS BELOW]
Below is the output from
mysql -uroot -e 'show databases;'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
////////////// /////////////////// //////////////////// ////////////////
This is the output of
grep ENABLED /etc/nsm/*/sensor.conf
PCAP_ENABLED="yes"
PCAP_AGENT_ENABLED="yes"
SNORT_AGENT_ENABLED="yes"
IDS_ENGINE_ENABLED="yes"
BARNYARD2_ENABLED="yes"
PRADS_ENABLED="no"
SANCP_AGENT_ENABLED="yes"
PADS_AGENT_ENABLED="no"
ARGUS_ENABLED="no"
HTTP_AGENT_ENABLED="no"
///////////////////////// //////////////////////// //////////////
Below is the output from sudo sostat-redacted
root@SoMaster-02:~# sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 5589 2 02 Nov 20:48:47
proxy proxy localhost running 5758 2 02 Nov 20:48:49
SO-server-eth0-1 worker localhost running 5928 2 02 Nov 20:48:50
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* sancp_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:5097 errors:0 dropped:0 overruns:0 frame:0
TX packets:3988 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3399690 (3.3 MB) TX bytes:918618 (918.6 KB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3435 errors:0 dropped:0 overruns:0 frame:0
TX packets:3435 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1294279 (1.2 MB) TX bytes:1294279 (1.2 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1294279 3435 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1294279 3435 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3399690 5097 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
918618 3988 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 396M 968K 395M 1% /run
/dev/dm-0 19G 6.3G 12G 36% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 37M 1.9G 2% /run/shm
none 100M 24K 100M 1% /run/user
/dev/vda1 236M 94M 130M 42% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 656 avahi 12u IPv4 11801 0t0 UDP *:5353
avahi-dae 656 avahi 13u IPv6 11802 0t0 UDP *:5353
avahi-dae 656 avahi 14u IPv4 11803 0t0 UDP *:56316
avahi-dae 656 avahi 15u IPv6 11804 0t0 UDP *:37945
sshd 1318 root 3u IPv4 8721 0t0 TCP *:ssh_port (LISTEN)
sshd 1318 root 4u IPv6 8723 0t0 TCP *:ssh_port (LISTEN)
searchd 1335 sphinxsearch 7u IPv4 11887 0t0 TCP *:9306 (LISTEN)
searchd 1335 sphinxsearch 8u IPv4 11888 0t0 TCP *:9312 (LISTEN)
cups-brow 1356 root 6u IPv6 22234 0t0 TCP [X.X.X.X]:59900->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1356 root 8u IPv4 22236 0t0 UDP *:631
syslog-ng 1388 root 14u IPv4 12014 0t0 TCP *:514 (LISTEN)
syslog-ng 1388 root 15u IPv4 12015 0t0 UDP *:514
mysqld 1400 mysql 14u IPv4 13789 0t0 TCP X.X.X.X:3306 (LISTEN)
salt-mini 1425 root 13u IPv4 11062 0t0 TCP X.X.X.X:34884->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1425 root 24u IPv4 15001 0t0 TCP X.X.X.X:33852->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1538 ossecm 5u IPv4 14406 0t0 UDP X.X.X.X:40163->X.X.X.X:514
salt-mast 1614 root 12u IPv4 14451 0t0 TCP *:4505 (LISTEN)
salt-mast 1614 root 14u IPv4 15002 0t0 TCP X.X.X.X:4505->X.X.X.X:33852 (ESTABLISHED)
salt-mast 1614 root 15u IPv4 20910 0t0 TCP X.X.X.X:4505->X.X.X.X:52025 (ESTABLISHED)
salt-mast 1614 root 16u IPv4 42009 0t0 TCP X.X.X.X:4505->X.X.X.X:59634 (ESTABLISHED)
salt-mast 1627 root 20u IPv4 14489 0t0 TCP *:4506 (LISTEN)
salt-mast 1627 root 22u IPv4 14948 0t0 TCP X.X.X.X:4506->X.X.X.X:34884 (ESTABLISHED)
salt-mast 1627 root 28u IPv4 20577 0t0 TCP X.X.X.X:4506->X.X.X.X:50776 (ESTABLISHED)
salt-mast 1627 root 29u IPv4 42008 0t0 TCP X.X.X.X:4506->X.X.X.X:55028 (ESTABLISHED)
xrdp 2463 xrdp 6u IPv4 17463 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 2465 root 6u IPv4 11218 0t0 TCP X.X.X.X:3350 (LISTEN)
ntpd 4658 ntp 16u IPv4 23896 0t0 UDP *:123
ntpd 4658 ntp 17u IPv6 23897 0t0 UDP *:123
ntpd 4658 ntp 18u IPv4 23903 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 19u IPv4 23904 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 20u IPv6 23905 0t0 UDP [X.X.X.X]:123
ntpd 4658 ntp 21u IPv6 23906 0t0 UDP [X.X.X.X]:123
cupsd 4675 root 10u IPv6 23218 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 4675 root 11u IPv4 23219 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 4680 root 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 9u IPv6 23242 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 4732 SO-user 10u IPv4 23243 0t0 TCP X.X.X.X:50000 (LISTEN)
/usr/sbin 4786 root 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4786 root 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4786 root 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4793 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4793 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4793 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4794 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4794 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4794 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4795 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4795 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4795 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4796 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4796 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4796 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4797 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4797 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4797 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
tclsh 4893 SO-user 13u IPv4 23410 0t0 TCP *:7734 (LISTEN)
tclsh 4893 SO-user 14u IPv6 23411 0t0 TCP *:7734 (LISTEN)
tclsh 4893 SO-user 15u IPv4 23414 0t0 TCP *:7736 (LISTEN)
tclsh 4893 SO-user 16u IPv6 23415 0t0 TCP *:7736 (LISTEN)
tclsh 4893 SO-user 17u IPv4 23416 0t0 TCP X.X.X.X:7736->X.X.X.X:49410 (ESTABLISHED)
tclsh 4893 SO-user 18u IPv4 23429 0t0 TCP X.X.X.X:7736->X.X.X.X:44019 (ESTABLISHED)
tclsh 4893 SO-user 19u IPv4 23434 0t0 TCP X.X.X.X:7736->X.X.X.X:33608 (ESTABLISHED)
tclsh 4893 SO-user 20u IPv4 23486 0t0 TCP X.X.X.X:7736->X.X.X.X:46842 (ESTABLISHED)
tclsh 4893 SO-user 21u IPv4 27728 0t0 TCP X.X.X.X:7736->X.X.X.X:32854 (ESTABLISHED)
tclsh 4893 SO-user 22u IPv4 27741 0t0 TCP X.X.X.X:7736->X.X.X.X:55881 (ESTABLISHED)
tclsh 4893 SO-user 23u IPv4 27742 0t0 TCP X.X.X.X:7736->X.X.X.X:34691 (ESTABLISHED)
tclsh 4893 SO-user 24u IPv4 27743 0t0 TCP X.X.X.X:7736->X.X.X.X:43829 (ESTABLISHED)
tclsh 4893 SO-user 25u IPv4 27748 0t0 TCP X.X.X.X:7736->X.X.X.X:38739 (ESTABLISHED)
tclsh 4893 SO-user 26u IPv4 27911 0t0 TCP X.X.X.X:7736->X.X.X.X:39292 (ESTABLISHED)
tclsh 4893 SO-user 27u IPv4 27912 0t0 TCP X.X.X.X:7736->X.X.X.X:57175 (ESTABLISHED)
tclsh 4893 SO-user 28u IPv4 40572 0t0 TCP X.X.X.X:7736->X.X.X.X:34491 (ESTABLISHED)
tclsh 4893 SO-user 29u IPv4 40598 0t0 TCP X.X.X.X:7736->X.X.X.X:38190 (ESTABLISHED)
tclsh 4893 SO-user 30u IPv4 40599 0t0 TCP X.X.X.X:7736->X.X.X.X:45728 (ESTABLISHED)
tclsh 4940 SO-user 3u IPv4 25084 0t0 TCP X.X.X.X:46842->X.X.X.X:7736 (ESTABLISHED)
bro 5589 SO-user 4u IPv4 25642 0t0 UDP X.X.X.X:46100->X.X.X.X:53
bro 5591 SO-user 0u IPv4 24273 0t0 TCP *:47761 (LISTEN)
bro 5591 SO-user 1u IPv6 24274 0t0 TCP *:47761 (LISTEN)
bro 5591 SO-user 2u IPv4 24338 0t0 TCP X.X.X.X:47761->X.X.X.X:50016 (ESTABLISHED)
bro 5591 SO-user 4u IPv4 25642 0t0 UDP X.X.X.X:46100->X.X.X.X:53
bro 5591 SO-user 268u IPv4 24431 0t0 TCP X.X.X.X:47761->X.X.X.X:50020 (ESTABLISHED)
bro 5758 SO-user 4u IPv4 25717 0t0 UDP X.X.X.X:57155->X.X.X.X:53
bro 5760 SO-user 0u IPv4 24337 0t0 TCP X.X.X.X:50016->X.X.X.X:47761 (ESTABLISHED)
bro 5760 SO-user 4u IPv4 25717 0t0 UDP X.X.X.X:57155->X.X.X.X:53
bro 5760 SO-user 266u IPv4 24345 0t0 TCP *:47762 (LISTEN)
bro 5760 SO-user 267u IPv6 24346 0t0 TCP *:47762 (LISTEN)
bro 5760 SO-user 268u IPv4 24428 0t0 TCP X.X.X.X:47762->X.X.X.X:52424 (ESTABLISHED)
bro 5928 SO-user 4u IPv4 24419 0t0 UDP X.X.X.X:55167->X.X.X.X:53
bro 5929 SO-user 0u IPv4 25012 0t0 TCP X.X.X.X:52424->X.X.X.X:47762 (ESTABLISHED)
bro 5929 SO-user 4u IPv4 24419 0t0 UDP X.X.X.X:55167->X.X.X.X:53
bro 5929 SO-user 266u IPv4 25015 0t0 TCP X.X.X.X:50020->X.X.X.X:47761 (ESTABLISHED)
bro 5929 SO-user 271u IPv4 25020 0t0 TCP *:47763 (LISTEN)
bro 5929 SO-user 272u IPv6 25021 0t0 TCP *:47763 (LISTEN)
tclsh 6022 SO-user 3u IPv4 24546 0t0 TCP X.X.X.X:44019->X.X.X.X:7736 (ESTABLISHED)
tclsh 6041 SO-user 3u IPv4 24568 0t0 TCP X.X.X.X:33608->X.X.X.X:7736 (ESTABLISHED)
tclsh 6041 SO-user 4u IPv4 24569 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 6041 SO-user 6u IPv4 26690 0t0 TCP X.X.X.X:8001->X.X.X.X:50568 (ESTABLISHED)
barnyard2 6198 SO-user 3u IPv4 25237 0t0 TCP X.X.X.X:50568->X.X.X.X:8001 (ESTABLISHED)
tclsh 6288 SO-user 3u IPv4 26131 0t0 TCP X.X.X.X:32854->X.X.X.X:7736 (ESTABLISHED)
chromium- 6859 SO-user 79u IPv4 40947 0t0 TCP X.X.X.X:33590->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 86u IPv4 46357 0t0 TCP X.X.X.X:39260->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 87u IPv4 44979 0t0 UDP X.X.X.X:54707->X.X.X.X:443
chromium- 6859 SO-user 89u IPv4 44980 0t0 UDP X.X.X.X:41286->X.X.X.X:443
chromium- 6859 SO-user 90u IPv4 44471 0t0 TCP X.X.X.X:60050->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 91u IPv4 42996 0t0 TCP X.X.X.X:33594->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 115u IPv4 59833 0t0 TCP X.X.X.X:46324->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 125u IPv4 72982 0t0 TCP X.X.X.X:33610->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 158u IPv4 29941 0t0 UDP *:5353
sshd 10272 root 3u IPv4 41544 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54798 (ESTABLISHED)
sshd 10325 SO-user 3u IPv4 41544 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54798 (ESTABLISHED)
sshd 10325 SO-user 9u IPv6 41568 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 10325 SO-user 10u IPv4 41569 0t0 TCP X.X.X.X:50001 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
Wed Nov 2 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 24 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking laSO-user MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 88 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------31
Deleted:---0
Enabled Rules:----20277
Dropped Rules:----0
Disabled Rules:---4273
Total Rules:------24550
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.31 0.28 0.26
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 21:11:10 up 23 min, 2 users, load average: 0.31, 0.28, 0.26
Tasks: 280 total, 1 running, 279 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 1.7 sy, 0.1 ni, 91.8 id, 0.2 wa, 0.0 hi, 0.0 si, 0.1 st
KiB Mem: 4046484 total, 3311368 used, 735116 free, 43824 buffers
KiB Swap: 1044476 total, 48640 used, 995836 free. 316712 cached Mem
%CPU %MEM COMMAND
10.2 14.3 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
4.1 4.1 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
3.7 12.4 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U --snaplen 1524
2.6 4.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
1.4 3.0 /usr/lib/chromium-browser/chromium-browser --enable-pinch
0.9 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.9 1.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.8 5.6 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.7 2.0 /usr/sbin/mysqld
0.7 0.2 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
0.6 0.0 /var/ossec/bin/ossec-syscheckd
0.4 7.5 /usr/bin/searchd --nodetach
0.4 0.7 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.2 0.0 /var/ossec/bin/ossec-analysisd
0.2 0.6 /usr/bin/python /usr/bin/salt-SO-user
0.2 1.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.0 /sbin/init
0.1 3.5 /usr/sbin/apache2 -k start
0.1 2.4 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kworker/2:1]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kpsmoused]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kworker/0:2]
0.0 0.0 [bioset]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/2:1H]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [hwrng]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 cron
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 supervising syslog-ng
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.1 lightdm
0.0 0.5 /usr/bin/python /usr/bin/salt-minion
0.0 0.1 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/sbin/kerneloops
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kworker/0:1H]
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.3 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.3 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.6 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.1 lightdm --session-child 12 21
0.0 0.1 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-WBZ27cJVpF
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.2 xfwm4
0.0 0.3 xfce4-panel
0.0 0.2 Thunar --daemon
0.0 0.4 xfdesktop
0.0 0.1 xfce4-power-manager
0.0 0.2 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.3 update-notifier
0.0 0.1 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.3 nm-applet
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.1 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.1 /usr/lib/upower/upowerd
0.0 0.1 xfce4-volumed
0.0 0.6 /usr/bin/python /usr/bin/blueman-applet
0.0 0.4 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.1 light-locker
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.2 xfsettingsd
0.0 0.3 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 12582947 actions Action Buttons Log out, lock or other system actions
0.0 0.2 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.1 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.1 /usr/lib/gvfs/gvfsd-trash --spawner :1.20 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.1 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 1.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 14.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 2.0 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2016-11-02/ --user 1003 --group 1003 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.1 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.3 xfce4-terminal
0.0 0.0 gnome-pty-helper
0.0 0.1 bash
0.0 0.0 sudo -i
0.0 0.1 -bash
0.0 0.5 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.3 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 1.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 1.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/u8:2]
0.0 0.8 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=6859.5.1916113813 --mojo-application-channel-token=EA7A55476A82F4644257B0FF4B9F2762 --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC bleWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/*SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,56 --gpu-vendor-id=0x1013 --gpu-device-id=0x00b8 --gpu-driver-vendor=Mesa --gpu-driver-version=11.2.0 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.0 0.1 sshd: SO-user [priv]
0.0 0.0 [kworker/2:2]
0.0 0.0 sshd: SO-user
0.0 0.0 [kworker/u8:0]
0.0 0.0 [kworker/3:2]
0.0 0.1 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 2691
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth0:
RX packets:5098 dropped:0 TX packets:3989 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth0
Tot Packets : 8313
Tot Pkt Lost : 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 8164
Tot Pkt Lost : 0
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth0-1: 1478121071.373519 recvd=8314 dropped=0 link=8314
Capture Loss:
SO-server-eth0-1 0.0
If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).
-------------------------------------------------------------------------
Netsniff-NG:
0 Loss
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 2
Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 8 days
668M .
71M ./2016-10-26
65M ./2016-10-27
62M ./2016-10-28
61M ./2016-10-29
72M ./2016-10-30
96M ./2016-10-31
119M ./2016-11-01
125M ./2016-11-02
/nsm/bro/logs/ - 8 days
20M .
1.7M ./2016-10-26
1.7M ./2016-10-27
1.7M ./2016-10-28
1.7M ./2016-10-29
1.9M ./2016-10-30
2.4M ./2016-10-31
1.9M ./2016-11-01
1.9M ./2016-11-02
5.1M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
109550
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
10308 1:2001330 ET POLICY RDP connection confirm
239 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
180 1:2012648 ET POLICY Dropbox Client Broadcasting
174 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
134 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
35 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
26 1:2403380 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 41
20 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
8 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
7 1:2403372 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 37
6 1:2000419 ET POLICY PE EXE or DLL Windows file download
5 1:2018124 ET TROJAN MS Remote Desktop micros User Login Request
3 1:2402000 ET DROP Dshield Block Listed Source group 1
2 1:2009702 ET POLICY DNS Update From External net
1 1:2520170 ET TOR Known Tor Exit Node TCP Traffic group 86
1 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 1:2403450 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 76
1 1:2522170 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 86
Total
11152
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
94834 1:2001330 ET POLICY RDP connection confirm
3501 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
1869 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
1287 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
717 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
410 1:2012648 ET POLICY Dropbox Client Broadcasting
216 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
78 1:2012711 ET POLICY MS Remote Desktop POS User Login Request
61 1:2402000 ET DROP Dshield Block Listed Source group 1
47 1:2403380 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 41
42 1:2018124 ET TROJAN MS Remote Desktop micros User Login Request
33 1:2403372 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 37
25 1:2403384 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 43
17 1:2403386 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 44
16 1:2009702 ET POLICY DNS Update From External net
13 1:2000419 ET POLICY PE EXE or DLL Windows file download
12 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
12 1:2403374 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38
10 1:2012710 ET POLICY MS Terminal Server Root login
9 1:2100366 GPL ICMP_INFO PING *NIX
9 1:2012712 ET POLICY MS Remote Desktop Service User Login Request
4 1:2403346 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24
4 1:2403342 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 22
3 1:2403336 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 19
3 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2403442 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 72
2 1:2018116 ET TROJAN MS Remote Desktop edc User Login Request
1 1:2403416 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 59
1 1:2403326 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 14
1 1:2403454 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 78
1 1:2403392 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 47
1 1:2520170 ET TOR Known Tor Exit Node TCP Traffic group 86
1 1:2522016 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 9
1 1:2520074 ET TOR Known Tor Exit Node TCP Traffic group 38
1 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
1 1:2403414 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 58
1 1:2403490 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 96
1 1:2403412 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 57
1 1:2403388 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 45
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 1:2520014 ET TOR Known Tor Exit Node TCP Traffic group 8
1 1:2403362 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 32
1 1:2403450 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 76
1 1:2403350 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 26
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 1:2403320 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 11
1 1:2403358 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 30
1 1:2403452 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 77
1 1:2522170 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 86
Total
103261
=========================================================================
Last update
=========================================================================
Start-Date: 2016-11-02 20:30:15
Commandline: apt-get install xrdp
Install: xrdp:amd64 (0.6.0-1), vnc4server:amd64 (4.1.1+xorg4.3.0-37ubuntu5.0.2, automatic), xbase-clients:amd64 (7.7+1ubuntu8.1, automatic)
End-Date: 2016-11-02 20:30:16
Start-Date: 2016-11-02 20:47:21
Commandline: apt-get -y dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libnl-genl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), dbus:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libdbus-1-3:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libgd3:amd64 (2.1.0-3ubuntu0.3, 2.1.0-3ubuntu0.5), dbus-x11:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-route-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10)
End-Date: 2016-11-02 20:47:23
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1388 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1400 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1323 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1335 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
423M /nsm/elsa/data
14M /var/lib/mysql/syslog
17M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-10-26 00:52:40 2016-11-02 21:10:09
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
=========================================================================
Version Information
=========================================================================
Ubuntu 14.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion63
And thank you in advance for your assistance on this inquiry of mine. It has been a very interesting journey learning about SO,then deploying it in a virtual lab, then a live production environment.
However, I'm at the stage where when i run a "SANCP" query in Sguil, i get the message that the "mysql_db database doesn't exist". Also, i get the error message below when i run the command to show available databases on the system. I do know from reading the output below that "SANCP" & "PADS" agent are set to "no". Therefore my question is asking if anyone knows how to enable those functions so queries could be run?
Also, is there a way to reinstall "MySql", then configure it to be able to communicate with the SO tools suite when it comes to running queries, reports etc....
Thanks to everyone for their time in looking into this.
****** Legend: /////// (Used to separate outputs) *******
[OUTPUTS BELOW]
Below is the output from
mysql -uroot -e 'show databases;'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
////////////// /////////////////// //////////////////// ////////////////
This is the output of
grep ENABLED /etc/nsm/*/sensor.conf
PCAP_ENABLED="yes"
PCAP_AGENT_ENABLED="yes"
SNORT_AGENT_ENABLED="yes"
IDS_ENGINE_ENABLED="yes"
BARNYARD2_ENABLED="yes"
PRADS_ENABLED="no"
SANCP_AGENT_ENABLED="yes"
PADS_AGENT_ENABLED="no"
ARGUS_ENABLED="no"
HTTP_AGENT_ENABLED="no"
///////////////////////// //////////////////////// //////////////
Below is the output from sudo sostat-redacted
root@SoMaster-02:~# sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 5589 2 02 Nov 20:48:47
proxy proxy localhost running 5758 2 02 Nov 20:48:49
SO-server-eth0-1 worker localhost running 5928 2 02 Nov 20:48:50
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* sancp_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:5097 errors:0 dropped:0 overruns:0 frame:0
TX packets:3988 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3399690 (3.3 MB) TX bytes:918618 (918.6 KB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3435 errors:0 dropped:0 overruns:0 frame:0
TX packets:3435 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1294279 (1.2 MB) TX bytes:1294279 (1.2 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1294279 3435 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1294279 3435 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3399690 5097 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
918618 3988 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 396M 968K 395M 1% /run
/dev/dm-0 19G 6.3G 12G 36% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 37M 1.9G 2% /run/shm
none 100M 24K 100M 1% /run/user
/dev/vda1 236M 94M 130M 42% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 656 avahi 12u IPv4 11801 0t0 UDP *:5353
avahi-dae 656 avahi 13u IPv6 11802 0t0 UDP *:5353
avahi-dae 656 avahi 14u IPv4 11803 0t0 UDP *:56316
avahi-dae 656 avahi 15u IPv6 11804 0t0 UDP *:37945
sshd 1318 root 3u IPv4 8721 0t0 TCP *:ssh_port (LISTEN)
sshd 1318 root 4u IPv6 8723 0t0 TCP *:ssh_port (LISTEN)
searchd 1335 sphinxsearch 7u IPv4 11887 0t0 TCP *:9306 (LISTEN)
searchd 1335 sphinxsearch 8u IPv4 11888 0t0 TCP *:9312 (LISTEN)
cups-brow 1356 root 6u IPv6 22234 0t0 TCP [X.X.X.X]:59900->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1356 root 8u IPv4 22236 0t0 UDP *:631
syslog-ng 1388 root 14u IPv4 12014 0t0 TCP *:514 (LISTEN)
syslog-ng 1388 root 15u IPv4 12015 0t0 UDP *:514
mysqld 1400 mysql 14u IPv4 13789 0t0 TCP X.X.X.X:3306 (LISTEN)
salt-mini 1425 root 13u IPv4 11062 0t0 TCP X.X.X.X:34884->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1425 root 24u IPv4 15001 0t0 TCP X.X.X.X:33852->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1538 ossecm 5u IPv4 14406 0t0 UDP X.X.X.X:40163->X.X.X.X:514
salt-mast 1614 root 12u IPv4 14451 0t0 TCP *:4505 (LISTEN)
salt-mast 1614 root 14u IPv4 15002 0t0 TCP X.X.X.X:4505->X.X.X.X:33852 (ESTABLISHED)
salt-mast 1614 root 15u IPv4 20910 0t0 TCP X.X.X.X:4505->X.X.X.X:52025 (ESTABLISHED)
salt-mast 1614 root 16u IPv4 42009 0t0 TCP X.X.X.X:4505->X.X.X.X:59634 (ESTABLISHED)
salt-mast 1627 root 20u IPv4 14489 0t0 TCP *:4506 (LISTEN)
salt-mast 1627 root 22u IPv4 14948 0t0 TCP X.X.X.X:4506->X.X.X.X:34884 (ESTABLISHED)
salt-mast 1627 root 28u IPv4 20577 0t0 TCP X.X.X.X:4506->X.X.X.X:50776 (ESTABLISHED)
salt-mast 1627 root 29u IPv4 42008 0t0 TCP X.X.X.X:4506->X.X.X.X:55028 (ESTABLISHED)
xrdp 2463 xrdp 6u IPv4 17463 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 2465 root 6u IPv4 11218 0t0 TCP X.X.X.X:3350 (LISTEN)
ntpd 4658 ntp 16u IPv4 23896 0t0 UDP *:123
ntpd 4658 ntp 17u IPv6 23897 0t0 UDP *:123
ntpd 4658 ntp 18u IPv4 23903 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 19u IPv4 23904 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 20u IPv6 23905 0t0 UDP [X.X.X.X]:123
ntpd 4658 ntp 21u IPv6 23906 0t0 UDP [X.X.X.X]:123
cupsd 4675 root 10u IPv6 23218 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 4675 root 11u IPv4 23219 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 4680 root 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 9u IPv6 23242 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 4732 SO-user 10u IPv4 23243 0t0 TCP X.X.X.X:50000 (LISTEN)
/usr/sbin 4786 root 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4786 root 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4786 root 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4793 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4793 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4793 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4794 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4794 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4794 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4795 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4795 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4795 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4796 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4796 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4796 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4797 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 4797 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4797 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
tclsh 4893 SO-user 13u IPv4 23410 0t0 TCP *:7734 (LISTEN)
tclsh 4893 SO-user 14u IPv6 23411 0t0 TCP *:7734 (LISTEN)
tclsh 4893 SO-user 15u IPv4 23414 0t0 TCP *:7736 (LISTEN)
tclsh 4893 SO-user 16u IPv6 23415 0t0 TCP *:7736 (LISTEN)
tclsh 4893 SO-user 17u IPv4 23416 0t0 TCP X.X.X.X:7736->X.X.X.X:49410 (ESTABLISHED)
tclsh 4893 SO-user 18u IPv4 23429 0t0 TCP X.X.X.X:7736->X.X.X.X:44019 (ESTABLISHED)
tclsh 4893 SO-user 19u IPv4 23434 0t0 TCP X.X.X.X:7736->X.X.X.X:33608 (ESTABLISHED)
tclsh 4893 SO-user 20u IPv4 23486 0t0 TCP X.X.X.X:7736->X.X.X.X:46842 (ESTABLISHED)
tclsh 4893 SO-user 21u IPv4 27728 0t0 TCP X.X.X.X:7736->X.X.X.X:32854 (ESTABLISHED)
tclsh 4893 SO-user 22u IPv4 27741 0t0 TCP X.X.X.X:7736->X.X.X.X:55881 (ESTABLISHED)
tclsh 4893 SO-user 23u IPv4 27742 0t0 TCP X.X.X.X:7736->X.X.X.X:34691 (ESTABLISHED)
tclsh 4893 SO-user 24u IPv4 27743 0t0 TCP X.X.X.X:7736->X.X.X.X:43829 (ESTABLISHED)
tclsh 4893 SO-user 25u IPv4 27748 0t0 TCP X.X.X.X:7736->X.X.X.X:38739 (ESTABLISHED)
tclsh 4893 SO-user 26u IPv4 27911 0t0 TCP X.X.X.X:7736->X.X.X.X:39292 (ESTABLISHED)
tclsh 4893 SO-user 27u IPv4 27912 0t0 TCP X.X.X.X:7736->X.X.X.X:57175 (ESTABLISHED)
tclsh 4893 SO-user 28u IPv4 40572 0t0 TCP X.X.X.X:7736->X.X.X.X:34491 (ESTABLISHED)
tclsh 4893 SO-user 29u IPv4 40598 0t0 TCP X.X.X.X:7736->X.X.X.X:38190 (ESTABLISHED)
tclsh 4893 SO-user 30u IPv4 40599 0t0 TCP X.X.X.X:7736->X.X.X.X:45728 (ESTABLISHED)
tclsh 4940 SO-user 3u IPv4 25084 0t0 TCP X.X.X.X:46842->X.X.X.X:7736 (ESTABLISHED)
bro 5589 SO-user 4u IPv4 25642 0t0 UDP X.X.X.X:46100->X.X.X.X:53
bro 5591 SO-user 0u IPv4 24273 0t0 TCP *:47761 (LISTEN)
bro 5591 SO-user 1u IPv6 24274 0t0 TCP *:47761 (LISTEN)
bro 5591 SO-user 2u IPv4 24338 0t0 TCP X.X.X.X:47761->X.X.X.X:50016 (ESTABLISHED)
bro 5591 SO-user 4u IPv4 25642 0t0 UDP X.X.X.X:46100->X.X.X.X:53
bro 5591 SO-user 268u IPv4 24431 0t0 TCP X.X.X.X:47761->X.X.X.X:50020 (ESTABLISHED)
bro 5758 SO-user 4u IPv4 25717 0t0 UDP X.X.X.X:57155->X.X.X.X:53
bro 5760 SO-user 0u IPv4 24337 0t0 TCP X.X.X.X:50016->X.X.X.X:47761 (ESTABLISHED)
bro 5760 SO-user 4u IPv4 25717 0t0 UDP X.X.X.X:57155->X.X.X.X:53
bro 5760 SO-user 266u IPv4 24345 0t0 TCP *:47762 (LISTEN)
bro 5760 SO-user 267u IPv6 24346 0t0 TCP *:47762 (LISTEN)
bro 5760 SO-user 268u IPv4 24428 0t0 TCP X.X.X.X:47762->X.X.X.X:52424 (ESTABLISHED)
bro 5928 SO-user 4u IPv4 24419 0t0 UDP X.X.X.X:55167->X.X.X.X:53
bro 5929 SO-user 0u IPv4 25012 0t0 TCP X.X.X.X:52424->X.X.X.X:47762 (ESTABLISHED)
bro 5929 SO-user 4u IPv4 24419 0t0 UDP X.X.X.X:55167->X.X.X.X:53
bro 5929 SO-user 266u IPv4 25015 0t0 TCP X.X.X.X:50020->X.X.X.X:47761 (ESTABLISHED)
bro 5929 SO-user 271u IPv4 25020 0t0 TCP *:47763 (LISTEN)
bro 5929 SO-user 272u IPv6 25021 0t0 TCP *:47763 (LISTEN)
tclsh 6022 SO-user 3u IPv4 24546 0t0 TCP X.X.X.X:44019->X.X.X.X:7736 (ESTABLISHED)
tclsh 6041 SO-user 3u IPv4 24568 0t0 TCP X.X.X.X:33608->X.X.X.X:7736 (ESTABLISHED)
tclsh 6041 SO-user 4u IPv4 24569 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 6041 SO-user 6u IPv4 26690 0t0 TCP X.X.X.X:8001->X.X.X.X:50568 (ESTABLISHED)
barnyard2 6198 SO-user 3u IPv4 25237 0t0 TCP X.X.X.X:50568->X.X.X.X:8001 (ESTABLISHED)
tclsh 6288 SO-user 3u IPv4 26131 0t0 TCP X.X.X.X:32854->X.X.X.X:7736 (ESTABLISHED)
chromium- 6859 SO-user 79u IPv4 40947 0t0 TCP X.X.X.X:33590->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 86u IPv4 46357 0t0 TCP X.X.X.X:39260->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 87u IPv4 44979 0t0 UDP X.X.X.X:54707->X.X.X.X:443
chromium- 6859 SO-user 89u IPv4 44980 0t0 UDP X.X.X.X:41286->X.X.X.X:443
chromium- 6859 SO-user 90u IPv4 44471 0t0 TCP X.X.X.X:60050->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 91u IPv4 42996 0t0 TCP X.X.X.X:33594->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 115u IPv4 59833 0t0 TCP X.X.X.X:46324->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 125u IPv4 72982 0t0 TCP X.X.X.X:33610->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 158u IPv4 29941 0t0 UDP *:5353
sshd 10272 root 3u IPv4 41544 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54798 (ESTABLISHED)
sshd 10325 SO-user 3u IPv4 41544 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:54798 (ESTABLISHED)
sshd 10325 SO-user 9u IPv6 41568 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 10325 SO-user 10u IPv4 41569 0t0 TCP X.X.X.X:50001 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
Wed Nov 2 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 24 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking laSO-user MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 88 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------31
Deleted:---0
Enabled Rules:----20277
Dropped Rules:----0
Disabled Rules:---4273
Total Rules:------24550
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.31 0.28 0.26
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 21:11:10 up 23 min, 2 users, load average: 0.31, 0.28, 0.26
Tasks: 280 total, 1 running, 279 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 1.7 sy, 0.1 ni, 91.8 id, 0.2 wa, 0.0 hi, 0.0 si, 0.1 st
KiB Mem: 4046484 total, 3311368 used, 735116 free, 43824 buffers
KiB Swap: 1044476 total, 48640 used, 995836 free. 316712 cached Mem
%CPU %MEM COMMAND
10.2 14.3 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
4.1 4.1 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
3.7 12.4 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U --snaplen 1524
2.6 4.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
1.4 3.0 /usr/lib/chromium-browser/chromium-browser --enable-pinch
0.9 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.9 1.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.8 5.6 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.7 2.0 /usr/sbin/mysqld
0.7 0.2 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
0.6 0.0 /var/ossec/bin/ossec-syscheckd
0.4 7.5 /usr/bin/searchd --nodetach
0.4 0.7 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.2 0.0 /var/ossec/bin/ossec-analysisd
0.2 0.6 /usr/bin/python /usr/bin/salt-SO-user
0.2 1.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.0 /sbin/init
0.1 3.5 /usr/sbin/apache2 -k start
0.1 2.4 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kworker/2:1]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kpsmoused]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kworker/0:2]
0.0 0.0 [bioset]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/2:1H]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [hwrng]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 cron
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 supervising syslog-ng
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.1 lightdm
0.0 0.5 /usr/bin/python /usr/bin/salt-minion
0.0 0.1 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/sbin/kerneloops
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kworker/0:1H]
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.3 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.3 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.6 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.7 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.4 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.1 lightdm --session-child 12 21
0.0 0.1 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-WBZ27cJVpF
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.2 xfwm4
0.0 0.3 xfce4-panel
0.0 0.2 Thunar --daemon
0.0 0.4 xfdesktop
0.0 0.1 xfce4-power-manager
0.0 0.2 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.3 update-notifier
0.0 0.1 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.3 nm-applet
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.1 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.1 /usr/lib/upower/upowerd
0.0 0.1 xfce4-volumed
0.0 0.6 /usr/bin/python /usr/bin/blueman-applet
0.0 0.4 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.1 light-locker
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.2 xfsettingsd
0.0 0.3 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 12582947 actions Action Buttons Log out, lock or other system actions
0.0 0.2 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.1 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.1 /usr/lib/gvfs/gvfsd-trash --spawner :1.20 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.1 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 1.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 14.2 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 2.0 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2016-11-02/ --user 1003 --group 1003 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.1 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.3 xfce4-terminal
0.0 0.0 gnome-pty-helper
0.0 0.1 bash
0.0 0.0 sudo -i
0.0 0.1 -bash
0.0 0.5 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.3 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 1.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 1.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/u8:2]
0.0 0.8 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=6859.5.1916113813 --mojo-application-channel-token=EA7A55476A82F4644257B0FF4B9F2762 --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC bleWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/*SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,56 --gpu-vendor-id=0x1013 --gpu-device-id=0x00b8 --gpu-driver-vendor=Mesa --gpu-driver-version=11.2.0 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.0 0.1 sshd: SO-user [priv]
0.0 0.0 [kworker/2:2]
0.0 0.0 sshd: SO-user
0.0 0.0 [kworker/u8:0]
0.0 0.0 [kworker/3:2]
0.0 0.1 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 2691
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth0:
RX packets:5098 dropped:0 TX packets:3989 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth0
Tot Packets : 8313
Tot Pkt Lost : 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 8164
Tot Pkt Lost : 0
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth0-1: 1478121071.373519 recvd=8314 dropped=0 link=8314
Capture Loss:
SO-server-eth0-1 0.0
If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).
-------------------------------------------------------------------------
Netsniff-NG:
0 Loss
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 2
Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 8 days
668M .
71M ./2016-10-26
65M ./2016-10-27
62M ./2016-10-28
61M ./2016-10-29
72M ./2016-10-30
96M ./2016-10-31
119M ./2016-11-01
125M ./2016-11-02
/nsm/bro/logs/ - 8 days
20M .
1.7M ./2016-10-26
1.7M ./2016-10-27
1.7M ./2016-10-28
1.7M ./2016-10-29
1.9M ./2016-10-30
2.4M ./2016-10-31
1.9M ./2016-11-01
1.9M ./2016-11-02
5.1M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
109550
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
10308 1:2001330 ET POLICY RDP connection confirm
239 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
180 1:2012648 ET POLICY Dropbox Client Broadcasting
174 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
134 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
35 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
26 1:2403380 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 41
20 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
8 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
7 1:2403372 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 37
6 1:2000419 ET POLICY PE EXE or DLL Windows file download
5 1:2018124 ET TROJAN MS Remote Desktop micros User Login Request
3 1:2402000 ET DROP Dshield Block Listed Source group 1
2 1:2009702 ET POLICY DNS Update From External net
1 1:2520170 ET TOR Known Tor Exit Node TCP Traffic group 86
1 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 1:2403450 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 76
1 1:2522170 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 86
Total
11152
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
94834 1:2001330 ET POLICY RDP connection confirm
3501 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
1869 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
1287 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
717 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
410 1:2012648 ET POLICY Dropbox Client Broadcasting
216 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
78 1:2012711 ET POLICY MS Remote Desktop POS User Login Request
61 1:2402000 ET DROP Dshield Block Listed Source group 1
47 1:2403380 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 41
42 1:2018124 ET TROJAN MS Remote Desktop micros User Login Request
33 1:2403372 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 37
25 1:2403384 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 43
17 1:2403386 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 44
16 1:2009702 ET POLICY DNS Update From External net
13 1:2000419 ET POLICY PE EXE or DLL Windows file download
12 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
12 1:2403374 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38
10 1:2012710 ET POLICY MS Terminal Server Root login
9 1:2100366 GPL ICMP_INFO PING *NIX
9 1:2012712 ET POLICY MS Remote Desktop Service User Login Request
4 1:2403346 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24
4 1:2403342 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 22
3 1:2403336 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 19
3 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2403442 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 72
2 1:2018116 ET TROJAN MS Remote Desktop edc User Login Request
1 1:2403416 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 59
1 1:2403326 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 14
1 1:2403454 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 78
1 1:2403392 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 47
1 1:2520170 ET TOR Known Tor Exit Node TCP Traffic group 86
1 1:2522016 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 9
1 1:2520074 ET TOR Known Tor Exit Node TCP Traffic group 38
1 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
1 1:2403414 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 58
1 1:2403490 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 96
1 1:2403412 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 57
1 1:2403388 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 45
1 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
1 1:2520014 ET TOR Known Tor Exit Node TCP Traffic group 8
1 1:2403362 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 32
1 1:2403450 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 76
1 1:2403350 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 26
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 1:2403320 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 11
1 1:2403358 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 30
1 1:2403452 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 77
1 1:2522170 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 86
Total
103261
=========================================================================
Last update
=========================================================================
Start-Date: 2016-11-02 20:30:15
Commandline: apt-get install xrdp
Install: xrdp:amd64 (0.6.0-1), vnc4server:amd64 (4.1.1+xorg4.3.0-37ubuntu5.0.2, automatic), xbase-clients:amd64 (7.7+1ubuntu8.1, automatic)
End-Date: 2016-11-02 20:30:16
Start-Date: 2016-11-02 20:47:21
Commandline: apt-get -y dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libnl-genl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), dbus:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libdbus-1-3:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libgd3:amd64 (2.1.0-3ubuntu0.3, 2.1.0-3ubuntu0.5), dbus-x11:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-route-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10)
End-Date: 2016-11-02 20:47:23
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1388 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1400 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1323 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1335 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
423M /nsm/elsa/data
14M /var/lib/mysql/syslog
17M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-10-26 00:52:40 2016-11-02 21:10:09
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
=========================================================================
Version Information
=========================================================================
Ubuntu 14.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion63
Wes
Nov 2, 2016, 7:03:13 PM11/2/16
to security-onion
To enable PADS/SANCP, etc., you can do the opposite of the described technique found here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices
Keep in mind, if you are already using Bro/ELSA, this will create duplication of effort.
You may also want to consider increasing the number of CPU cores/RAM if you are deploying this in Production (dependent on the amount of traffic, of course.)
------
What happens if you perform the following?
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
Are you able to connect to securityonion_db?
------
How about if you run the following?
sudo mysqlcheck -c securityonion_db
Does everything look okay?
Furthermore, try having a look in /var/log/nsm/securityonion/sguild.log for clues, if things look strange.
If nothing seems to stand out, try adjusting the DAYSTOKEEP variable in /etc/nsm/securityonion/conf and running 'sguild-db-purge' to see if it resolves your issue.
One thing I just noticed -- did you configure a monitor interface for your standalone? I do not see a secondary interface -- only eth0.
Thanks,
Wes
BelleCrosse
Nov 3, 2016, 9:30:04 AM11/3/16
to security-onion
[REPLY SHOWN BELOW]
Thank you for the prompt reply Wes, I apologize for the late reply. I answered your questions per slashes (/) & [REPLY] sections.
Thanks for your time.
//////////// ////////////////////////////////////////// ///////////////
To enable PADS/SANCP, etc., you can do the opposite of the described technique found here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices
Keep in mind, if you are already using Bro/ELSA, this will create duplication of effort.
You may also want to consider increasing the number of CPU cores/RAM if you are deploying this in Production (dependent on the amount of traffic, of course.)
------
What happens if you perform the following?
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
Are you able to connect to securityonion_db?
sudo mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13247
Server version: 5.5.53-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
------
How about if you run the following?
sudo mysqlcheck -c securityonion_db
Does everything look okay?
mysqlcheck: Got error: 1045: Access denied for user 'root'@'localhost' (using password: NO) when trying to connect
//////////////////
Furthermore, try having a look in /var/log/nsm/securityonion/sguild.log for clues, if things look strange.
Executing: /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
2016-11-03 13:23:58 pid(30508) Loading access list: /etc/nsm/securityonion/sguild.access
2016-11-03 13:23:58 pid(30508) Sensor access list set to ALLOW ANY.
2016-11-03 13:23:58 pid(30508) Client access list set to ALLOW ANY.
2016-11-03 13:23:58 pid(30508) Email Configuration:
2016-11-03 13:23:58 pid(30508) Config file: /etc/sguild/sguild.email
2016-11-03 13:23:58 pid(30508) Enabled: No
2016-11-03 13:23:58 pid(30508) Connecting to localhost on 3306 as sguil
2016-11-03 13:23:58 pid(30508) MySQL Version: version 5.5.53-0ubuntu0.14.04.1
2016-11-03 13:23:58 pid(30508) SguilDB Version: 0.14
2016-11-03 13:23:58 pid(30508) Creating event MERGE table.
2016-11-03 13:23:58 pid(30508) Creating tcphdr MERGE table.
2016-11-03 13:23:58 pid(30508) Creating udphdr MERGE table.
2016-11-03 13:23:58 pid(30508) Creating icmphdr MERGE table.
2016-11-03 13:23:58 pid(30508) Creating data MERGE table.
2016-11-03 13:23:58 pid(30510) Loaderd Forked
2016-11-03 13:23:58 pid(30511) Queryd Forked
2016-11-03 13:23:58 pid(30508) Retrieving DB info...
2016-11-03 13:23:58 pid(30508) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=12
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=13
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=11
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=5
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=6
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=7
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=8
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=9
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=10
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=4
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=2
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=3
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM pads WHERE sid=14
2016-11-03 13:23:58 pid(30508) SELECT MAX(timestamp) FROM event WHERE sid=1
2016-11-03 13:23:58 pid(30508) Querying DB for archived events...
2016-11-03 13:24:09 pid(30508) Querying DB for escalated events...
2016-11-03 13:24:09 pid(30508) Retrieving DB info...
2016-11-03 13:24:09 pid(30508) Getting a list of tables.
2016-11-03 13:24:09 pid(30508) ...Getting info on autocat.
2016-11-03 13:24:09 pid(30508) ...Getting info on data.
2016-11-03 13:24:09 pid(30508) ...Getting info on event.
2016-11-03 13:24:09 pid(30508) ...Getting info on filters.
2016-11-03 13:24:09 pid(30508) ...Getting info on history.
2016-11-03 13:24:09 pid(30508) ...Getting info on icmphdr.
2016-11-03 13:24:09 pid(30508) ...Getting info on ip2c.
2016-11-03 13:24:09 pid(30508) ...Getting info on mappings.
2016-11-03 13:24:09 pid(30508) ...Getting info on nessus.
2016-11-03 13:24:09 pid(30508) ...Getting info on nessus_data.
2016-11-03 13:24:09 pid(30508) ...Getting info on object_mappings.
2016-11-03 13:24:09 pid(30508) ...Getting info on pads.
2016-11-03 13:24:09 pid(30508) ...Getting info on portscan.
2016-11-03 13:24:09 pid(30508) ...Getting info on sensor.
2016-11-03 13:24:09 pid(30508) ...Getting info on stat_types.
2016-11-03 13:24:09 pid(30508) ...Getting info on stats.
2016-11-03 13:24:09 pid(30508) ...Getting info on status.
2016-11-03 13:24:09 pid(30508) ...Getting info on tcphdr.
2016-11-03 13:24:09 pid(30508) ...Getting info on udphdr.
2016-11-03 13:24:09 pid(30508) ...Getting info on user_info.
2016-11-03 13:24:09 pid(30508) ...Getting info on version.
2016-11-03 13:24:09 pid(30508) Sguild Initialized.
2016-11-03 13:24:10 pid(30508) Sensor agent connect from 127.0.0.1:42269 sock1d60e00
2016-11-03 13:24:10 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:10 pid(30508) Valid sensor agent: 127.0.0.1
2016-11-03 13:24:11 pid(30508) Sensor agent connect from 127.0.0.1:40466 sockec42dc0
2016-11-03 13:24:11 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:11 pid(30508) Valid sensor agent: 127.0.0.1
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 127.0.0.1:38053 sockec6d360
2016-11-03 13:24:13 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 127.0.0.1
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 127.0.0.1:45266 sockec5dd40
2016-11-03 13:24:13 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 127.0.0.1
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:41075 sockec969e0
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:56766 sockec820c0
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:58620 sockec96030
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:44249 sockec96370
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:48461 sockec966a0
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:13 pid(30508) Sensor agent connect from 216.177.188.178:35618 sockec70910
2016-11-03 13:24:13 pid(30508) Validating sensor access: 216.177.188.178 :
2016-11-03 13:24:13 pid(30508) Valid sensor agent: 216.177.188.178
2016-11-03 13:24:14 pid(30508) Sensor agent connect from 127.0.0.1:38170 sockec739e0
2016-11-03 13:24:14 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:14 pid(30508) Valid sensor agent: 127.0.0.1
2016-11-03 13:24:16 pid(30508) Sensor agent connect from 127.0.0.1:37473 sock1d5f690
2016-11-03 13:24:16 pid(30508) Validating sensor access: 127.0.0.1 :
2016-11-03 13:24:16 pid(30508) Valid sensor agent: 127.0.0.1
--------------
One thing I just noticed -- did you configure a monitor interface for your standalone? I do not see a secondary interface -- only eth0.
Wes Lambert
Nov 3, 2016, 6:14:48 PM11/3/16
to securit...@googlegroups.com
If you have no specific need for sancp or pads, then I would leave them disabled.
Were you trying to initiate the mysqlcheck from the mysql prompt, or a bash prompt?
If you are looking to configure a server, then you will only need one NIC (management interface), however, it looks like you configured a standalone (server + sensor) during setup.
If you are looking to configure a server only, I would re-run setup.
Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
BelleCrosse
Nov 4, 2016, 9:23:13 AM11/4/16
to security-onion
Thank you so much for your assistance Wes, and please accept my apology for the late reply, busy days.
And in response to your reply please follow below:
Were you trying to initiate the mysqlcheck from the mysql prompt, or a bash prompt?
--------
If you are looking to configure a server, then you will only need one NIC (management interface), however, it looks like you configured a standalone (server + sensor) during setup.
[ On Another Note ]
Wes, I have been trying to access ELSA from within Sguil "ELSA IP Lookup" option from one of my analysts machine and I'm getting the error message below:
Internal Server Error
The server encountered an internal Error or misconfiguration and was unable to complete your request. Etc....
Apache/2.4.7 (Ubuntu)Server at 127.0.0.1 Port 3154
Thank you so much for your assistance Wes, and please accept my apology for the late reply, busy days.
And in response to your reply please follow below:
Were you trying to initiate the mysqlcheck from the mysql prompt, or a bash prompt?
--------
If you are looking to configure a server, then you will only need one NIC (management interface), however, it looks like you configured a standalone (server + sensor) during setup.
[ On Another Note ]
Wes, I have been trying to access ELSA from within Sguil "ELSA IP Lookup" option from one of my analysts machine and I'm getting the error message below. Do you have any idea why?
Additionally, I attached the sostat-redacted output of the analyst machine at the end of the message
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 3154
/////////////// ////////////////////////////// //////////////////
[sostat-redacted OUTPUT BELOW]
sudo sostat-redacted
grep: /etc/nsm/sensortab: No such file or directory
=========================================================================
Service Status
=========================================================================
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
RX packets:73522 errors:0 dropped:0 overruns:0 frame:0
TX packets:52728 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:130335148 (130.3 MB) TX bytes:19323447 (19.3 MB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
TX packets:3495 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:335772 (335.7 KB) TX bytes:335772 (335.7 KB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
335772 3495 0 0 0 0
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
335772 3495 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
130335148 73522 0 0 0 0
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
19323447 52728 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 483M 12K 483M 1% /dev
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
tmpfs 100M 896K 99M 1% /run
/dev/dm-0 19G 5.0G 13G 29% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 497M 38M 459M 8% /run/shm
none 5.0M 0 5.0M 0% /run/lock
none 100M 32K 100M 1% /run/user
/dev/vda1 236M 90M 134M 41% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 592 avahi 13u IPv6 10355 0t0 UDP *:5353
avahi-dae 592 avahi 14u IPv4 10356 0t0 UDP *:49398
avahi-dae 592 avahi 15u IPv6 10357 0t0 UDP *:42269
cups-brow 624 root 8u IPv4 10473 0t0 UDP *:631
dhclient 926 root 5u IPv4 11109 0t0 UDP *:68
dhclient 926 root 20u IPv4 11073 0t0 UDP *:37301
dhclient 926 root 21u IPv6 11074 0t0 UDP *:65402
sshd 1185 root 3u IPv4 11980 0t0 TCP *:ssh_port (LISTEN)
sshd 1185 root 4u IPv6 11984 0t0 TCP *:ssh_port (LISTEN)
dnsmasq 1303 nobody 4u IPv4 12239 0t0 UDP X.X.X.X:53
dnsmasq 1303 nobody 5u IPv4 12240 0t0 TCP X.X.X.X:53 (LISTEN)
mysqld 1422 mysql 10u IPv4 14900 0t0 TCP X.X.X.X:3306 (LISTEN)
ntpd 2059 ntp 16u IPv4 15305 0t0 UDP *:123
ntpd 2059 ntp 17u IPv6 15306 0t0 UDP *:123
ntpd 2059 ntp 18u IPv4 15312 0t0 UDP X.X.X.X:123
ntpd 2059 ntp 19u IPv4 15313 0t0 UDP X.X.X.X:123
ntpd 2059 ntp 20u IPv6 15314 0t0 UDP [X.X.X.X]:123
ntpd 2059 ntp 21u IPv6 15315 0t0 UDP [X.X.X.X]:123
/usr/sbin 2114 root 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 2114 root 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
chromium- 2949 SO-user 85u IPv4 1073764 0t0 UDP X.X.X.X:57107->X.X.X.X:443
chromium- 2949 SO-user 107u IPv4 18801 0t0 UDP *:5353
chromium- 2949 SO-user 109u IPv4 1073303 0t0 TCP X.X.X.X:37287->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 121u IPv4 1073705 0t0 TCP X.X.X.X:51889->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 133u IPv4 1073749 0t0 UDP X.X.X.X:45339->X.X.X.X:443
chromium- 2949 SO-user 134u IPv4 1073757 0t0 TCP X.X.X.X:33461->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 137u IPv4 1073755 0t0 UDP X.X.X.X:58877->X.X.X.X:443
chromium- 2949 SO-user 155u IPv4 1072230 0t0 TCP X.X.X.X:33496->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 167u IPv4 1072158 0t0 TCP X.X.X.X:53864->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 169u IPv4 1072160 0t0 TCP X.X.X.X:53865->X.X.X.X:443 (ESTABLISHED)
chromium- 2949 SO-user 201u IPv4 1072703 0t0 UDP X.X.X.X:37928->X.X.X.X:443
/usr/sbin 5346 www-data 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5346 www-data 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5347 www-data 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5347 www-data 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
cupsd 5348 root 10u IPv6 382034 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 5348 root 11u IPv4 382035 0t0 TCP X.X.X.X:631 (LISTEN)
/usr/sbin 5356 www-data 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5356 www-data 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5360 www-data 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5360 www-data 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5364 www-data 5u IPv6 15428 0t0 TCP *:443 (LISTEN)
/usr/sbin 5364 www-data 7u IPv6 15432 0t0 TCP *:9876 (LISTEN)
wish 10511 SO-user 4u IPv4 1056678 0t0 TCP X.X.X.X:45281->X.X.X.X:7734 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.22 0.34 0.22
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
Processing units: 1
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 09:21:24 up 4 days, 1 min, 2 users, load average: 0.22, 0.34, 0.22
then tune until load average is lower than processing units.
Tasks: 195 total, 1 running, 192 sleeping, 0 stopped, 2 zombie
%Cpu(s): 0.3 us, 0.2 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.2 st
KiB Mem: 1016964 total, 921348 used, 95616 free, 8052 buffers
KiB Swap: 1044476 total, 426728 used, 617748 free. 193668 cached Mem
%CPU %MEM COMMAND
6.6 33.0 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/*ReportCertificateErrors/ShowAndPossiblySend/*SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspicio
1.2 2.0 wish /usr/bin/SO-user.tk
0.4 1.8 /usr/bin/python3 /usr/bin/update-manager --no-update
0.2 1.9 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=2949.13.242077605 --mojo-application-channel-token=B1F31EA442F842A0D0640DA8A8BD7125 --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC- -H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/*ReportCertificateErrors/ShowAndPossiblySend/*SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/*SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,26,56 --gpu-vendor-id=0x1013 --gpu-device-id=0x00b8 --gpu-driver-vendor=Mesa --gpu-driver-version=10.5.9 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.1 11.7 /usr/lib/chromium-browser/chromium-browser --enable-pinch
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [khelper]
0.0 0.0 [watchdog/0]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kworker/0:2]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kpsmoused]
0.0 0.0 [ttm_swap]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [hwrng]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [kmpathd]
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 /usr/sbin/ModemManager
0.0 0.0 NetworkManager
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /sbin/dhclient -d -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /run/sendsigs.omit.d/network-manager.dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-220eb685-2fa6-4711-8dfa-89a2878cf6e6-eth0.lease -cf /var/lib/NetworkManager/dhclient-eth0.conf eth0
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cron
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=X.X.X.X --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
0.0 0.0 lightdm
0.0 1.7 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.9 /usr/sbin/mysqld
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.1 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.1 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.1 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-uIPc4o2BsE
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.6 xfwm4
0.0 0.0 /usr/bin/ssh-agent -s
0.0 1.0 xfce4-panel
0.0 0.2 Thunar --daemon
0.0 1.0 xfdesktop
0.0 0.3 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.1 nm-applet
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.2 update-notifier
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 xfce4-power-manager
0.0 0.1 light-locker
0.0 0.1 xfsettingsd
0.0 0.2 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.1 xfce4-volumed
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 1.9 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.5 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.6 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 12582947 actions Action Buttons Log out, lock or other system actions
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.24 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.4 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.4 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 2.7 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousMod
0.0 18.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousMod
0.0 0.0 supervising syslog-ng
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 3.7 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousMo
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 dbus-launch --autolaunch=8883342bbce3c9365dd594e458173f90 --binary-syntax --close-stderr
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [chromium-browse] <defunct>
0.0 3.2 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousMo
0.0 3.5 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/*ReportCertificateErrors/ShowAndPossiblySend/*SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciou
0.0 0.9 xfce4-terminal
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.0 sudo -i
0.0 0.1 -bash
0.0 0.0 [kworker/u2:0]
0.0 0.1 -bash
0.0 0.0 [kworker/0:1]
0.0 0.1 /usr/lib/chromium-browser/chromium-browser --type=gpu-broker -H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/*ReportCertificateErrors/ShowAndPossiblySend/*SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/*SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,26,56 --gpu-vendor-id=0x1013 --gpu-device-id=0x00b8 --gpu-driver-vendor=Mesa --gpu-driver-version=10.5.9 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.0 0.0 [kworker/0:0]
0.0 0.4 sudo sostat-redacted
0.0 0.2 /bin/bash /usr/bin/sostat-redacted
0.0 0.2 /bin/bash /usr/bin/sostat
0.0 0.1 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.1 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.2 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.1 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.1 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.1 sed -r s/SO-server/SO-server/g
0.0 0.1 sed -r s/SO-node/SO-node/g
0.0 0.1 sed -r s/SO-user|SO-user|SO-user/SO-user/g
0.0 0.2 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/u2:2]
0.0 0.1 /usr/bin/python /usr/lib/update-notifier/backend_helper.py show_updates
0.0 0.0 /usr/lib/dconf/dconf-service
0.0 0.0 [debconf-communi] <defunct>
0.0 0.0 [xfsalloc]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [jfsIO]
0.0 0.0 [jfsCommit]
0.0 0.0 [jfsSync]
=========================================================================
Last update
=========================================================================
Start-Date: 2016-11-04 08:31:39
Commandline: aptdaemon role='role-commit-packages' sender=':1.143'
Install: xserver-xorg-video-mach64-lts-xenial:amd64 (6.9.5-1build2~trusty1, automatic), libdrm-amdgpu1:amd64 (2.4.67-1ubuntu0.14.04.1), xserver-xorg-video-all-lts-xenial:amd64 (7.7+13ubuntu3~trusty2, automatic), xserver-xorg-video-amdgpu-lts-xenial:amd64 (1.1.0-1~trusty1, automatic), linux-headers-4.4.0-45-generic:amd64 (4.4.0-45.66~14.04.1, automatic), xserver-xorg-video-cirrus-lts-xenial:amd64 (1.5.3-1ubuntu3~trusty1, automatic), xserver-xorg-video-radeon-lts-xenial:amd64 (7.7.0-1~trusty2, automatic), xserver-xorg-video-mga-lts-xenial:amd64 (1.6.4-1build2~trusty1, automatic), xserver-xorg-video-trident-lts-xenial:amd64 (1.3.7-1build2~trusty1, automatic), xserver-xorg-video-fbdev-lts-xenial:amd64 (0.4.4-1build5~trusty1, automatic), xserver-xorg-video-tdfx-lts-xenial:amd64 (1.4.6-1build2~trusty1, automatic), libllvm3.4:amd64 (3.4-1ubuntu3), libglapi-mesa-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1, automatic), xserver-xorg-video-ati-lts-xenial:amd64 (7.7.0-1~trusty2, automatic), linux-image-4.4.0-45-generic:amd64 (4.4.0-45.66~14.04.1, automatic), libwayland-egl1-mesa-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1), xserver-xorg-input-all-lts-xenial:amd64 (7.7+13ubuntu3~trusty2, automatic), linux-headers-4.4.0-45:amd64 (4.4.0-45.66~14.04.1, automatic), xserver-xorg-video-neomagic-lts-xenial:amd64 (1.2.9-1build2~trusty1, automatic), xserver-xorg-video-savage-lts-xenial:amd64 (2.3.8-1ubuntu3~trusty1, automatic), linux-generic-lts-xenial:amd64 (X.X.X.X.33), libegl1-mesa-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1), xserver-xorg-input-vmmouse-lts-xenial:amd64 (13.1.0-1ubuntu2~trusty1), thermald:amd64 (1.4.3-5~14.04.4, automatic), xserver-xorg-input-evdev-lts-xenial:amd64 (2.10.1-1ubuntu2~trusty1), libgles2-mesa-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1, automatic), linux-headers-generic-lts-xenial:amd64 (X.X.X.X.33, automatic), xserver-xorg-video-vesa-lts-xenial:amd64 (2.3.4-1build2~trusty1, automatic), xserver-xorg-video-siliconmotion-lts-xenial:amd64 (1.7.8-1ubuntu6~trusty1, automatic), linux-image-extra-4.4.0-45-generic:amd64 (4.4.0-45.66~14.04.1, automatic), libxatracker2-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1), xserver-xorg-input-wacom-lts-xenial:amd64 (0.32.0-0ubuntu3~trusty1, automatic), xserver-xorg-video-nouveau-lts-xenial:amd64 (1.0.12-1build2~trusty1, automatic), xserver-xorg-video-openchrome-lts-xenial:amd64 (0.3.3+git20160310-1~trusty1, automatic), xserver-xorg-video-qxl-lts-xenial:amd64 (0.1.4-3ubuntu3~trusty1, automatic), libgbm1:amd64 (10.1.3-0ubuntu0.6), libgbm1-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1, automatic), xserver-xorg-video-intel-lts-xenial:amd64 (2.99.917+git20160325-1ubuntu1~trusty1, automatic), xserver-xorg-video-sisusb-lts-xenial:amd64 (0.9.6-2build5~trusty1, automatic), libgl1-mesa-dri-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1, automatic), libgl1-mesa-glx-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1), linux-image-generic-lts-xenial:amd64 (X.X.X.X.33, automatic), xserver-xorg-video-vmware-lts-xenial:amd64 (13.1.0-2ubuntu3~trusty1, automatic), xserver-xorg-core-lts-xenial:amd64 (1.18.3-1ubuntu2.2~trusty3), xserver-xorg-video-r128-lts-xenial:amd64 (6.10.0-1build2~trusty1, automatic), libgles1-mesa-lts-xenial:amd64 (11.2.0-1ubuntu2~trusty1, automatic), xserver-xorg-lts-xenial:amd64 (7.7+13ubuntu3~trusty2), xserver-xorg-input-synaptics-lts-xenial:amd64 (1.8.2-1ubuntu3~trusty1, automatic), libllvm3.8v4:amd64 (3.8-2ubuntu3~trusty4, automatic)
Remove: xserver-xorg-video-neomagic-lts-vivid:amd64 (1.2.8-1ubuntu1~trusty1), libgl1-mesa-dri-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), libgl1-mesa-glx-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), libglapi-mesa-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-input-mouse-lts-vivid:amd64 (1.9.1-1~trusty1), xserver-xorg-video-sisusb-lts-vivid:amd64 (0.9.6-2build3~trusty1), libgles1-mesa-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-input-synaptics-lts-vivid:amd64 (1.8.1-1ubuntu1~trusty1), xserver-xorg-video-nouveau-lts-vivid:amd64 (1.0.11-1ubuntu2build1~trusty1), xserver-xorg-video-all-lts-vivid:amd64 (7.7+7ubuntu3~trusty1), xserver-xorg-input-vmmouse-lts-vivid:amd64 (13.0.0-1ubuntu1~trusty1), xserver-xorg-lts-vivid:amd64 (7.7+7ubuntu3~trusty1), xserver-xorg-input-wacom-lts-vivid:amd64 (0.25.0-0ubuntu1.1~trusty1), xserver-xorg-video-radeon-lts-vivid:amd64 (7.5.0-1ubuntu2~trusty1), xserver-xorg-video-r128-lts-vivid:amd64 (6.9.2-1ubuntu1~trusty1), xserver-xorg-video-tdfx-lts-vivid:amd64 (1.4.6-0ubuntu1~trusty1), xserver-xorg-video-mach64-lts-vivid:amd64 (6.9.4-2ubuntu1~trusty1), libwayland-egl1-mesa-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-video-siliconmotion-lts-vivid:amd64 (1.7.7-2ubuntu2~trusty1), xserver-xorg-video-savage-lts-vivid:amd64 (2.3.7-2ubuntu4~trusty1), libgbm1-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-input-all-lts-vivid:amd64 (7.7+7ubuntu3~trusty1), xserver-xorg-video-vmware-lts-vivid:amd64 (13.1.0-0ubuntu1build1~trusty1), xserver-xorg-video-ati-lts-vivid:amd64 (7.5.0-1ubuntu2~trusty1), xserver-xorg-input-evdev-lts-vivid:amd64 (2.9.0-1ubuntu2~trusty1), libgles2-mesa-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-core-lts-vivid:amd64 (1.17.1-0ubuntu3.1~trusty1.1), xserver-xorg-video-intel-lts-vivid:amd64 (2.99.917-1~exp1ubuntu2.2~trusty1), xserver-xorg-video-vesa-lts-vivid:amd64 (2.3.3-1build3~trusty1), xserver-xorg-video-trident-lts-vivid:amd64 (1.3.6-0ubuntu6build1~trusty1), libegl1-mesa-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-video-mga-lts-vivid:amd64 (1.6.3-2ubuntu1~trusty1), xserver-xorg-video-openchrome-lts-vivid:amd64 (0.3.3-1ubuntu1~trusty1), xserver-xorg-video-cirrus-lts-vivid:amd64 (1.5.2-2ubuntu1~trusty1), libxatracker2-lts-vivid:amd64 (10.5.9-2ubuntu1~trusty2), xserver-xorg-video-fbdev-lts-vivid:amd64 (0.4.4-1build3~trusty1)
End-Date: 2016-11-04 08:33:51
=========================================================================
Time Zone
=========================================================================
WARNING! Timezone is NOT set to UTC!
Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TimeZones
Wes
Nov 5, 2016, 9:42:06 AM11/5/16
to security-onion
It looks like you have a few errors from your sostat output:
sudo sostat-redacted
grep: /etc/nsm/sensortab: No such file or directory
=========================================================================
Service Status
=========================================================================
=========================================================================
Time Zone
=========================================================================
WARNING! Timezone is NOT set to UTC!
Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TimeZones
Also, please attach the output of sostat-redacted for each machine (master, sensor, etc.) as a plain text file, if possible.
=========================================================================
WARNING! Timezone is NOT set to UTC!
Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/TimeZones
You said you were joining a standalone to a master -- you should be able to join a sensor to a standalone just fine, but at the moment, joining a master/standalone to another master is not supported configuration.
Thanks,
Wes
Franck DANVIDE
Nov 5, 2016, 10:37:03 AM11/5/16
to securit...@googlegroups.com
Thank you Wes. I will gather the outputs and send it back to you.
BelleCrosse
Nov 7, 2016, 9:38:29 AM11/7/16
to security-onion
Good Morning Wes, and thank you for your patience. Below is the output from the master server.
[Master Server sostat redacted OUPUT]
root@SoMaster-02:~# sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 21127 2 07 Nov 14:28:57
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
proxy proxy localhost running 21248 2 07 Nov 14:28:59
SO-server-eth0-1 worker localhost running 21483 2 07 Nov 14:29:00
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* sancp_agent (SO-user)[ OK ]
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* sancp_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
RX packets:1064864 errors:0 dropped:0 overruns:0 frame:0
TX packets:887616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:268670517 (268.6 MB) TX bytes:593680953 (593.6 MB)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
TX packets:992151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:363319121 (363.3 MB) TX bytes:363319121 (363.3 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
363319121 992151 0 0 0 0
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
363319121 992151 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
268670517 1064864 0 0 0 0
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
593680953 887616 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 4.0K 2.0G 1% /dev
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
tmpfs 396M 952K 395M 1% /run
/dev/dm-0 19G 7.2G 11G 42% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 41M 1.9G 3% /run/shm
none 5.0M 0 5.0M 0% /run/lock
none 100M 24K 100M 1% /run/user
/dev/vda1 236M 94M 130M 42% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 392 SO-user 9u IPv6 2619060 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 392 SO-user 10u IPv4 2619061 0t0 TCP X.X.X.X:50001 (LISTEN)
avahi-dae 656 avahi 12u IPv4 11801 0t0 UDP *:5353
avahi-dae 656 avahi 13u IPv6 11802 0t0 UDP *:5353
avahi-dae 656 avahi 14u IPv4 11803 0t0 UDP *:56316
avahi-dae 656 avahi 15u IPv6 11804 0t0 UDP *:37945
sshd 1318 root 3u IPv4 8721 0t0 TCP *:ssh_port (LISTEN)
sshd 1318 root 4u IPv6 8723 0t0 TCP *:ssh_port (LISTEN)
searchd 1335 sphinxsearch 7u IPv4 11887 0t0 TCP *:9306 (LISTEN)
searchd 1335 sphinxsearch 8u IPv4 11888 0t0 TCP *:9312 (LISTEN)
cups-brow 1356 root 6u IPv6 22234 0t0 TCP [X.X.X.X]:59900->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1356 root 8u IPv4 22236 0t0 UDP *:631
mysqld 1400 mysql 14u IPv4 13789 0t0 TCP X.X.X.X:3306 (LISTEN)
searchd 1335 sphinxsearch 8u IPv4 11888 0t0 TCP *:9312 (LISTEN)
cups-brow 1356 root 6u IPv6 22234 0t0 TCP [X.X.X.X]:59900->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1356 root 8u IPv4 22236 0t0 UDP *:631
salt-mini 1425 root 13u IPv4 11062 0t0 TCP X.X.X.X:34884->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1425 root 24u IPv4 15001 0t0 TCP X.X.X.X:33852->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1538 ossecm 5u IPv4 14406 0t0 UDP X.X.X.X:40163->X.X.X.X:514
salt-mast 1614 root 12u IPv4 14451 0t0 TCP *:4505 (LISTEN)
salt-mast 1614 root 14u IPv4 15002 0t0 TCP X.X.X.X:4505->X.X.X.X:33852 (ESTABLISHED)
salt-mast 1614 root 15u IPv4 20910 0t0 TCP X.X.X.X:4505->X.X.X.X:52025 (ESTABLISHED)
salt-mast 1614 root 16u IPv4 42009 0t0 TCP X.X.X.X:4505->X.X.X.X:59634 (ESTABLISHED)
salt-mast 1614 root 17u IPv4 756367 0t0 TCP X.X.X.X:4505->X.X.X.X:59278 (ESTABLISHED)
salt-mini 1425 root 24u IPv4 15001 0t0 TCP X.X.X.X:33852->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1538 ossecm 5u IPv4 14406 0t0 UDP X.X.X.X:40163->X.X.X.X:514
salt-mast 1614 root 12u IPv4 14451 0t0 TCP *:4505 (LISTEN)
salt-mast 1614 root 14u IPv4 15002 0t0 TCP X.X.X.X:4505->X.X.X.X:33852 (ESTABLISHED)
salt-mast 1614 root 15u IPv4 20910 0t0 TCP X.X.X.X:4505->X.X.X.X:52025 (ESTABLISHED)
salt-mast 1614 root 16u IPv4 42009 0t0 TCP X.X.X.X:4505->X.X.X.X:59634 (ESTABLISHED)
salt-mast 1614 root 18u IPv4 2616904 0t0 TCP X.X.X.X:4505->X.X.X.X:42104 (ESTABLISHED)
salt-mast 1627 root 20u IPv4 14489 0t0 TCP *:4506 (LISTEN)
salt-mast 1627 root 22u IPv4 14948 0t0 TCP X.X.X.X:4506->X.X.X.X:34884 (ESTABLISHED)
salt-mast 1627 root 28u IPv4 20577 0t0 TCP X.X.X.X:4506->X.X.X.X:50776 (ESTABLISHED)
salt-mast 1627 root 29u IPv4 42008 0t0 TCP X.X.X.X:4506->X.X.X.X:55028 (ESTABLISHED)
salt-mast 1627 root 30u IPv4 755581 0t0 TCP X.X.X.X:4506->X.X.X.X:51370 (ESTABLISHED)
salt-mast 1627 root 22u IPv4 14948 0t0 TCP X.X.X.X:4506->X.X.X.X:34884 (ESTABLISHED)
salt-mast 1627 root 28u IPv4 20577 0t0 TCP X.X.X.X:4506->X.X.X.X:50776 (ESTABLISHED)
salt-mast 1627 root 29u IPv4 42008 0t0 TCP X.X.X.X:4506->X.X.X.X:55028 (ESTABLISHED)
salt-mast 1627 root 31u IPv4 2618097 0t0 TCP X.X.X.X:4506->X.X.X.X:59094 (ESTABLISHED)
xrdp 2463 xrdp 6u IPv4 17463 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 2465 root 6u IPv4 11218 0t0 TCP X.X.X.X:3350 (LISTEN)
ntpd 4658 ntp 16u IPv4 23896 0t0 UDP *:123
xrdp-sesm 2465 root 6u IPv4 11218 0t0 TCP X.X.X.X:3350 (LISTEN)
ntpd 4658 ntp 17u IPv6 23897 0t0 UDP *:123
ntpd 4658 ntp 18u IPv4 23903 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 19u IPv4 23904 0t0 UDP X.X.X.X:123
ntpd 4658 ntp 20u IPv6 23905 0t0 UDP [X.X.X.X]:123
ntpd 4658 ntp 21u IPv6 23906 0t0 UDP [X.X.X.X]:123
cupsd 4675 root 10u IPv6 23218 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 4675 root 11u IPv4 23219 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 4680 root 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 9u IPv6 23242 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 4732 SO-user 10u IPv4 23243 0t0 TCP X.X.X.X:50000 (LISTEN)
/usr/sbin 4786 root 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
sshd 4732 SO-user 3u IPv4 22237 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:38588 (ESTABLISHED)
sshd 4732 SO-user 9u IPv6 23242 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 4732 SO-user 10u IPv4 23243 0t0 TCP X.X.X.X:50000 (LISTEN)
/usr/sbin 4786 root 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4786 root 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
chromium- 6859 SO-user 95u IPv4 7673907 0t0 TCP X.X.X.X:54864->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 103u IPv4 7673966 0t0 TCP X.X.X.X:47254->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 116u IPv4 7687466 0t0 UDP X.X.X.X:56745->X.X.X.X:443
chromium- 6859 SO-user 118u IPv4 7680608 0t0 TCP X.X.X.X:53244->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 128u IPv4 7687470 0t0 UDP X.X.X.X:43009->X.X.X.X:443
chromium- 6859 SO-user 130u IPv4 7673962 0t0 TCP X.X.X.X:40192->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 146u IPv4 7669107 0t0 TCP X.X.X.X:48954->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 151u IPv4 7669293 0t0 TCP X.X.X.X:48484->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 158u IPv4 29941 0t0 UDP *:5353
chromium- 6859 SO-user 172u IPv4 7675988 0t0 TCP X.X.X.X:54726->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 180u IPv4 7675985 0t0 TCP X.X.X.X:59366->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 185u IPv4 7674978 0t0 TCP X.X.X.X:45206->X.X.X.X:443 (ESTABLISHED)
chromium- 6859 SO-user 187u IPv4 7674980 0t0 TCP X.X.X.X:47268->X.X.X.X:443 (ESTABLISHED)
tclsh 13627 SO-user 3u IPv4 7686242 0t0 TCP X.X.X.X:43757->X.X.X.X:7736 (ESTABLISHED)
syslog-ng 17311 root 14u IPv4 6568112 0t0 TCP *:514 (LISTEN)
syslog-ng 17311 root 15u IPv4 6568113 0t0 UDP *:514
/usr/sbin 18861 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 18861 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18861 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18967 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 18967 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18967 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18983 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 18983 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18983 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18985 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 18985 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18985 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
tclsh 19165 SO-user 3u IPv4 7684655 0t0 TCP X.X.X.X:36000->X.X.X.X:7736 (ESTABLISHED)
tclsh 20133 SO-user 13u IPv4 7680713 0t0 TCP *:7734 (LISTEN)
tclsh 20133 SO-user 14u IPv6 7680714 0t0 TCP *:7734 (LISTEN)
tclsh 20133 SO-user 15u IPv4 7680717 0t0 TCP *:7736 (LISTEN)
tclsh 20133 SO-user 16u IPv6 7680718 0t0 TCP *:7736 (LISTEN)
tclsh 20133 SO-user 17u IPv4 7685206 0t0 TCP X.X.X.X:7736->X.X.X.X:35143 (ESTABLISHED)
tclsh 20133 SO-user 18u IPv4 7686239 0t0 TCP X.X.X.X:7736->X.X.X.X:44753 (ESTABLISHED)
tclsh 20133 SO-user 19u IPv4 7686243 0t0 TCP X.X.X.X:7736->X.X.X.X:43757 (ESTABLISHED)
tclsh 20133 SO-user 20u IPv4 7685460 0t0 TCP X.X.X.X:7736->X.X.X.X:36584 (ESTABLISHED)
tclsh 20133 SO-user 21u IPv4 7686245 0t0 TCP X.X.X.X:7736->X.X.X.X:36000 (ESTABLISHED)
tclsh 20133 SO-user 22u IPv4 7686246 0t0 TCP X.X.X.X:7736->X.X.X.X:58759 (ESTABLISHED)
tclsh 20133 SO-user 23u IPv4 7686247 0t0 TCP X.X.X.X:7736->X.X.X.X:60880 (ESTABLISHED)
tclsh 20133 SO-user 24u IPv4 7686248 0t0 TCP X.X.X.X:7736->X.X.X.X:55132 (ESTABLISHED)
tclsh 20133 SO-user 25u IPv4 7685251 0t0 TCP X.X.X.X:7736->X.X.X.X:52508 (ESTABLISHED)
tclsh 20133 SO-user 26u IPv4 7685252 0t0 TCP X.X.X.X:7736->X.X.X.X:50478 (ESTABLISHED)
tclsh 20133 SO-user 27u IPv4 7685253 0t0 TCP X.X.X.X:7736->X.X.X.X:52165 (ESTABLISHED)
tclsh 20133 SO-user 28u IPv4 7685254 0t0 TCP X.X.X.X:7736->X.X.X.X:38371 (ESTABLISHED)
tclsh 20133 SO-user 29u IPv4 7685255 0t0 TCP X.X.X.X:7736->X.X.X.X:38681 (ESTABLISHED)
tclsh 20133 SO-user 30u IPv4 7685256 0t0 TCP X.X.X.X:7736->X.X.X.X:40834 (ESTABLISHED)
tclsh 20133 SO-user 31u IPv4 7685265 0t0 TCP X.X.X.X:7736->X.X.X.X:41784 (ESTABLISHED)
tclsh 20133 SO-user 32u IPv4 7685329 0t0 TCP X.X.X.X:7736->X.X.X.X:39569 (ESTABLISHED)
tclsh 20133 SO-user 33u IPv4 7685530 0t0 TCP X.X.X.X:7734->X.X.X.X:36118 (ESTABLISHED)
tclsh 20266 SO-user 3u IPv4 7686309 0t0 TCP X.X.X.X:39569->X.X.X.X:7736 (ESTABLISHED)
bro 21127 SO-user 4u IPv4 7683711 0t0 UDP X.X.X.X:42356->X.X.X.X:53
bro 21154 SO-user 0u IPv4 7680723 0t0 TCP *:47761 (LISTEN)
bro 21154 SO-user 1u IPv6 7680724 0t0 TCP *:47761 (LISTEN)
bro 21154 SO-user 2u IPv4 7680753 0t0 TCP X.X.X.X:47761->X.X.X.X:35644 (ESTABLISHED)
bro 21154 SO-user 4u IPv4 7683711 0t0 UDP X.X.X.X:42356->X.X.X.X:53
bro 21154 SO-user 268u IPv4 7680994 0t0 TCP X.X.X.X:47761->X.X.X.X:35646 (ESTABLISHED)
bro 21248 SO-user 4u IPv4 7682953 0t0 UDP X.X.X.X:37911->X.X.X.X:53
bro 21269 SO-user 0u IPv4 7682975 0t0 TCP X.X.X.X:35644->X.X.X.X:47761 (ESTABLISHED)
bro 21269 SO-user 4u IPv4 7682953 0t0 UDP X.X.X.X:37911->X.X.X.X:53
bro 21269 SO-user 266u IPv4 7682980 0t0 TCP *:47762 (LISTEN)
bro 21269 SO-user 267u IPv6 7682981 0t0 TCP *:47762 (LISTEN)
bro 21269 SO-user 268u IPv4 7683032 0t0 TCP X.X.X.X:47762->X.X.X.X:38054 (ESTABLISHED)
bro 21483 SO-user 4u IPv4 7684006 0t0 UDP X.X.X.X:37889->X.X.X.X:53
bro 21484 SO-user 0u IPv4 7680993 0t0 TCP X.X.X.X:35646->X.X.X.X:47761 (ESTABLISHED)
bro 21484 SO-user 4u IPv4 7684006 0t0 UDP X.X.X.X:37889->X.X.X.X:53
bro 21484 SO-user 266u IPv4 7680999 0t0 TCP X.X.X.X:38054->X.X.X.X:47762 (ESTABLISHED)
bro 21484 SO-user 271u IPv4 7681004 0t0 TCP *:47763 (LISTEN)
bro 21484 SO-user 272u IPv6 7681005 0t0 TCP *:47763 (LISTEN)
tclsh 21596 SO-user 3u IPv4 7686171 0t0 TCP X.X.X.X:35143->X.X.X.X:7736 (ESTABLISHED)
tclsh 21643 SO-user 3u IPv4 7687219 0t0 TCP X.X.X.X:44753->X.X.X.X:7736 (ESTABLISHED)
tclsh 21643 SO-user 4u IPv4 7687220 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 21643 SO-user 6u IPv4 7687463 0t0 TCP X.X.X.X:8001->X.X.X.X:36196 (ESTABLISHED)
barnyard2 21826 SO-user 3u IPv4 7687462 0t0 TCP X.X.X.X:36196->X.X.X.X:8001 (ESTABLISHED)
tclsh 21867 SO-user 3u IPv4 7685459 0t0 TCP X.X.X.X:36584->X.X.X.X:7736 (ESTABLISHED)
/usr/sbin 21881 www-data 5u IPv6 23289 0t0 TCP *:443 (LISTEN)
/usr/sbin 21881 www-data 7u IPv6 23293 0t0 TCP *:9876 (LISTEN)
/usr/sbin 21881 www-data 9u IPv6 23299 0t0 TCP *:3154 (LISTEN)
sshd 32754 root 3u IPv4 2619009 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:51864 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 20 minutes to avoid overwhelming rule sites.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking laSO-user MD5 for emerging.rules.tar.gz....
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking laSO-user MD5 for emerging.rules.tar.gz....
Deleted:---0
Enabled Rules:----20341
Dropped Rules:----0
Disabled Rules:---4273
Total Rules:------24614
Disabled Rules:---4273
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.20 0.67 0.38
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 14:29:40 up 4 days, 17:41, 2 users, load average: 1.20, 0.67, 0.38
then tune until load average is lower than processing units.
Tasks: 287 total, 2 running, 285 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.9 us, 1.1 sy, 0.0 ni, 95.8 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 4046484 total, 3592912 used, 453572 free, 24992 buffers
KiB Swap: 1044476 total, 973920 used, 70556 free. 464048 cached Mem
%CPU %MEM COMMAND
95.8 7.1 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U --snaplen 1524
26.3 0.2 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
13.8 5.5 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
12.1 14.3 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
4.3 5.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
1.8 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.5 1.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.6 2.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
0.2 3.9 /usr/sbin/mysqld
0.2 0.9 /usr/bin/python /usr/bin/salt-SO-user
0.2 0.2 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.1 8.5 /usr/bin/searchd --nodetach
0.1 2.4 /usr/lib/chromium-browser/chromium-browser --enable-pinch
0.1 2.0 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2016-11-07/ --user 1003 --group 1003 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.1 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.1 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.1 0.1 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/0]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kpsmoused]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/2:1H]
0.0 0.0 sshd: SO-user
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [hwrng]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/3:2]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 cron
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 [kauditd]
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 lightdm
0.0 0.4 /usr/bin/python /usr/bin/salt-minion
0.0 0.6 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/sbin/kerneloops
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kworker/0:1H]
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.1 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.9 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.8 /usr/bin/python /usr/bin/salt-SO-user
0.0 1.2 /usr/bin/python /usr/bin/salt-SO-user
0.0 1.2 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.8 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.0 /usr/bin/python /usr/bin/salt-SO-user
0.0 0.3 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.0 [kworker/3:0]
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-WBZ27cJVpF
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.1 xfwm4
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.1 xfce4-panel
0.0 0.3 Thunar --daemon
0.0 0.0 xfdesktop
0.0 0.0 xfce4-power-manager
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 update-notifier
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 nm-applet
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 xfce4-volumed
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 light-locker
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 xfsettingsd
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 12582947 actions Action Buttons Log out, lock or other system actions
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.20 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.7 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.4 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrow
0.0 0.1 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=6859.5.1916113813 --mojo-application-channel-token=EA7A55476A82F4644257B0FF4B9F2762 --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC bleWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/*SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,56 --gpu-vendor-id=0x1013 --gpu-device-id=0x00b8 --gpu-driver-vendor=Mesa --gpu-driver-version=11.2.0 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.0 0.0 [kworker/1:1]
0.0 3.5 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/*EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBr
0.0 0.2 xfce4-terminal
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.0 sudo -i
0.0 0.0 -bash
0.0 0.0 bash
0.0 0.0 sudo -i
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 [kworker/2:2]
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 [kworker/u8:2]
0.0 0.0 supervising syslog-ng
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kworker/2:0]
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kworker/u8:0]
0.0 0.0 [kworker/1:0]
0.0 2.6 /usr/sbin/apache2 -k start
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u8:1]
0.0 2.6 /usr/sbin/apache2 -k start
0.0 2.6 /usr/sbin/apache2 -k start
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 [kworker/1:2]
0.0 0.1 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 1.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 1.3 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 1.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 14.1 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.1 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.1 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.1 su - SO-user -- /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.0 [kworker/3:1]
0.0 2.7 /usr/sbin/apache2 -k start
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:1]
0.0 0.1 mousepad
0.0 0.0 sshd: SO-user [priv]
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth0:
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth0
Tot Pkt Lost : 0
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth0-1: 1478528981.041527 recvd=414 dropped=0 link=414
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
No capture loss reported.
-------------------------------------------------------------------------
Netsniff-NG:
0 Loss
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
1.3G .
71M ./2016-10-26
65M ./2016-10-27
62M ./2016-10-28
61M ./2016-10-29
72M ./2016-10-30
96M ./2016-10-31
119M ./2016-11-01
139M ./2016-11-02
65M ./2016-10-27
62M ./2016-10-28
61M ./2016-10-29
72M ./2016-10-30
96M ./2016-10-31
119M ./2016-11-01
150M ./2016-11-03
166M ./2016-11-04
132M ./2016-11-05
115M ./2016-11-06
70M ./2016-11-07
/nsm/bro/logs/ - 13 days
35M .
1.7M ./2016-10-26
1.7M ./2016-10-27
1.7M ./2016-10-28
1.7M ./2016-10-29
1.9M ./2016-10-30
2.4M ./2016-10-31
1.9M ./2016-11-01
2.2M ./2016-11-02
1.7M ./2016-10-27
1.7M ./2016-10-28
1.7M ./2016-10-29
1.9M ./2016-10-30
2.4M ./2016-10-31
1.9M ./2016-11-01
2.1M ./2016-11-03
2.7M ./2016-11-04
2.8M ./2016-11-05
2.9M ./2016-11-06
1.6M ./2016-11-07
8.1M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
238 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
144 1:2012648 ET POLICY Dropbox Client Broadcasting
102 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
42 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
35 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
31 1:2012710 ET POLICY MS Terminal Server Root login
24 1:2402000 ET DROP Dshield Block Listed Source group 1
23 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
10 1:2403406 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 54
8 1:2403550 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 126
7 1:2403334 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 18
2 1:2403356 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 29
2 1:2009702 ET POLICY DNS Update From External net
2 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
1 1:2009099 ET P2P ThunderNetwork UDP Traffic
1 1:2012711 ET POLICY MS Remote Desktop POS User Login Request
1 1:2500044 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 23
1 1:2403502 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 102
Total
17331
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
4278 1:2021630 ET TROJAN MS Terminal Server Single Character Login, possible Morto inbound
2995 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
2026 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
1154 1:2012648 ET POLICY Dropbox Client Broadcasting
806 1:2001972 ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)
350 1:2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
124 1:2402000 ET DROP Dshield Block Listed Source group 1
110 1:2012711 ET POLICY MS Remote Desktop POS User Login Request
71 1:2012710 ET POLICY MS Terminal Server Root login
47 1:2403380 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 41
43 1:2018124 ET TROJAN MS Remote Desktop micros User Login Request
35 1:2403384 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 43
33 1:2403372 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 37
26 1:2009702 ET POLICY DNS Update From External net
25 1:2403406 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 54
20 1:2000419 ET POLICY PE EXE or DLL Windows file download
17 1:2403386 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 44
16 1:2403394 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 48
16 1:2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
15 1:2403334 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 18
13 1:2403374 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38
12 1:2014520 ET INFO EXE - Served Attached HTTP
11 1:2403402 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 52
9 1:2012712 ET POLICY MS Remote Desktop Service User Login Request
9 1:2100366 GPL ICMP_INFO PING *NIX
8 1:2403550 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 126
9 1:2100366 GPL ICMP_INFO PING *NIX
4 1:2403342 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 22
4 1:2403356 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 29
4 1:2017919 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
4 1:2403346 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24
3 1:2403336 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 19
3 1:2009099 ET P2P ThunderNetwork UDP Traffic
3 1:2403358 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 30
3 1:2400004 ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2 1:2403340 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 21
2 1:2403352 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 27
2 1:2018116 ET TROJAN MS Remote Desktop edc User Login Request
2 1:2403496 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 99
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2403442 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 72
2 1:2403354 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 28
2 1:2403442 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 72
2 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
2 1:2403434 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 68
1 1:2403490 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 96
1 1:2403412 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 57
1 1:2403388 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 45
1 1:2500006 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 4
1 1:2403412 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 57
1 1:2403388 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 45
1 1:2520014 ET TOR Known Tor Exit Node TCP Traffic group 8
1 1:2403362 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 32
Total
1 1:2403362 ET CINS Active Threat Intelligence Poor Reputation IP TCP group 32
179345
=========================================================================
Last update
=========================================================================
Start-Date: 2016-11-02 20:30:15
Commandline: apt-get install xrdp
Install: xrdp:amd64 (0.6.0-1), vnc4server:amd64 (4.1.1+xorg4.3.0-37ubuntu5.0.2, automatic), xbase-clients:amd64 (7.7+1ubuntu8.1, automatic)
End-Date: 2016-11-02 20:30:16
Start-Date: 2016-11-02 20:47:21
Commandline: apt-get -y dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libnl-genl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), dbus:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libdbus-1-3:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libgd3:amd64 (2.1.0-3ubuntu0.3, 2.1.0-3ubuntu0.5), dbus-x11:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libnl-route-3-200:amd64 (3.2.21-1ubuntu3, 3.2.21-1ubuntu4), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10)
End-Date: 2016-11-02 20:47:23
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1400 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1323 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1335 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1400 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1323 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1335 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
553M /nsm/elsa/data
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
17M /var/lib/mysql/syslog
31M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
BelleCrosse
Nov 7, 2016, 11:06:20 AM11/7/16
to security-onion
This is the output from the [Stand-alone Server-Sensor]
[Stand-Alone Server/Sensor Output]
sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 3651 2 04 Nov 21:16:12
proxy proxy localhost running 3880 ??? 04 Nov 21:16:14
SO-server-eth1-1 worker localhost running 4107 2 04 Nov 21:16:16
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3267131 errors:0 dropped:0 overruns:0 frame:0
TX packets:150055 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:359075728 (359.0 MB) TX bytes:27515794 (27.5 MB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6433783 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:534255407 (534.2 MB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:797562 errors:0 dropped:0 overruns:0 frame:0
TX packets:797562 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:462142211 (462.1 MB) TX bytes:462142211 (462.1 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
462142211 797562 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
462142211 797562 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
359075728 3267131 0 0 0 139402
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
27515794 150055 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
534255572 6433784 0 0 0 921662
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 1.6G 4.0K 1.6G 1% /dev
tmpfs 326M 1.3M 324M 1% /run
/dev/dm-0 914G 7.5G 860G 1% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 1.6G 88K 1.6G 1% /run/shm
none 100M 24K 100M 1% /run/user
/dev/sda1 236M 90M 134M 41% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1178 avahi 12u IPv4 11116 0t0 UDP *:5353
avahi-dae 1178 avahi 13u IPv6 11117 0t0 UDP *:5353
avahi-dae 1178 avahi 14u IPv4 11118 0t0 UDP *:45143
avahi-dae 1178 avahi 15u IPv6 11119 0t0 UDP *:50288
sshd 1382 root 3u IPv4 12277 0t0 TCP *:ssh_port (LISTEN)
sshd 1382 root 4u IPv6 12279 0t0 TCP *:ssh_port (LISTEN)
cups-brow 1478 root 6u IPv6 13950 0t0 TCP [X.X.X.X]:59214->[X.X.X.X]:631 (ESTABLISHED)
cups-brow 1478 root 8u IPv4 13952 0t0 UDP *:631
searchd 1644 sphinxsearch 7u IPv4 13176 0t0 TCP *:9306 (LISTEN)
searchd 1644 sphinxsearch 8u IPv4 13177 0t0 TCP *:9312 (LISTEN)
mysqld 1652 mysql 10u IPv4 15022 0t0 TCP X.X.X.X:50000 (LISTEN)
salt-mini 1657 root 13u IPv4 13200 0t0 TCP X.X.X.X:59094->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1657 root 24u IPv4 14820 0t0 TCP X.X.X.X:42104->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1747 ossecm 5u IPv4 13547 0t0 UDP X.X.X.X:38150->X.X.X.X:514
starman 1907 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
starman 1935 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
starman 1936 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
starman 1937 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
starman 1938 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
starman 1939 www-data 5u IPv6 13610 0t0 TCP *:3154 (LISTEN)
cupsd 2174 root 10u IPv6 15124 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2174 root 11u IPv4 15125 0t0 TCP X.X.X.X:631 (LISTEN)
cupsd 2174 root 16u IPv6 15137 0t0 TCP [X.X.X.X]:631->[X.X.X.X]:59214 (ESTABLISHED)
ntpd 2700 ntp 16u IPv4 17767 0t0 UDP *:123
ntpd 2700 ntp 17u IPv6 17768 0t0 UDP *:123
ntpd 2700 ntp 18u IPv4 17774 0t0 UDP X.X.X.X:123
ntpd 2700 ntp 19u IPv4 17775 0t0 UDP X.X.X.X:123
ntpd 2700 ntp 20u IPv6 17776 0t0 UDP [X.X.X.X]:123
ntpd 2700 ntp 21u IPv6 17777 0t0 UDP [X.X.X.X]:123
ssh 3239 root 3u IPv4 19170 0t0 TCP X.X.X.X:51864->X.X.X.X:ssh_port (ESTABLISHED)
ssh 3239 root 4u IPv6 19299 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 3239 root 5u IPv4 19300 0t0 TCP X.X.X.X:3306 (LISTEN)
bro 3651 SO-user 4u IPv4 20765 0t0 UDP X.X.X.X:35999->X.X.X.X:53
bro 3687 SO-user 0u IPv4 20819 0t0 TCP *:47761 (LISTEN)
bro 3687 SO-user 1u IPv6 20820 0t0 TCP *:47761 (LISTEN)
bro 3687 SO-user 2u IPv4 21055 0t0 TCP X.X.X.X:47761->X.X.X.X:39648 (ESTABLISHED)
bro 3687 SO-user 4u IPv4 20765 0t0 UDP X.X.X.X:35999->X.X.X.X:53
bro 3687 SO-user 267u IPv4 21371 0t0 TCP X.X.X.X:47761->X.X.X.X:39650 (ESTABLISHED)
bro 3880 SO-user 4u IPv4 21019 0t0 UDP X.X.X.X:51059->X.X.X.X:53
bro 3903 SO-user 0u IPv4 21054 0t0 TCP X.X.X.X:39648->X.X.X.X:47761 (ESTABLISHED)
bro 3903 SO-user 4u IPv4 21019 0t0 UDP X.X.X.X:51059->X.X.X.X:53
bro 3903 SO-user 265u IPv4 21062 0t0 TCP *:47762 (LISTEN)
bro 3903 SO-user 266u IPv6 21063 0t0 TCP *:47762 (LISTEN)
bro 3903 SO-user 267u IPv4 21377 0t0 TCP X.X.X.X:47762->X.X.X.X:34482 (ESTABLISHED)
bro 4107 SO-user 4u IPv4 21305 0t0 UDP X.X.X.X:50113->X.X.X.X:53
bro 4143 SO-user 0u IPv4 21370 0t0 TCP X.X.X.X:39650->X.X.X.X:47761 (ESTABLISHED)
bro 4143 SO-user 4u IPv4 21305 0t0 UDP X.X.X.X:50113->X.X.X.X:53
bro 4143 SO-user 266u IPv4 21376 0t0 TCP X.X.X.X:34482->X.X.X.X:47762 (ESTABLISHED)
bro 4143 SO-user 271u IPv4 21384 0t0 TCP *:47763 (LISTEN)
bro 4143 SO-user 272u IPv6 21385 0t0 TCP *:47763 (LISTEN)
tclsh 6396 SO-user 3u IPv4 2326689 0t0 TCP X.X.X.X:38681->X.X.X.X:7736 (ESTABLISHED)
tclsh 6425 SO-user 3u IPv4 2326692 0t0 TCP X.X.X.X:40834->X.X.X.X:7736 (ESTABLISHED)
tclsh 6695 SO-user 3u IPv4 2325320 0t0 TCP X.X.X.X:41784->X.X.X.X:7736 (ESTABLISHED)
tclsh 6695 SO-user 4u IPv4 2271994 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 6695 SO-user 6u IPv4 2290832 0t0 TCP X.X.X.X:8101->X.X.X.X:52660 (ESTABLISHED)
wish 9089 SO-user 4u IPv4 2325328 0t0 TCP X.X.X.X:36118->X.X.X.X:7734 (ESTABLISHED)
barnyard2 15490 SO-user 3u IPv4 2290831 0t0 TCP X.X.X.X:52660->X.X.X.X:8101 (ESTABLISHED)
tclsh 15985 SO-user 3u IPv4 2325317 0t0 TCP X.X.X.X:38371->X.X.X.X:7736 (ESTABLISHED)
syslog-ng 17722 root 13u IPv4 1838108 0t0 TCP *:514 (LISTEN)
syslog-ng 17722 root 14u IPv4 1838109 0t0 UDP *:514
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.73 0.93 0.81
Processing units: 2
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 14:39:37 up 2 days, 17:24, 2 users, load average: 1.73, 0.93, 0.81
Tasks: 236 total, 4 running, 232 sleeping, 0 stopped, 0 zombie
%Cpu(s): 12.0 us, 7.4 sy, 0.0 ni, 79.8 id, 0.8 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 3329024 total, 2592336 used, 736688 free, 52156 buffers
KiB Swap: 3395580 total, 1195676 used, 2199904 free. 923436 cached Mem
%CPU %MEM COMMAND
20.7 16.6 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
2.0 1.0 /usr/lib/chromium-browser/chromium-browser --enable-pinch
1.5 8.0 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U --snaplen 1524
1.1 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.1 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.5 0.7 xfce4-terminal
0.3 1.6 /usr/sbin/mysqld
0.3 0.9 wish /usr/bin/SO-user.tk
0.2 0.1 -bash
0.1 12.2 /usr/bin/searchd --nodetach
0.1 0.1 bash
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kpsmoused]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [usb-storage]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 cron
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 [kauditd]
0.0 0.1 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /usr/sbin/kerneloops
0.0 0.8 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 starman SO-user -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.1 lightdm
0.0 0.4 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50001:localhost:3154 SO-...@X.X.X.X
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50001:localhost:3154 SO-...@X.X.X.X
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 16.0 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 1.8 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-CZBD9bxYKU
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.4 xfwm4 --display :0.0 --sm-client-id 2c86aa4e8-0c6b-49e0-af4d-f91ba3c5b124
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 Thunar --sm-client-id 2b8e14616-2498-4af9-8999-fa43a668db1e --daemon
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.3 xfce4-panel --display :0.0 --sm-client-id 25ec218e8-0be1-40bc-a5b7-04d70c52abf3
0.0 0.3 xfdesktop --display :0.0 --sm-client-id 261ec5289-0b5b-4a1c-be40-79fd16891cd3
0.0 0.0 xfsettingsd --display :0.0 --sm-client-id 228181d5c-f1cb-4bc2-9950-90d51800bb7c
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.4 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 10485792 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 xfce4-power-manager --restart --sm-client-id 22741e134-06f7-4133-a492-3ab6f71aeae8
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 10485793 systray Notification Area Area where notification icons appear
0.0 0.3 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 10485794 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 10485795 actions Action Buttons Log out, lock or other system actions
0.0 0.0 /usr/bin/python /usr/bin/blueman-applet
0.0 0.1 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 update-notifier
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.2 light-locker
0.0 0.0 xfce4-volumed
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.1 nm-applet
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.1 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.9 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.4 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.1 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.2 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.1 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.2 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.1 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.2 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 [kworker/1:2]
0.0 0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
0.0 2.3 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2016-11-07/ --user 1002 --group 1002 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 supervising syslog-ng
0.0 0.2 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kworker/u8:2]
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/u8:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/1:0]
0.0 0.0 gnome-pty-helper
0.0 0.1 sudo -i
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 17588
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth1:
RX packets:6433803 dropped:0 TX packets:0 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 5420348
Tot Pkt Lost : 0
Appl. Name : bro-eth1
Tot Packets : 6431770
Tot Pkt Lost : 0
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth1-1: 1478529578.527749 recvd=6431798 dropped=0 link=6431798
Capture Loss:
SO-server-eth1-1 0.0
If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).
-------------------------------------------------------------------------
Netsniff-NG:
0 Loss
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 2
Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 8 days
1.4G .
36M ./2016-10-31
170M ./2016-11-01
174M ./2016-11-02
154M ./2016-11-03
241M ./2016-11-04
223M ./2016-11-05
223M ./2016-11-06
137M ./2016-11-07
/nsm/bro/logs/ - 8 days
46M .
1.3M ./2016-10-31
6.0M ./2016-11-01
7.3M ./2016-11-02
5.4M ./2016-11-03
7.1M ./2016-11-04
5.5M ./2016-11-05
5.6M ./2016-11-06
3.3M ./2016-11-07
4.1M ./stats
=========================================================================
Last update
=========================================================================
Start-Date: 2016-11-02 17:28:02
Commandline: aptdaemon role='role-commit-packages' sender=':1.88'
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), dbus:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libdbus-1-3:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libgd3:amd64 (2.1.0-3ubuntu0.3, 2.1.0-3ubuntu0.5), dbus-x11:amd64 (1.6.18-0ubuntu4.3, 1.6.18-0ubuntu4.4), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.9, 9.9.5.dfsg-3ubuntu0.10)
End-Date: 2016-11-02 17:28:14
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
17722 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1652 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
1416 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1644 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
929M /nsm/elsa/data
13M /var/lib/mysql/syslog
56M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-10-31 18:54:43 2016-11-07 14:38:07
autossh
Checking for process:
3238 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50001:localhost:3154 SO-...@X.X.X.X
Checking APIKEY:
APIKEY matches server.
starman
Checking for processes:
1907 starman SO-user -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1935 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1936 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1937 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1938 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1939 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
Wes
Nov 8, 2016, 12:21:07 PM11/8/16
to security-onion
Following back up on this -- apologies for the delay -- what issues are you still experiencing?
Thanks,
Wes
BelleCrosse
Nov 9, 2016, 7:17:50 PM11/9/16
to security-onion
Good Evening Wes, and sorry for the delay. It's been a busy week. The issue I am having is that I am unable to access ELSA from my analyst machine connected to my sensors. Also, I'm unable to run query from within Sguil because i get the message that "the MySQL database doesn't exist". So you asked for the "sostat-redacted" output of my master server, my sensor1, and standalone sensor/master. Which I have posted except the output for sensor1 which is below:
Thank you so much for your time.
[ SENSOR 1 OUTPUT ]
sensor1@InnoveSensor:~$ sudo -i
root@InnoveSensor:~# sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 11636 4 26 Oct 00:58:54
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
proxy proxy localhost running 11676 4 26 Oct 00:58:56
SO-server-eth1-1 worker localhost running 11738 2 26 Oct 00:58:58
SO-server-eth2-1 worker localhost running 11740 2 26 Oct 00:58:58
SO-server-eth3-1 worker localhost running 11743 2 26 Oct 00:58:58
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2512840 errors:0 dropped:0 overruns:0 frame:0
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
TX packets:1256234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:918246566 (918.2 MB) TX bytes:309951783 (309.9 MB)
Interrupt:33
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9561391535 (9.5 GB) TX bytes:0 (0.0 B)
collisions:0 txqueuelen:1000
Interrupt:35
eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
collisions:0 txqueuelen:1000
Interrupt:36
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
collisions:0 txqueuelen:1000
Interrupt:37
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
TX packets:5128156 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2575495601 (2.5 GB) TX bytes:2575495601 (2.5 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2575495601 5128156 0 0 0 0
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2575495601 5128156 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
918246566 2512840 0 0 0 1101817
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
309951783 1256234 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
9561391535 32562970 0 3 0 1417234
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 16G 4.0K 16G 1% /dev
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
tmpfs 3.2G 1.4M 3.2G 1% /run
/dev/dm-0 427G 18G 388G 5% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
tmpfs 16G 132M 16G 1% /run/shm
none 5.0M 0 5.0M 0% /run/lock
none 100M 24K 100M 1% /run/user
/dev/sda1 236M 48M 177M 22% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 945 avahi 13u IPv6 11472 0t0 UDP *:5353
avahi-dae 945 avahi 14u IPv4 11473 0t0 UDP *:44125
avahi-dae 945 avahi 15u IPv6 11474 0t0 UDP *:54753
sshd 1844 root 3u IPv4 21512 0t0 TCP *:ssh_port (LISTEN)
sshd 1844 root 4u IPv6 21514 0t0 TCP *:ssh_port (LISTEN)
cups-brow 1888 root 6u IPv6 21262 0t0 TCP [X.X.X.X]:57205->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1888 root 8u IPv4 21535 0t0 UDP *:631
cupsd 1910 root 10u IPv6 17858 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1910 root 11u IPv4 17859 0t0 TCP X.X.X.X:631 (LISTEN)
ntpd 4652 ntp 16u IPv4 29701 0t0 UDP *:123
ntpd 4652 ntp 17u IPv6 29702 0t0 UDP *:123
ntpd 4652 ntp 18u IPv4 29708 0t0 UDP X.X.X.X:123
ntpd 4652 ntp 19u IPv4 29709 0t0 UDP X.X.X.X:123
ntpd 4652 ntp 20u IPv6 29710 0t0 UDP [X.X.X.X]:123
ntpd 4652 ntp 21u IPv6 29711 0t0 UDP [X.X.X.X]:123
salt-mini 11482 root 12u IPv4 10278588 0t0 TCP X.X.X.X:34132->X.X.X.X:4506 (ESTABLISHED)
salt-mini 11482 root 13u IPv4 10278589 0t0 TCP X.X.X.X:35380->X.X.X.X:4505 (ESTABLISHED)
bro 11636 SO-user 4u IPv4 73203 0t0 UDP X.X.X.X:33498->X.X.X.X:53
bro 11638 SO-user 0u IPv4 55046 0t0 TCP *:47761 (LISTEN)
bro 11638 SO-user 1u IPv6 55047 0t0 TCP *:47761 (LISTEN)
bro 11638 SO-user 2u IPv4 69230 0t0 TCP X.X.X.X:47761->X.X.X.X:37028 (ESTABLISHED)
bro 11638 SO-user 4u IPv4 73203 0t0 UDP X.X.X.X:33498->X.X.X.X:53
bro 11638 SO-user 268u IPv4 55057 0t0 TCP X.X.X.X:47761->X.X.X.X:37029 (ESTABLISHED)
bro 11638 SO-user 273u IPv4 55063 0t0 TCP X.X.X.X:47761->X.X.X.X:37031 (ESTABLISHED)
bro 11638 SO-user 278u IPv4 55066 0t0 TCP X.X.X.X:47761->X.X.X.X:37034 (ESTABLISHED)
bro 11676 SO-user 4u IPv4 73246 0t0 UDP X.X.X.X:37038->X.X.X.X:53
bro 11678 SO-user 0u IPv4 55050 0t0 TCP X.X.X.X:37028->X.X.X.X:47761 (ESTABLISHED)
bro 11678 SO-user 4u IPv4 73246 0t0 UDP X.X.X.X:37038->X.X.X.X:53
bro 11678 SO-user 266u IPv4 55055 0t0 TCP *:47762 (LISTEN)
bro 11678 SO-user 267u IPv6 55056 0t0 TCP *:47762 (LISTEN)
bro 11678 SO-user 268u IPv4 55060 0t0 TCP X.X.X.X:47762->X.X.X.X:55459 (ESTABLISHED)
bro 11678 SO-user 273u IPv4 69248 0t0 TCP X.X.X.X:47762->X.X.X.X:55461 (ESTABLISHED)
bro 11678 SO-user 278u IPv4 54203 0t0 TCP X.X.X.X:47762->X.X.X.X:55462 (ESTABLISHED)
bro 11738 SO-user 4u IPv4 56447 0t0 UDP X.X.X.X:53279->X.X.X.X:53
bro 11740 SO-user 4u IPv4 69237 0t0 UDP X.X.X.X:39042->X.X.X.X:53
bro 11743 SO-user 4u IPv4 56141 0t0 UDP X.X.X.X:42076->X.X.X.X:53
mysqld 11782 mysql 10u IPv4 69251 0t0 TCP X.X.X.X:50000 (LISTEN)
bro 11814 SO-user 0u IPv4 56454 0t0 TCP X.X.X.X:37029->X.X.X.X:47761 (ESTABLISHED)
bro 11814 SO-user 4u IPv4 69237 0t0 UDP X.X.X.X:39042->X.X.X.X:53
bro 11814 SO-user 266u IPv4 56457 0t0 TCP X.X.X.X:55459->X.X.X.X:47762 (ESTABLISHED)
bro 11814 SO-user 271u IPv4 56462 0t0 TCP *:47764 (LISTEN)
bro 11814 SO-user 272u IPv6 56463 0t0 TCP *:47764 (LISTEN)
bro 11817 SO-user 0u IPv4 73298 0t0 TCP X.X.X.X:37031->X.X.X.X:47761 (ESTABLISHED)
bro 11817 SO-user 4u IPv4 56447 0t0 UDP X.X.X.X:53279->X.X.X.X:53
bro 11817 SO-user 266u IPv4 73301 0t0 TCP X.X.X.X:55461->X.X.X.X:47762 (ESTABLISHED)
bro 11817 SO-user 271u IPv4 73306 0t0 TCP *:47763 (LISTEN)
bro 11817 SO-user 272u IPv6 73307 0t0 TCP *:47763 (LISTEN)
bro 11818 SO-user 0u IPv4 56466 0t0 TCP X.X.X.X:55462->X.X.X.X:47762 (ESTABLISHED)
bro 11818 SO-user 4u IPv4 56141 0t0 UDP X.X.X.X:42076->X.X.X.X:53
bro 11818 SO-user 266u IPv4 56469 0t0 TCP X.X.X.X:37034->X.X.X.X:47761 (ESTABLISHED)
bro 11818 SO-user 271u IPv4 56474 0t0 TCP *:47765 (LISTEN)
bro 11818 SO-user 272u IPv6 56475 0t0 TCP *:47765 (LISTEN)
searchd 13181 sphinxsearch 7u IPv4 78854 0t0 TCP *:9306 (LISTEN)
searchd 13181 sphinxsearch 8u IPv4 78855 0t0 TCP *:9312 (LISTEN)
starman 14728 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14731 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14731 www-data 14u IPv4 3862991 0t0 TCP X.X.X.X:34632->X.X.X.X:3154 (CLOSE_WAIT)
starman 14732 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14733 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14735 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14736 www-data 5u IPv6 77253 0t0 TCP *:3154 (LISTEN)
starman 14736 www-data 14u IPv4 3861155 0t0 TCP X.X.X.X:34643->X.X.X.X:3154 (CLOSE_WAIT)
ossec-csy 15491 ossecm 5u IPv4 56923 0t0 UDP X.X.X.X:52008->X.X.X.X:514
ssh 18109 root 3u IPv4 10269350 0t0 TCP X.X.X.X:50172->X.X.X.X:ssh_port (ESTABLISHED)
ssh 18109 root 4u IPv6 10273736 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 18109 root 5u IPv4 10273737 0t0 TCP X.X.X.X:3306 (LISTEN)
tclsh 27708 SO-user 3u IPv4 11514769 0t0 TCP X.X.X.X:47871->X.X.X.X:7736 (ESTABLISHED)
tclsh 28175 SO-user 3u IPv4 11521434 0t0 TCP X.X.X.X:51293->X.X.X.X:7736 (ESTABLISHED)
tclsh 28439 SO-user 3u IPv4 11517941 0t0 TCP X.X.X.X:51912->X.X.X.X:7736 (ESTABLISHED)
tclsh 28527 SO-user 3u IPv4 11526288 0t0 TCP X.X.X.X:53304->X.X.X.X:7736 (ESTABLISHED)
tclsh 28726 SO-user 3u IPv4 11525315 0t0 TCP X.X.X.X:58307->X.X.X.X:7736 (ESTABLISHED)
tclsh 28726 SO-user 4u IPv4 11523353 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 28726 SO-user 6u IPv4 11694334 0t0 TCP X.X.X.X:8101->X.X.X.X:37315 (ESTABLISHED)
tclsh 28866 SO-user 3u IPv4 11525344 0t0 TCP X.X.X.X:32854->X.X.X.X:7736 (ESTABLISHED)
tclsh 28866 SO-user 4u IPv4 11527269 0t0 TCP X.X.X.X:8201 (LISTEN)
tclsh 28954 SO-user 3u IPv4 11518664 0t0 TCP X.X.X.X:54072->X.X.X.X:7736 (ESTABLISHED)
tclsh 28954 SO-user 4u IPv4 11527272 0t0 TCP X.X.X.X:8301 (LISTEN)
barnyard2 32919 SO-user 3u IPv4 11262682 0t0 TCP X.X.X.X:54828->X.X.X.X:8201 (CLOSE_WAIT)
barnyard2 32998 SO-user 3u IPv4 11260792 0t0 TCP X.X.X.X:38068->X.X.X.X:8301 (CLOSE_WAIT)
barnyard2 41175 SO-user 3u IPv4 11690681 0t0 TCP X.X.X.X:37315->X.X.X.X:8101 (ESTABLISHED)
chromium- 41400 SO-user 80u IPv4 11841242 0t0 TCP X.X.X.X:36304->X.X.X.X:443 (ESTABLISHED)
chromium- 41400 SO-user 85u IPv4 11846261 0t0 UDP X.X.X.X:53908->X.X.X.X:443
chromium- 41400 SO-user 89u IPv4 11841240 0t0 UDP X.X.X.X:38435->X.X.X.X:443
chromium- 41400 SO-user 91u IPv4 11844345 0t0 TCP X.X.X.X:43545->X.X.X.X:443 (ESTABLISHED)
chromium- 41400 SO-user 108u IPv4 11831099 0t0 UDP X.X.X.X:42880->X.X.X.X:443
chromium- 41400 SO-user 131u IPv4 11824501 0t0 UDP *:5353
syslog-ng 43829 root 22u IPv4 11844627 0t0 TCP *:514 (LISTEN)
syslog-ng 43829 root 23u IPv4 11844628 0t0 UDP *:514
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
Processing units: 12
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 00:12:41 up 14 days, 23:40, 2 users, load average: 0.62, 0.74, 0.71
then tune until load average is lower than processing units.
Tasks: 333 total, 2 running, 331 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.7 us, 1.8 sy, 0.0 ni, 95.3 id, 0.2 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 32896516 total, 22536300 used, 10360216 free, 272948 buffers
KiB Swap: 33505276 total, 0 used, 33505276 free. 15474320 cached Mem
%CPU %MEM COMMAND
16.7 2.1 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
16.6 1.7 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
16.5 1.7 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
8.1 1.0 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/Safe
3.7 0.6 /usr/lib/chromium-browser/chromium-browser --enable-pinch
3.7 1.4 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/Saf
1.8 0.1 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
1.4 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.3 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.0 0.0 xfce4-terminal
0.6 1.7 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U --snaplen 1524
0.6 0.0 -bash
0.3 0.2 /usr/sbin/mysqld
0.2 2.1 /usr/bin/searchd --nodetach
0.2 0.0 bash
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_sched]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuos/1]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuob/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuob/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuos/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuob/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuob/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuob/5]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuob/6]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuob/7]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuob/8]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuob/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuob/10]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuob/11]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kswapd0]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_tmf_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [scsi_tmf_4]
0.0 0.0 [scsi_tmf_5]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 [kworker/9:1H]
0.0 0.0 [edac-poller]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/10:1H]
0.0 0.0 [kworker/4:1H]
0.0 0.0 lightdm
0.0 0.0 [kworker/5:1H]
0.0 0.1 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-WqG9Kbdy1M
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 xfce4-session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.0 xfwm4 --display :0.0 --sm-client-id 2e70d63a7-208f-45ec-b1ed-c79ef64a6a77
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.0 Thunar --sm-client-id 292bbeb59-61ce-4976-9cdb-3b2699e38a75 --daemon
0.0 0.0 xfce4-panel --display :0.0 --sm-client-id 2d7e8f89e-15fe-4648-964c-577fb06b604c
0.0 0.1 xfdesktop --display :0.0 --sm-client-id 25aafe05c-194b-466d-8eb0-5a2bcb6b0c1b
0.0 0.0 xfsettingsd --display :0.0 --sm-client-id 2fac12eca-984f-44f1-9500-ae7f0ca97207
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.0 xfce4-power-manager --restart --sm-client-id 2ab4dfbeb-bfed-4638-8a39-078db4258956
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 8 12582947 actions Action Buttons Log out, lock or other system actions
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 update-notifier
0.0 0.0 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 nm-applet
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.1 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 [kworker/6:1H]
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 xfce4-volumed
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 [kworker/11:1H]
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.18 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/2:1H]
0.0 0.0 [kworker/7:1H]
0.0 0.0 [kworker/9:2]
0.0 0.0 [kworker/10:0]
0.0 0.0 dbus-launch --autolaunch=e4815b95315abaa8ed8cc61b57d43b4e --binary-syntax --close-stderr
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/bin/python /usr/bin/salt-minion
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 1.7 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 1.7 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 1.7 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 [kworker/8:1H]
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 cron
0.0 0.0 starman SO-user -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-...@X.X.X.X
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/10:1]
0.0 0.0 light-locker --lock-after-screensaver=0 --no-lock-on-suspend --no-late-locking
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-...@X.X.X.X
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/1:0]
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/1:0]
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth2/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth3/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/2:1]
0.0 1.5 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -l /nsm/sensor_data/SO-server-eth2/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-1.stats -U --snaplen 1524
0.0 1.6 snort -c /etc/nsm/SO-server-eth3/snort.conf -u SO-user -g SO-user -i eth3 -l /nsm/sensor_data/SO-server-eth3/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth3/snort-1.stats -U --snaplen 1524
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-1 -i 1 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo-1 -i 1 -U
0.0 0.0 [kworker/4:2]
0.0 0.0 [kworker/u96:1]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/u96:2]
0.0 0.0 [kworker/4:0]
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/11:2]
0.0 0.2 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2016-11-10/ --user 1002 --group 1002 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.2 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2016-11-10/ --user 1002 --group 1002 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.2 netsniff-ng -i eth3 -o /nsm/sensor_data/SO-server-eth3/dailylogs/2016-11-10/ --user 1002 --group 1002 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
0.0 0.0 [kworker/7:2]
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
0.0 0.2 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 [kworker/7:0]
0.0 0.2 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=41400.5.255199162 --mojo-application-channel-token=A0B98E96FCD132FBEC5A532702AD8F8B --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,IncidentReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,MainFrameBeforeActivation<MainFrameBeforeActivation,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRenderingMixingStrategy<NewAudioRenderingMixingStrategy,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFl ebRTC-EnableWebRtcEcdsa,WebRTC-H264WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,use-new-media-cache<use-new-media-cache --force-fieldtrials=AsyncDNS/AsyncDNSA/AutofillClassifier/Enabled/*AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/CaptivePortalInterstitial/Enabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DisallowFetchForDocWrittenScriptsInMainFrame/DocumentWriteEvaluatorGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRouter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubbleUI/Enabled/ExtensionActionRedesign/Enabled/GoogleBrandedContextMenu/branded/InstanceID/Enabled/*LocalNTPSuggestionsService/Enabled/*MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled/MojoChannel/Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStrategy/Enabled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled/*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SSLCommonNameMismatchHandling/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentReportingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDatabaseManagerEnabled/Enabled/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SimpleCacheTrial/ExperimentYes/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TokenBinding/TokenBinding/*V8CacheStrategiesForCacheStorage/default/VarationsServiceControl/Interval_30min/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --window-depth=24 --x11-visual-id=33 --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,6,18,23,26,56 --gpu-vendor-id=0x102b --gpu-device-id=0x0534 --gpu-driver-vendor=Mesa --gpu-driver-version=10.5.9 --gpu-driver-date --v8-natives-passed-by-fd --v8-snapshot-passed-by-fd
0.0 0.0 [kworker/0:1]
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 gnome-pty-helper
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sudo -i
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/2:2]
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 [kworker/6:1]
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: 0
eth3: 0
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth1:
eth2:
RX packets:0 dropped:0 TX packets:0 dropped:0
eth3:
RX packets:0 dropped:0 TX packets:0 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth1
Tot Packets : 32463652
Tot Pkt Lost : 0
Appl. Name : bro-eth2
Tot Packets : 0
Tot Pkt Lost : 0
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 2661203
Tot Pkt Lost : 0
Appl. Name : snort-cluster-53-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
Appl. Name : snort-cluster-54-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
ERROR: No stats found in /nsm/sensor_data/SO-server-eth2/snort-1.stats
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
ERROR: No stats found in /nsm/sensor_data/SO-server-eth3/snort-1.stats
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth1-1: 1478736762.505302 recvd=32463666 dropped=0 link=32463666
Bro:
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth2-1: 1478736762.705299 recvd=0 dropped=0 link=0
SO-server-eth3-1: 1478736762.905226 recvd=0 dropped=0 link=0
No capture loss reported.
-------------------------------------------------------------------------
Netsniff-NG:
0 Loss
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Standard (non ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
9.3G .
1.1G ./2016-10-26
1.3G ./2016-10-27
383M ./2016-10-28
662M ./2016-10-29
415M ./2016-10-30
413M ./2016-10-31
327M ./2016-11-01
662M ./2016-11-02
316M ./2016-11-03
289M ./2016-11-04
301M ./2016-11-05
471M ./2016-11-06
466M ./2016-11-07
512M ./2016-11-08
1.9G ./2016-11-09
28M ./2016-11-10
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 16 days
132K .
8.0K ./2016-10-26
8.0K ./2016-10-27
8.0K ./2016-10-28
8.0K ./2016-10-29
8.0K ./2016-10-30
8.0K ./2016-10-31
8.0K ./2016-11-01
8.0K ./2016-11-02
8.0K ./2016-11-03
8.0K ./2016-11-04
8.0K ./2016-11-05
8.0K ./2016-11-06
8.0K ./2016-11-07
8.0K ./2016-11-08
8.0K ./2016-11-09
8.0K ./2016-11-10
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 16 days
132K .
8.0K ./2016-10-26
8.0K ./2016-10-27
8.0K ./2016-10-28
8.0K ./2016-10-29
8.0K ./2016-10-30
8.0K ./2016-10-31
8.0K ./2016-11-01
8.0K ./2016-11-02
8.0K ./2016-11-03
8.0K ./2016-11-04
8.0K ./2016-11-05
8.0K ./2016-11-06
8.0K ./2016-11-07
8.0K ./2016-11-08
8.0K ./2016-11-09
8.0K ./2016-11-10
/nsm/bro/logs/ - 15 days
160M .
19M ./2016-10-26
17M ./2016-10-27
7.0M ./2016-10-28
14M ./2016-10-29
8.5M ./2016-10-30
7.6M ./2016-10-31
5.3M ./2016-11-01
14M ./2016-11-02
5.8M ./2016-11-03
5.6M ./2016-11-04
5.5M ./2016-11-05
9.4M ./2016-11-06
7.2M ./2016-11-07
6.4M ./2016-11-08
10M ./2016-11-09
19M ./stats
=========================================================================
Last update
=========================================================================
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
11782 /usr/sbin/mysqld
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
13169 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
13181 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
2.9G /nsm/elsa/data
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
22M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
autossh
Checking for process:
14741 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-...@X.X.X.X
Checking APIKEY:
APIKEY matches server.
starman
Checking for processes:
14731 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
14732 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
14733 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
14735 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
14736 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
Wes
Nov 9, 2016, 7:48:33 PM11/9/16
to security-onion
It looks to me like you (from your output) have two sensors, and a master server:
Ex. From the master:
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
//Sensor 1//
autossh
Checking for process:
3238 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50001:localhost:3154 SO-...@X.X.X.X
//Sensor 2//
Checking for process:
3238 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50001:localhost:3154 SO-...@X.X.X.X
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 3651 2 04 Nov 21:16:12
proxy proxy localhost running 3880 ??? 04 Nov 21:16:14
SO-server-eth1-1 worker localhost running 4107 2 04 Nov 21:16:16
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
autossh
Checking for process:
14741 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-...@X.X.X.X
------------------------
Checking for process:
14741 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-...@X.X.X.X
Notice that this part is not included in the sensor sostat(s):
Status: securityonion
* SO-user server[ OK ]
See: https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall#so-allow
Thanks,
Wes
Franck DANVIDE
Nov 9, 2016, 8:12:53 PM11/9/16
to securit...@googlegroups.com
Hey Wes,
That is correct, but remember 1 of my sensors is a standalone box i linked to the master as a sensor?
Franck DANVIDE
Nov 9, 2016, 8:19:06 PM11/9/16
to securit...@googlegroups.com
[ So, it looks like you have 2 sensors connected to a master. From here, you should be able to connect to the master from your analyst machine to use Sguil, ELSA, etc. You'll want to make sure you have the appropriate firewall rules in place as well. ]
yes I'm able to connect to any of the sensors from my analyst machines, but when i run a query from within Sguil, it says that the database doesn't exist. Also, when i pivot from Sguil to Elsa, the Elsa page gives me an error message as shown below:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 3154
To post to this group, send email to securit...@googlegroups.com.
Wes
Nov 9, 2016, 9:42:20 PM11/9/16
to security-onion
On Wednesday, November 9, 2016 at 8:19:06 PM UTC-5, BelleCrosse wrote:
> [ So, it looks like you have 2 sensors connected to a master. From here, you should be able to connect to the master from your analyst machine to use Sguil, ELSA, etc. You'll want to make sure you have the appropriate firewall rules in place as well. ]
>
>
>
> yes I'm able to connect to any of the sensors from my analyst machines, but when i run a query from within Sguil, it says that the database doesn't exist. Also, when i pivot from Sguil to Elsa, the Elsa page gives me an error message as shown below:
>
>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable to complete your request.
> Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.
> More information about this error may be available in the server error log.Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 3154
> [ So, it looks like you have 2 sensors connected to a master. From here, you should be able to connect to the master from your analyst machine to use Sguil, ELSA, etc. You'll want to make sure you have the appropriate firewall rules in place as well. ]
>
>
>
> yes I'm able to connect to any of the sensors from my analyst machines, but when i run a query from within Sguil, it says that the database doesn't exist. Also, when i pivot from Sguil to Elsa, the Elsa page gives me an error message as shown below:
>
>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable to complete your request.
> Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.
You shouldn't need connect to sensors from an analyst machine, unless you are managing them via SSH, etc -- you should only need to connect to sguild on the master.
The sensors do not contain their own Sguild database (securityonion_db), only the master has this.
Are you trying to connect to ELSA on the sensors as well or are you accessing https://masterserver/elsa ?
Have you tried checking the Apache error log (/var/log/apache2/error.log) or /nsm/elsa/data/elsa/log/*?
Thanks,
Wes
Wes
Nov 9, 2016, 9:52:15 PM11/9/16
to security-onion
BelleCrosse
Nov 15, 2016, 8:56:27 AM11/15/16
to security-onion
Good Afternoon Wes,
I apologize for the late reply. I had gotten a cold that knocked me out for a bit.
So in response to your question, I have been connecting to Sguil on the master server from the analyst machine. However I'm still getting the database error message as well as Elsa Apache server error message.
On a side note, I switched my master server to a new master server 2 but I did not reinstall SO on the sensor. Do you think that it might be the issue?
So in the meantime, I will restart the install on both machines and see if it resolves the issue
Thank you so much for your time on this issue.
BelleCrosse
Reply all
Reply to author
Forward
0 new messages