Best setup for just Alerts?
Jason Burrell
I tried doing production\custom install. Using the following.
I Pick Snort VRT Policy Balanced, no bro http, no argus, no prads, yes to elsa, and yes to the full packet capture. Do the sudo so-allow and allow my workstation to load the login page for Squert. Once I login to Squert I only see OSSEC messages.
I'm going to do the same install again but try using ET Alerts instead to see if that helps with alerts not showing up in Squert. I did the same kind of setup earlier using Snort VRT Policy Security and it was working fine, but I wanted to try the VRT balance policy so I could see how performance was, because on security the machine was fast and drive never filled up.
So basically just making sure I'm not missing something?
Wes
Jason,
The next time you experience an issue, please provide the output of sostat-redacted:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#include-sostat-redacted-output
Have you tried waiting or using tcpreplay to replay traffic to the monitor interface?
Also, full packet capture is going to take up the most space, so, if you want the machine for just "alerts" then yo may want to disable it (unless you want to be able to pivot to FPC).
What browser are you using when accessing Squert? You will get the best results when using a Chromium-based browser.
Thanks,
Wes
Jason Burrell
Wes,
I'm not getting any alerts in Squert here is my sostat-redacted info
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-56-generic x86_64)
* Documentation: https://help.ubuntu.com/
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
onionadmin@BSSSECONION01:~$ sudo sostat-redacted
[sudo] password for onionadmin:
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 5594 2 08 Apr 17:59:41
proxy proxy localhost running 5658 2 08 Apr 17:59:43
SO-server-eth1-1 worker localhost running 5754 2 08 Apr 17:59:47
Status: SO-server-eth1
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:239341 errors:0 dropped:45 overruns:0 frame:0
TX packets:33324 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:100110971 (100.1 MB) TX bytes:2820954 (2.8 MB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:177637760 errors:0 dropped:2146 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117367979915 (117.3 GB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:49018 errors:0 dropped:0 overruns:0 frame:0
TX packets:49018 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:85474871 (85.4 MB) TX bytes:85474871 (85.4 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
85476797 49020 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
85476797 49020 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
100111063 239342 0 45 0 114
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2820954 33324 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
117373500072 177645702 0 2146 0 78649
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 799M 1.2M 798M 1% /run
/dev/sda1 780G 4.1G 736G 1% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 18M 3.9G 1% /run/shm
none 100M 24K 100M 1% /run/user
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 534 avahi 12u IPv4 10160 0t0 UDP *:5353
avahi-dae 534 avahi 13u IPv6 10161 0t0 UDP *:5353
avahi-dae 534 avahi 14u IPv4 10162 0t0 UDP *:45089
avahi-dae 534 avahi 15u IPv6 10163 0t0 UDP *:33619
sshd 1209 root 3u IPv4 11780 0t0 TCP *:ssh_port (LISTEN)
sshd 1209 root 4u IPv6 11782 0t0 TCP *:ssh_port (LISTEN)
cups-brow 1331 root 6u IPv6 15467 0t0 TCP [X.X.X.X]:51494->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1331 root 8u IPv4 15473 0t0 UDP *:631
/usr/sbin 1862 root 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 1862 root 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 1862 root 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
cupsd 2379 root 10u IPv6 15427 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2379 root 11u IPv4 15428 0t0 TCP X.X.X.X:631 (LISTEN)
ntpd 2725 ntp 16u IPv4 16344 0t0 UDP *:123
ntpd 2725 ntp 17u IPv6 16345 0t0 UDP *:123
ntpd 2725 ntp 18u IPv4 16351 0t0 UDP X.X.X.X:123
ntpd 2725 ntp 19u IPv4 16352 0t0 UDP X.X.X.X:123
ntpd 2725 ntp 20u IPv6 16353 0t0 UDP [X.X.X.X]:123
ntpd 2725 ntp 21u IPv6 16354 0t0 UDP [X.X.X.X]:123
chromium- 2844 SO-user 97u IPv4 63485 0t0 TCP X.X.X.X:38831->X.X.X.X:80 (CLOSE_WAIT)
chromium- 2844 SO-user 144u IPv4 18240 0t0 UDP *:5353
chromium- 2844 SO-user 199u IPv4 19834 0t0 TCP X.X.X.X:44453->X.X.X.X:443 (ESTABLISHED)
ossec-csy 3258 ossecm 5u IPv4 21408 0t0 UDP X.X.X.X:51827->X.X.X.X:514
mysqld 3421 mysql 10u IPv4 21626 0t0 TCP X.X.X.X:3306 (LISTEN)
tclsh 5480 SO-user 13u IPv4 24914 0t0 TCP *:7734 (LISTEN)
tclsh 5480 SO-user 14u IPv6 24915 0t0 TCP *:7734 (LISTEN)
tclsh 5480 SO-user 15u IPv4 24918 0t0 TCP *:7736 (LISTEN)
tclsh 5480 SO-user 16u IPv6 24919 0t0 TCP *:7736 (LISTEN)
tclsh 5480 SO-user 17u IPv4 24973 0t0 TCP X.X.X.X:7736->X.X.X.X:35761 (ESTABLISHED)
tclsh 5480 SO-user 18u IPv4 25636 0t0 TCP X.X.X.X:7736->X.X.X.X:35774 (ESTABLISHED)
tclsh 5533 SO-user 3u IPv4 24972 0t0 TCP X.X.X.X:35761->X.X.X.X:7736 (ESTABLISHED)
bro 5594 SO-user 4u IPv4 25201 0t0 UDP X.X.X.X:37648->X.X.X.X:53
bro 5610 SO-user 0u IPv4 25287 0t0 TCP *:47761 (LISTEN)
bro 5610 SO-user 1u IPv6 25288 0t0 TCP *:47761 (LISTEN)
bro 5610 SO-user 2u IPv4 25358 0t0 TCP X.X.X.X:47761->X.X.X.X:59668 (ESTABLISHED)
bro 5610 SO-user 4u IPv4 25201 0t0 UDP X.X.X.X:37648->X.X.X.X:53
bro 5610 SO-user 268u IPv4 25494 0t0 TCP X.X.X.X:47761->X.X.X.X:59669 (ESTABLISHED)
bro 5658 SO-user 4u IPv4 25324 0t0 UDP X.X.X.X:54992->X.X.X.X:53
bro 5714 SO-user 0u IPv4 25357 0t0 TCP X.X.X.X:59668->X.X.X.X:47761 (ESTABLISHED)
bro 5714 SO-user 4u IPv4 25324 0t0 UDP X.X.X.X:54992->X.X.X.X:53
bro 5714 SO-user 265u IPv4 25365 0t0 TCP *:47762 (LISTEN)
bro 5714 SO-user 266u IPv6 25366 0t0 TCP *:47762 (LISTEN)
bro 5714 SO-user 267u IPv4 25500 0t0 TCP X.X.X.X:47762->X.X.X.X:54894 (ESTABLISHED)
bro 5754 SO-user 4u IPv4 25473 0t0 UDP X.X.X.X:47564->X.X.X.X:53
bro 5761 SO-user 0u IPv4 25493 0t0 TCP X.X.X.X:59669->X.X.X.X:47761 (ESTABLISHED)
bro 5761 SO-user 4u IPv4 25473 0t0 UDP X.X.X.X:47564->X.X.X.X:53
bro 5761 SO-user 266u IPv4 25499 0t0 TCP X.X.X.X:54894->X.X.X.X:47762 (ESTABLISHED)
bro 5761 SO-user 271u IPv4 25507 0t0 TCP *:47763 (LISTEN)
bro 5761 SO-user 272u IPv6 25508 0t0 TCP *:47763 (LISTEN)
tclsh 5816 SO-user 3u IPv4 25635 0t0 TCP X.X.X.X:35774->X.X.X.X:7736 (ESTABLISHED)
tclsh 5816 SO-user 4u IPv4 25637 0t0 TCP X.X.X.X:8101 (LISTEN)
searchd 7417 sphinxsearch 7u IPv4 29700 0t0 TCP *:9306 (LISTEN)
searchd 7417 sphinxsearch 8u IPv4 29701 0t0 TCP *:9312 (LISTEN)
syslog-ng 7440 root 23u IPv4 30052 0t0 TCP *:514 (LISTEN)
syslog-ng 7440 root 24u IPv4 30053 0t0 UDP *:514
/usr/sbin 15033 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 15033 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 15033 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 17727 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 17727 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 17727 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18694 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 18694 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18694 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19094 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 19094 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19094 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19134 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 19134 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19134 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19136 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 19136 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19136 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
/usr/sbin 19985 www-data 5u IPv6 14117 0t0 TCP *:443 (LISTEN)
/usr/sbin 19985 www-data 7u IPv6 14121 0t0 TCP *:9876 (LISTEN)
/usr/sbin 19985 www-data 9u IPv6 31392 0t0 TCP *:3154 (LISTEN)
sshd 21245 root 3u IPv4 63333 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:21125 (ESTABLISHED)
sshd 21610 SO-user 3u IPv4 63333 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:21125 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
9.55 9.22 5.80
Processing units: 1
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 18:12:46 up 19 min, 3 users, load average: 9.55, 9.22, 5.80
Tasks: 211 total, 10 running, 201 sleeping, 0 stopped, 0 zombie
%Cpu(s): 50.1 us, 17.8 sy, 0.4 ni, 10.7 id, 4.0 wa, 0.0 hi, 16.8 si, 0.0 st
KiB Mem: 8176324 total, 3685628 used, 4490696 free, 56836 buffers
KiB Swap: 8386556 total, 0 used, 8386556 free. 1080388 cached Mem
%CPU %MEM COMMAND
16.2 10.1 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.4 0.3 tclsh ./ip2c.tcl
10.3 0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
10.3 5.4 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
4.7 0.7 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
3.8 0.0 /usr/bin/mandb --quiet
2.3 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.3 0.3 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.1 2.0 chromium-browser --enable-pinch
1.1 0.0 /var/ossec/bin/ossec-syscheckd
0.9 1.9 /usr/lib/chromium-browser/chro
0.9 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.9 3.1 /usr/bin/searchd --nodetach
0.7 0.4 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.7 0.8 /usr/sbin/mysqld
0.5 1.5 /usr/lib/chromium-browser/chro
0.5 0.0 /var/ossec/bin/ossec-analysisd
0.4 0.0 [ksoftirqd/0]
0.4 1.9 /usr/sbin/apache2 -k start
0.4 1.0 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.4 0.0 -bash
0.3 0.0 /sbin/init
0.3 0.0 [rcu_sched]
0.3 0.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.2 0.0 [rcuos/0]
0.1 0.0 [kworker/0:0]
0.1 0.0 [kworker/0:1]
0.1 0.0 [kworker/0:2]
0.1 0.0 sudo sostat-redacted
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/u2:1]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [kpsmoused]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [ext4lazyinit]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 anacron -s
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.1 lightdm
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.1 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-JD1bWUAn7l
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.2 xfwm4
0.0 0.2 xfce4-panel
0.0 0.1 Thunar --daemon
0.0 0.3 xfdesktop
0.0 0.3 nm-applet
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.1 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.5 /usr/bin/python /usr/bin/blueman-applet
0.0 0.2 light-locker
0.0 0.1 xfce4-power-manager
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.2 update-notifier
0.0 0.1 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.1 xfce4-volumed
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.1 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.1 xfsettingsd
0.0 0.3 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.1 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 [kworker/0:1H]
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.18 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.8 chromium-browser --type=zygote
0.0 0.1 chromium-browser --type=zygote
0.0 1.0 chromium-browser --type=gpu-process --channel=2844.0.2133771593 --supports-dual-gpus=false --gpu-driver-bug-workarounds=2,52 --disable-accelerated-video-decode --gpu-vendor-id=0x15ad --gpu-device-id=0x0405 --gpu-driver-vendor --gpu-driver-version --v8-natives-passed-by-fd --v8-snapshot-passed-by-
0.0 0.2 chromium-browser --type=gpu-broker
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 cron
0.0 0.3 xfce4-terminal
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.0 /bin/sh -c run-parts --report /etc/cron.weekly
0.0 0.0 run-parts --report /etc/cron.weekly
0.0 0.0 [kworker/u2:0]
0.0 0.0 /bin/sh /etc/cron.weekly/man-db
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 1.7 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u2:2]
0.0 1.7 /usr/sbin/apache2 -k start
0.0 1.7 /usr/sbin/apache2 -k start
0.0 1.7 /usr/sbin/apache2 -k start
0.0 1.7 /usr/sbin/apache2 -k start
0.0 1.7 /usr/sbin/apache2 -k start
0.0 1.6 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/7
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 1 days
8.0K .
4.0K ./2016-04-08
/nsm/bro/logs/ - 1 days
160K .
120K ./2016-04-08
36K ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 2304.062629
SO-server-eth1-1: 1460139166.137160 recvd=5082965 dropped=117114697 link=5082965
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 95.188
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 1
Standard (non DNA/ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 9
Cluster Fragment Discard : 0
/proc/net/pf_ring/5754-eth1.1
Appl. Name : bro-eth1
Tot Packets : 122472772
Tot Pkt Lost : 117332706
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 0
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
22
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Total
0
=========================================================================
Last update
=========================================================================
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
7440 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
3421 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
7415 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
7417 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
45M /nsm/elsa/data
2.1M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-04-08 18:01:21 2016-04-08 18:11:26
Wes Lambert
Jason,
It looks like Sguil is showing (from your sostat) 22 uncat'd alerts. Have you tried logging into Sguil to see if you can see the alerts there, and again, what browser are you using for Squert?
Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Jason Burrell
any sudo snort shows the following
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
Wes
Jason,
I believe the "WARNING: No preprocessors configured for policy 0." error is normal, as I get the same message if I try to run "sudo snort" and my machine is working as intended.
Thanks,
Wes
Jason Burrell
Nothing in Squel either.
But what is interesting is I read did the set up and chose to do the emerging threats rules over snort using my oink code and I get alerts using the emerging threats. Haven't tried snort open rules yet but using the VRT policy with my oink code gives nothing.
Doug Burks
may want to double-check your oinkcode and/or generate a new one.
You can also run "sudo rule-update" and check for errors.
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
Doug Burks
Jason Burrell
> If you get alerts using the ET ruleset but not the VRT ruleset, you
> may want to double-check your oinkcode and/or generate a new one.
>
> You can also run "sudo rule-update" and check for errors.
>
> > Firefox.
> >
> > Nothing in Squel either.
> >
> > But what is interesting is I read did the set up and chose to do the emerging threats rules over snort using my oink code and I get alerts using the emerging threats. Haven't tried snort open rules yet but using the VRT policy with my oink code gives nothing.
> >
> > --
> > Follow Security Onion on Twitter!
> > https://twitter.com/securityonion
> > ---
> > You received this message because you are subscribed to the Google Groups "security-onion" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> > To post to this group, send email to securit...@googlegroups.com.
> > Visit this group at https://groups.google.com/group/security-onion.
> > For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> Doug Burks
Doug,
no errors that I can see. I generated a new oinkcode and redid the setup. No alerts using balanced. Below is the output of the rule update.
Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
They Match
Done!
Rules tarball download of community-rules.tar.gz....
Prepping rules from snortrules-snapshot-2980.tar.gz for work....
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Activating balanced rulesets....
Done
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 343 flowbits
Enabled 1 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------46
Deleted:---16
Enabled Rules:----7377
Dropped Rules:----0
Disabled Rules:---21259
Total Rules:------28636
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: BSSSECONION01-eth1
* stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
* starting: barnyard2-1 (spooler, unified2 format) [ OK ]
Restarting IDS Engine.
Restarting: BSSSECONION01-eth1
* stopping: snort-1 (alert data) [ OK ]
* starting: snort-1 (alert data) [ OK ]
Log into squert and only have OSSEC alerts.
[OSSEC] Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!
[OSSEC] Integrity checksum changed again (3rd time).
Wes
Jason,
Could you please attach a new sostat-redacted?
Thanks,
Wes
Jason Burrell
i've reinstalled like 10 times and only alerts i can get are from ET. Nothing from Snort rule set seems to work..
Error: unable to open database file: /nsm/bro/spool/state.db
Check if the user running BroControl has both write and search permission to
the directory containing the database file and has both read and write
permission to the database file itself.
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: SO-server-eth1
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:780425 errors:0 dropped:94 overruns:0 frame:0
TX packets:32470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:118024020 (118.0 MB) TX bytes:3385657 (3.3 MB)
eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:156884326 errors:0 dropped:654 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:79440658783 (79.4 GB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:164417 errors:0 dropped:0 overruns:0 frame:0
TX packets:164417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:64836429 (64.8 MB) TX bytes:64836429 (64.8 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
64837814 164421 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
64837814 164421 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
118024020 780425 0 94 0 253
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3385657 32470 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
79441109411 156885309 0 654 0 80938
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 799M 1.2M 798M 1% /run
/dev/sda1 682G 4.6G 642G 1% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 76K 3.9G 1% /run/shm
none 100M 28K 100M 1% /run/user
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 506 avahi 12u IPv4 10192 0t0 UDP *:5353
avahi-dae 506 avahi 13u IPv6 10193 0t0 UDP *:5353
avahi-dae 506 avahi 14u IPv4 10194 0t0 UDP *:41090
avahi-dae 506 avahi 15u IPv6 10195 0t0 UDP *:43345
sshd 1281 root 3u IPv4 11907 0t0 TCP *:ssh_port (LISTEN)
sshd 1281 root 4u IPv6 11909 0t0 TCP *:ssh_port (LISTEN)
cups-brow 1404 root 6u IPv6 14197 0t0 TCP [X.X.X.X]:36204->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1404 root 8u IPv4 14202 0t0 UDP *:631
/usr/sbin 2208 root 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 2208 root 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
cupsd 2217 root 10u IPv6 14068 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2217 root 11u IPv4 14069 0t0 TCP X.X.X.X:631 (LISTEN)
ntpd 2897 ntp 16u IPv4 17879 0t0 UDP *:123
ntpd 2897 ntp 17u IPv6 17880 0t0 UDP *:123
ntpd 2897 ntp 18u IPv4 17886 0t0 UDP X.X.X.X:123
ntpd 2897 ntp 19u IPv4 17887 0t0 UDP X.X.X.X:123
ntpd 2897 ntp 20u IPv6 17888 0t0 UDP [X.X.X.X]:123
ntpd 2897 ntp 21u IPv6 17889 0t0 UDP [X.X.X.X]:123
mysqld 6678 mysql 10u IPv4 39601 0t0 TCP X.X.X.X:3306 (LISTEN)
tclsh 8638 SO-user 13u IPv4 42526 0t0 TCP *:7734 (LISTEN)
tclsh 8638 SO-user 14u IPv6 42527 0t0 TCP *:7734 (LISTEN)
tclsh 8638 SO-user 15u IPv4 42530 0t0 TCP *:7736 (LISTEN)
tclsh 8638 SO-user 16u IPv6 42531 0t0 TCP *:7736 (LISTEN)
tclsh 8638 SO-user 17u IPv4 42678 0t0 TCP X.X.X.X:7736->X.X.X.X:38324 (ESTABLISHED)
tclsh 8638 SO-user 18u IPv4 42803 0t0 TCP X.X.X.X:7736->X.X.X.X:47962 (ESTABLISHED)
tclsh 8638 SO-user 19u IPv4 87812 0t0 TCP X.X.X.X:7734->X.X.X.X:58949 (ESTABLISHED)
/usr/sbin 8644 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 8644 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8646 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 8646 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8647 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 8647 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8648 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 8648 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
tclsh 8691 SO-user 3u IPv4 42677 0t0 TCP X.X.X.X:38324->X.X.X.X:7736 (ESTABLISHED)
tclsh 8739 SO-user 3u IPv4 42802 0t0 TCP X.X.X.X:47962->X.X.X.X:7736 (ESTABLISHED)
tclsh 8739 SO-user 4u IPv4 42804 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 8739 SO-user 5u IPv4 43103 0t0 TCP X.X.X.X:8101->X.X.X.X:33782 (ESTABLISHED)
barnyard2 8786 SO-user 3u IPv4 43102 0t0 TCP X.X.X.X:33782->X.X.X.X:8101 (ESTABLISHED)
/usr/sbin 8842 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 8842 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10393 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 10393 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
sshd 10880 root 3u IPv4 229546 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59079 (ESTABLISHED)
sshd 11333 SO-user 3u IPv4 229546 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59079 (ESTABLISHED)
/usr/sbin 11959 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 11959 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11960 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 11960 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11961 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 11961 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11962 www-data 5u IPv6 14005 0t0 TCP *:443 (LISTEN)
/usr/sbin 11962 www-data 7u IPv6 14009 0t0 TCP *:9876 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
2.05 2.75 4.49
Processing units: 1
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 19:42:48 up 59 min, 3 users, load average: 2.05, 2.75, 4.49
Tasks: 194 total, 3 running, 191 sleeping, 0 stopped, 0 zombie
%Cpu(s): 72.0 us, 6.2 sy, 0.2 ni, 10.7 id, 2.3 wa, 0.0 hi, 8.8 si, 0.0 st
KiB Mem: 8176324 total, 2740152 used, 5436172 free, 62100 buffers
KiB Swap: 8385532 total, 0 used, 8385532 free. 1211488 cached Mem
%CPU %MEM COMMAND
60.4 9.2 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
13.9 1.4 /usr/sbin/mysqld
4.7 0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
2.0 0.7 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.9 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.6 0.4 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.6 0.0 /var/ossec/bin/ossec-syscheckd
0.5 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.3 0.0 /bin/bash /usr/bin/sostat-redacted
0.3 0.0 /bin/bash /usr/bin/sostat
0.2 0.0 [rcu_sched]
0.2 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.2 0.3 xfce4-terminal --geometry=78x24 --display :0.0 --role=xfce4-terminal-1460485880--1871814690 --show-menubar --show-borders --hide-toolbar --working-directory /home/SO-user --sm-client-id 2416511fe-fa47-46ff-aaec-bf9848a4e9a1
0.2 0.0 /var/ossec/bin/ossec-analysisd
0.2 0.0 -bash
0.1 0.0 [ksoftirqd/0]
0.1 0.0 [rcuos/0]
0.1 0.0 /usr/lib/accountsservice/accounts-daemon
0.1 0.0 sudo sostat-redacted
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/0:2]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cron
0.0 0.0 supervising syslog-ng
0.0 0.0 lightdm
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [kauditd]
0.0 0.0 lightdm --session-child 12 21
0.0 0.1 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.3 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-X5za0VZkBk
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.2 xfwm4 --display :0.0 --sm-client-id 280301dac-f3cc-4cc9-a63c-5f19a0c3d8ac
0.0 0.1 Thunar --sm-client-id 24edc2453-171e-4888-b789-3191bd96a1d0 --daemon
0.0 0.2 xfce4-panel --display :0.0 --sm-client-id 228cdad4a-50c5-4b7f-998e-9c2c7e1a4546
0.0 0.3 xfdesktop --display :0.0 --sm-client-id 24736d665-de8c-4f35-93c7-cb73cd2cdd4c
0.0 0.1 xfsettingsd --display :0.0 --sm-client-id 25c834f2f-a33e-45b5-a22f-ea3215f9f5d6
0.0 0.1 /usr/lib/upower/upowerd
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 14680096 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 14680097 systray Notification Area Area where notification icons appear
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 14680098 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and interact with the user.
0.0 0.1 xfce4-power-manager --restart --sm-client-id 22b1dc341-e545-4ab0-8e4c-a8f75b29e165
0.0 0.3 nm-applet
0.0 0.1 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 0.1 zeitgeist-datahub
0.0 0.1 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.3 update-notifier
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.1 /usr/bin/zeitgeist-daemon
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.2 light-locker
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.5 /usr/bin/python /usr/bin/blueman-applet
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.1 xfce4-volumed
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 [kworker/0:1H]
0.0 0.1 /usr/lib/x86_64-linux-gnu/zeitgeist-fts
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /bin/cat
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 [kworker/u2:2]
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 [kworker/u2:1]
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.4 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/u2:0]
0.0 0.3 /usr/bin/X -core :1 -seat seat0 -auth /var/run/lightdm/root/:1 -nolisten tcp vt8 -novtswitch
0.0 0.0 lightdm --session-child 17 22
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.3 /usr/sbin/lightdm-gtk-greeter
0.0 0.1 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.1 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
0.0 0.0 lightdm --session-child 13 22
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 35280792
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 1 days
8.0K .
4.0K ./2016-04-12
/nsm/bro/logs/ - 0 days
4.0K .
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 84.749
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 1
Standard (non DNA/ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/8764-eth1.1
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 107744416
Tot Pkt Lost : 93478987
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 0
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
32492
=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
17669 1:2101411 GPL SNMP public access udp
7833 1:2008118 ET TFTP Outbound TFTP ACK
2345 1:2101918 GPL SCAN SolarWinds IP scan attempt
751 1:2000419 ET POLICY PE EXE or DLL Windows file download
476 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
335 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
327 3:19187 PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
231 3:30881 MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt
207 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
182 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
129 1:2100483 GPL SCAN PING CyberKit 2.2 Windows
61 1:2008120 ET TFTP Outbound TFTP Read Request
43 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
41 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
24 1:2009702 ET POLICY DNS Update From External net
21 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
21 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
19 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
18 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
18 1:2000418 ET POLICY Executable and linking format (ELF) file download
15 1:2010938 ET POLICY Suspicious inbound to mSQL port 4333
15 1:2013224 ET POLICY Suspicious User-Agent Containing .exe
12 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
11 3:31738 PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected
8 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
7 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
7 1:2001219 ET SCAN Potential SSH Scan
5 1:2002910 ET SCAN Potential VNC Scan 5800-5820
4 3:15912 OS-WINDOWS TCP window closed before receiving data
4 1:2002664 ET SCAN Nessus User Agent
2 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
2 1:2002911 ET SCAN Potential VNC Scan 5900-5920
2 1:2003410 ET POLICY FTP Login Successful
1 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
1 1:2018131 ET WORM TheMoon.linksys.router 1
1 1:2010140 ET P2P Vuze BT UDP Connection
1 1:2100651 GPL SHELLCODE x86 stealth NOOP
1 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
1 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
1 1:2018087 ET INFO Control Panel Applet File Download
1 1:2012648 ET POLICY Dropbox Client Broadcasting
Total
30853
=========================================================================
Last update
=========================================================================
Start-Date: 2016-04-12 17:56:46
Commandline: apt-get install gedit
Install: zeitgeist-core:amd64 (0.9.14-0ubuntu4.1, automatic), libpeas-common:amd64 (1.8.1-2ubuntu2, automatic), gedit-common:amd64 (3.10.4-0ubuntu4, automatic), gir1.2-peas-1.0:amd64 (1.8.1-2ubuntu2, automatic), libtelepathy-glib0:amd64 (0.22.1-1ubuntu2, automatic), zeitgeist-datahub:amd64 (0.9.14-0ubuntu4.1, automatic), libgtksourceview-3.0-1:amd64 (3.10.2-0ubuntu1, automatic), python-xdg:amd64 (0.25-4, automatic), gir1.2-gtksource-3.0:amd64 (3.10.2-0ubuntu1, automatic), libdee-1.0-4:amd64 (1.2.7+14.04.20140324-0ubuntu1, automatic), python-zeitgeist:amd64 (0.9.14-0ubuntu4.1, automatic), zeitgeist:amd64 (0.9.14-0ubuntu4.1, automatic), gedit:amd64 (3.10.4-0ubuntu4), libzeitgeist-2.0-0:amd64 (0.9.14-0ubuntu4.1, automatic), libpeas-1.0-0:amd64 (1.8.1-2ubuntu2, automatic), libgtksourceview-3.0-common:amd64 (3.10.2-0ubuntu1, automatic)
End-Date: 2016-04-12 17:58:35
=========================================================================
Available updates
=========================================================================
41 packages can be updated.
24 updates are security updates.
Run 'sudo soup' to install the latest updates.
Jason Burrell
=========================================================================
Service Status
=========================================================================
Status: securityonion
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: BSSSECONION01-eth1
* snort_agent-1 (sguil)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
inet addr:172.18.14.182 Bcast:172.18.15.255 Mask:255.255.252.0
inet6 addr: fe80::20c:29ff:feb0:f00f/64 Scope:Link
TX packets:36001 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:95434755 (95.4 MB) TX bytes:2677004 (2.6 MB)
eth1 Link encap:Ethernet HWaddr 00:0c:29:b0:f0:19
collisions:0 txqueuelen:1000
lo Link encap:Local Loopback
inet6 addr: ::1/128 Scope:Host
TX packets:2096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12576811 (12.5 MB) TX bytes:12576811 (12.5 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 799M 1.2M 798M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 76K 3.9G 1% /run/shm
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 495 avahi 13u IPv6 10119 0t0 UDP *:5353
avahi-dae 495 avahi 14u IPv4 10120 0t0 UDP *:36234
avahi-dae 495 avahi 15u IPv6 10121 0t0 UDP *:60700
sshd 1190 root 3u IPv4 11854 0t0 TCP *:22 (LISTEN)
sshd 1190 root 4u IPv6 11856 0t0 TCP *:22 (LISTEN)
cups-brow 1279 root 6u IPv6 15073 0t0 TCP [::1]:56455->[::1]:631 (CLOSE_WAIT)
cups-brow 1279 root 8u IPv4 15082 0t0 UDP *:631
/usr/sbin 1804 root 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 1804 root 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
cupsd 2243 root 10u IPv6 14952 0t0 TCP [::1]:631 (LISTEN)
cupsd 2243 root 11u IPv4 14953 0t0 TCP 127.0.0.1:631 (LISTEN)
ntpd 2720 ntp 16u IPv4 16468 0t0 UDP *:123
ntpd 2720 ntp 17u IPv6 16469 0t0 UDP *:123
ntpd 2720 ntp 18u IPv4 16475 0t0 UDP 127.0.0.1:123
ntpd 2720 ntp 19u IPv4 16476 0t0 UDP 172.18.14.182:123
ntpd 2720 ntp 20u IPv6 16477 0t0 UDP [::1]:123
ntpd 2720 ntp 21u IPv6 16478 0t0 UDP [fe80::20c:29ff:feb0:f00f]:123
mysqld 3513 mysql 10u IPv4 21813 0t0 TCP 127.0.0.1:3306 (LISTEN)
/usr/sbin 5376 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 5376 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5379 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 5379 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5384 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 5384 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5385 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 5385 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5386 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 5386 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
tclsh 5445 sguil 13u IPv4 24961 0t0 TCP *:7734 (LISTEN)
tclsh 5445 sguil 14u IPv6 24962 0t0 TCP *:7734 (LISTEN)
tclsh 5445 sguil 15u IPv4 24965 0t0 TCP *:7736 (LISTEN)
tclsh 5445 sguil 16u IPv6 24966 0t0 TCP *:7736 (LISTEN)
tclsh 5445 sguil 17u IPv4 25011 0t0 TCP 127.0.0.1:7736->127.0.0.1:44679 (ESTABLISHED)
tclsh 5445 sguil 18u IPv4 25145 0t0 TCP 127.0.0.1:7736->127.0.0.1:34372 (ESTABLISHED)
tclsh 5496 sguil 3u IPv4 25010 0t0 TCP 127.0.0.1:44679->127.0.0.1:7736 (ESTABLISHED)
tclsh 5544 sguil 3u IPv4 25144 0t0 TCP 127.0.0.1:34372->127.0.0.1:7736 (ESTABLISHED)
tclsh 5544 sguil 4u IPv4 25146 0t0 TCP 127.0.0.1:8101 (LISTEN)
tclsh 5544 sguil 6u IPv4 25812 0t0 TCP 127.0.0.1:8101->127.0.0.1:37459 (ESTABLISHED)
barnyard2 5591 sguil 3u IPv4 25811 0t0 TCP 127.0.0.1:37459->127.0.0.1:8101 (ESTABLISHED)
/usr/sbin 6280 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 6280 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6285 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 6285 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6286 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 6286 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6287 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 6287 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
/usr/sbin 6288 www-data 5u IPv6 14079 0t0 TCP *:443 (LISTEN)
/usr/sbin 6288 www-data 7u IPv6 14083 0t0 TCP *:9876 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
If load average is higher than processing units,
then tune until load average is lower than processing units.
Tasks: 169 total, 3 running, 166 sleeping, 0 stopped, 0 zombie
%Cpu(s): 50.7 us, 6.4 sy, 0.6 ni, 27.5 id, 2.4 wa, 0.0 hi, 12.4 si, 0.0 s
KiB Mem: 8176300 total, 2260348 used, 5915952 free, 42120 buffers
KiB Swap: 8385532 total, 0 used, 8385532 free. 1035952 cached Mem
%CPU %MEM COMMAND
60.4 9.0 snort -c /etc/nsm/BSSSECONION01-eth1/snort.conf -u sguil -g sguil -i
7.2 0.1 barnyard2 -c /etc/nsm/BSSSECONION01-eth1/barnyard2-1.conf -u sguil -
1.5 1.2 /usr/sbin/mysqld
1.2 0.0 /var/ossec/bin/ossec-syscheckd
0.6 0.0 /bin/bash /usr/bin/sostat redact
0.4 0.0 [ksoftirqd/0]
0.4 0.0 /var/ossec/bin/ossec-analysisd
0.3 0.0 [rcu_sched]
0.3 0.0 [kworker/u2:1]
0.2 0.0 /sbin/init
0.2 0.0 [rcuos/0]
0.1 0.0 [kworker/u2:0]
0.1 0.3 xfce4-terminal
0.0 0.0 [charger_manager]
0.0 0.0 [mpt_poll_0]
0.0 0.0 [mpt/0]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/0:2]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 lightdm
0.0 0.1 /usr/lib/accountsservice/accounts-daemon
0.0 0.1 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.1 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nof
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.2 xfwm4
0.0 0.1 Thunar --daemon
0.0 0.3 xfdesktop
0.0 0.2 light-locker
0.0 0.1 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-applicatio
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.2 update-notifier
0.0 0.3 nm-applet
0.0 0.1 xfce4-power-manager
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.5 /usr/bin/python /usr/bin/blueman-applet
0.0 0.1 xfce4-volumed
0.0 0.1 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.1 xfsettingsd
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.1 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-li
0.0 0.1 /usr/lib/udisks2/udisksd --no-debug
0.0 0.2 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-li
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.1 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/
0.0 0.0 su - sguil -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.l
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/BSSSECONION01-eth1/snort_
0.0 0.0 tail -n 1 -f /nsm/sensor_data/BSSSECONION01-eth1/snort-1.stats
0.0 0.0 bash
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
0.0 0.2 /usr/sbin/apache2 -k start
Packets received during last monitoring interval (600 seconds)
=========================================================================
=========================================================================
Log Archive
=========================================================================
4.0K .
/nsm/sensor_data/BSSSECONION01-eth1/dailylogs/ - 1 days
8.0K .
4.0K ./2016-04-13
/nsm/bro/logs/ - 0 days
4.0K .
Check if the user running BroControl has both write and search permission to
the directory containing the database file and has both read and write
permission to the database file itself.
=========================================================================
=========================================================================
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 1
Standard (non DNA/ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 50525306
Tot Pkt Lost : 17334641
Min Num Slots : 4098
=========================================================================
Sguil Uncategorized Events
=========================================================================
| COUNT(*) |
+----------+
| 34 |
+----------+
=========================================================================
Sguil events summary for yesterday
=========================================================================
| Total |
+-------+
| 0 |
+-------+
=========================================================================
Top 50 All time Sguil Events
=========================================================================
| Totals | GenID:SigID | Signature |
+--------+-------------+-----------------------------------------------------------------------------------------+
| 12 | 1:16301 | BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt |
+--------+-------------+-----------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 12 |
+-------+
=========================================================================
Last update
=========================================================================
Start-Date: 2016-04-13 16:49:53
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.19.0-58:amd64 (3.19.0-58.64~14.04.1, automatic), linux-image-extra-3.19.0-58-generic:amd64 (3.19.0-58.64~14.04.1, automatic), linux-image-3.19.0-58-generic:amd64 (3.19.0-58.64~14.04.1, automatic), linux-headers-3.19.0-58-generic:amd64 (3.19.0-58.64~14.04.1, automatic)
Upgrade: apt:amd64 (1.0.1ubuntu2.11, 1.0.1ubuntu2.12), initramfs-tools-bin:amd64 (0.103ubuntu4.2, 0.103ubuntu4.3), libsystemd-login0:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), systemd-services:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), apt-transport-https:amd64 (1.0.1ubuntu2.11, 1.0.1ubuntu2.12), coreutils:amd64 (8.21-1ubuntu5.3, 8.21-1ubuntu5.4), libjavascriptcoregtk-3.0-0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), libwebkitgtk-1.0-0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), apt-utils:amd64 (1.0.1ubuntu2.11, 1.0.1ubuntu2.12), gir1.2-javascriptcoregtk-3.0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), libtiff5:amd64 (4.0.3-7ubuntu0.3, 4.0.3-7ubuntu0.4), libsystemd-daemon0:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), libgudev-1.0-0:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), chromium-codecs-ffmpeg-extra:amd64 (48.0.2564.116-0ubuntu0.14.04.1.1111, 49.0.2623.108-0ubuntu0.14.04.1.1113), libpam-systemd:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), linux-image-generic-lts-vivid:amd64 (3.19.0.56.40, 3.19.0.58.41), libapt-inst1.5:amd64 (1.0.1ubuntu2.11, 1.0.1ubuntu2.12), udev:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), initramfs-tools:amd64 (0.103ubuntu4.2, 0.103ubuntu4.3), chromium-browser-l10n:amd64 (48.0.2564.116-0ubuntu0.14.04.1.1111, 49.0.2623.108-0ubuntu0.14.04.1.1113), libudev1:amd64 (204-5ubuntu20.18, 204-5ubuntu20.19), linux-headers-generic-lts-vivid:amd64 (3.19.0.56.40, 3.19.0.58.41), libwebkitgtk-3.0-0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), libapt-pkg4.12:amd64 (1.0.1ubuntu2.11, 1.0.1ubuntu2.12), linux-generic-lts-vivid:amd64 (3.19.0.56.40, 3.19.0.58.41), git-man:amd64 (1.9.1-1ubuntu0.2, 1.9.1-1ubuntu0.3), git:amd64 (1.9.1-1ubuntu0.2, 1.9.1-1ubuntu0.3), securityonion-setup:amd64 (20120912-0ubuntu0securityonion203, 20120912-0ubuntu0securityonion206), securityonion-rule-update:amd64 (20151201-1ubuntu1securityonion1, 20151201-1ubuntu1securityonion2), libwebkitgtk-3.0-common:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), libwebkitgtk-1.0-common:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), tzdata:amd64 (2015g-0ubuntu0.14.04, 2016c-0ubuntu0.14.04), linux-libc-dev:amd64 (3.13.0-83.127, 3.13.0-85.129), libjavascriptcoregtk-1.0-0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1), libpcre3:amd64 (8.31-2ubuntu2.1, 8.31-2ubuntu2.2), chromium-browser:amd64 (48.0.2564.116-0ubuntu0.14.04.1.1111, 49.0.2623.108-0ubuntu0.14.04.1.1113), libpq5:amd64 (9.3.11-0ubuntu0.14.04, 9.3.12-0ubuntu0.14.04), gir1.2-webkit-3.0:amd64 (2.4.8-1ubuntu1~ubuntu14.04.1, 2.4.10-0ubuntu0.14.04.1)
End-Date: 2016-04-13 16:57:35
Wes
It doesn't look like you are getting much traffic:
"=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth1: 0"
Did you notice any issue with Bro as well?
From sostat:
"Error: unable to open database file: /nsm/bro/spool/state.db
Check if the user running BroControl has both write and search permission to
the directory containing the database file and has both read and write
permission to the database file itself"
Wes
Jason Burrell
Jason Burrell
I decide to remove some of the monitoring sources since I had few vlans and port channels in the monitoring sessions. I scaled down to just two for the heck of it and I started to get a flood of alerts now. So I don't know if I just had to many and it was not able to keep up with the amount of traffic.