Server sostat-redacted.txt
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1131149 errors:0 dropped:0 overruns:0 frame:0
TX packets:2573176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:211152442 (211.1 MB) TX bytes:3332316594 (3.3 GB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1167916 errors:0 dropped:0 overruns:0 frame:0
TX packets:1167916 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:865082777 (865.0 MB) TX bytes:865082777 (865.0 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:X.X.X.X P-t-P:X.X.X.X Mask:X.X.X.X
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:900030 errors:0 dropped:0 overruns:0 frame:0
TX packets:1399864 errors:0 dropped:708 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:63617654 (63.6 MB) TX bytes:1588663455 (1.5 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
865082777 1167916 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
865082777 1167916 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
211152442 1131149 0 0 0 2554
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3332316594 2573176 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
RX: bytes packets errors dropped overrun mcast
63617654 900030 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1588663455 1399864 0 708 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 261G 11G 238G 5% /
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 799M 752K 798M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 80K 3.9G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1057 avahi 12u IPv4 11275 0t0 UDP *:5353
avahi-dae 1057 avahi 13u IPv6 11276 0t0 UDP *:5353
avahi-dae 1057 avahi 14u IPv4 11277 0t0 UDP *:45206
avahi-dae 1057 avahi 15u IPv6 11278 0t0 UDP *:47778
cupsd 1135 root 8u IPv6 471405 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1135 root 9u IPv4 471406 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1535 root 3u IPv4 10358 0t0 TCP *:ssh_port (LISTEN)
sshd 1535 root 4u IPv6 10360 0t0 TCP *:ssh_port (LISTEN)
salt-mini 1642 root 10u IPv4 17317 0t0 TCP X.X.X.X:40360->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1642 root 21u IPv4 18107 0t0 TCP X.X.X.X:35996->X.X.X.X:4505 (ESTABLISHED)
mysqld 1721 mysql 10u IPv4 10707 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1721 mysql 34u IPv4 462925 0t0 TCP X.X.X.X:3306->X.X.X.X:55215 (ESTABLISHED)
searchd 1894 sphinxsearch 7u IPv4 10620 0t0 TCP *:9306 (LISTEN)
searchd 1894 sphinxsearch 8u IPv4 10621 0t0 TCP *:9312 (LISTEN)
openvpn 1908 nobody 6u IPv4 13318 0t0 TCP X.X.X.X:1194 (LISTEN)
openvpn 1908 nobody 9u IPv4 10711 0t0 TCP X.X.X.X:1194->X.X.X.X:43764 (ESTABLISHED)
ossec-csy 2086 ossecm 5u IPv4 11903 0t0 UDP X.X.X.X:36702->X.X.X.X:514
salt-mast 2409 root 12u IPv4 11053 0t0 TCP *:4505 (LISTEN)
salt-mast 2409 root 14u IPv4 14181 0t0 TCP X.X.X.X:4505->X.X.X.X:52092 (ESTABLISHED)
salt-mast 2409 root 15u IPv4 18439 0t0 TCP X.X.X.X:4505->X.X.X.X:35996 (ESTABLISHED)
salt-mast 2421 root 20u IPv4 13976 0t0 TCP *:4506 (LISTEN)
salt-mast 2421 root 22u IPv4 17318 0t0 TCP X.X.X.X:4506->X.X.X.X:40360 (ESTABLISHED)
salt-mast 2421 root 23u IPv4 11103 0t0 TCP X.X.X.X:4506->X.X.X.X:34368 (ESTABLISHED)
ntpd 2516 ntp 16u IPv4 13197 0t0 UDP *:123
ntpd 2516 ntp 17u IPv6 13198 0t0 UDP *:123
ntpd 2516 ntp 18u IPv4 13204 0t0 UDP X.X.X.X:123
ntpd 2516 ntp 19u IPv4 13205 0t0 UDP X.X.X.X:123
ntpd 2516 ntp 20u IPv4 13206 0t0 UDP X.X.X.X:123
ntpd 2516 ntp 21u IPv6 13207 0t0 UDP [X.X.X.X]:123
ntpd 2516 ntp 22u IPv6 13208 0t0 UDP [X.X.X.X]:123
sshd 2639 root 3u IPv4 14352 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:36297 (ESTABLISHED)
sshd 2789 SO-user 3u IPv4 14352 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:36297 (ESTABLISHED)
sshd 2789 SO-user 9u IPv6 15386 0t0 TCP [X.X.X.X]:50004 (LISTEN)
sshd 2789 SO-user 10u IPv4 15387 0t0 TCP X.X.X.X:50004 (LISTEN)
sshd 2790 root 3u IPv4 14109 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56916 (ESTABLISHED)
/usr/bin/sostat: line 197: /bin/ls: Argument list too long
sshd 2963 SO-user 3u IPv4 14109 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56916 (ESTABLISHED)
sshd 2963 SO-user 9u IPv6 14209 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 2963 SO-user 10u IPv4 14210 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 2963 SO-user 11u IPv4 460522 0t0 TCP X.X.X.X:55215->X.X.X.X:3306 (ESTABLISHED)
tclsh 2976 SO-user 3u IPv4 553531 0t0 TCP X.X.X.X:37590->X.X.X.X:7736 (ESTABLISHED)
splunkd 3527 root 4u IPv4 15683 0t0 TCP *:8089 (LISTEN)
splunkd 3527 root 59u IPv4 15037 0t0 TCP *:8000 (LISTEN)
splunkd 3527 root 66u IPv4 15805 0t0 TCP X.X.X.X:47842->X.X.X.X:8191 (ESTABLISHED)
splunkd 3527 root 79u IPv4 570112 0t0 TCP X.X.X.X:8089->X.X.X.X:43106 (ESTABLISHED)
mongod 3541 root 7u IPv4 14734 0t0 TCP *:8191 (LISTEN)
mongod 3541 root 12u IPv4 14737 0t0 TCP X.X.X.X:8191->X.X.X.X:47842 (ESTABLISHED)
mongod 3541 root 13u IPv4 17043 0t0 TCP X.X.X.X:8191->X.X.X.X:47874 (ESTABLISHED)
mongod 3541 root 14u IPv4 17784 0t0 TCP X.X.X.X:8191->X.X.X.X:47876 (ESTABLISHED)
mongod 3541 root 16u IPv4 17045 0t0 TCP X.X.X.X:8191->X.X.X.X:47877 (ESTABLISHED)
python 3602 root 8u IPv4 18260 0t0 TCP X.X.X.X:8065 (LISTEN)
splunkd 3632 root 5u IPv4 17782 0t0 TCP X.X.X.X:47874->X.X.X.X:8191 (ESTABLISHED)
splunkd 3632 root 6u IPv4 17783 0t0 TCP X.X.X.X:47876->X.X.X.X:8191 (ESTABLISHED)
splunkd 3632 root 7u IPv4 17044 0t0 TCP X.X.X.X:47877->X.X.X.X:8191 (ESTABLISHED)
splunkd 3632 root 13u IPv4 571308 0t0 TCP X.X.X.X:43106->X.X.X.X:8089 (ESTABLISHED)
/usr/sbin 4541 root 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 4541 root 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4541 root 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4541 root 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 4665 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 4665 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4665 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4665 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 4667 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 4667 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4667 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4667 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 4668 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 4668 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4668 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4668 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 4669 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 4669 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4669 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4669 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
miniserv. 4724 root 6u IPv4 19722 0t0 TCP *:10000 (LISTEN)
miniserv. 4724 root 7u IPv4 19723 0t0 UDP *:10000
/usr/sbin 6891 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6891 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6891 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6891 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 6901 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6901 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6901 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6901 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
ruby1.9.1 6919 www-data 12u IPv4 29212 0t0 TCP X.X.X.X:38427 (LISTEN)
/usr/sbin 6964 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6964 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6964 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6964 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 6965 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6965 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6965 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6965 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 6966 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6966 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6966 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6966 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
/usr/sbin 6967 www-data 4u IPv4 16267 0t0 TCP *:443 (LISTEN)
/usr/sbin 6967 www-data 5u IPv4 16270 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6967 www-data 6u IPv4 16272 0t0 TCP *:3154 (LISTEN)
/usr/sbin 6967 www-data 7u IPv4 16276 0t0 TCP *:444 (LISTEN)
ssh 7357 root 3u IPv4 34454 0t0 TCP X.X.X.X:50344->X.X.X.X:ssh_port (ESTABLISHED)
gvfsd-smb 7431 SO-user 9u IPv4 36926 0t0 TCP X.X.X.X:59246->X.X.X.X:139 (CLOSE_WAIT)
syslog-ng 17354 root 9u IPv4 309796 0t0 TCP *:514 (LISTEN)
syslog-ng 17354 root 10u IPv4 309797 0t0 UDP *:514
tclsh 20803 SO-user 13u IPv4 418183 0t0 TCP *:7734 (LISTEN)
tclsh 20803 SO-user 14u IPv4 418184 0t0 TCP *:7736 (LISTEN)
tclsh 20803 SO-user 15u IPv4 554146 0t0 TCP X.X.X.X:7736->X.X.X.X:38609 (ESTABLISHED)
tclsh 20803 SO-user 16u IPv4 554356 0t0 TCP X.X.X.X:7736->X.X.X.X:38626 (ESTABLISHED)
tclsh 20803 SO-user 18u IPv4 554199 0t0 TCP X.X.X.X:7736->X.X.X.X:38623 (ESTABLISHED)
tclsh 20803 SO-user 19u IPv4 549824 0t0 TCP X.X.X.X:7736->X.X.X.X:38581 (ESTABLISHED)
tclsh 20803 SO-user 20u IPv4 554033 0t0 TCP X.X.X.X:7736->X.X.X.X:38595 (ESTABLISHED)
tclsh 20803 SO-user 21u IPv4 551792 0t0 TCP X.X.X.X:7736->X.X.X.X:37590 (ESTABLISHED)
tclsh 20803 SO-user 22u IPv4 618094 0t0 TCP X.X.X.X:7736->X.X.X.X:40428 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Thu Aug 6 07:01:01 SAST 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 40 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------23
Deleted:---0
Enabled Rules:----17975
Dropped Rules:----0
Disabled Rules:---4024
Total Rules:------21999
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table
=========================================================================
CPU Usage
=========================================================================
top - 14:33:24 up 20:20, 1 user, load average: 0.46, 0.53, 0.51
Tasks: 234 total, 3 running, 229 sleeping, 0 stopped, 2 zombie
Cpu(s): 6.9%us, 0.9%sy, 0.0%ni, 89.6%id, 2.5%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8176272k total, 5289176k used, 2887096k free, 298168k buffers
Swap: 12473664k total, 0k used, 12473664k free, 2390624k cached
%CPU %MEM COMMAND
9.8 2.5 /usr/sbin/mysqld
1.6 1.6 splunkd -p 8089 start
1.3 0.0 [/usr/share/webm] <defunct>
1.0 1.1 /usr/bin/python /usr/bin/salt-master
0.3 1.2 delayed_job
0.1 0.2 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.1 0.5 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089
0.1 2.5 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.4 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=1000 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx
0.1 0.6 /usr/bin/python /usr/bin/salt-master
0.1 0.6 /usr/bin/python /usr/bin/salt-master
0.1 0.7 /usr/bin/python /usr/bin/salt-master
0.1 0.7 /usr/bin/python /usr/bin/salt-master
0.1 2.4 /usr/lib/firefox/firefox
0.1 0.6 /usr/bin/python /usr/bin/salt-master
0.1 0.0 PassengerHelperAgent
0.1 0.0 [splunkd pid=3527] splunkd -p 8089 start [process-runner]
0.1 0.6 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=X.X.X.X,8065,8000
0.1 0.0 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 [kipmi0]
0.0 0.6 /usr/bin/python /usr/bin/salt-minion
0.0 2.8 /usr/bin/searchd --nodetach
0.0 0.0 [rcu_sched]
0.0 1.1 Rack: /opt/snorby
0.0 0.6 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 [jbd2/sda1-8]
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [kworker/2:2]
0.0 0.0 [rcuos/1]
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/3:1]
0.0 0.0 [rcuos/3]
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 [rcuos/0]
0.0 0.0 [kworker/u8:2]
0.0 0.0 [rcuos/2]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [khugepaged]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.2 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
0.0 1.4 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u8:1]
0.0 1.4 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u8:3]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 118:126
0.0 0.0 /sbin/init
0.0 0.4 xfdesktop
0.0 0.0 [migration/0]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [ksoftirqd/0]
0.0 0.1 update-notifier
0.0 0.1 xfwm4 --replace
0.0 0.2 xfce4-panel
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 cron
0.0 0.0 xfce4-power-manager
0.0 0.1 /usr/bin/xfce4-terminal
0.0 0.0 [migration/2]
0.0 0.0 [kworker/u8:0]
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 20971555 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 [migration/3]
0.0 0.0 xscreensaver -no-splash
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 /usr/lib/udisks/udisks-daemon
0.0 0.0 sshd: SO-user
0.0 0.2 Thunar --daemon
0.0 0.1 xfce4-notes
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.3 /usr/bin/python /usr/bin/blueman-applet
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 ssh SO-...@X.X.X.X
0.0 0.0 [watchdog/1]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 bash
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 bash
0.0 0.0 [watchdog/2]
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.2 nm-applet
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [watchdog/3]
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 [ksoftirqd/3]
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /sbin/udevd --daemon
0.0 0.1 Passenger spawn server
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 xfce4-settings-helper
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 20971553 systray Notification Area Area where notification icons appear
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.1 xfce4-volumed
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 xfce4-session
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 20971561 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 20971568 thunar-tpa Trash Applet Display the trash can
0.0 0.0 /usr/lib/gvfs/gvfsd-dnssd --spawner :1.11 /org/gtk/gvfs/exec_spaw/3
0.0 0.0 [khungtaskd]
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 lightdm
0.0 0.1 /usr/lib/gvfs/gvfsd-smb-browse --spawner :1.11 /org/gtk/gvfs/exec_spaw/2
0.0 0.0 [scsi_eh_0]
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/lib/gvfs/gvfsd-network --spawner :1.11 /org/gtk/gvfs/exec_spaw/1
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kworker/u9:0]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [kworker/0:2]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [ttm_swap]
0.0 0.0 [aacraid]
0.0 0.0 [kworker/u9:1]
0.0 0.0 [qla2xxx_3_dpc]
0.0 0.0 [scsi_wq_3]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 [edac-poller]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 [kworker/1:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 PassengerWatchdog
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/SO-user/.gvfs
0.0 0.0 udisks-daemon: not polling any devices
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.11 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 [xfce4-terminal] <defunct>
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 sudo ssh SO-...@X.X.X.X
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
174
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
2 1:2009970 ET P2P eMule Kademlia Hello Request
1 10000:1 PADS New Asset - domain DNS SQR No Error
1 10000:1 PADS New Asset - unknown @www
Total
4
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
10 10000:1 PADS New Asset - domain DNS SQR No Error
5 10000:1 PADS New Asset - unknown @www
5 1:2100366 GPL ICMP_INFO PING *NIX
5 1:2101918 GPL SCAN SolarWinds IP scan attempt
3 10000:1 PADS New Asset - unknown @domain
3 10000:1 PADS New Asset - unknown @https
2 10000:1 PADS New Asset - unknown @ntp
2 1:2009970 ET P2P eMule Kademlia Hello Request
2 1:2008581 ET P2P BitTorrent DHT ping request
2 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
1 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
1 1:2001219 ET SCAN Potential SSH Scan
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
1 10000:1 PADS New Asset - bit Bittorrent
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
1 1:2010140 ET P2P Vuze BT UDP Connection
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
Total
46
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
2 1:2009970 ET P2P eMule Kademlia Hello Request
Total
2
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
12 1:2101918 GPL SCAN SolarWinds IP scan attempt
8 1:2100366 GPL ICMP_INFO PING *NIX
2 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
2 1:2001219 ET SCAN Potential SSH Scan
2 1:2008581 ET P2P BitTorrent DHT ping request
2 1:2009970 ET P2P eMule Kademlia Hello Request
1 1:2010140 ET P2P Vuze BT UDP Connection
Total
29
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
17353 supervising syslog-ng
17354 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1721 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1716 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
ELSA Directory Sizes:
695M /nsm/elsa/data
82M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
NULL NULL
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node DISCONNECTED
50003 SO-node DISCONNECTED
50004 SO-node X.X.X.X
*****************************************************************************
Sensor sostat-redacted4.txt
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
waiting for lock ........ ok
Name Type Host Status Pid Peers Started
manager manager localhost running 4590 2 05 Aug 01:53:19
proxy proxy localhost running 4803 2 05 Aug 01:53:21
SO-server-eth1-1 worker localhost running 4958 2 05 Aug 01:53:23
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* http_agent (SO-user)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7480377 errors:0 dropped:3124 overruns:0 frame:0
TX packets:5539572 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4270739505 (4.2 GB) TX bytes:1324185865 (1.3 GB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1305537 errors:0 dropped:68310 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:197003252 (197.0 MB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:292532 errors:0 dropped:0 overruns:0 frame:0
TX packets:292532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:176190913 (176.1 MB) TX bytes:176190913 (176.1 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:X.X.X.X P-t-P:X.X.X.X Mask:X.X.X.X
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:7962387 errors:0 dropped:0 overruns:0 frame:0
TX packets:7658223 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3319184444 (3.3 GB) TX bytes:610125457 (610.1 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
176190913 292532 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
176190913 292532 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
4270739505 7480377 0 3124 0 70711
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1324185865 5539572 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
197003252 1305537 0 68310 0 326454
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
RX: bytes packets errors dropped overrun mcast
3319184444 7962387 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
610125457 7658223 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/cciss/c0d0p1 119G 4.8G 108G 5% /
udev 7.9G 4.0K 7.9G 1% /dev
tmpfs 1.6G 804K 1.6G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 7.9G 0 7.9G 0% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1254 avahi 12u IPv4 9995 0t0 UDP *:5353
avahi-dae 1254 avahi 13u IPv6 9996 0t0 UDP *:5353
avahi-dae 1254 avahi 14u IPv4 9997 0t0 UDP *:57613
avahi-dae 1254 avahi 15u IPv6 9998 0t0 UDP *:45003
cupsd 1263 root 8u IPv6 2231075 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1263 root 9u IPv4 2231076 0t0 TCP X.X.X.X:631 (LISTEN)
dhclient3 1506 root 6u IPv4 9194 0t0 UDP *:68
sshd 1591 root 3u IPv4 10431 0t0 TCP *:ssh_port (LISTEN)
sshd 1591 root 4u IPv6 10433 0t0 TCP *:ssh_port (LISTEN)
mysqld 1823 mysql 14u IPv4 12598 0t0 TCP X.X.X.X:50000 (LISTEN)
openvpn 1830 nobody 5u IPv4 1659532 0t0 TCP X.X.X.X:43764->X.X.X.X:1194 (ESTABLISHED)
searchd 1933 sphinxsearch 7u IPv4 12243 0t0 TCP *:9306 (LISTEN)
searchd 1933 sphinxsearch 8u IPv4 12244 0t0 TCP *:9312 (LISTEN)
ossec-csy 1983 ossecm 4u IPv4 14346 0t0 UDP X.X.X.X:48928->X.X.X.X:514
starman 2109 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2116 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2117 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2117 www-data 16u IPv4 1824669 0t0 TCP X.X.X.X:38525->X.X.X.X:3154 (CLOSE_WAIT)
starman 2118 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2119 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2120 www-data 5u IPv6 13662 0t0 TCP *:3154 (LISTEN)
starman 2120 www-data 16u IPv4 1823815 0t0 TCP X.X.X.X:38442->X.X.X.X:3154 (CLOSE_WAIT)
ntpd 2224 ntp 16u IPv4 13732 0t0 UDP *:123
ntpd 2224 ntp 17u IPv6 13733 0t0 UDP *:123
ntpd 2224 ntp 18u IPv4 13739 0t0 UDP X.X.X.X:123
ntpd 2224 ntp 19u IPv4 13740 0t0 UDP X.X.X.X:123
ntpd 2224 ntp 20u IPv6 13741 0t0 UDP [X.X.X.X]:123
ntpd 2224 ntp 21u IPv6 13742 0t0 UDP [X.X.X.X]:123
ntpd 2224 ntp 23u IPv4 24600 0t0 UDP X.X.X.X:123
tclsh 4177 SO-user 3u IPv4 2412642 0t0 TCP X.X.X.X:38779->X.X.X.X:7736 (ESTABLISHED)
tclsh 4221 SO-user 3u IPv4 2410301 0t0 TCP X.X.X.X:38777->X.X.X.X:7736 (ESTABLISHED)
tclsh 4221 SO-user 4u IPv4 2406333 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 4221 SO-user 6u IPv4 2407375 0t0 TCP X.X.X.X:8101->X.X.X.X:39601 (ESTABLISHED)
tclsh 4302 SO-user 3u IPv4 2412641 0t0 TCP X.X.X.X:38778->X.X.X.X:7736 (ESTABLISHED)
tclsh 4340 SO-user 3u IPv4 2411270 0t0 TCP X.X.X.X:38780->X.X.X.X:7736 (ESTABLISHED)
bro 4590 SO-user 4u IPv4 23001 0t0 UDP X.X.X.X:51975->X.X.X.X:53
bro 4651 SO-user 0u IPv4 21734 0t0 TCP *:47761 (LISTEN)
bro 4651 SO-user 1u IPv6 21735 0t0 TCP *:47761 (LISTEN)
bro 4651 SO-user 2u IPv4 21752 0t0 TCP X.X.X.X:47761->X.X.X.X:59879 (ESTABLISHED)
bro 4651 SO-user 4u IPv4 23001 0t0 UDP X.X.X.X:51975->X.X.X.X:53
bro 4651 SO-user 251u IPv4 20460 0t0 TCP X.X.X.X:47761->X.X.X.X:59881 (ESTABLISHED)
bro 4803 SO-user 4u IPv4 20377 0t0 UDP X.X.X.X:36996->X.X.X.X:53
bro 4805 SO-user 0u IPv4 23034 0t0 TCP X.X.X.X:59879->X.X.X.X:47761 (ESTABLISHED)
bro 4805 SO-user 1u IPv4 23037 0t0 TCP *:47762 (LISTEN)
bro 4805 SO-user 2u IPv6 23038 0t0 TCP *:47762 (LISTEN)
bro 4805 SO-user 4u IPv4 20377 0t0 UDP X.X.X.X:36996->X.X.X.X:53
bro 4805 SO-user 251u IPv4 20993 0t0 TCP X.X.X.X:47762->X.X.X.X:41753 (ESTABLISHED)
bro 4958 SO-user 4u IPv4 20451 0t0 UDP X.X.X.X:49759->X.X.X.X:53
bro 4959 SO-user 0u IPv4 20991 0t0 TCP X.X.X.X:59881->X.X.X.X:47761 (ESTABLISHED)
bro 4959 SO-user 1u IPv4 20992 0t0 TCP X.X.X.X:41753->X.X.X.X:47762 (ESTABLISHED)
bro 4959 SO-user 2u IPv4 20996 0t0 TCP *:47763 (LISTEN)
bro 4959 SO-user 4u IPv4 20451 0t0 UDP X.X.X.X:49759->X.X.X.X:53
bro 4959 SO-user 251u IPv6 20997 0t0 TCP *:47763 (LISTEN)
/usr/sbin 7135 root 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7135 root 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7135 root 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
/usr/sbin 7156 www-data 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7156 www-data 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7156 www-data 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
/usr/sbin 7157 www-data 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7157 www-data 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7157 www-data 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
/usr/sbin 7158 www-data 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7158 www-data 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7158 www-data 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
/usr/sbin 7159 www-data 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7159 www-data 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7159 www-data 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
/usr/sbin 7160 www-data 4u IPv4 1624473 0t0 TCP *:443 (LISTEN)
/usr/sbin 7160 www-data 5u IPv4 1624476 0t0 TCP *:9876 (LISTEN)
/usr/sbin 7160 www-data 6u IPv4 1624478 0t0 TCP *:444 (LISTEN)
syslog-ng 7347 root 12u IPv4 2024371 0t0 TCP *:514 (LISTEN)
syslog-ng 7347 root 13u IPv4 2024372 0t0 UDP *:514
ssh 10524 root 3u IPv4 1660784 0t0 TCP X.X.X.X:36297->X.X.X.X:ssh_port (ESTABLISHED)
ssh 10524 root 4u IPv6 1659713 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 10524 root 5u IPv4 1659714 0t0 TCP X.X.X.X:3306 (LISTEN)
sshd 11312 root 3u IPv4 1667270 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:50344 (ESTABLISHED)
sshd 11485 SO-user 3u IPv4 1667270 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:50344 (ESTABLISHED)
barnyard2 13081 SO-user 12u IPv4 2408809 0t0 TCP X.X.X.X:39601->X.X.X.X:8101 (ESTABLISHED)
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
1.30 0.98 0.98
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 12:40:12 up 1 day, 10:48, 1 user, load average: 1.30, 0.98, 0.98
Tasks: 366 total, 2 running, 364 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.2%us, 10.6%sy, 1.3%ni, 81.3%id, 0.5%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 16431880k total, 4670772k used, 11761108k free, 213972k buffers
Swap: 24990076k total, 0k used, 24990076k free, 1789436k cached
%CPU %MEM COMMAND
14.1 3.5 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
13.6 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
13.5 3.6 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
13.3 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
10.4 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
10.4 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
10.3 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth1/pads_agent.conf
9.9 0.0 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth1/sancp_agent.conf
0.9 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.8 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.3 0.0 /usr/sbin/openvpn --writepid /var/run/openvpn.client.pid --daemon ovpn-client --status /var/run/openvpn.client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --script-security 2
0.2 2.8 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/SO-user_data/SO-server-eth1/snort-1 --perfmon-file /nsm/SO-user_data/SO-server-eth1/snort-1.stats -U
0.2 2.8 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/SO-user_data/SO-server-eth1/snort-1 --perfmon-file /nsm/SO-user_data/SO-server-eth1/snort-1.stats -U
0.1 0.4 /usr/sbin/mysqld
0.1 2.0 /usr/bin/searchd --nodetach
0.1 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth1/http_agent.conf -e /etc/nsm/SO-server-eth1/http_agent.exclude -f /nsm/bro/logs/current/http_eth1.log
0.0 0.2 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.1 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.0 0.0 [rcu_sched]
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/SO-user_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/1:2]
0.0 0.8 netsniff-ng -i eth1 -o /nsm/SO-user_data/SO-server-eth1/dailylogs/2015-08-06/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB --mmap
0.0 0.0 [rcuos/0]
0.0 0.0 prads -i eth1 -c /etc/nsm/SO-server-eth1/prads.conf -u SO-user -g SO-user -L /nsm/SO-user_data/SO-server-eth1/sancp/ -f /nsm/SO-user_data/SO-server-eth1/pads.fifo -b ip or (vlan and ip)
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuos/2]
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [jbd2/cciss!c0d0]
0.0 0.0 /sbin/init
0.0 0.0 [kworker/u16:1]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 118:126
0.0 0.6 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.6 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.6 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 [kworker/u16:0]
0.0 0.6 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 [migration/2]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/2:1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [khugepaged]
0.0 0.0 cron
0.0 0.0 [kworker/0:1]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 [migration/3]
0.0 0.0 [migration/0]
0.0 0.0 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/3:2]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 -bash
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 PassengerHelperAgent
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50004:localhost:3154 @X.X.X.X
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 [watchdog/1]
0.0 0.0 [watchdog/0]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 [watchdog/3]
0.0 0.0 [watchdog/2]
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [khungtaskd]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 lightdm
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 [kthreadd]
0.0 0.0 [scsi_eh_1]
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [rcuob/4]
0.0 0.0 [rcuob/5]
0.0 0.0 [rcuob/6]
0.0 0.0 [rcuob/7]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kworker/u17:0]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [cciss_scan]
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 [ttm_swap]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [kworker/0:2]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [edac-poller]
0.0 0.0 [kpsmoused]
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 tail -n 1 -f /nsm/SO-user_data/SO-server-eth1/snort-1.stats
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 PassengerWatchdog
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 supervising syslog-ng
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 su - SO-user -- /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth1/http_agent.conf -e /etc/nsm/SO-server-eth1/http$
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec$
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
0.0 0.0 cat /nsm/SO-user_data/SO-server-eth1/pads.fifo
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 7219
=========================================================================
Log Archive
=========================================================================
/nsm/SO-user_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/SO-user_data/SO-server-eth1/dailylogs/ - 3 days
246M .
51M ./2015-08-04
124M ./2015-08-05
72M ./2015-08-06
/nsm/bro/logs/ - 3 days
15M .
3.4M ./2015-08-04
6.2M ./2015-08-05
3.7M ./2015-08-06
1.4M ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth1-1: 1438864812.661295 recvd=1239203 dropped=0 link=1239203
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/SO-user_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 2
Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/12979-eth1.333
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 266052
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65530
/proc/net/pf_ring/4958-eth1.1
Appl. Name : bro-eth1
Tot Packets : 1239211
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss
=========================================================================
ELSA
=========================================================================
Syslog-ng
=========================================================================
Syslog-ng
Checking for process:
7346 supervising syslog-ng
7347 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1823 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
1773 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-qu$
ELSA Directory Sizes:
382M /nsm/elsa/data
2.9M /var/lib/mysql/syslog
19M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2015-08-04 13:50:52 2015-08-06 12:40:00
autossh
Checking for process:
4005 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -$
Checking APIKEY:
APIKEY matches server.
starman
Checking for processes:
2109 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$
2116 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$
2117 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$
2118 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$
2119 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$
2120 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /v$