just ran update, can't start sguil console, pcap_agent, snort_agent not working
354 views
Skip to first unread message
Jeff Nucciarone
Jun 11, 2015, 3:56:30 PM6/11/15
to securit...@googlegroups.com
I just ran sudo soup on my entire SO setup and now I am cut off from sguil.
When I start up the console, I get the login screen. I enter my credentials and get the following error:
Error: SSL channel "sock4": error: dh key too small
I ran sostat and then saw that pcap_agent, snort_agent, and a bunch of other SO stuff just not working.
I am in the process of rebooting the entire complex to see if this clears it out.
Update = disaster?
*frustrated*
When I start up the console, I get the login screen. I enter my credentials and get the following error:
Error: SSL channel "sock4": error: dh key too small
I ran sostat and then saw that pcap_agent, snort_agent, and a bunch of other SO stuff just not working.
I am in the process of rebooting the entire complex to see if this clears it out.
Update = disaster?
*frustrated*
Doug Burks
Jun 11, 2015, 3:58:42 PM6/11/15
to securit...@googlegroups.com
Please run the following command:
sudo sostat-redacted
There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:
sudo sostat-redacted > sostat-redacted.txt 2>&1
sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.
Attach the output to your email in plain text format (.txt) OR use a
service likehttp://pastebin.com.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
sudo sostat-redacted
There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:
sudo sostat-redacted > sostat-redacted.txt 2>&1
sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.
Attach the output to your email in plain text format (.txt) OR use a
service likehttp://pastebin.com.
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Jeff Nucciarone
Jun 11, 2015, 4:07:33 PM6/11/15
to securit...@googlegroups.com
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 5167 5 11 Jun 20:00:05
proxy proxy localhost running 5445 5 11 Jun 20:00:09
SO-server-eth2-1 worker localhost running 5757 2 11 Jun 20:00:11
SO-server-eth2-2 worker localhost running 6029 2 11 Jun 20:00:14
SO-server-eth2-3 worker localhost running 6230 2 11 Jun 20:00:16
SO-server-eth2-4 worker localhost running 6704 2 11 Jun 20:00:18
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16616 errors:0 dropped:0 overruns:0 frame:0
TX packets:18287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2839305 (2.8 MB) TX bytes:2626221 (2.6 MB)
Interrupt:36 Memory:d8000000-d8012800
eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6274393 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5920507308 (5.9 GB) TX bytes:0 (0.0 B)
Interrupt:40 Memory:dd2c0000-dd2e0000
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41762 errors:0 dropped:0 overruns:0 frame:0
TX packets:41762 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:68897720 (68.8 MB) TX bytes:68897720 (68.8 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
68897720 41762 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
68897720 41762 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
2839305 16616 0 0 0 413
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2626221 18287 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
5920510606 6274399 0 0 0 211
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
6: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
8: eth6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 139G 24G 109G 18% /
udev 32G 4.0K 32G 1% /dev
tmpfs 6.3G 808K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 32G 0 32G 0% /run/shm
/dev/sdb2 32T 29T 3.3T 90% /nsm
/dev/sda1 472M 329M 119M 74% /boot
/dev/sda6 29G 173M 27G 1% /tmp
/dev/sda10 19G 551M 18G 4% /home
/dev/sda11 9.4G 171M 8.8G 2% /usr/local
/dev/sda7 29G 1.6G 26G 6% /var
/dev/sdb1 977G 50G 927G 6% /var/lib/mysql
/dev/sda8 29G 1.7G 26G 7% /var/log
/dev/sda9 19G 172M 18G 1% /var/log/audit
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 2115 avahi 12u IPv4 31277 0t0 UDP *:5353
avahi-dae 2115 avahi 13u IPv6 31278 0t0 UDP *:5353
avahi-dae 2115 avahi 14u IPv4 31279 0t0 UDP *:49182
avahi-dae 2115 avahi 15u IPv6 31280 0t0 UDP *:39083
cupsd 2122 root 8u IPv6 7367 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2122 root 9u IPv4 7368 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 2196 root 3r IPv4 10591 0t0 TCP *:ssh_port (LISTEN)
sshd 2196 root 4u IPv6 10593 0t0 TCP *:ssh_port (LISTEN)
salt-mini 2321 root 10u IPv4 26688 0t0 TCP X.X.X.X:57098->X.X.X.X:4506 (ESTABLISHED)
salt-mini 2321 root 21u IPv4 10884 0t0 TCP X.X.X.X:42783->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 2336 root 9u IPv4 31644 0t0 TCP *:514 (LISTEN)
syslog-ng 2336 root 10u IPv4 31645 0t0 UDP *:514
mysqld 2416 mysql 10u IPv4 31671 0t0 TCP X.X.X.X:50000 (LISTEN)
searchd 2535 sphinxsearch 7u IPv4 9468 0t0 TCP *:9306 (LISTEN)
searchd 2535 sphinxsearch 8u IPv4 9469 0t0 TCP *:9312 (LISTEN)
snmpd 2679 snmp 8u IPv4 11462 0t0 UDP X.X.X.X:161
snmpd 2679 snmp 9u IPv4 9495 0t0 UDP *:36179
ntpd 3206 ntp 16u IPv4 33066 0t0 UDP *:123
ntpd 3206 ntp 17u IPv6 33067 0t0 UDP *:123
ntpd 3206 ntp 18u IPv4 33073 0t0 UDP X.X.X.X:123
ntpd 3206 ntp 19u IPv4 33074 0t0 UDP X.X.X.X:123
ntpd 3206 ntp 20u IPv6 33075 0t0 UDP [X.X.X.X]:123
ntpd 3206 ntp 21u IPv6 33076 0t0 UDP [X.X.X.X]:123
ossec-csy 4049 ossecm 5u IPv4 33401 0t0 UDP X.X.X.X:56114->X.X.X.X:514
starman 4731 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4744 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4745 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4746 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4746 www-data 16u IPv4 44851 0t0 TCP X.X.X.X:41979->X.X.X.X:3154 (CLOSE_WAIT)
starman 4747 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4749 www-data 5u IPv6 33461 0t0 TCP *:3154 (LISTEN)
starman 4749 www-data 16u IPv4 23321 0t0 TCP X.X.X.X:41957->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin 5127 root 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5127 root 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5127 root 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
bro 5167 SO-user 4u IPv4 13877 0t0 UDP X.X.X.X:58659->X.X.X.X:53
bro 5257 SO-user 0u IPv4 23894 0t0 TCP *:47761 (LISTEN)
bro 5257 SO-user 1u IPv6 23895 0t0 TCP *:47761 (LISTEN)
bro 5257 SO-user 2u IPv4 15776 0t0 TCP X.X.X.X:47761->X.X.X.X:40370 (ESTABLISHED)
bro 5257 SO-user 4u IPv4 13877 0t0 UDP X.X.X.X:58659->X.X.X.X:53
bro 5257 SO-user 251u IPv4 14505 0t0 TCP X.X.X.X:47761->X.X.X.X:40374 (ESTABLISHED)
bro 5257 SO-user 255u IPv4 9829 0t0 TCP X.X.X.X:47761->X.X.X.X:40377 (ESTABLISHED)
bro 5257 SO-user 256u IPv4 9860 0t0 TCP X.X.X.X:47761->X.X.X.X:40379 (ESTABLISHED)
bro 5257 SO-user 257u IPv4 14575 0t0 TCP X.X.X.X:47761->X.X.X.X:40384 (ESTABLISHED)
/usr/sbin 5437 www-data 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5437 www-data 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5437 www-data 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
/usr/sbin 5438 www-data 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5438 www-data 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5438 www-data 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
/usr/sbin 5439 www-data 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5439 www-data 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5439 www-data 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
/usr/sbin 5440 www-data 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5440 www-data 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5440 www-data 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
/usr/sbin 5441 www-data 4u IPv4 32344 0t0 TCP *:443 (LISTEN)
/usr/sbin 5441 www-data 5u IPv4 32347 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5441 www-data 6u IPv4 32349 0t0 TCP *:444 (LISTEN)
bro 5445 SO-user 4u IPv4 12659 0t0 UDP X.X.X.X:34119->X.X.X.X:53
bro 5481 SO-user 0u IPv4 33888 0t0 TCP X.X.X.X:40370->X.X.X.X:47761 (ESTABLISHED)
bro 5481 SO-user 1u IPv4 33891 0t0 TCP *:47762 (LISTEN)
bro 5481 SO-user 2u IPv6 33892 0t0 TCP *:47762 (LISTEN)
bro 5481 SO-user 4u IPv4 12659 0t0 UDP X.X.X.X:34119->X.X.X.X:53
bro 5481 SO-user 251u IPv4 23016 0t0 TCP X.X.X.X:47762->X.X.X.X:55956 (ESTABLISHED)
bro 5481 SO-user 255u IPv4 33546 0t0 TCP X.X.X.X:47762->X.X.X.X:55959 (ESTABLISHED)
bro 5481 SO-user 256u IPv4 23032 0t0 TCP X.X.X.X:47762->X.X.X.X:55961 (ESTABLISHED)
bro 5481 SO-user 257u IPv4 21944 0t0 TCP X.X.X.X:47762->X.X.X.X:55966 (ESTABLISHED)
ssh 5512 root 3r IPv4 8553 0t0 TCP X.X.X.X:35183->X.X.X.X:ssh_port (ESTABLISHED)
ssh 5512 root 4u IPv6 26776 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 5512 root 5u IPv4 26777 0t0 TCP X.X.X.X:3306 (LISTEN)
sshd 5740 root 3r IPv4 33520 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:47120 (ESTABLISHED)
bro 5757 SO-user 4u IPv4 18983 0t0 UDP X.X.X.X:34008->X.X.X.X:53
bro 5829 SO-user 0u IPv4 11835 0t0 TCP X.X.X.X:40374->X.X.X.X:47761 (ESTABLISHED)
bro 5829 SO-user 1u IPv4 11836 0t0 TCP X.X.X.X:55956->X.X.X.X:47762 (ESTABLISHED)
bro 5829 SO-user 2u IPv4 11839 0t0 TCP *:47763 (LISTEN)
bro 5829 SO-user 4u IPv4 18983 0t0 UDP X.X.X.X:34008->X.X.X.X:53
bro 5829 SO-user 251u IPv6 11840 0t0 TCP *:47763 (LISTEN)
bro 6029 SO-user 4u IPv4 14000 0t0 UDP X.X.X.X:35228->X.X.X.X:53
bro 6045 SO-user 0u IPv4 17826 0t0 TCP X.X.X.X:40377->X.X.X.X:47761 (ESTABLISHED)
bro 6045 SO-user 1u IPv4 17827 0t0 TCP X.X.X.X:55959->X.X.X.X:47762 (ESTABLISHED)
bro 6045 SO-user 2u IPv4 17830 0t0 TCP *:47764 (LISTEN)
bro 6045 SO-user 4u IPv4 14000 0t0 UDP X.X.X.X:35228->X.X.X.X:53
bro 6045 SO-user 251u IPv6 17831 0t0 TCP *:47764 (LISTEN)
bro 6230 SO-user 4u IPv4 17104 0t0 UDP X.X.X.X:33199->X.X.X.X:53
bro 6254 SO-user 0u IPv4 14029 0t0 TCP X.X.X.X:40379->X.X.X.X:47761 (ESTABLISHED)
bro 6254 SO-user 1u IPv4 14030 0t0 TCP X.X.X.X:55961->X.X.X.X:47762 (ESTABLISHED)
bro 6254 SO-user 2u IPv4 14033 0t0 TCP *:47765 (LISTEN)
bro 6254 SO-user 4u IPv4 17104 0t0 UDP X.X.X.X:33199->X.X.X.X:53
bro 6254 SO-user 251u IPv6 14034 0t0 TCP *:47765 (LISTEN)
sshd 6572 SO-user 3u IPv4 33520 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:47120 (ESTABLISHED)
sshd 6572 SO-user 9u IPv6 33585 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 6572 SO-user 10u IPv4 33586 0t0 TCP X.X.X.X:6010 (LISTEN)
bro 6704 SO-user 4u IPv4 19892 0t0 UDP X.X.X.X:37295->X.X.X.X:53
bro 6721 SO-user 0u IPv4 15830 0t0 TCP X.X.X.X:40384->X.X.X.X:47761 (ESTABLISHED)
bro 6721 SO-user 1u IPv4 15831 0t0 TCP X.X.X.X:55966->X.X.X.X:47762 (ESTABLISHED)
bro 6721 SO-user 2u IPv4 15834 0t0 TCP *:47766 (LISTEN)
bro 6721 SO-user 4u IPv4 19892 0t0 UDP X.X.X.X:37295->X.X.X.X:53
bro 6721 SO-user 251u IPv6 15835 0t0 TCP *:47766 (LISTEN)
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
6.52 4.10 1.78
Processing units: 24
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 20:03:31 up 4 min, 1 user, load average: 6.52, 4.10, 1.78
Tasks: 305 total, 6 running, 299 sleeping, 0 stopped, 0 zombie
Cpu(s): 12.8%us, 9.2%sy, 0.3%ni, 73.9%id, 3.4%wa, 0.0%hi, 0.5%si, 0.0%st
Mem: 65965188k total, 19495692k used, 46469496k free, 40188k buffers
Swap: 36981308k total, 0k used, 36981308k free, 9418196k cached
%CPU %MEM COMMAND
163 2.1 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth2/suricata.yaml --pfring=eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2
102 0.4 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_2
81.8 1.1 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
79.3 1.1 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
76.9 1.1 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
73.0 1.1 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
25.8 4.5 /usr/bin/searchd --nodetach
24.2 1.0 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2015-06-11/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth2/bpf-pcap.ops
20.9 0.0 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo -i 1 -U
16.1 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
16.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
12.8 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
12.7 0.2 /usr/sbin/mysqld
12.7 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
12.7 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
12.7 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
11.2 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
5.1 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.9 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.7 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.6 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.3 0.1 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1.3 0.1 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1.3 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
1.2 0.1 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1.2 0.0 /sbin/init
1.1 0.1 /usr/sbin/apache2 -k start
1.1 0.1 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
1.1 0.1 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.8 0.0 /usr/bin/python /usr/bin/salt-minion
0.3 0.0 /var/ossec/bin/ossec-analysisd
0.2 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.2 0.0 -bash
0.2 0.0 [kworker/0:2]
0.2 0.0 /usr/sbin/lightdm-gtk-greeter
0.2 0.0 [kworker/0:3]
0.1 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.1 0.0 [xfsaild/sdb2]
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.0 [flush-8:16]
0.1 0.0 [kworker/u:0]
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 0.0 [kworker/0:0]
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:2]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kworker/0:1]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 Passenger spawn server
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [migration/1]
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 [migration/23]
0.0 0.0 [migration/22]
0.0 0.0 [migration/21]
0.0 0.0 [migration/20]
0.0 0.0 [migration/19]
0.0 0.0 [migration/18]
0.0 0.0 [migration/17]
0.0 0.0 [migration/16]
0.0 0.0 [migration/15]
0.0 0.0 [migration/14]
0.0 0.0 [migration/13]
0.0 0.0 [migration/12]
0.0 0.0 [migration/3]
0.0 0.0 [migration/0]
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/11]
0.0 0.0 [migration/10]
0.0 0.0 [migration/9]
0.0 0.0 [migration/8]
0.0 0.0 [migration/7]
0.0 0.0 [migration/6]
0.0 0.0 [migration/5]
0.0 0.0 [migration/4]
0.0 0.0 [migration/2]
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 [xfsbufd/sdb2]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [xfsaild/sdb1]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@XXX.
0.0 0.0 lightdm
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [watchdog/1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [watchdog/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [watchdog/4]
0.0 0.0 [kworker/5:0]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [watchdog/7]
0.0 0.0 [kworker/8:0]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [watchdog/9]
0.0 0.0 [kworker/10:0]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [watchdog/13]
0.0 0.0 [kworker/14:0]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [watchdog/14]
0.0 0.0 [kworker/15:0]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [watchdog/15]
0.0 0.0 [kworker/16:0]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [watchdog/17]
0.0 0.0 [kworker/18:0]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [watchdog/18]
0.0 0.0 [kworker/19:0]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [watchdog/20]
0.0 0.0 [kworker/21:0]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 [watchdog/21]
0.0 0.0 [kworker/22:0]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [watchdog/22]
0.0 0.0 [kworker/23:0]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [watchdog/23]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [kworker/u:1]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/15:1]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kworker/u:2]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/10:1]
0.0 0.0 [kworker/9:1]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/7:2]
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/23:1]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/19:1]
0.0 0.0 [kworker/12:1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [flush-251:0]
0.0 0.0 [edac-poller]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/8:2]
0.0 0.0 [kworker/5:2]
0.0 0.0 [kworker/9:2]
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/6:2]
0.0 0.0 [kworker/17:2]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda6-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 [flush-8:0]
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 cron
0.0 0.0 atd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@XXXX.
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|lost+found|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: -26124711
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 25 days
23T .
704G ./2015-05-18
815G ./2015-05-19
814G ./2015-05-20
764G ./2015-05-21
620G ./2015-05-22
1.2T ./2015-05-23
290G ./2015-05-24
407G ./2015-05-25
715G ./2015-05-26
872G ./2015-05-27
873G ./2015-05-28
709G ./2015-05-29
1019G ./2015-05-30
639G ./2015-05-31
797G ./2015-06-01
849G ./2015-06-02
1.1T ./2015-06-03
791G ./2015-06-04
646G ./2015-06-05
1.2T ./2015-06-06
2.1T ./2015-06-07
1.6T ./2015-06-08
2.2T ./2015-06-09
919G ./2015-06-10
776G ./2015-06-11
/nsm/bro/logs/ - 25 days
50G .
2.7G ./2015-05-18
2.9G ./2015-05-19
3.0G ./2015-05-20
2.6G ./2015-05-21
1.9G ./2015-05-22
624M ./2015-05-23
564M ./2015-05-24
580M ./2015-05-25
2.4G ./2015-05-26
2.6G ./2015-05-27
2.4G ./2015-05-28
2.3G ./2015-05-29
676M ./2015-05-30
648M ./2015-05-31
2.5G ./2015-06-01
2.8G ./2015-06-02
2.6G ./2015-06-03
2.6G ./2015-06-04
2.5G ./2015-06-05
646M ./2015-06-06
661M ./2015-06-07
2.5G ./2015-06-08
2.9G ./2015-06-09
2.6G ./2015-06-10
2.3G ./2015-06-11
364M ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth2-1: 1434053012.055418 recvd=1060697 dropped=0 link=1060697
SO-server-eth2-2: 1434053012.255305 recvd=635089 dropped=0 link=635089
SO-server-eth2-3: 1434053012.456591 recvd=1717163 dropped=0 link=1717163
SO-server-eth2-4: 1434053012.656533 recvd=1476984 dropped=0 link=1476984
=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth2/stats.log
tcp.ssn_memcap_drop | RxPFReth24 | 0
tcp.segment_memcap_drop | RxPFReth24 | 0
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 8
Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
/proc/net/pf_ring/5757-eth2.1
Appl. Name : bro-eth2
Tot Packets : 1066998
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6029-eth2.2
Appl. Name : bro-eth2
Tot Packets : 637193
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6230-eth2.3
Appl. Name : bro-eth2
Tot Packets : 1721610
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6704-eth2.4
Appl. Name : bro-eth2
Tot Packets : 1479484
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/8469-eth2.6
Appl. Name : Suricata
Tot Packets : 789305
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65476
/proc/net/pf_ring/8471-eth2.7
Appl. Name : Suricata
Tot Packets : 494388
Tot Pkt Lost : 5849
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 29984
/proc/net/pf_ring/8473-eth2.8
Appl. Name : Suricata
Tot Packets : 1360266
Tot Pkt Lost : 21570
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65479
/proc/net/pf_ring/8475-eth2.9
Appl. Name : Suricata
Tot Packets : 1219546
Tot Pkt Lost : 5667
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65480
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2334 supervising syslog-ng
2336 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
2416 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!
Sphinx
Checking for process:
2382 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
10684 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_2
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
5.5T /nsm/elsa/data
345M /var/lib/mysql/syslog
49G /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
2015-04-14 14:41:50 2015-06-11 20:02:26
autossh
Checking for process:
5510 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@XXXX.
Checking APIKEY:
APIKEY matches server.
starman
Checking for processes:
4731 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
4744 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
4745 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
4746 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
4747 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
4749 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
Jeff Nucciarone
Jun 11, 2015, 4:08:04 PM6/11/15
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 3:56:30 PM UTC-4, Jeff Nucciarone wrote:
df: `/sys/kernel/debug': Function not implemented
df: `/var/lib/lightdm/.gvfs': Permission denied
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda12 145598048 24168784 114033272 18% /
udev 32970452 4 32970448 1% /dev
tmpfs 6596520 808 6595712 1% /run
none 5120 0 5120 0% /run/lock
none 32982592 0 32982592 0% /run/shm
/dev/sdb2 34132141056 30596024864 3536116192 90% /nsm
/dev/sda1 482922 336288 121700 74% /boot
/dev/sda6 29528148 176188 27852008 1% /tmp
/dev/sda10 19684632 563616 18121080 4% /home
/dev/sda11 9842208 174544 9167696 2% /usr/local
/dev/sda7 29528148 1580860 26447336 6% /var
/dev/sdb1 1023498980 51679376 971819604 6% /var/lib/mysql
/dev/sda8 29528148 1715360 26312836 7% /var/log
/dev/sda9 19684632 176064 18508632 1% /var/log/audit
Doug Burks
Jun 11, 2015, 4:20:17 PM6/11/15
to securit...@googlegroups.com
Please check the following log files on the sensor in /var/log/nsm/:
pcap_agent (SO-user)[ FAIL ]
snort_agent (SO-user)[ FAIL ]
Please check the sguild log file in
/var/log/nsm/securityonion/sguild.log on the master server.
Please also send sostat output from the master server.
pcap_agent (SO-user)[ FAIL ]
snort_agent (SO-user)[ FAIL ]
Please check the sguild log file in
/var/log/nsm/securityonion/sguild.log on the master server.
Please also send sostat output from the master server.
Jeff Nucciarone
Jun 11, 2015, 4:37:29 PM6/11/15
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 4:20:17 PM UTC-4, Doug Burks wrote:
> Please check the following log files on the sensor in /var/log/nsm/:
>
> pcap_agent (SO-user)[ FAIL ]
Executing: /usr/bin/pcap_agent.tcl -c /etc/nsm/REDACTED-eth2/pcap_agent.conf
> Please check the following log files on the sensor in /var/log/nsm/:
>
> pcap_agent (SO-user)[ FAIL ]
Connected to localhost
Sending sguild (sock3) RegisterAgent pcap REDACTED-eth2 bisporgera-eth2
ERROR: error writing "sock3": software caused connection abort : RegisterAgent pcap bisporgera-eth2 REDACTED-eth2
Sending sguild (sock3) DiskReport /nsm/sensor_data/REDACTED-eth2 88%
ERROR: error writing "sock3": connection reset by peer : DiskReport /nsm/sensor_data/REDACTED-eth2 88%
Sending sguild (sock3) PING
ERROR: error writing "sock3": connection reset by peer : PING
Socket sock3 closed
Attempting to reconnect.
Connected to localhost
Sending sguild (sock3) RegisterAgent pcap REDACTED-eth2 REDACTED-eth2
ERROR: error writing "sock3": software caused connection abort : RegisterAgent pcap REDACTED-eth2 REDACTED-eth2
Sensor Data Rcvd:
Socket sock3 closed
Attempting to reconnect.
Connected to localhost
repeated over and over....
> snort_agent (SO-user)[ FAIL ]
ERROR: error writing "sock3": software caused connection abort : RegisterAgent snort REDACTED-eth2 REDACTED-eth2
Sensor Data Rcvd:
Socket sock3 closed
Attempting to reconnect.
over and over.....
>
> Please check the sguild log file in
> /var/log/nsm/securityonion/sguild.log on the master server.
>
015-06-11 20:25:33 pid(4637) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-11 20:25:33 pid(4637) Sensor Data Rcvd: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2015-06-11 20:25:33 pid(4637) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-11 20:25:33 pid(4637) Sensor Data Rcvd: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2015-06-11 20:25:33 pid(4637) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-11 20:25:33 pid(4637) Sensor Data Rcvd: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2015-06-11 20:25:33 pid(4637) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-11 20:25:33 pid(4637) Sensor agent connect from 127.0.0.1:59054 sock15
Here's the sostat-redacted from the master:
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 4985 9 11 Jun 19:58:23
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
proxy proxy localhost running 5175 9 11 Jun 19:58:25
SO-server-eth2-1 worker localhost running 6421 2 11 Jun 19:58:43
SO-server-eth2-2 worker localhost running 6424 2 11 Jun 19:58:43
SO-server-eth2-3 worker localhost running 6423 2 11 Jun 19:58:43
SO-server-eth2-4 worker localhost running 6426 2 11 Jun 19:58:43
SO-server-eth3-1 worker localhost running 6428 2 11 Jun 19:58:43
SO-server-eth3-2 worker localhost running 6427 2 11 Jun 19:58:43
SO-server-eth3-3 worker localhost running 6422 2 11 Jun 19:58:43
SO-server-eth3-4 worker localhost running 6425 2 11 Jun 19:58:43
Status: SO-server-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:236212 errors:0 dropped:0 overruns:0 frame:0
* pcap_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* snort_agent (SO-user)[ FAIL ]
* stale PID file found, process will be restarted at the next 5-minute interval!
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
TX packets:55777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:113186131 (113.1 MB) TX bytes:9837749 (9.8 MB)
Interrupt:36 Memory:da000000-da012800
eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73228076916 (73.2 GB) TX bytes:0 (0.0 B)
collisions:0 txqueuelen:1000
Interrupt:40 Memory:df2c0000-df2e0000
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
collisions:0 txqueuelen:1000
Interrupt:41 Memory:df3c0000-df3e0000
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
TX packets:1670187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:550118982 (550.1 MB) TX bytes:550118982 (550.1 MB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
550118982 1670187 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
113186131 236212 0 0 0 4053
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
9837749 55777 0 0 0 0
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
73228291964 57085660 0 0 0 4051
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda12 149G 44G 97G 32% /
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 32G 4.0K 32G 1% /dev
tmpfs 6.3G 848K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 32G 0 32G 0% /run/shm
/dev/sda5 29G 174M 27G 1% /tmp
none 32G 0 32G 0% /run/shm
/dev/sdb2 18T 15T 2.3T 88% /nsm
/dev/sda1 484M 300M 159M 66% /boot
/dev/sda10 9.4G 170M 8.8G 2% /usr/local
/dev/sda11 19G 492M 18G 3% /home
/dev/sda7 29G 1009M 26G 4% /var
/dev/sdb1 1.0T 149G 875G 15% /var/lib/mysql
/dev/sda8 29G 5.4G 22G 21% /var/log
/dev/sda9 9.4G 150M 8.8G 2% /var/log/audit
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 2147 root 9u IPv4 29872 0t0 TCP X.X.X.X:631 (LISTEN)
avahi-dae 2151 avahi 12u IPv4 29853 0t0 UDP *:5353
avahi-dae 2151 avahi 13u IPv6 29854 0t0 UDP *:5353
avahi-dae 2151 avahi 14u IPv4 29855 0t0 UDP *:57414
avahi-dae 2151 avahi 15u IPv6 29856 0t0 UDP *:58140
sshd 2224 root 3r IPv4 16584 0t0 TCP *:ssh_port (LISTEN)
sshd 2224 root 4u IPv6 16586 0t0 TCP *:ssh_port (LISTEN)
salt-mini 2342 root 10u IPv4 1713 0t0 TCP X.X.X.X:39641->X.X.X.X:4506 (ESTABLISHED)
salt-mini 2342 root 21u IPv4 9750 0t0 TCP X.X.X.X:47247->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 2372 root 9u IPv4 30568 0t0 TCP *:514 (LISTEN)
syslog-ng 2372 root 10u IPv4 30569 0t0 UDP *:514
mysqld 2525 mysql 12u IPv4 28800 0t0 TCP X.X.X.X:3306 (LISTEN)
searchd 2571 sphinxsearch 7u IPv4 31772 0t0 TCP *:9306 (LISTEN)
searchd 2571 sphinxsearch 8u IPv4 31773 0t0 TCP *:9312 (LISTEN)
salt-mast 2648 root 12u IPv4 16657 0t0 TCP *:4505 (LISTEN)
salt-mast 2648 root 14u IPv4 14451 0t0 TCP X.X.X.X:4505->X.X.X.X:47247 (ESTABLISHED)
salt-mast 2648 root 15u IPv4 45065 0t0 TCP X.X.X.X:4505->X.X.X.X:42783 (ESTABLISHED)
salt-mast 2660 root 20u IPv4 11382 0t0 TCP *:4506 (LISTEN)
salt-mast 2660 root 22u IPv4 20663 0t0 TCP X.X.X.X:4506->X.X.X.X:39641 (ESTABLISHED)
salt-mast 2660 root 28u IPv4 28024 0t0 TCP X.X.X.X:4506->X.X.X.X:57098 (ESTABLISHED)
snmpd 3003 snmp 8u IPv4 31863 0t0 UDP X.X.X.X:161
snmpd 3003 snmp 9u IPv4 31861 0t0 UDP *:47226
ntpd 3285 ntp 16u IPv4 31873 0t0 UDP *:123
ntpd 3285 ntp 17u IPv6 31874 0t0 UDP *:123
ntpd 3285 ntp 18u IPv4 31880 0t0 UDP X.X.X.X:123
ntpd 3285 ntp 19u IPv4 31881 0t0 UDP X.X.X.X:123
ntpd 3285 ntp 20u IPv6 31882 0t0 UDP [X.X.X.X]:123
ntpd 3285 ntp 21u IPv6 31883 0t0 UDP [X.X.X.X]:123
sshd 3843 root 3r IPv4 12455 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55725 (ESTABLISHED)
sshd 3996 SO-user 3u IPv4 12455 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:55725 (ESTABLISHED)
sshd 3996 SO-user 9u IPv6 1727 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 3996 SO-user 10u IPv4 1728 0t0 TCP X.X.X.X:50001 (LISTEN)
ossec-csy 4322 ossecm 5u IPv4 32971 0t0 UDP X.X.X.X:55579->X.X.X.X:514
/usr/sbin 4465 root 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 4465 root 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4465 root 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4465 root 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
/usr/sbin 4590 www-data 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 4590 www-data 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4590 www-data 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4590 www-data 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
/usr/sbin 4591 www-data 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 4591 www-data 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4591 www-data 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4591 www-data 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
/usr/sbin 4592 www-data 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 4592 www-data 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4592 www-data 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4592 www-data 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
tclsh 4637 SO-user 13u IPv4 29117 0t0 TCP *:7734 (LISTEN)
tclsh 4637 SO-user 14u IPv4 29118 0t0 TCP *:7736 (LISTEN)
bro 4985 SO-user 4u IPv4 12646 0t0 UDP X.X.X.X:56935->X.X.X.X:53
bro 5009 SO-user 0u IPv4 21835 0t0 TCP *:47761 (LISTEN)
bro 5009 SO-user 1u IPv6 21836 0t0 TCP *:47761 (LISTEN)
bro 5009 SO-user 2u IPv4 13499 0t0 TCP X.X.X.X:47761->X.X.X.X:39023 (ESTABLISHED)
bro 5009 SO-user 4u IPv4 12646 0t0 UDP X.X.X.X:56935->X.X.X.X:53
bro 5009 SO-user 251u IPv4 25996 0t0 TCP X.X.X.X:47761->X.X.X.X:39034 (ESTABLISHED)
bro 5009 SO-user 255u IPv4 20711 0t0 TCP X.X.X.X:47761->X.X.X.X:39036 (ESTABLISHED)
bro 5009 SO-user 256u IPv4 29043 0t0 TCP X.X.X.X:47761->X.X.X.X:39037 (ESTABLISHED)
bro 5009 SO-user 257u IPv4 24991 0t0 TCP X.X.X.X:47761->X.X.X.X:39039 (ESTABLISHED)
bro 5009 SO-user 258u IPv4 24992 0t0 TCP X.X.X.X:47761->X.X.X.X:39041 (ESTABLISHED)
bro 5009 SO-user 259u IPv4 20712 0t0 TCP X.X.X.X:47761->X.X.X.X:39044 (ESTABLISHED)
bro 5009 SO-user 260u IPv4 29047 0t0 TCP X.X.X.X:47761->X.X.X.X:39046 (ESTABLISHED)
bro 5009 SO-user 261u IPv4 17705 0t0 TCP X.X.X.X:47761->X.X.X.X:39048 (ESTABLISHED)
bro 5175 SO-user 4u IPv4 17610 0t0 UDP X.X.X.X:34533->X.X.X.X:53
bro 5189 SO-user 0u IPv4 8613 0t0 TCP X.X.X.X:39023->X.X.X.X:47761 (ESTABLISHED)
bro 5189 SO-user 1u IPv4 8616 0t0 TCP *:47762 (LISTEN)
bro 5189 SO-user 2u IPv6 8617 0t0 TCP *:47762 (LISTEN)
bro 5189 SO-user 4u IPv4 17610 0t0 UDP X.X.X.X:34533->X.X.X.X:53
bro 5189 SO-user 251u IPv4 23693 0t0 TCP X.X.X.X:47762->X.X.X.X:45189 (ESTABLISHED)
bro 5189 SO-user 255u IPv4 17052 0t0 TCP X.X.X.X:47762->X.X.X.X:45191 (ESTABLISHED)
bro 5189 SO-user 256u IPv4 21907 0t0 TCP X.X.X.X:47762->X.X.X.X:45194 (ESTABLISHED)
bro 5189 SO-user 257u IPv4 21908 0t0 TCP X.X.X.X:47762->X.X.X.X:45196 (ESTABLISHED)
bro 5189 SO-user 258u IPv4 19917 0t0 TCP X.X.X.X:47762->X.X.X.X:45198 (ESTABLISHED)
bro 5189 SO-user 259u IPv4 8666 0t0 TCP X.X.X.X:47762->X.X.X.X:45199 (ESTABLISHED)
bro 5189 SO-user 260u IPv4 15741 0t0 TCP X.X.X.X:47762->X.X.X.X:45201 (ESTABLISHED)
bro 5189 SO-user 261u IPv4 26008 0t0 TCP X.X.X.X:47762->X.X.X.X:45203 (ESTABLISHED)
bro 6421 SO-user 4u IPv4 14647 0t0 UDP X.X.X.X:54751->X.X.X.X:53
bro 6422 SO-user 4u IPv4 15734 0t0 UDP X.X.X.X:44588->X.X.X.X:53
bro 6423 SO-user 4u IPv4 12703 0t0 UDP X.X.X.X:43756->X.X.X.X:53
bro 6424 SO-user 4u IPv4 23691 0t0 UDP X.X.X.X:42376->X.X.X.X:53
bro 6425 SO-user 4u IPv4 17050 0t0 UDP X.X.X.X:45339->X.X.X.X:53
bro 6426 SO-user 4u IPv4 17697 0t0 UDP X.X.X.X:36103->X.X.X.X:53
bro 6427 SO-user 4u IPv4 10001 0t0 UDP X.X.X.X:38863->X.X.X.X:53
bro 6428 SO-user 4u IPv4 11671 0t0 UDP X.X.X.X:49203->X.X.X.X:53
bro 6429 SO-user 0u IPv4 24979 0t0 TCP X.X.X.X:45189->X.X.X.X:47762 (ESTABLISHED)
bro 6429 SO-user 1u IPv4 24980 0t0 TCP X.X.X.X:39034->X.X.X.X:47761 (ESTABLISHED)
bro 6429 SO-user 2u IPv4 24983 0t0 TCP *:47765 (LISTEN)
bro 6429 SO-user 4u IPv4 12703 0t0 UDP X.X.X.X:43756->X.X.X.X:53
bro 6429 SO-user 251u IPv6 24984 0t0 TCP *:47765 (LISTEN)
bro 6432 SO-user 0u IPv4 24985 0t0 TCP X.X.X.X:45191->X.X.X.X:47762 (ESTABLISHED)
bro 6432 SO-user 1u IPv4 24986 0t0 TCP X.X.X.X:39036->X.X.X.X:47761 (ESTABLISHED)
bro 6432 SO-user 2u IPv4 24989 0t0 TCP *:47767 (LISTEN)
bro 6432 SO-user 4u IPv4 11671 0t0 UDP X.X.X.X:49203->X.X.X.X:53
bro 6432 SO-user 251u IPv6 24990 0t0 TCP *:47767 (LISTEN)
bro 6435 SO-user 0u IPv4 17055 0t0 TCP X.X.X.X:39037->X.X.X.X:47761 (ESTABLISHED)
bro 6435 SO-user 1u IPv4 17056 0t0 TCP X.X.X.X:45194->X.X.X.X:47762 (ESTABLISHED)
bro 6435 SO-user 2u IPv4 17059 0t0 TCP *:47764 (LISTEN)
bro 6435 SO-user 4u IPv4 23691 0t0 UDP X.X.X.X:42376->X.X.X.X:53
bro 6435 SO-user 251u IPv6 17060 0t0 TCP *:47764 (LISTEN)
bro 6445 SO-user 0u IPv4 25997 0t0 TCP X.X.X.X:39039->X.X.X.X:47761 (ESTABLISHED)
bro 6445 SO-user 1u IPv4 25998 0t0 TCP X.X.X.X:45196->X.X.X.X:47762 (ESTABLISHED)
bro 6445 SO-user 2u IPv4 26001 0t0 TCP *:47770 (LISTEN)
bro 6445 SO-user 4u IPv4 17050 0t0 UDP X.X.X.X:45339->X.X.X.X:53
bro 6445 SO-user 251u IPv6 26002 0t0 TCP *:47770 (LISTEN)
bro 6449 SO-user 0u IPv4 8660 0t0 TCP X.X.X.X:39041->X.X.X.X:47761 (ESTABLISHED)
bro 6449 SO-user 1u IPv4 8661 0t0 TCP X.X.X.X:45198->X.X.X.X:47762 (ESTABLISHED)
bro 6449 SO-user 2u IPv4 8664 0t0 TCP *:47769 (LISTEN)
bro 6449 SO-user 4u IPv4 15734 0t0 UDP X.X.X.X:44588->X.X.X.X:53
bro 6449 SO-user 251u IPv6 8665 0t0 TCP *:47769 (LISTEN)
bro 6452 SO-user 0u IPv4 11684 0t0 TCP X.X.X.X:45199->X.X.X.X:47762 (ESTABLISHED)
bro 6452 SO-user 1u IPv4 11685 0t0 TCP X.X.X.X:39044->X.X.X.X:47761 (ESTABLISHED)
bro 6452 SO-user 2u IPv4 11688 0t0 TCP *:47763 (LISTEN)
bro 6452 SO-user 4u IPv4 14647 0t0 UDP X.X.X.X:54751->X.X.X.X:53
bro 6452 SO-user 251u IPv6 11689 0t0 TCP *:47763 (LISTEN)
bro 6464 SO-user 0u IPv4 24993 0t0 TCP X.X.X.X:45201->X.X.X.X:47762 (ESTABLISHED)
bro 6464 SO-user 1u IPv4 24994 0t0 TCP X.X.X.X:39046->X.X.X.X:47761 (ESTABLISHED)
bro 6464 SO-user 2u IPv4 24997 0t0 TCP *:47768 (LISTEN)
bro 6464 SO-user 4u IPv4 10001 0t0 UDP X.X.X.X:38863->X.X.X.X:53
bro 6464 SO-user 251u IPv6 24998 0t0 TCP *:47768 (LISTEN)
bro 6470 SO-user 0u IPv4 24999 0t0 TCP X.X.X.X:45203->X.X.X.X:47762 (ESTABLISHED)
bro 6470 SO-user 1u IPv4 25000 0t0 TCP X.X.X.X:39048->X.X.X.X:47761 (ESTABLISHED)
bro 6470 SO-user 2u IPv4 25003 0t0 TCP *:47766 (LISTEN)
bro 6470 SO-user 4u IPv4 17697 0t0 UDP X.X.X.X:36103->X.X.X.X:53
bro 6470 SO-user 251u IPv6 25004 0t0 TCP *:47766 (LISTEN)
sshd 14243 root 3r IPv4 72437 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35183 (ESTABLISHED)
sshd 14396 SO-user 3u IPv4 72437 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:35183 (ESTABLISHED)
sshd 14396 SO-user 9u IPv6 85214 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 14396 SO-user 10u IPv4 85215 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 15932 root 3r IPv4 139680 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:48009 (ESTABLISHED)
/usr/sbin 15934 www-data 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 15934 www-data 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 15934 www-data 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 15934 www-data 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
sshd 16086 SO-user 3u IPv4 139680 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:48009 (ESTABLISHED)
sshd 16086 SO-user 9u IPv6 139920 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 16086 SO-user 10u IPv4 139921 0t0 TCP X.X.X.X:6010 (LISTEN)
/usr/sbin 18212 www-data 4u IPv4 8568 0t0 TCP *:443 (LISTEN)
/usr/sbin 18212 www-data 5u IPv4 8571 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18212 www-data 6u IPv4 8573 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18212 www-data 7u IPv4 8577 0t0 TCP *:444 (LISTEN)
=========================================================================
IDS Rules Update
=========================================================================
Thu Jun 11 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2972.tar.gz....
No Match
Done
Rules tarball download of snortrules-snapshot-2972.tar.gz....
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
They Match
Done!
Prepping rules from community-rules.tar.gz for work....
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Prepping rules from snortrules-snapshot-2972.tar.gz for work....
Done!
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 69 rules
Done
Setting Flowbit State....
Enabled 75 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------82
Deleted:---15
Enabled Rules:----23989
Dropped Rules:----0
Disabled Rules:---20380
Total Rules:------44369
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table...done.
Restarting Barnyard2.
Restarting: SO-server-eth2
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth3
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth2
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]
Restarting: SO-server-eth3
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
Processing units: 24
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 20:09:20 up 12 min, 1 user, load average: 14.55, 10.68, 5.90
If load average is higher than processing units,
then tune until load average is lower than processing units.
Tasks: 350 total, 18 running, 332 sleeping, 0 stopped, 0 zombie
Cpu(s): 23.6%us, 11.5%sy, 0.7%ni, 60.6%id, 2.5%wa, 0.0%hi, 1.1%si, 0.0%st
Mem: 65965188k total, 42605188k used, 23360000k free, 59744k buffers
Swap: 36981308k total, 0k used, 36981308k free, 27868792k cached
%CPU %MEM COMMAND
132 2.1 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth2/suricata.yaml --pfring=eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2
99.5 0.4 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_2
97.7 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
97.7 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
97.5 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
97.3 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
96.0 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
64.6 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
57.2 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
41.1 0.4 /usr/sbin/mysqld
37.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
32.1 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
29.5 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.4 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
27.3 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
25.1 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
24.9 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
24.4 1.0 netsniff-ng -i eth2 -o /nsm/sensor_data/SO-server-eth2/dailylogs/2015-06-11/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth2/bpf-pcap.ops
17.7 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.4 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
17.3 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.8 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.7 0.8 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.6 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.6 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.6 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
15.6 0.8 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
13.1 0.1 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
10.0 7.4 /usr/bin/searchd --nodetach
9.4 0.0 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo -i 1 -U
9.3 0.0 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo -i 1 -U
6.1 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
3.9 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
3.8 1.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth3/suricata.yaml --pfring=eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3
3.7 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
2.8 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
2.8 0.0 /var/ossec/bin/ossec-syscheckd
1.4 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.8 0.1 delayed_job
0.6 0.0 /usr/bin/python /usr/bin/salt-master
0.5 0.0 /var/ossec/bin/ossec-analysisd
0.5 0.0 /usr/bin/python /usr/bin/salt-master
0.4 0.0 /opt/dell/srvadmin/sbin/dsm_sa_datamgrd
0.4 0.0 /usr/bin/python /usr/bin/salt-master
0.4 0.0 /sbin/init
0.4 0.0 /usr/bin/python /usr/bin/salt-master
0.4 0.0 /usr/bin/python /usr/bin/salt-master
0.3 0.0 /usr/bin/python /usr/bin/salt-master
0.3 0.1 /usr/sbin/apache2 -k start
0.3 0.0 /usr/bin/python /usr/bin/salt-minion
0.2 0.0 [kworker/0:2]
0.2 0.0 [kworker/0:1]
0.2 0.0 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.2 0.0 /usr/sbin/lightdm-gtk-greeter
0.1 0.0 [ksoftirqd/0]
0.1 0.0 [flush-8:16]
0.1 0.0 [xfsaild/sdb2]
0.1 0.0 -bash
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_snmpd
0.0 0.0 [kworker/0:3]
0.0 0.0 [kworker/u:0]
0.0 0.8 netsniff-ng -i eth3 -o /nsm/sensor_data/SO-server-eth3/dailylogs/2015-06-11/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 512 iB --interval 150 iB --mmap --filter /etc/nsm/SO-server-eth3/bpf-pcap.ops
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 [kworker/1:1]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 [kworker/1:2]
0.0 0.0 [migration/0]
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /opt/dell/srvadmin/sbin/dsm_sa_eventmgrd
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 [flush-8:0]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [kworker/1:0]
0.0 0.0 [xfsaild/sdb1]
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 sshd: SO-user
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 sshd: SO-user
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 [migration/14]
0.0 0.0 [migration/15]
0.0 0.0 [migration/5]
0.0 0.0 Passenger spawn server
0.0 0.0 [migration/19]
0.0 0.0 [migration/20]
0.0 0.0 [migration/21]
0.0 0.0 [migration/22]
0.0 0.0 [migration/23]
0.0 0.0 [migration/13]
0.0 0.0 [migration/16]
0.0 0.0 [migration/17]
0.0 0.0 [migration/18]
0.0 0.0 [migration/8]
0.0 0.0 [migration/12]
0.0 0.0 [migration/3]
0.0 0.0 [migration/4]
0.0 0.0 [migration/3]
0.0 0.0 [migration/6]
0.0 0.0 [migration/7]
0.0 0.0 [migration/1]
0.0 0.0 [migration/2]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 [kworker/15:1]
0.0 0.0 [migration/9]
0.0 0.0 [migration/10]
0.0 0.0 [migration/11]
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [xfsbufd/sdb2]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 [kworker/14:1]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 lightdm
0.0 0.0 [jbd2/sda8-8]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/2:2]
0.0 0.0 [watchdog/0]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 cron
0.0 0.0 [jbd2/sda5-8]
0.0 0.0 [jbd2/sda7-8]
0.0 0.0 [kworker/3:2]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/10:1]
0.0 0.0 [watchdog/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [watchdog/7]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [watchdog/7]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kthreadd]
0.0 0.0 [watchdog/1]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/2:0]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [kworker/3:0]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/4:0]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/5:0]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/6:0]
0.0 0.0 [watchdog/6]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/8:0]
0.0 0.0 [kworker/7:0]
0.0 0.0 [watchdog/8]
0.0 0.0 [kworker/9:0]
0.0 0.0 [kworker/9:0]
0.0 0.0 [watchdog/9]
0.0 0.0 [kworker/10:0]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [kworker/10:0]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [watchdog/10]
0.0 0.0 [kworker/11:0]
0.0 0.0 [watchdog/11]
0.0 0.0 [kworker/12:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [kworker/12:0]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [watchdog/12]
0.0 0.0 [kworker/13:0]
0.0 0.0 [watchdog/13]
0.0 0.0 [kworker/14:0]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/14:0]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [kworker/16:0]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [watchdog/17]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kworker/16:0]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [watchdog/16]
0.0 0.0 [kworker/17:0]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [watchdog/17]
0.0 0.0 [kworker/18:0]
0.0 0.0 [watchdog/18]
0.0 0.0 [kworker/19:0]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/19:0]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [watchdog/19]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/21:1]
0.0 0.0 [kworker/19:1]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/23:1]
0.0 0.0 [kworker/11:1]
0.0 0.0 [kworker/20:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [jbd2/sda12-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [kpsmoused]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [edac-poller]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kworker/5:2]
0.0 0.0 [kworker/9:2]
0.0 0.0 [kworker/7:2]
0.0 0.0 [kworker/9:2]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [xfs_mru_cache]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [xfslogd]
0.0 0.0 [xfsdatad]
0.0 0.0 [xfsconvertd]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda10-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda11-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 [xfsbufd/sdb1]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 [jbd2/sda9-8]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 atd
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/sbin/nullmailer-send -d
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-3 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-4 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort.stats
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort.stats
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort.stats
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.0 CRON
0.0 0.0 /bin/sh -c perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-user|lost+found|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth2: 47987154
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth3: 0
=========================================================================
464G ./2015-06-08
862G ./2015-06-09
908G ./2015-06-10
696G ./2015-06-11
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 10 days
5.1M .
68K ./2015-06-02
1.2M ./2015-06-03
996K ./2015-06-04
100K ./2015-06-05
148K ./2015-06-06
1.0M ./2015-06-07
136K ./2015-06-08
68K ./2015-06-09
96K ./2015-06-10
1.4M ./2015-06-11
/nsm/bro/logs/ - 20 days
53G .
1.8G ./2015-05-23
1.7G ./2015-05-24
1.8G ./2015-05-25
2.8G ./2015-05-26
2.7G ./2015-05-27
2.8G ./2015-05-28
2.9G ./2015-05-29
1.7G ./2015-05-30
1.9G ./2015-05-31
3.3G ./2015-06-01
3.6G ./2015-06-02
3.2G ./2015-06-03
3.3G ./2015-06-04
3.1G ./2015-06-05
1.5G ./2015-06-06
1.9G ./2015-06-07
3.4G ./2015-06-08
3.0G ./2015-06-09
3.3G ./2015-06-10
2.5G ./2015-06-11
1.3G ./stats
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth2-2: 1434053362.361671 recvd=5211556 dropped=0 link=5211556
SO-server-eth2-3: 1434053362.565654 recvd=1222582 dropped=0 link=1222582
SO-server-eth2-4: 1434053362.765671 recvd=1498672 dropped=0 link=1498672
SO-server-eth3-1: 1434053362.965641 recvd=0 dropped=0 link=0
SO-server-eth3-2: 1434053363.165670 recvd=0 dropped=0 link=0
SO-server-eth3-3: 1434053363.365680 recvd=0 dropped=0 link=0
SO-server-eth3-4: 1434053363.565644 recvd=0 dropped=0 link=0
=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth2/stats.log
tcp.ssn_memcap_drop | RxPFReth24 | 0
/nsm/sensor_data/SO-server-eth3/stats.log
tcp.ssn_memcap_drop | RxPFReth34 | 0
tcp.segment_memcap_drop | RxPFReth34 | 0
=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Standard (non DNA) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
Appl. Name : bro-eth2
Tot Packets : 5621275
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6422-eth3.5
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6423-eth2.2
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth2
Tot Packets : 1227185
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6424-eth2.3
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth2
Tot Packets : 5224811
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6425-eth3.6
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6426-eth2.8
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth2
Tot Packets : 1504437
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6427-eth3.7
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/6428-eth3.1
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
/proc/net/pf_ring/7490-eth2.9
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534
Appl. Name : Suricata
Tot Packets : 1152175
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65472
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7491-eth2.10
Appl. Name : Suricata
Tot Packets : 4977748
Tot Pkt Lost : 141057
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65472
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7492-eth2.11
Appl. Name : Suricata
Tot Packets : 5419736
Tot Pkt Lost : 200758
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65502
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7493-eth2.12
Appl. Name : Suricata
Tot Packets : 1443811
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65418
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7754-eth3.13
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7755-eth3.14
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7756-eth3.15
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
/proc/net/pf_ring/7758-eth3.16
Appl. Name : Suricata
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65538
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
7485
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
11518 1:2000419 ET POLICY PE EXE or DLL Windows file download
3453 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
2414 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2348 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
1727 1:2220006 SURICATA SMTP no server welcome message
1548 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
1335 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
972 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
598 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
434 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
365 1:2013298 ET POLICY Nessus Server SSL certificate detected
359 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
358 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
325 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
302 1:2015561 ET INFO PDF Using CCITTFax Filter
281 1:2001329 ET POLICY RDP connection request
261 1:2001219 ET SCAN Potential SSH Scan
257 1:2001330 ET POLICY RDP connection confirm
218 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
216 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
180 1:2013028 ET POLICY curl User-Agent Outbound
169 1:2021117 ET TROJAN Win32/Rallovs.A CnC Beacon
169 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
169 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
163 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
159 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
136 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
135 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
125 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
111 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
102 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
94 1:2402000 ET DROP Dshield Block Listed Source group 1
93 1:2008581 ET P2P BitTorrent DHT ping request
85 1:2014819 ET INFO Packed Executable Download
85 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
84 1:2210026 SURICATA STREAM ESTABLISHED SYN resend
72 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
70 1:2522456 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229
69 1:2012648 ET POLICY Dropbox Client Broadcasting
65 1:2221002 SURICATA HTTP request field missing colon
58 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
58 1:2014520 ET INFO EXE - Served Attached HTTP
53 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
53 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
52 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
48 1:2522778 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390
44 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
42 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
41 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
41 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
38 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
37 1:2522226 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114
34 1:2221013 SURICATA HTTP request header invalid
23 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
23 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
17 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
17 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
17 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
17 1:2011507 ET WEB_CLIENT PDF With Embedded File
17 1:2000418 ET POLICY Executable and linking format (ELF) file download
16 1:2018087 ET INFO Control Panel Applet File Download
14 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
13 1:2016847 ET INFO Possible Chrome Plugin install
12 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
11 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
11 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
11 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
11 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
10 1:2210004 SURICATA STREAM 3way handshake SYNACK resend with different ack
10 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
9 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
9 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
9 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
9 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
8 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
8 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
8 1:2002157 ET CHAT Skype User-Agent detected
8 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
8 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
7 1:2522380 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191
7 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
6 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
6 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2000032 ET NETBIOS LSA exploit
6 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
6 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
5 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
5 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
4 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
4 1:2001595 ET CHAT Skype VOIP Checking Version (Startup)
4 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
4 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
4 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
4 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
3 1:2013097 ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
3 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
3 1:2403304 ET CINS Active Threat Intelligence Poor Reputation IP group 5
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3 1:2010066 ET POLICY Data POST to an image file (gif)
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2403306 ET CINS Active Threat Intelligence Poor Reputation IP group 7
3 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
3 1:2000334 ET P2P BitTorrent peer sync
3 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
3 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
3 1:2001805 ET CHAT ICQ Message
2 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
2 1:2002926 ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port
2 1:2403327 ET CINS Active Threat Intelligence Poor Reputation IP group 28
2 1:2403320 ET CINS Active Threat Intelligence Poor Reputation IP group 21
2 1:30516 SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
2 1:2523058 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 530
2 1:2008986 ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
2 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
2 1:2019389 ET EXPLOIT Possible Postfix CVE-2014-6271 attempt
2 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
2 1:2014041716 TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2 1:2522726 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364
2 1:2500066 ET COMPROMISED Known Compromised or Hostile Host Traffic group 34
2 1:2009970 ET P2P eMule Kademlia Hello Request
1 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
1 1:2522446 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224
1 1:2520006 ET TOR Known Tor Exit Node Traffic group 4
1 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
1 1:23005 PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
1 1:2017015 ET POLICY DropBox User Content Access over SSL
1 1:2522938 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470
1 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
1 1:2014939 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
1 1:2018382 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)
1 1:2522162 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2014041715 TLSv1 large heartbeat response - possible ssl heartbleed attempt
1 1:2520056 ET TOR Known Tor Exit Node Traffic group 29
1 1:2014169 ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
1 1:2522402 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 202
1 1:2522932 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2522006 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 4
1 1:2014781 ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net
1 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
1 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
1 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2522058 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2012547 ET WEB_CLIENT Known Fraudulent SSL Certificate for Global Trustee
1 1:2520102 ET TOR Known Tor Exit Node Traffic group 52
1 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
1 1:2500042 ET COMPROMISED Known Compromised or Hostile Host Traffic group 22
1 1:2016680 ET WEB_SERVER WebShell Generic - net user
1 1:2016846 ET INFO Possible Firefox Plugin install
1 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
1 1:2008120 ET TFTP Outbound TFTP Read Request
1 1:2017639 ET INFO JAR Size Under 30K Size - Potentially Hostile
1 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1 1:2522468 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235
1 1:2011041 ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources
1 1:2520162 ET TOR Known Tor Exit Node Traffic group 82
1 1:2011581 ET POLICY Vulnerable Java Version 1.5.x Detected
1 1:2012810 ET POLICY HTTP Request to a *.tk domain
1 1:30515 SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2522102 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52
1 1:2011011 ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI
Total
32756
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1439057 1:2000419 ET POLICY PE EXE or DLL Windows file download
944555 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
908897 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
284381 1:2013298 ET POLICY Nessus Server SSL certificate detected
221349 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
185190 1:2015561 ET INFO PDF Using CCITTFax Filter
159148 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
146003 1:2008117 ET TFTP Outbound TFTP Data Transfer
119525 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
118547 1:2220006 SURICATA SMTP no server welcome message
116868 1:2200038 SURICATA UDP packet too small
115033 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
98010 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
96404 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
79418 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
78430 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
77895 1:2001329 ET POLICY RDP connection request
63882 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
45290 1:2001330 ET POLICY RDP connection confirm
43077 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
41998 1:2008517 ET EXPLOIT SQL sp_configure - configuration change
34400 1:2008453 ET SCAN Tomcat Auth Brute Force attempt (admin)
32096 1:2001219 ET SCAN Potential SSH Scan
25679 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
23119 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
20284 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
19412 1:2002157 ET CHAT Skype User-Agent detected
15866 1:2210004 SURICATA STREAM 3way handshake SYNACK resend with different ack
14347 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
13752 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
13236 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
12474 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
12413 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
12137 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
11436 1:2019232 ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
11281 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
10817 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
10384 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
10037 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
9038 1:2221002 SURICATA HTTP request field missing colon
8537 1:2013028 ET POLICY curl User-Agent Outbound
8469 1:2008581 ET P2P BitTorrent DHT ping request
7147 1:31978 OS-OTHER Bash CGI environment variable injection attempt
6362 1:2018087 ET INFO Control Panel Applet File Download
5934 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
5504 1:2019239 ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie
5374 1:2221013 SURICATA HTTP request header invalid
4713 1:2012648 ET POLICY Dropbox Client Broadcasting
4705 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4457 1:25358 APP-DETECT Acunetix web vulnerability scan attempt
Total
5882096
=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
11518 1:2000419 ET POLICY PE EXE or DLL Windows file download
3453 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
2414 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2348 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
1727 1:2220006 SURICATA SMTP no server welcome message
1548 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
1335 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
972 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
598 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
434 1:2008517 Snort Alert [1:2008517:2]
365 1:2013298 ET POLICY Nessus Server SSL certificate detected
359 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
358 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
325 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
302 1:2015561 ET INFO PDF Using CCITTFax Filter
281 1:2001329 ET POLICY RDP connection request
261 1:2001219 ET SCAN Potential SSH Scan
257 1:2001330 ET POLICY RDP connection confirm
218 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
216 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
180 1:2013028 ET POLICY curl User-Agent Outbound
169 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
169 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
169 1:2021117 ET TROJAN Win32/Rallovs.A CnC Beacon
163 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
159 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
136 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
135 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
125 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
111 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
102 1:2522760 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381
94 1:2402000 ET DROP Dshield Block Listed Source group 1
93 1:2008581 ET P2P BitTorrent DHT ping request
85 1:2014819 ET INFO Packed Executable Download
85 1:2210031 SURICATA STREAM FIN1 ack with wrong seq
84 1:2210026 SURICATA STREAM ESTABLISHED SYN resend
72 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
70 1:2522456 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229
69 1:2012648 ET POLICY Dropbox Client Broadcasting
65 1:2221002 SURICATA HTTP request field missing colon
58 1:2014520 ET INFO EXE - Served Attached HTTP
58 1:2522224 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
53 1:2018906 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
53 1:2018905 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
52 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
48 1:2522778 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390
44 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
42 1:2020630 ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)
41 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
41 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
38 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
37 1:2522226 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114
34 1:2221013 SURICATA HTTP request header invalid
23 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
23 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
17 1:2011507 ET WEB_CLIENT PDF With Embedded File
17 1:2000418 ET POLICY Executable and linking format (ELF) file download
17 1:2015686 ET POLICY Signed TLS Certificate with md5WithRSAEncryption
17 1:2013715 ET POLICY BingBar ToolBar User-Agent (BingBar)
17 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
16 1:2018087 ET INFO Control Panel Applet File Download
14 1:2011802 ET DNS DNS Lookup for localhost.DOMAIN.TLD
13 1:2016847 ET INFO Possible Chrome Plugin install
12 1:2012887 ET POLICY Http Client Body contains pass= in cleartext
11 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
11 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
11 1:2210022 SURICATA STREAM ESTABLISHED SYNACK resend
11 1:2014488 ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain
10 1:2210004 SURICATA STREAM 3way handshake SYNACK resend with different ack
10 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
9 1:2014635 ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
9 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
9 1:2013926 ET POLICY HTTP traffic on port 443 (POST)
9 1:2019617 ET POLICY Office Document Containing AutoOpen Macro Via smtp
8 1:2002157 ET CHAT Skype User-Agent detected
8 1:2003479 ET POLICY Radmin Remote Control Session Setup Initiate
8 1:7209 OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
8 1:2012171 ET INFO DYNAMIC_DNS Query to 3322.org Domain
8 1:2013172 ET DNS DNS Query for a Suspicious *.cu.cc domain
7 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request
7 1:2522380 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191
6 1:2020087 ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound
6 1:2210008 SURICATA STREAM 3way handshake SYN resend different seq on SYN recv
6 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
6 1:2016871 ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
6 1:2000032 ET NETBIOS LSA exploit
6 1:2016754 ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
5 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
5 1:2018076 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24
5 1:2000348 ET TROJAN IRC Channel JOIN on non-standard port
4 1:2001595 ET CHAT Skype VOIP Checking Version (Startup)
4 1:2018377 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)
4 1:2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
4 1:2018455 ET TROJAN DNS Reply Sinkhole - Anubis - X.X.X.X/26
4 1:2403315 ET CINS Active Threat Intelligence Poor Reputation IP group 16
4 1:2012709 ET POLICY MS Remote Desktop Administrator Login Request
3 1:2013097 ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
3 1:2000334 ET P2P BitTorrent peer sync
3 1:2001805 ET CHAT ICQ Message
3 1:2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
3 1:2010066 ET POLICY Data POST to an image file (gif)
3 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
3 1:2017321 ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7
3 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
3 1:2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
3 1:2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
3 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
2 1:2522726 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364
2 1:2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
2 1:2002926 ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port
2 1:2008986 Snort Alert [1:2008986:5]
2 1:2403304 ET CINS Active Threat Intelligence Poor Reputation IP group 5
2 1:2403327 ET CINS Active Threat Intelligence Poor Reputation IP group 28
2 1:2523058 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 530
2 1:2015743 ET INFO Revoked Adobe Code Signing Certificate Seen
2 1:2000340 ET P2P Kaaza Media desktop p2pnetworking.exe Activity
2 1:2500066 ET COMPROMISED Known Compromised or Hostile Host Traffic group 34
2 1:30516 SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2 1:2014041716 TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2 1:2403320 ET CINS Active Threat Intelligence Poor Reputation IP group 21
2 1:2019389 ET EXPLOIT Possible Postfix CVE-2014-6271 attempt
2 1:2403306 ET CINS Active Threat Intelligence Poor Reputation IP group 7
2 1:2009970 ET P2P eMule Kademlia Hello Request
1 1:2012547 ET WEB_CLIENT Known Fraudulent SSL Certificate for Global Trustee
1 1:2522468 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2001579 ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
1 1:2403306 ET CINS Active Threat Intelligence Poor Reputation IP group 7
1 1:2403304 ET CINS Active Threat Intelligence Poor Reputation IP group 5
1 1:30515 SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt
1 1:2014041715 TLSv1 large heartbeat response - possible ssl heartbleed attempt
1 1:2011041 ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources
1 1:2522446 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224
1 1:2013115 ET WEB_SERVER Muieblackcat scanner
1 1:2522266 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134
1 1:2522708 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355
1 1:2522548 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275
1 1:2520006 ET TOR Known Tor Exit Node Traffic group 4
1 1:2522006 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 4
1 1:2520102 ET TOR Known Tor Exit Node Traffic group 52
1 1:2522102 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52
1 1:2520056 ET TOR Known Tor Exit Node Traffic group 29
1 1:2522058 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30
1 1:2520162 ET TOR Known Tor Exit Node Traffic group 82
1 1:2522162 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82
1 1:2013409 ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware
1 1:2014781 ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net
1 1:2011409 ET DNS DNS Query for Suspicious .co.cc Domain
1 1:2014169 ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
1 1:2018193 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30
1 1:2017639 ET INFO JAR Size Under 30K Size - Potentially Hostile
1 1:2016846 ET INFO Possible Firefox Plugin install
1 1:2016680 ET WEB_SERVER WebShell Generic - net user
1 1:2500042 ET COMPROMISED Known Compromised or Hostile Host Traffic group 22
1 1:2011011 ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI
1 1:2522402 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 202
1 1:2403321 ET CINS Active Threat Intelligence Poor Reputation IP group 22
1 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
1 1:2017015 ET POLICY DropBox User Content Access over SSL
1 1:2014756 ET POLICY Logmein.com/Join.me SSL Remote Control Access
1 1:2522932 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467
1 1:2011581 ET POLICY Vulnerable Java Version 1.5.x Detected
1 1:2014605 ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin
1 1:2018430 ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)
1 1:2010516 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1 1:2014939 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
1 1:2522938 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470
1 1:23005 PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt
1 1:2018389 ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)
1 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
1 1:2016778 ET INFO DNS Query to a *.pw domain - Likely Hostile
1 1:2012810 ET POLICY HTTP Request to a *.tk domain
1 1:2012087 ET SHELLCODE Possible Call with No Offset UDP Shellcode
1 1:2018382 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)
1 1:19014 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ
1 1:2008120 ET TFTP Outbound TFTP Read Request
Total
32756
=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
184026 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
177134 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
153320 1:2000419 ET POLICY PE EXE or DLL Windows file download
147316 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
112205 1:2210043 SURICATA STREAM TIMEWAIT invalid ack
39907 1:2015561 ET INFO PDF Using CCITTFax Filter
21426 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
18988 1:28283 BLACKLIST DNS request for known malware domain chickenkiller.com
17253 1:2220006 SURICATA SMTP no server welcome message
14457 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
10248 1:2210003 SURICATA STREAM 3way handshake SYNACK in wrong direction
7284 1:2013298 ET POLICY Nessus Server SSL certificate detected
7256 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
6946 1:2008517 Snort Alert [1:2008517:2]
5965 1:2221002 SURICATA HTTP request field missing colon
5532 1:2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)
4579 1:2018485 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32
4260 1:2012758 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
4140 1:2001219 ET SCAN Potential SSH Scan
3831 1:2221013 SURICATA HTTP request header invalid
3439 1:2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
2816 1:2006402 ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
2779 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2629 1:2013028 ET POLICY curl User-Agent Outbound
2421 1:2210024 SURICATA STREAM ESTABLISHED SYNACK resend with different seq
2385 1:2001329 ET POLICY RDP connection request
2298 1:2018359 ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
2242 1:2001330 ET POLICY RDP connection confirm
2008 1:19013 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
1915 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
1835 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
1789 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
1749 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
1314 1:2210012 SURICATA STREAM 4way handshake SYNACK with wrong SYN
1290 1:2008581 ET P2P BitTorrent DHT ping request
975 1:2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
813 1:2018087 ET INFO Control Panel Applet File Download
762 1:2012648 ET POLICY Dropbox Client Broadcasting
714 1:2012889 ET POLICY Http Client Body contains pw= in cleartext
695 1:2018489 ET SCAN NMAP OS Detection Probe
621 1:2012079 ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2
610 1:2012692 ET POLICY Microsoft user-agent automated process response to automated request
605 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
547 1:2522778 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390
523 1:2012063 ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
430 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
430 1:2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
424 1:2010066 ET POLICY Data POST to an image file (gif)
420 1:2009475 ET POLICY TeamViewer Dyngate User-Agent
408 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
Total
999876
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
2372 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
2525 /usr/sbin/mysqld
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
2380 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
18142 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_2
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
5
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
6.3T /nsm/elsa/data
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
424M /var/lib/mysql/syslog
858M /var/lib/mysql/syslog_data
ELSA Index Date Range:
MIN(start) MAX(end)
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
Doug Burks
Jun 11, 2015, 4:45:34 PM6/11/15
to securit...@googlegroups.com
I just updated a test VM and am seeing this as well. My guess is it's
related to the new SSL packages Ubuntu just pushed.
Troubleshooting...
related to the new SSL packages Ubuntu just pushed.
Troubleshooting...
Jeff Nucciarone
Jun 11, 2015, 4:48:23 PM6/11/15
to securit...@googlegroups.com
in the interim should I boot to the previous OS release?
Doug Burks
Jun 11, 2015, 4:49:46 PM6/11/15
to securit...@googlegroups.com
It's not a kernel issue. It seems to be an issue with the SSL packages.
On Thu, Jun 11, 2015 at 4:48 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> in the interim should I boot to the previous OS release?
>
>
On Thu, Jun 11, 2015 at 4:48 PM, Jeff Nucciarone
<jeff.nu...@gmail.com> wrote:
> in the interim should I boot to the previous OS release?
>
>
Jeff Nucciarone
Jun 11, 2015, 4:54:35 PM6/11/15
to securit...@googlegroups.com
I'll go into a holding pattern until I hear back. Suricata appears to still be running so I can come back later to see what it's been recording. I'm guessing netsniff-ng is also still doing its job in the interim.
Doug Burks
Jun 11, 2015, 4:55:08 PM6/11/15
to securit...@googlegroups.com
Yes, Suricata and netsniff-ng should be running just fine.
On Thu, Jun 11, 2015 at 4:54 PM, Jeff Nucciarone
On Thu, Jun 11, 2015 at 4:54 PM, Jeff Nucciarone
Jeff Nucciarone
Jun 11, 2015, 5:03:18 PM6/11/15
to securit...@googlegroups.com
On Thursday, June 11, 2015 at 4:55:08 PM UTC-4, Doug Burks wrote:
> Yes, Suricata and netsniff-ng should be running just fine.
>
ELSA doesn't seem to be indexing anything. Is this because snort_agent is down for the count, or is something else broken? (I have no class=SNORT data in ELSA since the update time).
> Yes, Suricata and netsniff-ng should be running just fine.
>
Doug Burks
Jun 11, 2015, 6:32:19 PM6/11/15
to securit...@googlegroups.com
barnyard is most likely waiting for snort_agent to come up before
sending any Snort alerts.
sending any Snort alerts.
EricV
Jun 17, 2015, 3:49:27 PM6/17/15
to securit...@googlegroups.com
im on the same boat:
2015-06-17 19:48:43 pid(13642) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-17 19:48:43 pid(13642) Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-17 19:48:43 pid(13642) Closing socket.
2015-06-17 19:48:58 pid(13642) Sensor agent connect from 127.0.0.1:50935 sock15
2015-06-17 19:48:58 pid(13642) Validating sensor access: 127.0.0.1 :
2015-06-17 19:48:58 pid(13642) Valid sensor agent: 127.0.0.1
2015-06-17 19:48:58 pid(13642) Sensor Data Rcvd: VersionInfo {SGUIL-0.9.0 OPENSSL ENABLED}
2015-06-17 19:48:58 pid(13642) ERROR: handshake failed: sslv3 alert handshake failure
2015-06-17 19:48:58 pid(13642) Error from socket sock15: SSL channel "sock15": error: sslv3 alert handshake failure
2015-06-17 19:48:58 pid(13642) Closing socket.
any fix yet?
Doug Burks
Jun 17, 2015, 3:50:32 PM6/17/15
to securit...@googlegroups.com
Hi EricV,
Yes, please see:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html
Yes, please see:
http://blog.securityonion.net/2015/06/new-tcltls-package-resolves-openssl.html
Reply all
Reply to author
Forward
0 new messages