Re: [security-onion] Just installed my sensor/server SO - now how do I verify that it's working?


Matt Gregory
Mar 26, 2013, 10:47:23 AM
to securit...@googlegroups.com
Hi,
 
There are a couple of things you can verify:
 
1.  Run the command 'sudo service nsm status' on both your server and sensor and check for any nsm service failures.
 
2.  Make sure the traffic you expect to see is actually getting to your sensor's sniffing interface, whether via a tap, SPAN port, or locally-generated traffic.  You can do this by running tcpdump on your sensor against the sniffing interface, like so: tcpdump -nnt -i eth0 (replace eth0 with the name of your sniffing interface).
 
3.  When you replay PCAPs on your sensor, make sure you run them against an interface you configured SO to monitor during setup.
 
If this is unsuccessful, post the output of 'sudo sostat' (redacting sensitive info as necessary).
 
Matt
 
 
On Tue, Mar 26, 2013 at 1:17 AM, <offe...@gmail.com> wrote:
Hey all,

I have set up a VM Ubuntu with an installed SO so I could log on to the SO server using the Sguil client.

I have set up my server

I have set up my sensor to report back via ssh to the server

I do see both the server and sensor in my Sguil.

I have tried to load a honeypot dump file on the sensor and expected to see the entries in my Sguil client in my Ubuntu VM but no joy there..

Is there a "best practice" as to test that everything is working?

If I have already followed best practice in regards to testing (tcpreplay) any good suggestion for troubleshooting why it isn't working?

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.



Matt Gregory
Mar 27, 2013, 10:58:53 AM
to securit...@googlegroups.com
Hi Casper,
 
It looks like there might be a couple of issues at play.  Possibly a software installation error or skipping a step in the SO installation and setup procedure.  For that reason I recommend you start from scratch with reinstalling the operating system, SO repositories and packages, then re-running setup.
 
You should follow the instructions exactly at http://code.google.com/p/security-onion/wiki/Installation.  For the best results, follow the instructions under the heading "If you're going to be deploying Security Onion in production, follow these steps".
 
First install and setup your SO server, then install and setup your SO sensors.  During the sensor setup, you will be prompted to enter the IP for your SO server (which is why the server must be setup first) and to enter your server ssh login credentials once or twice (the sensor setup creates ssh connections from the sensor to the server so it can send back alerts and logs to the server).
 
You can run sosetup on the server and sensors over ssh, just use the -X flag (i.e., ssh -X username@ipaddress).  However, don't ssh to your server, then ssh from the server to the sensor to run setup on the sensor.  Theoretically it could work, but you're needlessly adding complexity to the process.  Instead, once your server is setup, disconnect your ssh connection then directly ssh into the sensor to run sosetup.
 
Let us know how it works out.
 
Matt

Matt Gregory
Apr 2, 2013, 7:08:12 PM
to securit...@googlegroups.com
Well, your sostat output shows all of your nsm services on your sensor as FAIL, so that's why you don't see the sensor when logging into your server from Sguil.  The question now is why everything failed.

> sudo apt-get install python-software-properties=0.82.7

Downgrading python-software-properties to version 0.82.7 was meant for only if you received errors installing the latest version, so you should skip this if you don't have any problems with it. 

> Gtk-Message: Failed to load module "canberra-gtk-module"

I don't think this error would have affected the setup process, but the line /usr/bin/sostat: line 23: /etc/nsm/securityonion.conf: No such file or directory in your sostat output indicates something did go wrong, even if it wasn't due to the Gtk error.  Check /var/log/nsm/sosetup.log for any evidence of errors.

How many processor cores does your sensor have?  It's recommended to only run as many Snort processes as you have cores, and only half as many Bro processes.  You can modify this setting if necessary by changing the IDS_LB_PROCS variable in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf.

With all that said, if sosetup.log shows no errors to indicate the problem, try running sudo service nsm restart, then sudo service nsm status to make sure everything is "OK", then log back into your server to see if the sensor has connected.  If that works, let it run for a little while then recheck the nsm status.

If that doesn't work, try re-running sosetup.  Finally you may have to reinstall the OS and Security Onion packages, but let's hold off on that.

Matt


On Tue, Apr 2, 2013 at 7:29 AM, <offe...@gmail.com> wrote:
On Thursday, March 28, 2013 12:55:05 AM UTC+1, offe...@gmail.com wrote:
> On Wednesday, March 27, 2013 3:58:53 PM UTC+1, Matt wrote:
> > Hi Casper,
> >
> > It looks like there might be a couple of issues at play.  Possibly a software installation error or skipping a step in the SO installation and setup procedure.  For that reason I recommend you start from scratch with reinstalling the operating system, SO repositories and packages, then re-running setup.
> >
> > You should follow the instructions exactly at http://code.google.com/p/security-onion/wiki/Installation.  For the best results, follow the instructions under the heading "If you're going to be deploying Security Onion in production, follow these steps".
> >
> > First install and setup your SO server, then install and setup your SO sensors.  During the sensor setup, you will be prompted to enter the IP for your SO server (which is why the server must be setup first) and to enter your server ssh login credentials once or twice (the sensor setup creates ssh connections from the sensor to the server so it can send back alerts and logs to the server).
> >
> > You can run sosetup on the server and sensors over ssh, just use the -X flag (i.e., ssh -X user...@ipaddress).  However, don't ssh to your server, then ssh from the server to the sensor to run setup on the sensor.  Theoretically it could work, but you're needlessly adding complexity to the process.  Instead, once your server is setup, disconnect your ssh connection then directly ssh into the sensor to run sosetup.
> >
> > Let us know how it works out.
> >
> > Matt
>
> Hi Matt,
>
> That is exactly what I thought and have done... but just to be safe I will do it all over again with your instruction close to heart :)
>
> I will give it a go one of these days only reinstalling the SO.. if that doesn't work I will reinstall the Ubuntu server and the SO which will be done sometime next week..
>
> Thanks for your suggestions

So here is what I did Matt - I REALLY hope you know what's going on

installed ubuntu
Raid 1 - 2 gig boot partition
Raid 5 - 8TB root partition
2 gig swap partition on all discs
1Mb Grub partition on all discs

After install I ran these commands

ssh -X sup...@10.10.10.102
Login

sudo apt-get update && sudo apt-get dist-upgrade
Reboot

I didn't see if I got prompted about the PF_ring/kernel so I ran the update commands again just to be safe
It returned 0 upgraded 0 newly installed 0 removed 0 noupgrade so I assume I didn't install both at the same time

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
I didn't get the .Xauthority file error so didn't do that other command in step 12

sudo apt-get -y install python-software-properties

sudo add-apt-repository -y ppa:securityonion/stable

sudo apt-get install python-software-properties=0.82.7

sudo apt-get update

sudo apt-get -y install securityonion-all

sudo sosetup
ETH01
IP 10.10.10.20/24
Gateway 10.10.10.1
DNS 10.10.10.12 10.10.10.13
Monitoring ETH0

Reboot

ssh -X sup...@10.10.10.20
yes to fingerprint
login
sudo sosetup
in the GUI I chose

Sensor
server ip 10.10.10.19
ssh username support
monitored port eth0
IDS engine processes 2
Bro Processes 2
Yes enable Elsa
Yes, update ELSA server
Yes proceed with the changes

The installation begins and when it reaches "Please wait while craeting Sguil sensor(s)" it reaches halfway then the terminal says:

Gtk-Message: Failed to load module "canberra-gtk-module"

followed by:

The program 'xfce4-terminal' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadValue (integer parameter out of range for operation)'.
  (Details: serial 180 error_code 2 request_code 130 minor_code 3)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
The authenticity of host '10.10.10.19 (10.10.10.19)' can't be established.
ECDSA key fingerprint is c7:d4:0c:78:1e:67:23:b7:dd:97:5d:a0:01:0e:a6:d7.
Are you sure you want to continue connecting (yes/no)?

I type yes and then the terminal asks for the password. I provide the password but it keeps prompting for it. I have tried both the password for support and the SGUIL one and none worked.

I am at a loss what to do???

!!!!!!!!!!!!!!!!!!!!!  SOSTAT OUTPUT  !!!!!!!!!!!!!!!!!!!!!!!!!!

support@ITG-IDS-Sensor01:~$ sudo sostat
/usr/bin/sostat: line 23: /etc/nsm/securityonion.conf: No such file or directory
=========================================================================
Service Status
=========================================================================
Status: HIDS
  * ossec_agent (sguil)[ FAIL ]
Status: Bro
Name       Type       Host       Status        Pid    Peers  Started
manager    manager    10.10.10.20 stopped
proxy      proxy      10.10.10.20 stopped
ITG-IDS-Sensor01-eth0-1 worker     10.10.10.20 stopped
ITG-IDS-Sensor01-eth0-2 worker     10.10.10.20 stopped
Status: ITG-IDS-Sensor01-eth0
  * netsniff-ng (full packet data)[ FAIL ]
  * pcap_agent (sguil)[ FAIL ]
grep: /etc/nsm/securityonion.conf: No such file or directory
  * snort_agent-1 (sguil)[ FAIL ]
  * snort_agent-2 (sguil)[ FAIL ]
grep: /etc/nsm/securityonion.conf: No such file or directory
  * snort-1 (alert data)[ FAIL ]
  * snort-2 (alert data)[ FAIL ]
grep: /etc/nsm/securityonion.conf: No such file or directory
  * barnyard2-1 (spooler, unified2 format)[ FAIL ]
  * barnyard2-2 (spooler, unified2 format)[ FAIL ]
  * prads (sessions/assets)[ FAIL ]
  * sancp_agent (sguil)[ FAIL ]
  * pads_agent (sguil)[ FAIL ]
  * argus[ FAIL ]
  * http_agent (sguil)[ FAIL ]

=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr 88:51:fb:28:55:88
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:8133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1811015 (1.8 MB)  TX bytes:527 (527.0 B)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 88:51:fb:28:55:89
          inet addr:10.10.10.20  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::8a51:fbff:fe28:5589/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10344331 (10.3 MB)  TX bytes:1732415 (1.7 MB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5954 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5954 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2047935 (2.0 MB)  TX bytes:2047935 (2.0 MB)


=========================================================================
Disk Usage
=========================================================================
Filesystem              Size  Used Avail Use% Mounted on
/dev/md1                8.2T  3.0G  7.7T   1% /
udev                    971M  4.0K  971M   1% /dev
tmpfs                   393M  352K  393M   1% /run
none                    5.0M     0  5.0M   0% /run/lock
none                    982M  4.0K  982M   1% /run/shm
/dev/md0                1.9G   92M  1.7G   6% /boot
/home/support/.Private  8.2T  3.0G  7.7T   1% /home/support

=========================================================================
Network Sockets
=========================================================================
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       926     root    3u  IPv4  11335      0t0  TCP *:22 (LISTEN)
sshd       926     root    4u  IPv6  11337      0t0  TCP *:22 (LISTEN)
mysqld    1125    mysql   10u  IPv4  11488      0t0  TCP 127.0.0.1:3306 (LISTEN)
/usr/sbin 1798     root    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1798     root    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1798     root    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
/usr/sbin 1846 www-data    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1846 www-data    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1846 www-data    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
/usr/sbin 1847 www-data    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1847 www-data    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1847 www-data    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
/usr/sbin 1848 www-data    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1848 www-data    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1848 www-data    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
/usr/sbin 1849 www-data    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1849 www-data    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1849 www-data    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
/usr/sbin 1850 www-data    4u  IPv4  13157      0t0  TCP *:443 (LISTEN)
/usr/sbin 1850 www-data    5u  IPv4  13160      0t0  TCP *:9876 (LISTEN)
/usr/sbin 1850 www-data    6u  IPv4  13162      0t0  TCP *:444 (LISTEN)
ntpd      1995      ntp   16u  IPv4  10837      0t0  UDP *:123
ntpd      1995      ntp   17u  IPv6  10838      0t0  UDP *:123
ntpd      1995      ntp   18u  IPv4  10844      0t0  UDP 127.0.0.1:123
ntpd      1995      ntp   19u  IPv4  10845      0t0  UDP 10.10.10.20:123
ntpd      1995      ntp   20u  IPv6  10846      0t0  UDP [fe80::8a51:fbff:fe28:5589]:123
ntpd      1995      ntp   21u  IPv6  10847      0t0  UDP [::1]:123
sshd      2027     root    3u  IPv4  13336      0t0  TCP 10.10.10.20:22->10.10.10.108:57769 (ESTABLISHED)
sshd      2224  support    3u  IPv4  13336      0t0  TCP 10.10.10.20:22->10.10.10.108:57769 (ESTABLISHED)
sshd      2224  support    8u  IPv6  13562      0t0  TCP [::1]:6010 (LISTEN)
sshd      2224  support    9u  IPv4  13563      0t0  TCP 127.0.0.1:6010 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================
tail: cannot open `/var/log/nsm/pulledpork.log' for reading: No such file or directory

=========================================================================
CPU Usage
=========================================================================
top - 11:22:50 up 9 min,  1 user,  load average: 0.09, 0.17, 0.13
Tasks: 122 total,   1 running, 121 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  0.3%sy,  0.0%ni, 96.9%id,  2.1%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2009320k total,   455720k used,  1553600k free,    26128k buffers
Swap:  7809008k total,        0k used,  7809008k free,   242880k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      20   0 24464 2412 1384 S    0  0.1   0:00.48 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S    0  0.0   0:00.04 ksoftirqd/0
    4 root      20   0     0    0    0 S    0  0.0   0:00.21 kworker/0:0
    6 root      RT   0     0    0    0 S    0  0.0   0:00.65 migration/0
    7 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/0
    8 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/1
   10 root      20   0     0    0    0 S    0  0.0   0:00.02 ksoftirqd/1
   11 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/1
   12 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/2
   14 root      20   0     0    0    0 S    0  0.0   0:00.02 ksoftirqd/2
   15 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/2
   16 root      RT   0     0    0    0 S    0  0.0   0:00.22 migration/3
   18 root      20   0     0    0    0 S    0  0.0   0:00.01 ksoftirqd/3
   19 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/3
   20 root       0 -20     0    0    0 S    0  0.0   0:00.00 cpuset
   21 root       0 -20     0    0    0 S    0  0.0   0:00.00 khelper
   22 root      20   0     0    0    0 S    0  0.0   0:00.00 kdevtmpfs
   23 root       0 -20     0    0    0 S    0  0.0   0:00.00 netns
   25 root      20   0     0    0    0 S    0  0.0   0:00.00 sync_supers
   26 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default
   27 root       0 -20     0    0    0 S    0  0.0   0:00.00 kintegrityd
   28 root       0 -20     0    0    0 S    0  0.0   0:00.00 kblockd
   29 root       0 -20     0    0    0 S    0  0.0   0:00.00 ata_sff
   30 root      20   0     0    0    0 S    0  0.0   0:00.00 khubd
   31 root       0 -20     0    0    0 S    0  0.0   0:00.00 md
   34 root      20   0     0    0    0 S    0  0.0   0:00.00 khungtaskd
   35 root      20   0     0    0    0 S    0  0.0   0:00.00 kswapd0
   36 root      25   5     0    0    0 S    0  0.0   0:00.00 ksmd
   37 root      39  19     0    0    0 S    0  0.0   0:00.00 khugepaged
   38 root      20   0     0    0    0 S    0  0.0   0:00.00 fsnotify_mark
   39 root      20   0     0    0    0 S    0  0.0   0:00.00 ecryptfs-kthrea
   40 root       0 -20     0    0    0 S    0  0.0   0:00.00 crypto
   49 root       0 -20     0    0    0 S    0  0.0   0:00.00 kthrotld
   50 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_0
   51 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_1
   53 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/u:3
   54 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_2
   55 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_3
   56 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/u:4
   58 root       0 -20     0    0    0 S    0  0.0   0:00.00 binder
   77 root       0 -20     0    0    0 S    0  0.0   0:00.00 deferwq
   78 root       0 -20     0    0    0 S    0  0.0   0:00.00 charger_manager
   79 root       0 -20     0    0    0 S    0  0.0   0:00.00 devfreq_wq
   80 root      20   0     0    0    0 S    0  0.0   0:00.01 kworker/2:1
   81 root      20   0     0    0    0 S    0  0.0   0:00.05 kworker/3:1
   82 root      20   0     0    0    0 S    0  0.0   0:00.04 kworker/1:1
  135 root      20   0     0    0    0 S    0  0.0   0:00.02 kworker/2:2
  172 root      20   0     0    0    0 S    0  0.0   0:00.09 kworker/3:2
  275 root      20   0     0    0    0 S    0  0.0   0:00.04 kworker/1:2
  284 root      20   0     0    0    0 S    0  0.0   0:00.12 kworker/0:3
  287 root      20   0     0    0    0 S    0  0.0   0:00.00 md0_raid1
  291 root      20   0     0    0    0 S    0  0.0   0:00.92 md1_raid5
  363 root      20   0     0    0    0 S    0  0.0   0:00.01 jbd2/md1-8
  364 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  447 root      20   0     0    0    0 S    0  0.0   0:00.10 ext4lazyinit
  468 root      20   0 17496  904  532 S    0  0.0   0:00.04 upstart-udev-br
  474 root      20   0     0    0    0 S    0  0.0   0:00.00 jbd2/md0-8
  475 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  476 root      20   0 21920 1728  804 S    0  0.1   0:00.04 udevd
  580 root      20   0 21860 1180  380 S    0  0.1   0:00.00 udevd
  581 root      20   0 21860 1120  320 S    0  0.1   0:00.00 udevd
  695 root       0 -20     0    0    0 S    0  0.0   0:00.00 kvm-irqfd-clean
  702 root       0 -20     0    0    0 S    0  0.0   0:00.00 kpsmoused
  732 messageb  20   0 23816  944  644 S    0  0.0   0:00.00 dbus-daemon
  758 root      20   0 15188  396  200 S    0  0.0   0:00.00 upstart-socket-
  926 root      20   0 49956 2828 2220 S    0  0.1   0:00.00 sshd
 1042 root      20   0     0    0    0 S    0  0.0   0:00.01 flush-9:1
 1077 root      20   0 15784  960  800 S    0  0.0   0:00.00 getty
 1084 root      20   0 15784  960  800 S    0  0.0   0:00.00 getty
 1098 root      20   0 15784  960  800 S    0  0.0   0:00.00 getty
 1099 root      20   0 15784  964  800 S    0  0.0   0:00.00 getty
 1102 root      20   0 15784  964  800 S    0  0.0   0:00.00 getty
 1119 root      20   0  4328  684  560 S    0  0.0   0:00.00 acpid
 1121 root      20   0 19112 1020  780 S    0  0.1   0:00.00 cron
 1122 daemon    20   0 16908  376  216 S    0  0.0   0:00.00 atd
 1124 root      20   0 15980  724  540 S    0  0.0   0:00.04 irqbalance
 1125 mysql     20   0  472m  41m 6980 S    0  2.1   0:00.13 mysqld
 1151 root      20   0 26780  436  200 S    0  0.0   0:00.00 syslog-ng
 1152 root      20   0 84712 3764 2776 S    0  0.2   0:00.02 syslog-ng
 1154 root       0 -20     0    0    0 S    0  0.0   0:00.00 kdmflush
 1169 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd_io
 1170 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd
 1183 whoopsie  20   0  195m 5092 3752 S    0  0.3   0:00.00 whoopsie
 1301 root       0 -20     0    0    0 S    0  0.0   0:00.00 kdmflush
 1303 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd_io
 1304 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd
 1355 root       0 -20     0    0    0 S    0  0.0   0:00.00 kdmflush
 1357 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd_io
 1358 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd
 1585 root       0 -20     0    0    0 S    0  0.0   0:00.00 kdmflush
 1586 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd_io
 1587 root       0 -20     0    0    0 S    0  0.0   0:00.00 kcryptd
 1733 root      20   0 13372  552  392 S    0  0.0   0:00.00 mdadm
 1798 root      20   0  176m  12m 6540 S    0  0.6   0:00.05 /usr/sbin/apach
 1811 root      20   0  215m 2064 1768 S    0  0.1   0:00.00 PassengerWatchd
 1814 root      20   0  288m 2292 1996 S    0  0.1   0:00.00 PassengerHelper
 1816 root      20   0  108m 8196 2164 S    0  0.4   0:00.03 ruby1.9.1
 1819 nobody    20   0  165m 4684 3656 S    0  0.2   0:00.00 PassengerLoggin
 1843 root      20   0 15784  964  800 S    0  0.0   0:00.00 getty
 1846 www-data  20   0  176m 6856  660 S    0  0.3   0:00.00 /usr/sbin/apach
 1847 www-data  20   0  176m 6856  660 S    0  0.3   0:00.00 /usr/sbin/apach
 1848 www-data  20   0  176m 6856  660 S    0  0.3   0:00.00 /usr/sbin/apach
 1849 www-data  20   0  176m 6856  660 S    0  0.3   0:00.00 /usr/sbin/apach
 1850 www-data  20   0  176m 6856  660 S    0  0.3   0:00.00 /usr/sbin/apach
 1995 ntp       20   0 37696 2208 1576 S    0  0.1   0:00.02 ntpd
 2027 root      20   0 95560 4064 3060 S    0  0.2   0:00.01 sshd
 2224 support   20   0 95840 2176 1144 S    0  0.1   0:00.28 sshd
 2225 support   20   0 26500 7720 1708 S    0  0.4   0:00.23 bash
 2339 root      20   0     0    0    0 S    0  0.0   0:00.00 flush-ecryptfs-
 2852 root      20   0 12804  532  348 S    0  0.0   0:00.00 ossec-execd
 2856 ossec     20   0 14508 2324  768 S    0  0.1   0:00.33 ossec-analysisd
 2860 root      20   0  4528  572  428 S    0  0.0   0:00.00 ossec-logcollec
 2871 root      20   0  5056 1012  488 S    0  0.1   0:00.57 ossec-syscheckd
 2875 ossec     20   0 13060  544  364 S    0  0.0   0:00.00 ossec-monitord
 3193 root      20   0     0    0    0 S    0  0.0   0:00.07 kworker/0:1
 3818 root      20   0  4400  612  512 S    0  0.0   0:00.00 sh
 3821 root      20   0  4400  320  220 S    0  0.0   0:00.00 sh
 3826 root      20   0  7160  356  276 S    0  0.0   0:00.00 sleep
 3828 root      20   0 65380 2292 1728 S    0  0.1   0:00.00 sudo
 3829 root      20   0 12360 1536 1304 S    0  0.1   0:00.00 sostat
 3913 root      20   0 17336 1244  916 R    0  0.1   0:00.00 top


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/dailylogs/
4.0K    .

/nsm/bro/logs/
4.0K    .

=========================================================================
IDS Engine () packet drops
=========================================================================
grep: /nsm/sensor_data/*/snort-*.stats: No such file or directory
ERROR: No stats found in /nsm/sensor_data/*/snort-*.stats

=========================================================================
pf_ring stats
=========================================================================

Went to my Sguil client and logged on the server. I don't see the sensor...

HELP!!!! :)

Matt Gregory
Apr 3, 2013, 7:06:53 AM
to securit...@googlegroups.com
> I'm really glad you are helping me on this... I'm lost and my boss is breathing down my neck atm..
 
My pleasure; hopefully we'll get it worked out!
 
> Is it best practice here to post answers above or below the original mail?
It doesn't really matter, but many folks just quote the pertinent parts of the post they are replying to and delete the rest...it makes it easier to follow.
 
> Now to what you suggest. This has worked before... I know it.. So from what you say I think I will start by reinstalling my sensor from scratch and do the whole install over WITHOUT the:
>
> sudo apt-get install python-software-properties=0.82.7
>
> and see if that solves it. I think it's something in my installation process that I'm doing wrong cause it has worked before..
Just be sure to follow the installation and setup instructions precisely.  Problems getting the stable repo installed and setup are often tied back to something going wrong during the installation process - I usually refer back to the installation instructions step-by-step every time just to be sure I don't miss anything, and I've done a number of installations.
 
Matt

Matt Gregory
Apr 3, 2013, 6:41:22 PM
to securit...@googlegroups.com
> the installation crashed again at the same spot.

What installation process crashed?  Ubuntu? Security Onion packages?  The Security Onion setup (which isn't actually an installation)?

Can you please specify what you mean by "the same spot"?  Are you referring to the Gtk error message?

> I used the ISO provided by this website

Did you install the operating system to disk or just run sosetup off the live CD?  It's recommended that you boot the live CD to the Xubuntu desktop, then install it to disk from the icon on the desktop.  There were some earlier problems reported with installing Xubuntu from the live CD boot menu option; I don't know if those are still present but you're probably safer to fully boot the live CD then install Xubuntu.

> Status: HIDS
>   * ossec_agent (sguil)[ FAIL ]

Since this is the only service shown in the Service Status section of your sostat output, it still looks like the installation of the securityonion-all packages didn't complete.  There should be a Bro proxy and manager status, as well as about 10 other services, such as Snort, barnyard2, prads, etc.

> /usr/bin/sostat: line 23: /etc/nsm/securityonion.conf: No such file or directory

> tail: cannot open `/var/log/nsm/pulledpork.log' for reading: No such file or directory

These lines also suggest there was a problem with the securityonion-all packages installing.

Matt

Doug Burks
Apr 4, 2013, 7:06:09 AM
to securit...@googlegroups.com
It's possible...I've never tested with home folder encryption. Please
try without encryption and let us know whether or not that helps.

Thanks,
Doug

On Thu, Apr 4, 2013 at 6:54 AM, <offe...@gmail.com> wrote:
> Hi Matt,
>
> more spam... i have chosen to encrypt home folder on both server and sensor.. could that be the problem?
>



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks
Apr 4, 2013, 8:50:05 AM
to securit...@googlegroups.com
I don't think python is causing your issue, but I did update the
Installation guide to make it more readily apparent that downgrading
Python should only be done if an error occurred in the previous step:

https://code.google.com/p/security-onion/wiki/Installation now says:

If you got a ValueError when running the previous command, please see
the following note from jonh; otherwise, continue to the next step.
"when I did the add-apt-repository -y ppa:securityonion/stable command
it gave a bunch of lines of errors with the final line
being ValueError: cannot convert float NaN to integer. This appears to
be a known bug: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1063350.
The reported workaround of downgrading python-software-properties got
me past that error."

# Only run this if you got a ValueError in the previous step!
sudo apt-get install python-software-properties=0.82.7

Doug

On Thu, Apr 4, 2013 at 8:38 AM, <offe...@gmail.com> wrote:
> Hi Matt,
>
> More information... if its not too much?
>
> I have tried to install a sensor in a VM on my machine using Vbox.
>
> It too does the same thing... going through a 5th time what you wrote I'm thinking could this be because my server is installed with the downgraded python? I think I reinstalled my server before you so kindly made me aware that I should skip that step??
>
> Casper
>



Doug Burks
Apr 4, 2013, 8:51:07 AM
to securit...@googlegroups.com
Home folder encryption would only encrypt the home folder and so it
would not protect the pcaps and other data stored in /nsm.

Doug

On Thu, Apr 4, 2013 at 8:42 AM, <offe...@gmail.com> wrote:
> Hi Doug
>
> Sorry didn't see you reply due to some google chrome failing on me... or me failing on chrome.. anyways based on your answer i have chosen to start over.
>
> Installing the server without python downgrade and no home folder encryption
>
> Installing the sensor without python downgrade and no home folder encryption
>
> A quick question..
>
> I would really want my sensor to have its partition encrypted in the same way as Windows BitLocker.. I want to secure them in case they were stolen.. I thought one step to this was to encrypt the home folder. If it shows this is an issue.. any suggestion how to do it?
>
> Casper
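A check for the point Doug makes above, added here as an example and not code from the thread or from Security Onion: it reports whether a given path is covered by an ecryptfs mount (what Ubuntu's "encrypt home folder" option gives you), by a dm-crypt/LUKS mapping somewhere in its block-device stack, or by nothing at all. The /proc/mounts and `lsblk -P` formats are real; the sample layout is constructed from the sostat output later in this thread (ecryptfs on /home/support, / on /dev/md1, /boot on /dev/md0), and the LUKS variant with a mapping named nsm_crypt over a third md array is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Report how a path is protected at rest. Ubuntu's "encrypt home folder"
# option is an ecryptfs mount over /home/<user> only; /nsm on /dev/md1 is
# untouched by it. The functions take text in the format of /proc/mounts
# and of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` so they can run on the
# constructed samples below; live_report() feeds them the real output.

# Constructed sample modelled on the sostat output in this thread:
# ecryptfs home, / and /boot on md RAID, /nsm living on the root filesystem.
SAMPLE_MOUNTS='/dev/md1 / ext4 rw,relatime 0 0
/dev/md0 /boot ext4 rw,relatime 0 0
/home/support/.Private /home/support ecryptfs rw,ecryptfs_sig=0123456789abcdef 0 0'
SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="md0" TYPE="raid1" PKNAME="sda1" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="md1" TYPE="raid5" PKNAME="sda2" MOUNTPOINT="/"'
# Hypothetical layout: /nsm on a LUKS (dm-crypt) mapping over a third md array.
SAMPLE_MOUNTS_LUKS="$SAMPLE_MOUNTS"'
/dev/mapper/nsm_crypt /nsm ext4 rw,relatime 0 0'
SAMPLE_LSBLK_LUKS="$SAMPLE_LSBLK"'
NAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="md2" TYPE="raid5" PKNAME="sda3" MOUNTPOINT=""
NAME="nsm_crypt" TYPE="crypt" PKNAME="md2" MOUNTPOINT="/nsm"'

# mount_for PATH MOUNTS -> "mountpoint source fstype" of the longest
# mount-point prefix of PATH (the same answer `findmnt -T PATH` gives).
mount_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; src = $1; fs = $3 }
            }
        }
        END { if (best != "") print best, src, fs }'
}

# protection PATH MOUNTS LSBLK -> ecryptfs | dm-crypt | cleartext | unknown
# ecryptfs is decided by the covering mount; dm-crypt by walking the block
# device stack upwards from the mounted device (crypt may sit under LVM).
protection() {
    m=$(mount_for "$1" "$2")
    [ -n "$m" ] || { echo unknown; return 1; }
    src=$(echo "$m" | cut -d' ' -f2)
    fs=$(echo "$m" | cut -d' ' -f3)
    if [ "$fs" = ecryptfs ]; then echo ecryptfs; return 0; fi
    dev=${src#/dev/}; dev=${dev#mapper/}      # /dev/mapper/x -> x, /dev/md1 -> md1
    printf '%s\n' "$3" | awk -v start="$dev" '
        {
            for (i = 1; i <= NF; i++) {       # parse KEY="value" pairs
                split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2]
            }
            type[f["NAME"]] = f["TYPE"]
            if (!(f["NAME"] in parent)) parent[f["NAME"]] = f["PKNAME"]
        }
        END {
            if (!(start in type)) { print "unknown"; exit 1 }
            for (d = start; d != "" && n++ < 32; d = parent[d])
                if (type[d] == "crypt") { print "dm-crypt"; exit }
            print "cleartext"
        }'
}

# live_report PATH: run against this host (lsblk is in util-linux).
live_report() {
    protection "$1" "$(cat /proc/mounts)" "$(lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT)"
}

if [ $# -gt 0 ]; then
    for p; do printf '%s: %s\n' "$p" "$(live_report "$p")"; done
fi
```

Run it as `sh storage_check.sh /nsm /home/support` on a sensor to get one verdict per path. On the layout in this thread /home/support reports ecryptfs and /nsm reports cleartext, which is exactly why the home-folder option buys nothing for the pcaps; only a dm-crypt layer under /nsm (or under the whole root filesystem) would change that verdict.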

Doug Burks

Apr 5, 2013, 8:59:09 AM4/5/13
to securit...@googlegroups.com
On Fri, Apr 5, 2013 at 8:52 AM, <offe...@gmail.com> wrote:
> Hi Doug and Matt,
>
> Ok, it looks like NOT downgrading python (step 15 in the installation guide) and NOT installing Ubuntu server with encrypted home folder did the trick..
>
> To others who may experience this in the future: I currently don't know if my problem was solved by both solutions OR one of them.

I'm 99% sure it was the encrypted home folder.

> And sadly i seriously don't have time right now to test... sorry..
>
> My SOstat output now looks like this.. is this a healthy sensor?
>
> support@ITG-IDS-Sensor01:~$ sudo sostat
> [sudo] password for support:
> =========================================================================
> Service Status
> =========================================================================
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> waiting for lock ..... ok
> Name                    Type     Host        Status   Pid   Peers  Started
> manager                 manager  10.10.10.20 running  7628  4      05 Apr 10:45:17
> proxy                   proxy    10.10.10.20 running  7775  4      05 Apr 10:45:20
> ITG-IDS-Sensor01-eth0-1 worker   10.10.10.20 running  7849  2      05 Apr 10:45:22
> ITG-IDS-Sensor01-eth0-2 worker   10.10.10.20 running  7850  2      05 Apr 10:45:22
> ITG-IDS-Sensor01-eth0-3 worker   10.10.10.20 running  7851  2      05 Apr 10:45:22
> Status: ITG-IDS-Sensor01-eth0
> * netsniff-ng (full packet data)[ FAIL ]
> * pcap_agent (sguil)[ FAIL ]

netsniff-ng and pcap_agent are failed. Please try the following:
sudo nsm_sensor_ps-restart

> * snort_agent-1 (sguil)[ OK ]
> * snort_agent-2 (sguil)[ OK ]
> * snort_agent-3 (sguil)[ OK ]
> * snort-1 (alert data)[ OK ]
> * snort-2 (alert data)[ OK ]
> * snort-3 (alert data)[ OK ]
> * barnyard2-1 (spooler, unified2 format)[ OK ]
> * barnyard2-2 (spooler, unified2 format)[ OK ]
> * barnyard2-3 (spooler, unified2 format)[ OK ]
> * prads (sessions/assets)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0      Link encap:Ethernet  HWaddr 88:51:fb:28:55:88
>           UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>           Interrupt:16

Looks like you're not seeing any traffic on eth0 yet. Is that what
you're expecting?


> eth1      Link encap:Ethernet  HWaddr 88:51:fb:28:55:89
>           inet addr:10.10.10.20  Bcast:10.10.10.255  Mask:255.255.255.0
>           inet6 addr: fe80::8a51:fbff:fe28:5589/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:108317 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:85197 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:25647006 (25.6 MB)  TX bytes:17180920 (17.1 MB)
>           Interrupt:17
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:162465 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:162465 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:19926415 (19.9 MB)  TX bytes:19926415 (19.9 MB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem  Size  Used  Avail Use% Mounted on
> /dev/md1    8.2T  2.7G  7.8T    1% /
> udev        972M  4.0K  972M    1% /dev
> tmpfs       393M  400K  393M    1% /run
> none        5.0M     0  5.0M    0% /run/lock
> none        982M     0  982M    0% /run/shm
> /dev/md0    1.9G   62M  1.7G    4% /boot
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 935 root 3u IPv4 8119 0t0 TCP *:22 (LISTEN)
> sshd 935 root 4u IPv6 8121 0t0 TCP *:22 (LISTEN)
> /usr/sbin 1547 root 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1547 root 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1547 root 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1595 www-data 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1595 www-data 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1595 www-data 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1596 www-data 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1596 www-data 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1596 www-data 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1597 www-data 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1597 www-data 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1597 www-data 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1598 www-data 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1598 www-data 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1598 www-data 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> /usr/sbin 1599 www-data 4u IPv4 11187 0t0 TCP *:443 (LISTEN)
> /usr/sbin 1599 www-data 5u IPv4 11190 0t0 TCP *:9876 (LISTEN)
> /usr/sbin 1599 www-data 6u IPv4 11192 0t0 TCP *:444 (LISTEN)
> ntpd 1874 ntp 16u IPv4 13333 0t0 UDP *:123
> ntpd 1874 ntp 17u IPv6 13334 0t0 UDP *:123
> ntpd 1874 ntp 18u IPv4 13340 0t0 UDP 127.0.0.1:123
> ntpd 1874 ntp 19u IPv4 13341 0t0 UDP 10.10.10.20:123
> ntpd 1874 ntp 20u IPv6 13342 0t0 UDP [fe80::8a51:fbff:fe28:5589]:123
> ntpd 1874 ntp 21u IPv6 13343 0t0 UDP [::1]:123
> sshd 2624 root 3u IPv4 11762 0t0 TCP 10.10.10.20:22->10.10.10.111:39852 (ESTABLISHED)
> sshd 2781 support 3u IPv4 11762 0t0 TCP 10.10.10.20:22->10.10.10.111:39852 (ESTABLISHED)
> sshd 2781 support 8u IPv6 11812 0t0 TCP [::1]:6010 (LISTEN)
> sshd 2781 support 9u IPv4 11813 0t0 TCP 127.0.0.1:6010 (LISTEN)
> sshd 2781 support 11u IPv4 164562 0t0 TCP 127.0.0.1:6010->127.0.0.1:37324 (ESTABLISHED)
> ssh 7437 root 3u IPv4 154562 0t0 TCP 10.10.10.20:53168->10.10.10.19:22 (ESTABLISHED)
> ssh 7437 root 4u IPv6 156869 0t0 TCP [::1]:3306 (LISTEN)
> ssh 7437 root 5u IPv4 156870 0t0 TCP 127.0.0.1:3306 (LISTEN)
> ssh 7437 root 6u IPv4 165385 0t0 TCP 127.0.0.1:3306->127.0.0.1:56086 (ESTABLISHED)
> ssh 7437 root 7u IPv4 164593 0t0 TCP 127.0.0.1:3306->127.0.0.1:56087 (ESTABLISHED)
> ssh 7437 root 8u IPv4 164594 0t0 TCP 127.0.0.1:3306->127.0.0.1:56088 (ESTABLISHED)
> mysqld 7475 mysql 10u IPv4 157705 0t0 TCP 127.0.0.1:50000 (LISTEN)
> tclsh 7514 root 3u IPv4 162686 0t0 TCP 10.10.10.20:52944->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 5u IPv4 168011 0t0 UDP *:43228
> tclsh 7514 root 7u IPv4 165390 0t0 TCP 10.10.10.20:52957->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 8u IPv4 164600 0t0 TCP 10.10.10.20:52958->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 9u IPv4 164601 0t0 TCP 10.10.10.20:52959->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 10u IPv4 164602 0t0 TCP 10.10.10.20:52960->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 11u IPv4 162705 0t0 TCP 10.10.10.20:52961->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 12u IPv4 163558 0t0 TCP 10.10.10.20:52962->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 13u IPv4 162706 0t0 TCP 10.10.10.20:52963->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 14u IPv4 163559 0t0 TCP 10.10.10.20:52964->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 15u IPv4 163560 0t0 TCP 10.10.10.20:52965->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 16u IPv4 164603 0t0 TCP 10.10.10.20:52966->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 17u IPv4 164604 0t0 TCP 10.10.10.20:52967->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 18u IPv4 164605 0t0 TCP 10.10.10.20:52968->10.10.10.19:7736 (ESTABLISHED)
> tclsh 7514 root 19u IPv4 162707 0t0 TCP 10.10.10.20:52969->10.10.10.19:7736 (ESTABLISHED)
> bro 7628 root 4u IPv4 156903 0t0 UDP 10.10.10.20:56877->10.10.10.12:53
> bro 7741 root 0u IPv4 155457 0t0 TCP *:47761 (LISTEN)
> bro 7741 root 1u IPv6 155458 0t0 TCP *:47761 (LISTEN)
> bro 7741 root 2u IPv4 157814 0t0 TCP 10.10.10.20:47761->10.10.10.20:46504 (ESTABLISHED)
> bro 7741 root 4u IPv4 156903 0t0 UDP 10.10.10.20:56877->10.10.10.12:53
> bro 7741 root 8u IPv4 155505 0t0 TCP 10.10.10.20:47761->10.10.10.20:46506 (ESTABLISHED)
> bro 7741 root 10u IPv4 156563 0t0 TCP 10.10.10.20:47761->10.10.10.20:46507 (ESTABLISHED)
> bro 7741 root 11u IPv4 157085 0t0 TCP 10.10.10.20:47761->10.10.10.20:46509 (ESTABLISHED)
> bro 7775 root 4u IPv4 157005 0t0 UDP 10.10.10.20:47531->10.10.10.12:53
> bro 7782 root 0u IPv4 157813 0t0 TCP 10.10.10.20:46504->10.10.10.20:47761 (ESTABLISHED)
> bro 7782 root 1u IPv4 157817 0t0 TCP *:47762 (LISTEN)
> bro 7782 root 2u IPv6 157818 0t0 TCP *:47762 (LISTEN)
> bro 7782 root 4u IPv4 157005 0t0 UDP 10.10.10.20:47531->10.10.10.12:53
> bro 7782 root 7u IPv4 157083 0t0 TCP 10.10.10.20:47762->10.10.10.20:49877 (ESTABLISHED)
> bro 7782 root 9u IPv4 156565 0t0 TCP 10.10.10.20:47762->10.10.10.20:49880 (ESTABLISHED)
> bro 7782 root 10u IPv4 155508 0t0 TCP 10.10.10.20:47762->10.10.10.20:49882 (ESTABLISHED)
> bro 7849 root 4u IPv4 156554 0t0 UDP 10.10.10.20:48201->10.10.10.12:53
> bro 7850 root 4u IPv4 157076 0t0 UDP 10.10.10.20:43480->10.10.10.12:53
> bro 7851 root 4u IPv4 157835 0t0 UDP 10.10.10.20:56623->10.10.10.12:53
> bro 7855 root 0u IPv4 156556 0t0 TCP 10.10.10.20:49877->10.10.10.20:47762 (ESTABLISHED)
> bro 7855 root 1u IPv4 156557 0t0 TCP 10.10.10.20:46506->10.10.10.20:47761 (ESTABLISHED)
> bro 7855 root 2u IPv4 156560 0t0 TCP *:47763 (LISTEN)
> bro 7855 root 4u IPv4 156554 0t0 UDP 10.10.10.20:48201->10.10.10.12:53
> bro 7855 root 8u IPv6 156561 0t0 TCP *:47763 (LISTEN)
> bro 7859 root 0u IPv4 156562 0t0 TCP 10.10.10.20:46507->10.10.10.20:47761 (ESTABLISHED)
> bro 7859 root 1u IPv4 156564 0t0 TCP 10.10.10.20:49880->10.10.10.20:47762 (ESTABLISHED)
> bro 7859 root 2u IPv4 156568 0t0 TCP *:47764 (LISTEN)
> bro 7859 root 4u IPv4 157076 0t0 UDP 10.10.10.20:43480->10.10.10.12:53
> bro 7859 root 8u IPv6 156569 0t0 TCP *:47764 (LISTEN)
> bro 7865 root 0u IPv4 157084 0t0 TCP 10.10.10.20:46509->10.10.10.20:47761 (ESTABLISHED)
> bro 7865 root 1u IPv4 157086 0t0 TCP 10.10.10.20:49882->10.10.10.20:47762 (ESTABLISHED)
> bro 7865 root 2u IPv4 157089 0t0 TCP *:47765 (LISTEN)
> bro 7865 root 4u IPv4 157835 0t0 UDP 10.10.10.20:56623->10.10.10.12:53
> bro 7865 root 8u IPv6 157090 0t0 TCP *:47765 (LISTEN)
> tclsh 7981 root 3u IPv4 158794 0t0 TCP 127.0.0.1:8001 (LISTEN)
> tclsh 7981 root 4u IPv4 157408 0t0 TCP 127.0.0.1:8001->127.0.0.1:37151 (ESTABLISHED)
> tclsh 7981 root 6u IPv4 162694 0t0 TCP 10.10.10.20:52949->10.10.10.19:7736 (ESTABLISHED)
> tclsh 8007 root 3u IPv4 157928 0t0 TCP 127.0.0.1:8002 (LISTEN)
> tclsh 8007 root 4u IPv4 158086 0t0 TCP 127.0.0.1:8002->127.0.0.1:39356 (ESTABLISHED)
> tclsh 8007 root 6u IPv4 162695 0t0 TCP 10.10.10.20:52950->10.10.10.19:7736 (ESTABLISHED)
> tclsh 8033 root 3u IPv4 157251 0t0 TCP 127.0.0.1:8003 (LISTEN)
> tclsh 8033 root 4u IPv4 159046 0t0 TCP 127.0.0.1:8003->127.0.0.1:56968 (ESTABLISHED)
> tclsh 8033 root 6u IPv4 165384 0t0 TCP 10.10.10.20:52952->10.10.10.19:7736 (ESTABLISHED)
> barnyard2 8147 root 3u IPv4 157407 0t0 TCP 127.0.0.1:37151->127.0.0.1:8001 (ESTABLISHED)
> barnyard2 8147 root 4u IPv4 163549 0t0 TCP 127.0.0.1:56086->127.0.0.1:3306 (ESTABLISHED)
> barnyard2 8169 root 3u IPv4 158085 0t0 TCP 127.0.0.1:39356->127.0.0.1:8002 (ESTABLISHED)
> barnyard2 8169 root 4u IPv4 162698 0t0 TCP 127.0.0.1:56087->127.0.0.1:3306 (ESTABLISHED)
> barnyard2 8193 root 3u IPv4 158090 0t0 TCP 127.0.0.1:56968->127.0.0.1:8003 (ESTABLISHED)
> barnyard2 8193 root 4u IPv4 163552 0t0 TCP 127.0.0.1:56088->127.0.0.1:3306 (ESTABLISHED)
> tclsh 8228 root 6u IPv4 162689 0t0 TCP 10.10.10.20:52945->10.10.10.19:7736 (ESTABLISHED)
> tclsh 8251 root 3u IPv4 164592 0t0 TCP 10.10.10.20:52946->10.10.10.19:7736 (ESTABLISHED)
> searchd 8294 root 6u IPv4 159351 0t0 TCP *:9306 (LISTEN)
> searchd 8294 root 7u IPv4 159352 0t0 TCP *:3307 (LISTEN)
> syslog-ng 8323 root 9u IPv4 161388 0t0 TCP *:514 (LISTEN)
> syslog-ng 8323 root 10u IPv4 161389 0t0 UDP *:514
> tclsh 8349 root 3u IPv4 162691 0t0 TCP 10.10.10.20:52948->10.10.10.19:7736 (ESTABLISHED)
> wish 9189 support 3u IPv4 162645 0t0 TCP 127.0.0.1:37324->127.0.0.1:6010 (ESTABLISHED)
> wish 9189 support 4u IPv4 165383 0t0 TCP 10.10.10.20:34165->10.10.10.19:7734 (ESTABLISHED)
> sshd 9211 root 3u IPv4 162708 0t0 TCP 10.10.10.20:22->10.10.10.111:40184 (ESTABLISHED)
> sshd 9361 support 3u IPv4 162708 0t0 TCP 10.10.10.20:22->10.10.10.111:40184 (ESTABLISHED)
> sshd 9361 support 8u IPv6 163612 0t0 TCP [::1]:6011 (LISTEN)
> sshd 9361 support 9u IPv4 163613 0t0 TCP 127.0.0.1:6011 (LISTEN)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
> tail: cannot open `/var/log/nsm/pulledpork.log' for reading: No such file or directory
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 10:50:11 up 50 min, 2 users, load average: 2.10, 1.17, 0.58
> Tasks: 156 total, 6 running, 150 sleeping, 0 stopped, 0 zombie
> Cpu(s): 1.7%us, 1.7%sy, 0.3%ni, 95.4%id, 0.8%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 2009284k total, 1851216k used, 158068k free, 24836k buffers

Looks like you only have 2GB RAM? Might want to max out your RAM for
a production sensor.

> Swap: 7809008k total, 260k used, 7808748k free, 391536k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 7741 root 25 5 139m 18m 936 R 20 0.9 0:54.67 bro
> 7782 root 25 5 69016 18m 952 S 20 0.9 0:53.45 bro
> 7855 root 25 5 127m 82m 64m R 18 4.2 0:43.33 bro
> 7865 root 25 5 127m 82m 64m S 18 4.2 0:42.50 bro
> 7850 root 20 0 267m 85m 68m S 16 4.4 0:43.02 bro
> 7851 root 20 0 267m 85m 68m R 16 4.4 0:44.50 bro
> 7859 root 25 5 127m 82m 64m R 16 4.2 0:43.25 bro
> 7849 root 20 0 267m 85m 68m R 14 4.4 0:42.78 bro
> 7437 root 20 0 41752 3204 2408 S 2 0.2 0:02.91 ssh
> 7775 root 20 0 275m 21m 3972 S 2 1.1 0:02.68 bro
> 1 root 20 0 24432 2336 1360 S 0 0.1 0:00.49 init
> 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
> 3 root 20 0 0 0 0 S 0 0.0 0:00.16 ksoftirqd/0
> 6 root RT 0 0 0 0 S 0 0.0 0:02.92 migration/0
> 7 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
> 8 root RT 0 0 0 0 S 0 0.0 0:00.04 migration/1
> 10 root 20 0 0 0 0 S 0 0.0 0:00.10 ksoftirqd/1
> 11 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
> 12 root RT 0 0 0 0 S 0 0.0 0:00.20 migration/2
> 13 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/2:0
> 14 root 20 0 0 0 0 S 0 0.0 0:00.11 ksoftirqd/2
> 15 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/2
> 16 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
> 18 root 20 0 0 0 0 S 0 0.0 0:00.10 ksoftirqd/3
> 19 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/3
> 20 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
> 21 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
> 22 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
> 23 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
> 25 root 20 0 0 0 0 S 0 0.0 0:00.01 sync_supers
> 26 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
> 27 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
> 28 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
> 29 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
> 30 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
> 31 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
> 34 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
> 35 root 20 0 0 0 0 S 0 0.0 0:00.03 kswapd0
> 36 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
> 37 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
> 38 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
> 39 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
> 40 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
> 49 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
> 50 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
> 51 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
> 52 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:2
> 53 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
> 54 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_3
> 55 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:3
> 57 root 0 -20 0 0 0 S 0 0.0 0:00.00 binder
> 77 root 0 -20 0 0 0 S 0 0.0 0:00.00 deferwq
> 78 root 0 -20 0 0 0 S 0 0.0 0:00.00 charger_manager
> 79 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
> 80 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/3:1
> 81 root 20 0 0 0 0 S 0 0.0 0:00.49 kworker/1:1
> 144 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/2:2
> 261 root 20 0 0 0 0 S 0 0.0 0:00.07 kworker/3:2
> 270 root 20 0 0 0 0 S 0 0.0 0:00.46 kworker/1:2
> 292 root 20 0 0 0 0 S 0 0.0 0:01.06 md1_raid5
> 302 root 20 0 0 0 0 S 0 0.0 0:00.00 md0_raid1
> 315 root 20 0 0 0 0 S 0 0.0 0:00.09 jbd2/md1-8
> 316 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 408 root 20 0 17364 640 452 S 0 0.0 0:00.03 upstart-udev-br
> 411 root 20 0 21732 1536 804 S 0 0.1 0:00.03 udevd
> 550 root 20 0 21728 1048 328 S 0 0.1 0:00.00 udevd
> 551 root 20 0 21728 1036 312 S 0 0.1 0:00.00 udevd
> 588 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
> 616 root 0 -20 0 0 0 S 0 0.0 0:00.00 kvm-irqfd-clean
> 690 root 20 0 15188 392 200 S 0 0.0 0:00.00 upstart-socket-
> 745 root 20 0 0 0 0 S 0 0.0 0:00.03 ext4lazyinit
> 891 root 20 0 0 0 0 S 0 0.0 0:00.00 jbd2/md0-8
> 892 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 913 root 20 0 0 0 0 S 0 0.0 0:00.06 flush-9:1
> 935 root 20 0 49956 2824 2220 S 0 0.1 0:00.00 sshd
> 990 messageb 20 0 23916 984 684 S 0 0.0 0:00.00 dbus-daemon
> 1017 root 20 0 15784 960 800 S 0 0.0 0:00.00 getty
> 1024 root 20 0 15784 964 800 S 0 0.0 0:00.00 getty
> 1037 root 20 0 15784 964 800 S 0 0.0 0:00.00 getty
> 1038 root 20 0 15784 960 800 S 0 0.0 0:00.00 getty
> 1041 root 20 0 15784 956 800 S 0 0.0 0:00.00 getty
> 1047 root 20 0 4328 688 560 S 0 0.0 0:00.00 acpid
> 1067 root 20 0 19112 1016 780 S 0 0.1 0:00.00 cron
> 1068 daemon 20 0 16908 372 216 S 0 0.0 0:00.00 atd
> 1080 root 20 0 15980 688 512 S 0 0.0 0:00.23 irqbalance
> 1107 whoopsie 20 0 195m 5092 3756 S 0 0.3 0:00.00 whoopsie
> 1486 root 20 0 13368 736 504 S 0 0.0 0:00.00 mdadm
> 1547 root 20 0 176m 12m 6540 S 0 0.6 0:00.10 /usr/sbin/apach
> 1560 root 20 0 215m 2060 1768 S 0 0.1 0:00.00 PassengerWatchd
> 1563 root 20 0 288m 2292 1996 S 0 0.1 0:00.01 PassengerHelper
> 1565 root 20 0 108m 8196 2164 S 0 0.4 0:00.03 ruby1.9.1
> 1568 nobody 20 0 165m 4684 3656 S 0 0.2 0:00.00 PassengerLoggin
> 1592 root 20 0 15784 964 800 S 0 0.0 0:00.00 getty
> 1595 www-data 20 0 176m 6860 660 S 0 0.3 0:00.00 /usr/sbin/apach
> 1596 www-data 20 0 176m 6860 660 S 0 0.3 0:00.00 /usr/sbin/apach
> 1597 www-data 20 0 176m 6860 660 S 0 0.3 0:00.00 /usr/sbin/apach
> 1598 www-data 20 0 176m 6860 660 S 0 0.3 0:00.00 /usr/sbin/apach
> 1599 www-data 20 0 176m 6860 660 S 0 0.3 0:00.00 /usr/sbin/apach
> 1874 ntp 20 0 37696 2244 1612 S 0 0.1 0:00.09 ntpd
> 2624 root 20 0 77488 3552 2732 S 0 0.2 0:00.01 sshd
> 2781 support 20 0 77808 1980 1128 S 0 0.1 0:00.68 sshd
> 2782 support 20 0 26560 7836 1760 S 0 0.4 0:00.31 bash
> 5775 root 20 0 0 0 0 S 0 0.0 0:00.13 kworker/0:2
> 6524 root 20 0 0 0 0 S 0 0.0 0:00.09 kworker/0:1
> 6651 root 20 0 12804 532 348 S 0 0.0 0:00.00 ossec-execd
> 6655 ossec 20 0 14508 2328 768 S 0 0.1 0:00.46 ossec-analysisd
> 6659 root 20 0 4528 560 420 S 0 0.0 0:00.00 ossec-logcollec
> 6670 root 20 0 5080 1096 488 S 0 0.1 0:00.65 ossec-syscheckd
> 6674 ossec 20 0 13060 548 364 S 0 0.0 0:00.00 ossec-monitord
> 7423 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
> 7426 root 20 0 4400 324 220 S 0 0.0 0:00.00 sh
> 7431 root 20 0 7160 352 276 S 0 0.0 0:00.00 sleep
> 7435 root 20 0 4308 320 216 S 0 0.0 0:00.00 autossh
> 7475 mysql 20 0 1113m 48m 8176 S 0 2.5 0:01.09 mysqld
> 7514 root 20 0 47480 13m 2756 S 0 0.7 0:00.02 tclsh
> 7578 root 20 0 17884 1588 1308 S 0 0.1 0:00.00 bash
> 7628 root 20 0 635m 21m 3952 S 0 1.1 0:02.83 bro
> 7766 root 20 0 17884 1584 1308 S 0 0.1 0:00.00 bash
> 7818 root 20 0 17884 1588 1308 S 0 0.1 0:00.00 bash
> 7822 root 20 0 17884 1584 1308 S 0 0.1 0:00.00 bash
> 7829 root 20 0 17884 1588 1308 S 0 0.1 0:00.00 bash
> 7981 root 20 0 33044 4836 2964 S 0 0.2 0:00.01 tclsh
> 8007 root 20 0 33044 4844 2964 S 0 0.2 0:00.01 tclsh
> 8033 root 20 0 33044 4844 2964 S 0 0.2 0:00.01 tclsh
> 8063 sguil 20 0 541m 205m 10m S 0 10.5 0:05.71 snort
> 8089 sguil 20 0 540m 205m 10m S 0 10.5 0:05.74 snort
> 8115 sguil 20 0 543m 207m 10m S 0 10.6 0:05.69 snort
> 8147 root 20 0 150m 51m 1772 S 0 2.6 0:18.45 barnyard2
> 8169 root 20 0 150m 51m 1772 S 0 2.6 0:20.09 barnyard2
> 8193 root 20 0 150m 51m 1752 S 0 2.6 0:10.19 barnyard2
> 8209 sguil 20 0 25728 6836 3636 S 0 0.3 0:00.01 prads
> 8228 root 20 0 32992 4740 2952 S 0 0.2 0:00.01 tclsh
> 8230 root 20 0 4328 356 280 S 0 0.0 0:00.00 cat
> 8251 root 20 0 33008 4708 2952 S 0 0.2 0:00.01 tclsh
> 8287 sguil 20 0 111m 6192 1144 S 0 0.3 0:00.12 argus
> 8293 root 20 0 102m 5460 204 S 0 0.3 0:00.00 searchd
> 8294 root 20 0 309m 24m 6076 S 0 1.2 0:01.45 searchd
> 8322 root 20 0 26780 440 200 S 0 0.0 0:00.00 syslog-ng
> 8323 root 20 0 70516 4200 2876 S 0 0.2 0:00.03 syslog-ng
> 8324 root 20 0 4400 612 508 S 0 0.0 0:00.00 sh
> 8326 root 20 0 201m 36m 3740 S 0 1.9 0:01.03 perl
> 8349 root 20 0 33020 4864 2972 S 0 0.2 0:00.01 tclsh
> 9177 root 20 0 4344 360 280 S 0 0.0 0:00.00 tail
> 9178 root 20 0 4344 356 280 S 0 0.0 0:00.00 tail
> 9180 root 20 0 4344 608 504 S 0 0.0 0:00.00 tail
> 9189 support 20 0 93552 21m 6300 S 0 1.1 0:00.75 wish
> 9200 root 20 0 4344 356 280 S 0 0.0 0:00.00 tail
> 9201 root 20 0 4340 612 512 S 0 0.0 0:00.00 tail
> 9210 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
> 9211 root 20 0 77488 3548 2732 S 0 0.2 0:00.01 sshd
> 9214 root 20 0 201m 34m 824 S 0 1.7 0:00.00 perl
> 9361 support 20 0 77488 1984 1140 S 0 0.1 0:00.00 sshd
> 9362 support 20 0 26484 7612 1624 S 0 0.4 0:00.21 bash
> 9684 root 20 0 43300 1872 1392 S 0 0.1 0:00.00 sudo
> 9816 root 20 0 12316 1472 1248 S 0 0.1 0:00.00 sostat
> 10419 root 20 0 17336 1272 916 R 0 0.1 0:00.00 top
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/ITG-IDS-Sensor01-eth0/dailylogs/
> 8.0K .
> 4.0K ./2013-04-05
>
> /nsm/bro/logs/
> 20K .
> 16K ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> ERROR: No stats found in /nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-1.stats
> ERROR: No stats found in /nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-2.stats
> ERROR: No stats found in /nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-3.stats
>
> =========================================================================
> pf_ring stats
> =========================================================================
> Appl. Name : <unknown>
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : <unknown>
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-51-socket-0
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-51-socket-0
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> Appl. Name : snort-cluster-51-socket-0
> Tot Packets : 0
> Tot Pkt Lost : 0
> TX: Send Errors : 0
> Reflect: Fwd Errors: 0
> support@ITG-IDS-Sensor01:~$

Doug Burks

Apr 5, 2013, 9:08:12 AM4/5/13
to securit...@googlegroups.com
On Fri, Apr 5, 2013 at 8:59 AM, Doug Burks <doug....@gmail.com> wrote:
> On Fri, Apr 5, 2013 at 8:52 AM, <offe...@gmail.com> wrote:
>> Hi Doug and Matt,
>>
>> Ok, it looks like NOT downgrading python (step 15 in the installation guide) and NOT installing Ubuntu server with encrypted home folder did the trick..
>>
>> To others who may experience this in the future: I currently don't know if my problem was solved by both solutions OR one of them.
>
> I'm 99% sure it was the encrypted home folder.

I've updated the Installation guide to include the following:

"If prompted with an "encrypt home folder" option, DO NOT enable this feature."

https://code.google.com/p/security-onion/wiki/Installation

Doug

Doug Burks

Apr 5, 2013, 1:27:55 PM4/5/13
to securit...@googlegroups.com
On Fri, Apr 5, 2013 at 1:13 PM, <offe...@gmail.com> wrote:
> I also see in my Sguil client that the PCAP service (is it a service?) is down..
>
> I will try to run the command you mentioned, Doug, and see if that works..
>
> eth0 is the monitoring port.. I will give the switch a look to verify the mirroring is set up correctly..

You can look at the netsniff-ng log file to see why it failed. Most
times it's because the NIC hadn't negotiated a link. So netsniff-ng
terminates, which causes pcap_agent to fail, so the Sguil client shows
the pcap service as down.

Hope that helps!

Thanks,

Doug Burks

Apr 5, 2013, 2:08:52 PM4/5/13
to securit...@googlegroups.com
If eth0 is your sniffing NIC receiving traffic from a tap or span
port, then it does not need an IP address. It just needs to be
connected to the tap or span port.
Doug

On Fri, Apr 5, 2013 at 2:01 PM, <offe...@gmail.com> wrote:
> Do I need to set up an IP on the monitoring network card? In my case eth0.
>
> Or can it do without, relying on MAC?
>
> Casper
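The failed netsniff-ng/pcap_agent lines and the empty eth0 counters in the sostat output earlier in this thread, Doug's explanation of the chain from a NIC with no link to a "down" pcap service in Sguil, and the point that a sniffing NIC needs no IP address all lend themselves to one scripted triage. The following is an added example, not code from the thread or from Security Onion: it pulls the [ FAIL ] services out of a pasted sostat dump, classifies the sniffing interface from the ifconfig block sostat prints, and can ask the running kernel the same questions through /sys/class/net. The two sample dumps are constructed from the two sostat outputs in this thread, trimmed and re-indented; the sysfs paths, tcpdump and sostat are real, and live_check assumes it is run as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Triage a `sudo sostat` dump the way the replies in this thread do by hand:
#   1. list every service sostat marks [ FAIL ]
#   2. classify the sniffing interface from the ifconfig block sostat prints
# Interface verdicts:
#   NOLINK    no RUNNING flag: the NIC never negotiated a link, so netsniff-ng
#             exits, pcap_agent then fails and Sguil shows the pcap service down
#   NOTRAFFIC link is up but RX packets is 0: the SPAN/tap delivers nothing
#   NOPROMISC packets arrive but the NIC is not in promiscuous mode
#   OK        link up, promiscuous, packets arriving
# " HAS_IP" is appended when an "inet addr:" line is present; it is only a
# note, because a sniffing NIC on a tap or SPAN port needs no IP address.

# Constructed samples: excerpts of the two sostat outputs in this thread
# (the failing one from before the switch was fixed, and the working one).
SAMPLE_BROKEN='Status: ITG-IDS-Sensor01-eth0
  * netsniff-ng (full packet data)[ FAIL ]
  * pcap_agent (sguil)[ FAIL ]
  * snort_agent-1 (sguil)[  OK  ]
eth0      Link encap:Ethernet  HWaddr 88:51:fb:28:55:88
          UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
eth1      Link encap:Ethernet  HWaddr 88:51:fb:28:55:89
          inet addr:10.10.10.20  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:108317 errors:0 dropped:0 overruns:0 frame:0'
SAMPLE_OK='Status: ITG-IDS-Sensor01-eth0
  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (sguil)[  OK  ]
eth0      Link encap:Ethernet  HWaddr 88:51:fb:28:55:88
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:5519210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28118 errors:0 dropped:0 overruns:0 carrier:0'

# failed_services SOSTAT_TEXT -> one failed service name per line
failed_services() {
    printf '%s\n' "$1" | awk '
        /\[ *FAIL *\]/ {
            sub(/^[ \t>]*\* /, "")       # drop indentation, "> " quoting, "* "
            sub(/ *[[(].*$/, "")         # drop "(description)[ FAIL ]"
            print
        }'
}

# iface_verdict IFNAME SOSTAT_TEXT -> one of the verdicts listed above
iface_verdict() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { sub(/^[> \t]+/, "") }           # tolerate a "> " quoted paste
        /Link encap:/ { cur = $1 }        # a new interface block begins
        cur != want { next }
        { seen = 1 }
        /MTU:/        { running = ($0 ~ /RUNNING/); promisc = ($0 ~ /PROMISC/) }
        /RX packets:/ { split($2, a, ":"); rx = a[2] + 0 }
        /inet addr:/  { has_ip = 1 }
        END {
            if (!seen)         { print "UNKNOWN"; exit }
            if (!running)      { v = "NOLINK" }
            else if (rx == 0)  { v = "NOTRAFFIC" }
            else if (!promisc) { v = "NOPROMISC" }
            else               { v = "OK" }
            if (has_ip) v = v " HAS_IP"
            print v
        }'
}

# live_check IFNAME: ask the running kernel the same questions via sysfs,
# count packets for five seconds (tcpdump ships with Security Onion) and
# run sostat through failed_services. Run as root.
live_check() {
    sys=/sys/class/net/$1
    [ -d "$sys" ] || { echo "no such interface: $1"; return 1; }
    flags=$(printf '%d' "$(cat "$sys/flags")")            # e.g. 0x1303 -> 4867
    echo "operstate : $(cat "$sys/operstate")"
    echo "carrier   : $(cat "$sys/carrier" 2>/dev/null || echo 'n/a (interface is down)')"
    echo "promisc   : $(( (flags & 256) != 0 ))"           # IFF_PROMISC is 0x100
    echo "rx_packets: $(cat "$sys/statistics/rx_packets")"
    echo "5s capture: $(timeout 5 tcpdump -nnl -i "$1" 2>/dev/null | wc -l) lines"
    echo "failed services:"
    failed_services "$(sostat 2>/dev/null)"
}

if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

On the first sostat in this thread the script reports netsniff-ng and pcap_agent as failed and eth0 as NOLINK, which matches the diagnosis above; after the switch mirroring was fixed it reports no failures and OK. Running `sh sensor_check.sh eth0` as root on the sensor gives the live view: if carrier is 0 or operstate is down, fix the cable or the switch port before restarting services, since nsm_sensor_ps-restart will just fail again.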

Matt Gregory

Apr 9, 2013, 12:29:13 PM4/9/13
to securit...@googlegroups.com
Casper,
 
It looks mostly okay to me; glad you got it working!
 
You might want to keep an eye on ITG-IDS-Sensor01-eth0, as it's showing a very small packet loss on one of the Snort instances, shown here:
 
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-3.stats last reported pkt_drop_percent as 0.111
 
pf_ring is also showing some packet loss:
 
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 3825944
Tot Pkt Lost       : 751
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
 
This could be a RAM issue, but it also might be corrected by reducing the number of Snort instances you have running - see step #22 under "If you're going to be deploying Security Onion in production, follow these steps" of the installation instructions.
 
Matt
 
On Tue, Apr 9, 2013 at 9:20 AM, <offe...@gmail.com> wrote:
Doug and Matt,

HUGS ALL AROUND!!

It's working beautifully - except the RAM thing that I still haven't gotten through to management..

The reason I got no traffic on my eth0 was because of a switch misconfiguration. Once I fixed that everything worked and alerts are coming in. I can pull transcripts, and when I run a tcpreplay on the sensor I see the alerts on the server almost on the spot..

I would say this works..

I have put the sensor's sostat here hoping you would give it a quick look to confirm that I'm right?

And thanks to the both of you for helping.. now i can stop sweating :)

SOSTAT OUTPUT:

support@ITG-IDS-Sensor01:~$ sudo sostat

[sudo] password for support:
=========================================================================
Service Status
=========================================================================
Status: HIDS
  * ossec_agent (sguil)[  OK  ]
Status: Bro
Name                    Type     Host        Status   Pid   Peers  Started
manager                 manager  10.10.10.20 running  3385  4      05 Apr 17:24:08
proxy                   proxy    10.10.10.20 running  3435  4      05 Apr 17:24:10
ITG-IDS-Sensor01-eth0-1 worker   10.10.10.20 running  3509  2      05 Apr 17:24:12
ITG-IDS-Sensor01-eth0-2 worker   10.10.10.20 running  3510  2      05 Apr 17:24:12
ITG-IDS-Sensor01-eth0-3 worker   10.10.10.20 running  3511  2      05 Apr 17:24:12
Status: ITG-IDS-Sensor01-eth0
  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (sguil)[  OK  ]

  * snort_agent-1 (sguil)[  OK  ]
  * snort_agent-2 (sguil)[  OK  ]
  * snort_agent-3 (sguil)[  OK  ]
  * snort-1 (alert data)[  OK  ]
  * snort-2 (alert data)[  OK  ]
  * snort-3 (alert data)[  OK  ]
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * barnyard2-2 (spooler, unified2 format)[  OK  ]
  * barnyard2-3 (spooler, unified2 format)[  OK  ]
  * prads (sessions/assets)[  OK  ]
  * sancp_agent (sguil)[  OK  ]
  * pads_agent (sguil)[  OK  ]
  * argus[  OK  ]
  * http_agent (sguil)[  OK  ]

=========================================================================
Interface Status
=========================================================================
eth0      Link encap:Ethernet  HWaddr 88:51:fb:28:55:88
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:5519210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3859975784 (3.8 GB)  TX bytes:2571349 (2.5 MB)
          Interrupt:16


eth1      Link encap:Ethernet  HWaddr 88:51:fb:28:55:89
          inet addr:10.10.10.20  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::8a51:fbff:fe28:5589/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2989271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1138884 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:552808981 (552.8 MB)  TX bytes:235542753 (235.5 MB)

          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2962869 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2962869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:430969801 (430.9 MB)  TX bytes:430969801 (430.9 MB)



=========================================================================
Disk Usage
=========================================================================
Filesystem      Size  Used Avail Use% Mounted on
/dev/md1        8.2T  7.6G  7.7T   1% /
udev            972M   12K  972M   1% /dev
tmpfs           393M  412K  393M   1% /run

none            5.0M     0  5.0M   0% /run/lock
none            982M     0  982M   0% /run/shm
/dev/md0        1.9G  110M  1.7G   7% /boot


=========================================================================
Network Sockets
=========================================================================
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd        935     root    3u  IPv4    8119      0t0  TCP *:22 (LISTEN)
sshd        935     root    4u  IPv6    8121      0t0  TCP *:22 (LISTEN)
/usr/sbin  1547     root    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin  1547     root    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin  1547     root    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
ntpd       1874      ntp   16u  IPv4   13333      0t0  UDP *:123
ntpd       1874      ntp   17u  IPv6   13334      0t0  UDP *:123
ntpd       1874      ntp   18u  IPv4   13340      0t0  UDP 127.0.0.1:123
ntpd       1874      ntp   19u  IPv4   13341      0t0  UDP 10.10.10.20:123
ntpd       1874      ntp   20u  IPv6   13342      0t0  UDP [fe80::8a51:fbff:fe28:5589]:123
ntpd       1874      ntp   21u  IPv6   13343      0t0  UDP [::1]:123
tclsh      2817     root    3u  IPv4 4579274      0t0  TCP 10.10.10.20:35231->10.10.10.19:7736 (CLOSE_WAIT)
bro        3385     root    4u  IPv4  482584      0t0  UDP 10.10.10.20:38090->10.10.10.12:53
bro        3393     root    0u  IPv4  484358      0t0  TCP *:47761 (LISTEN)
bro        3393     root    1u  IPv6  484359      0t0  TCP *:47761 (LISTEN)
bro        3393     root    2u  IPv4  484425      0t0  TCP 10.10.10.20:47761->10.10.10.20:47453 (ESTABLISHED)
bro        3393     root    4u  IPv4  482584      0t0  UDP 10.10.10.20:38090->10.10.10.12:53
bro        3393     root    8u  IPv4  485399      0t0  TCP 10.10.10.20:47761->10.10.10.20:47454 (ESTABLISHED)
bro        3393     root   10u  IPv4  485402      0t0  TCP 10.10.10.20:47761->10.10.10.20:47457 (ESTABLISHED)
bro        3393     root   11u  IPv4  485403      0t0  TCP 10.10.10.20:47761->10.10.10.20:47459 (ESTABLISHED)
bro        3435     root    4u  IPv4  482620      0t0  UDP 10.10.10.20:51699->10.10.10.12:53
bro        3442     root    0u  IPv4  482272      0t0  TCP 10.10.10.20:47453->10.10.10.20:47761 (ESTABLISHED)
bro        3442     root    1u  IPv4  482275      0t0  TCP *:47762 (LISTEN)
bro        3442     root    2u  IPv6  482276      0t0  TCP *:47762 (LISTEN)
bro        3442     root    4u  IPv4  482620      0t0  UDP 10.10.10.20:51699->10.10.10.12:53
bro        3442     root    7u  IPv4  483593      0t0  TCP 10.10.10.20:47762->10.10.10.20:50827 (ESTABLISHED)
bro        3442     root    9u  IPv4  485401      0t0  TCP 10.10.10.20:47762->10.10.10.20:50828 (ESTABLISHED)
bro        3442     root   10u  IPv4  484440      0t0  TCP 10.10.10.20:47762->10.10.10.20:50830 (ESTABLISHED)
bro        3509     root    4u  IPv4  482629      0t0  UDP 10.10.10.20:50641->10.10.10.12:53
bro        3510     root    4u  IPv4  483584      0t0  UDP 10.10.10.20:57775->10.10.10.12:53
bro        3511     root    4u  IPv4  485392      0t0  UDP 10.10.10.20:52821->10.10.10.12:53
bro        3516     root    0u  IPv4  483592      0t0  TCP 10.10.10.20:50827->10.10.10.20:47762 (ESTABLISHED)
bro        3516     root    1u  IPv4  483594      0t0  TCP 10.10.10.20:47457->10.10.10.20:47761 (ESTABLISHED)
bro        3516     root    2u  IPv4  483597      0t0  TCP *:47764 (LISTEN)
bro        3516     root    4u  IPv4  483584      0t0  UDP 10.10.10.20:57775->10.10.10.12:53
bro        3516     root    8u  IPv6  483598      0t0  TCP *:47764 (LISTEN)
bro        3517     root    0u  IPv4  485398      0t0  TCP 10.10.10.20:47454->10.10.10.20:47761 (ESTABLISHED)
bro        3517     root    1u  IPv4  485400      0t0  TCP 10.10.10.20:50828->10.10.10.20:47762 (ESTABLISHED)
bro        3517     root    2u  IPv4  485406      0t0  TCP *:47765 (LISTEN)
bro        3517     root    4u  IPv4  485392      0t0  UDP 10.10.10.20:52821->10.10.10.12:53
bro        3517     root    8u  IPv6  485407      0t0  TCP *:47765 (LISTEN)
bro        3522     root    0u  IPv4  484439      0t0  TCP 10.10.10.20:50830->10.10.10.20:47762 (ESTABLISHED)
bro        3522     root    1u  IPv4  484441      0t0  TCP 10.10.10.20:47459->10.10.10.20:47761 (ESTABLISHED)
bro        3522     root    2u  IPv4  484444      0t0  TCP *:47763 (LISTEN)
bro        3522     root    4u  IPv4  482629      0t0  UDP 10.10.10.20:50641->10.10.10.12:53
bro        3522     root    8u  IPv6  484445      0t0  TCP *:47763 (LISTEN)
tclsh      3614     root    3u  IPv4 5254497      0t0  TCP 10.10.10.20:36329->10.10.10.19:7736 (ESTABLISHED)
tclsh      3653     root    3u  IPv4 5251514      0t0  TCP 10.10.10.20:36327->10.10.10.19:7736 (ESTABLISHED)
tclsh      3653     root    4u  IPv4  483816      0t0  TCP 127.0.0.1:8001 (LISTEN)
tclsh      3653     root    6u  IPv4 5417109      0t0  TCP 127.0.0.1:8001->127.0.0.1:49170 (ESTABLISHED)
tclsh      3690     root    3u  IPv4 5252516      0t0  TCP 10.10.10.20:36328->10.10.10.19:7736 (ESTABLISHED)
tclsh      3690     root    4u  IPv4  482832      0t0  TCP 127.0.0.1:8002 (LISTEN)
tclsh      3690     root    8u  IPv4 5417318      0t0  TCP 127.0.0.1:8002->127.0.0.1:51379 (ESTABLISHED)
tclsh      3727     root    3u  IPv4 5253478      0t0  TCP 10.10.10.20:36325->10.10.10.19:7736 (ESTABLISHED)
tclsh      3727     root    4u  IPv4  482909      0t0  TCP 127.0.0.1:8003 (LISTEN)
tclsh      3727     root    6u  IPv4 5447455      0t0  TCP 127.0.0.1:8003->127.0.0.1:40781 (ESTABLISHED)
tclsh      4100     root    3u  IPv4 5251515      0t0  TCP 10.10.10.20:36330->10.10.10.19:7736 (ESTABLISHED)
tclsh      4136     root    3u  IPv4 5254496      0t0  TCP 10.10.10.20:36326->10.10.10.19:7736 (ESTABLISHED)
ssh        7437     root    3u  IPv4  154562      0t0  TCP 10.10.10.20:53168->10.10.10.19:22 (ESTABLISHED)
ssh        7437     root    4u  IPv6  156869      0t0  TCP [::1]:3306 (LISTEN)
ssh        7437     root    5u  IPv4  156870      0t0  TCP 127.0.0.1:3306 (LISTEN)
ssh        7437     root    6u  IPv4 5418294      0t0  TCP 127.0.0.1:3306->127.0.0.1:39740 (ESTABLISHED)
ssh        7437     root    8u  IPv4 5448341      0t0  TCP 127.0.0.1:3306->127.0.0.1:39770 (ESTABLISHED)
ssh        7437     root    9u  IPv4 5420483      0t0  TCP 127.0.0.1:3306->127.0.0.1:39745 (ESTABLISHED)
mysqld     7475    mysql   10u  IPv4  157705      0t0  TCP 127.0.0.1:50000 (LISTEN)
searchd    8294     root    6u  IPv4  159351      0t0  TCP *:9306 (LISTEN)
searchd    8294     root    7u  IPv4  159352      0t0  TCP *:3307 (LISTEN)
syslog-ng  8323     root    9u  IPv4  161388      0t0  TCP *:514 (LISTEN)
syslog-ng  8323     root   10u  IPv4  161389      0t0  UDP *:514
tclsh     12176     root    3u  IPv4 5353637      0t0  TCP 10.10.10.20:36532->10.10.10.19:7736 (ESTABLISHED)
/usr/sbin 31805 www-data    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin 31805 www-data    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin 31805 www-data    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
/usr/sbin 31806 www-data    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin 31806 www-data    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin 31806 www-data    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
/usr/sbin 31807 www-data    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin 31807 www-data    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin 31807 www-data    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
/usr/sbin 31808 www-data    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin 31808 www-data    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin 31808 www-data    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
/usr/sbin 31809 www-data    4u  IPv4   11187      0t0  TCP *:443 (LISTEN)
/usr/sbin 31809 www-data    5u  IPv4   11190      0t0  TCP *:9876 (LISTEN)
/usr/sbin 31809 www-data    6u  IPv4   11192      0t0  TCP *:444 (LISTEN)
sshd      46995     root    3u  IPv4 5619879      0t0  TCP 10.10.10.20:22->10.10.10.90:61912 (ESTABLISHED)
sshd      47182  support    3u  IPv4 5619879      0t0  TCP 10.10.10.20:22->10.10.10.90:61912 (ESTABLISHED)
barnyard2 51511     root    3u  IPv4 5415843      0t0  TCP 127.0.0.1:49170->127.0.0.1:8001 (ESTABLISHED)
barnyard2 51511     root    4u  IPv4 5420043      0t0  TCP 127.0.0.1:39740->127.0.0.1:3306 (ESTABLISHED)
barnyard2 51839     root    3u  IPv4 5420212      0t0  TCP 127.0.0.1:51379->127.0.0.1:8002 (ESTABLISHED)
barnyard2 51839     root    4u  IPv4 5417469      0t0  TCP 127.0.0.1:39745->127.0.0.1:3306 (ESTABLISHED)
barnyard2 58660     root    3u  IPv4 5447454      0t0  TCP 127.0.0.1:40781->127.0.0.1:8003 (ESTABLISHED)
barnyard2 58660     root    4u  IPv4 5447574      0t0  TCP 127.0.0.1:39770->127.0.0.1:3306 (ESTABLISHED)


=========================================================================
IDS Rules Update
=========================================================================
Tue Apr  9 07:01:04 UTC 2013
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 5 minutes to allow master time to download new rules.
Copying rules from 10.10.10.19.
Restarting Barnyard2.
Restarting: ITG-IDS-Sensor01-eth0
  * stopping: barnyard2-1 (spooler, unified2 format)[  OK  ]
  * starting: barnyard2-1 (spooler, unified2 format)[  OK  ]
  * stopping: barnyard2-2 (spooler, unified2 format)[  OK  ]
  * starting: barnyard2-2 (spooler, unified2 format)[  OK  ]
  * stopping: barnyard2-3 (spooler, unified2 format)[  OK  ]
  * starting: barnyard2-3 (spooler, unified2 format)[  OK  ]
Restarting IDS Engine.

=========================================================================
CPU Usage
=========================================================================
top - 13:19:45 up 4 days,  3:20,  1 user,  load average: 2.14, 1.90, 1.79
Tasks: 183 total,   5 running, 178 sleeping,   0 stopped,   0 zombie
Cpu(s):  7.0%us, 20.7%sy,  3.9%ni, 64.6%id,  3.7%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2009284k total,  1921816k used,    87468k free,     8372k buffers
Swap:  7809008k total,  1395512k used,  6413496k free,   240832k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3393 root      25   5  139m 1256  460 S   22  0.1   1088:38 bro
 3442 root      25   5 68988  748  456 S   20  0.0   1071:01 bro
 3509 root      20   0  318m 120m  72m S   18  6.2 862:57.14 bro
 3511 root      20   0  314m 117m  68m S   18  6.0 851:57.77 bro
 3516 root      25   5  127m  64m  64m R   18  3.3 864:33.62 bro
 3510 root      20   0  314m 116m  68m R   16  5.9 866:44.88 bro
 3522 root      25   5  127m  65m  64m S   16  3.3 866:36.26 bro
 3517 root      25   5  127m  65m  64m S   14  3.3 871:54.02 bro
 3435 root      20   0  277m 6460 1136 S    2  0.3  49:59.22 bro
11929 root      20   0  267m 245m 238m S    2 12.5   0:26.45 netsniff-ng
12077 sguil     20   0  111m  22m  520 S    2  1.1   1:04.06 argus
    1 root      20   0 15508  772  404 S    0  0.0   0:00.95 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.02 kthreadd
    3 root      20   0     0    0    0 S    0  0.0   0:39.92 ksoftirqd/0
    6 root      RT   0     0    0    0 S    0  0.0   0:03.44 migration/0
    7 root      RT   0     0    0    0 S    0  0.0   0:00.58 watchdog/0
    8 root      RT   0     0    0    0 S    0  0.0   0:00.56 migration/1
   10 root      20   0     0    0    0 S    0  0.0   0:37.20 ksoftirqd/1
   11 root      RT   0     0    0    0 S    0  0.0   0:00.46 watchdog/1
   12 root      RT   0     0    0    0 S    0  0.0   0:00.73 migration/2
   14 root      20   0     0    0    0 S    0  0.0   0:37.17 ksoftirqd/2
   15 root      RT   0     0    0    0 S    0  0.0   0:00.46 watchdog/2
   16 root      RT   0     0    0    0 S    0  0.0   0:00.53 migration/3
   18 root      20   0     0    0    0 S    0  0.0   0:36.78 ksoftirqd/3
   19 root      RT   0     0    0    0 S    0  0.0   0:00.47 watchdog/3
   20 root       0 -20     0    0    0 S    0  0.0   0:00.00 cpuset
   21 root       0 -20     0    0    0 S    0  0.0   0:00.00 khelper
   22 root      20   0     0    0    0 S    0  0.0   0:00.00 kdevtmpfs
   23 root       0 -20     0    0    0 S    0  0.0   0:00.00 netns
   25 root      20   0     0    0    0 S    0  0.0   0:00.36 sync_supers
   26 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default
   27 root       0 -20     0    0    0 S    0  0.0   0:00.00 kintegrityd
   28 root       0 -20     0    0    0 S    0  0.0   0:00.00 kblockd
   29 root       0 -20     0    0    0 S    0  0.0   0:00.00 ata_sff
   30 root      20   0     0    0    0 S    0  0.0   0:00.00 khubd
   31 root       0 -20     0    0    0 S    0  0.0   0:00.00 md
   34 root      20   0     0    0    0 S    0  0.0   0:00.08 khungtaskd
   35 root      20   0     0    0    0 S    0  0.0   3:46.31 kswapd0
   36 root      25   5     0    0    0 S    0  0.0   0:00.00 ksmd
   37 root      39  19     0    0    0 S    0  0.0   0:00.00 khugepaged
   38 root      20   0     0    0    0 S    0  0.0   0:00.00 fsnotify_mark
   39 root      20   0     0    0    0 S    0  0.0   0:00.00 ecryptfs-kthrea
   40 root       0 -20     0    0    0 S    0  0.0   0:00.00 crypto
   49 root       0 -20     0    0    0 S    0  0.0   0:00.00 kthrotld
   50 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_0
   51 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_1
   52 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/u:2
   53 root      20   0     0    0    0 S    0  0.0   0:00.01 scsi_eh_2
   54 root      20   0     0    0    0 S    0  0.0   0:00.00 scsi_eh_3
   55 root      20   0     0    0    0 S    0  0.0   0:00.00 kworker/u:3
   57 root       0 -20     0    0    0 S    0  0.0   0:00.00 binder
   77 root       0 -20     0    0    0 S    0  0.0   0:00.00 deferwq
   78 root       0 -20     0    0    0 S    0  0.0   0:00.00 charger_manager
   79 root       0 -20     0    0    0 S    0  0.0   0:00.00 devfreq_wq
  292 root      20   0     0    0    0 S    0  0.0 105:55.11 md1_raid5
  302 root      20   0     0    0    0 S    0  0.0   0:05.63 md0_raid1
  315 root      20   0     0    0    0 S    0  0.0   0:34.61 jbd2/md1-8
  316 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  411 root      20   0 21732  284  284 S    0  0.0   0:00.03 udevd
  588 root       0 -20     0    0    0 S    0  0.0   0:00.00 kpsmoused
  616 root       0 -20     0    0    0 S    0  0.0   0:00.00 kvm-irqfd-clean
  745 root      20   0     0    0    0 S    0  0.0   0:05.43 ext4lazyinit
  891 root      20   0     0    0    0 S    0  0.0   0:00.00 jbd2/md0-8
  892 root       0 -20     0    0    0 S    0  0.0   0:00.00 ext4-dio-unwrit
  913 root      20   0     0    0    0 S    0  0.0   0:12.05 flush-9:1
  935 root      20   0 49956  520  412 S    0  0.0   0:00.22 sshd
  990 messageb  20   0 23904  196  196 S    0  0.0   0:00.01 dbus-daemon
 1017 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1024 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1037 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1038 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1041 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1047 root      20   0  4328  240  236 S    0  0.0   0:00.00 acpid
 1067 root      20   0 19112  364  272 S    0  0.0   0:00.64 cron
 1068 daemon    20   0 16908   88   88 S    0  0.0   0:00.00 atd
 1080 root      20   0 15980  408  304 S    0  0.0   0:32.36 irqbalance
 1107 whoopsie  20   0  195m 1268  964 S    0  0.1   0:00.11 whoopsie
 1486 root      20   0 13368  424  336 S    0  0.0   0:00.04 mdadm
 1547 root      20   0  176m 1032  988 S    0  0.1   0:05.07 /usr/sbin/apach
 1592 root      20   0 15784  232  228 S    0  0.0   0:00.00 getty
 1874 ntp       20   0 37696  728  584 S    0  0.0   0:09.23 ntpd
 2765 root      20   0     0    0    0 S    0  0.0   0:02.25 kworker/2:0
 2817 root      20   0 43220 2708  872 S    0  0.1   0:00.83 tclsh
 2818 root      20   0  7228  316  284 S    0  0.0   0:00.01 tail
 3376 root      20   0 12332  232  228 S    0  0.0   0:00.00 bash
 3385 root      20   0 1798m  11m 1324 R    0  0.6  54:34.42 bro
 3426 root      20   0 12336  232  228 S    0  0.0   0:00.00 bash
 3478 root      20   0 12336  232  228 S    0  0.0   0:00.00 bash
 3483 root      20   0 12336  232  228 S    0  0.0   0:00.00 bash
 3487 root      20   0 12336  232  228 S    0  0.0   0:00.00 bash
 3614 root      20   0 37064 4168 1856 S    0  0.2   0:00.83 tclsh
 3653 root      20   0 36320 1836  976 S    0  0.1   0:00.46 tclsh
 3655 root      20   0  7196  188  176 S    0  0.0   0:00.00 tail
 3690 root      20   0 36276 1864  976 S    0  0.1   0:00.43 tclsh
 3692 root      20   0  7196  136  136 S    0  0.0   0:00.00 tail
 3727 root      20   0 36276 1892  976 S    0  0.1   0:00.48 tclsh
 3729 root      20   0  7196  112  112 S    0  0.0   0:00.00 tail
 3851 sguil     20   0  541m  52m 9736 S    0  2.7   1:17.53 snort
 3902 root      20   0  270m  10m  724 S    0  0.5   0:00.00 perl
 3936 sguil     20   0  544m  52m 9716 S    0  2.7   0:42.79 snort
 4015 root      20   0  270m 9.9m  496 S    0  0.5   0:00.00 perl
 4052 sguil     20   0  540m  66m 9716 S    0  3.4   1:28.55 snort
 4065 sguil     20   0 27968 6068 3120 S    0  0.3   0:37.80 prads
 4100 root      20   0 35868 1524  908 S    0  0.1   0:00.45 tclsh
 4102 root      20   0  7180  108  108 S    0  0.0   0:00.00 cat
 4136 root      20   0 38416 4860 1652 S    0  0.2   0:18.28 tclsh
 4311 root      20   0  270m 9.9m  500 S    0  0.5   0:00.00 perl
 4312 root      20   0  270m 9.9m  496 S    0  0.5   0:00.00 perl
 4315 root      20   0  270m  10m  724 S    0  0.5   0:00.00 perl
 4321 root      20   0  270m 9.9m  500 S    0  0.5   0:00.00 perl
 4322 root      20   0  270m 9.9m  496 S    0  0.5   0:00.00 perl
 4323 root      20   0  270m 9.9m  496 S    0  0.5   0:00.00 perl
 4328 root      20   0  270m 9.9m  496 S    0  0.5   0:00.00 perl
 4512 sguil     20   0  176m  464  464 S    0  0.0   0:46.57 argus
 6474 root      20   0     0    0    0 S    0  0.0   0:02.07 kworker/2:1
 6651 root      20   0 12804  212  192 S    0  0.0   0:00.04 ossec-execd
 6655 ossec     20   0 14768 1648  368 S    0  0.1   0:01.75 ossec-analysisd
 6659 root      20   0  4528  332  272 S    0  0.0   0:00.11 ossec-logcollec
 6670 root      20   0  5544  188  188 S    0  0.0   0:54.35 ossec-syscheckd
 6674 ossec     20   0 13068  280  228 S    0  0.0   0:00.17 ossec-monitord
 7435 root      20   0  4308  116  116 S    0  0.0   0:00.02 autossh
 7437 root      20   0 43644  468  352 S    0  0.0   0:10.01 ssh
 7475 mysql     20   0 2357m  36m 3468 S    0  1.9  10:27.77 mysqld
 8293 root      20   0  102m   20    4 S    0  0.0   0:00.00 searchd
 8294 root      20   0  377m  18m 8876 S    0  0.9   4:17.95 searchd
 8322 root      20   0 26780   80   60 S    0  0.0   0:00.00 syslog-ng
 8323 root      20   0 76704 2928  868 S    0  0.1   0:37.88 syslog-ng
 9201 root      20   0  4344  100  100 S    0  0.0   0:00.00 tail
12176 root      20   0 36380 1976  992 S    0  0.1   0:08.33 tclsh
12193 root      20   0  7228  412  344 S    0  0.0   0:00.03 tail
14998 root      20   0  4400  188  184 S    0  0.0   0:00.00 sh
14999 root      20   0  293m  17m 1620 S    0  0.9   1:01.04 perl
29685 root      20   0     0    0    0 R    0  0.0   0:00.92 kworker/3:0
31763 root      20   0  215m  320  320 S    0  0.0   0:00.00 PassengerWatchd
31769 root      20   0  288m  492  436 S    0  0.0   0:00.95 PassengerHelper
31771 root      20   0  108m  392  204 S    0  0.0   0:00.07 ruby1.9.1
31776 nobody    20   0  165m  216  188 S    0  0.0   0:00.61 PassengerLoggin
31805 www-data  20   0  176m  364  348 S    0  0.0   0:00.00 /usr/sbin/apach
31806 www-data  20   0  176m  368  352 S    0  0.0   0:00.00 /usr/sbin/apach
31807 www-data  20   0  176m  232  192 S    0  0.0   0:00.19 /usr/sbin/apach
31808 www-data  20   0  176m  368  352 S    0  0.0   0:00.00 /usr/sbin/apach
31809 www-data  20   0  176m  328  312 S    0  0.0   0:00.00 /usr/sbin/apach
33165 root      20   0     0    0    0 S    0  0.0   0:05.15 kworker/0:1
40390 root      20   0     0    0    0 S    0  0.0   0:04.98 kworker/0:4
44342 root      20   0     0    0    0 S    0  0.0   0:00.15 kworker/3:2
45022 root      20   0     0    0    0 S    0  0.0   0:00.13 kworker/1:2
45922 root      20   0  4400  612  508 S    0  0.0   0:00.00 sh
45925 root      20   0  4400  324  220 S    0  0.0   0:00.00 sh
45930 root      20   0  7160  352  276 S    0  0.0   0:00.00 sleep
45995 root      20   0     0    0    0 S    0  0.0   0:00.09 kworker/1:0
46653 root      20   0     0    0    0 S    0  0.0   0:00.03 kworker/3:1
46989 root      20   0     0    0    0 S    0  0.0   0:00.01 kworker/1:1
46991 root      20   0  293m  17m  796 S    0  0.9   0:00.00 perl
46995 root      20   0 77492 3684 2760 S    0  0.2   0:00.02 sshd
47182 support   20   0 77492 1928 1004 S    0  0.1   0:00.00 sshd
47183 support   20   0 26484 7604 1624 S    0  0.4   0:00.23 bash
47281 root      20   0 43300 1872 1388 S    0  0.1   0:00.01 sudo
47282 root      20   0 12316 1472 1248 S    0  0.1   0:00.00 sostat
47587 root      20   0 17336 1296  916 R    0  0.1   0:00.00 top
51511 root      20   0  156m  50m  828 S    0  2.6   0:16.98 barnyard2
51839 root      20   0  156m  50m  816 S    0  2.6   0:17.53 barnyard2
54675 root       0 -20     0    0    0 S    0  0.0   0:00.00 xfsalloc
54676 root       0 -20     0    0    0 S    0  0.0   0:00.00 xfs_mru_cache
54677 root       0 -20     0    0    0 S    0  0.0   0:00.00 xfslogd
54680 root      20   0 21728  244  240 S    0  0.0   0:00.00 udevd
54682 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsIO
54683 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsCommit
54684 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsCommit
54685 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsCommit
54686 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsCommit
54687 root      20   0     0    0    0 S    0  0.0   0:00.00 jfsSync
54706 root      20   0 21728  168  164 S    0  0.0   0:00.00 udevd
58660 root      20   0  156m  51m  824 S    0  2.6   0:39.11 barnyard2
64902 root      20   0  289m  880  880 S    0  0.0   0:00.00 perl
64973 root      20   0  289m  824  820 S    0  0.0   0:00.00 perl
65029 root      20   0  289m  500  496 S    0  0.0   0:00.00 perl
65037 root      20   0  289m  928  828 S    0  0.0   0:00.00 perl
65041 root      20   0  289m  500  496 S    0  0.0   0:00.00 perl
65207 root      20   0  289m  548  496 S    0  0.0   0:00.00 perl
65227 root      20   0  289m  760  692 S    0  0.0   0:00.00 perl
65264 root      20   0  289m  720  692 S    0  0.0   0:00.02 perl
65269 root      20   0  289m  824  820 S    0  0.0   0:00.00 perl
65280 root      20   0  289m  500  496 S    0  0.0   0:00.00 perl



=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/dailylogs/
3.7G    .
12M     ./2013-04-05
43M     ./2013-04-06
46M     ./2013-04-07
74M     ./2013-04-08
3.5G    ./2013-04-09

/nsm/bro/logs/
15M     .
1.4M    ./2013-04-05
2.4M    ./2013-04-06
2.4M    ./2013-04-07
2.6M    ./2013-04-08
2.1M    ./2013-04-09
4.1M    ./stats


=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-3.stats last reported pkt_drop_percent as 0.111


=========================================================================
pf_ring stats
=========================================================================
Appl. Name         : <unknown>
Tot Packets        : 1529208
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : <unknown>
Tot Packets        : 2135537
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : <unknown>
Tot Packets        : 1778635
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 474994
Tot Pkt Lost       : 2665
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 252896
Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 3825944
Tot Pkt Lost       : 751
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
support@ITG-IDS-Sensor01:~$

/casper
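The last two sections of that sostat output are the ones the replies pick up on: Snort's own pkt_drop_percent per instance, and pf_ring's per-socket "Tot Pkt Lost" counters, which show which capture socket is falling behind. As an added example (not code from the post or from Security Onion), the following Python parses both sections in the layout sostat prints them and flags any counter above a threshold. The embedded sample is a shortened copy of the numbers posted above, and the 0.1% threshold is an arbitrary choice for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt in the layout sostat prints. The numbers are copied from the output
# posted above; only the list of pf_ring sockets is shortened.
SOSTAT_SAMPLE = """\
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/ITG-IDS-Sensor01-eth0/snort-3.stats last reported pkt_drop_percent as 0.111


=========================================================================
pf_ring stats
=========================================================================
Appl. Name         : <unknown>
Tot Packets        : 1529208

Tot Pkt Lost       : 0
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 474994
Tot Pkt Lost       : 2665
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
Appl. Name         : snort-cluster-51-socket-0
Tot Packets        : 3825944
Tot Pkt Lost       : 751
TX: Send Errors    : 0
Reflect: Fwd Errors: 0
"""

_SNORT_RE = re.compile(r"/(snort-\d+)\.stats last reported pkt_drop_percent as ([\d.]+)")
_PFRING_RE = re.compile(r"^(Appl\. Name|Tot Packets|Tot Pkt Lost)\s*:\s*(.+?)\s*$")


@dataclass
class PfRingSocket:
    name: str
    packets: int = 0
    lost: int = 0

    def loss_pct(self) -> float:
        # Lost packets as a percentage of the packets the socket counted;
        # good enough as a health indicator.
        return 100.0 * self.lost / self.packets if self.packets else 0.0


def parse_snort_drops(text: str) -> Dict[str, float]:
    """Snort's own pkt_drop_percent per instance, from the *.stats lines."""
    return {m.group(1): float(m.group(2)) for m in _SNORT_RE.finditer(text)}


def parse_pf_ring(text: str) -> List[PfRingSocket]:
    """One record per 'Appl. Name' block; stray blank lines are ignored."""
    sockets: List[PfRingSocket] = []
    for line in text.splitlines():
        m = _PFRING_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Appl. Name":
            sockets.append(PfRingSocket(name=value))
        elif key == "Tot Packets" and sockets:
            sockets[-1].packets = int(value)
        elif key == "Tot Pkt Lost" and sockets:
            sockets[-1].lost = int(value)
    return sockets


def health_report(text: str, threshold_pct: float = 0.1) -> List[str]:
    """Findings for every counter above threshold_pct; an empty list means healthy."""
    findings: List[str] = []
    for inst, pct in parse_snort_drops(text).items():
        if pct > threshold_pct:
            findings.append(f"{inst}: Snort reports {pct:.3f}% of packets dropped")
    for idx, sock in enumerate(parse_pf_ring(text)):
        if sock.loss_pct() > threshold_pct:
            findings.append(
                f"pf_ring socket #{idx} ({sock.name}): {sock.lost} of {sock.packets} "
                f"packets lost ({sock.loss_pct():.3f}%)"
            )
    return findings


if __name__ == "__main__":
    for line in health_report(SOSTAT_SAMPLE) or ["no packet loss above threshold"]:
        print(line)
```

Run it against the real output with `sudo sostat | python3 this_script.py`-style piping once you replace SOSTAT_SAMPLE with sys.stdin.read(); the point is that a 0.1% Snort drop figure and a 0.5% loss on one pf_ring socket show up in the same place, so you can see whether the loss is in Snort or already in the ring before it.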

Doug Burks

Apr 13, 2013, 7:19:52 PM4/13/13
to securit...@googlegroups.com
On Wed, Apr 10, 2013 at 3:59 AM, <offe...@gmail.com> wrote:
> Hi Matt,
>
> I do have a RAM issue, that's for sure, and we will get more. I'm thinking 8 GB more should be enough?

As I mentioned previously, you might want to max out your RAM for a
production sensor.

> Thank you for the heads-up on the packet loss thing. I'm hoping this also may be due to the RAM thing.
>
> Also, I haven't put in my backup filter. We service a hosted online backup solution and I want to filter that out of SO. I'm not sure that would affect the packet loss? I mean, filter or not, the backup traffic would still hit my eth0 and so may affect packet loss in a DoS kind of way, right?

You can use a BPF to tell the sniffing process to ignore traffic from
your backup solution:
https://code.google.com/p/security-onion/wiki/BPF

The less traffic the sniffing processes have to deal with, the less
likely they are to lose packets.

Thanks,

Doug Burks

Apr 14, 2013, 2:04:59 PM4/14/13
to securit...@googlegroups.com
On Sun, Apr 14, 2013 at 1:15 PM, <offe...@gmail.com> wrote:
> I actually thought about doing the filtering in Snort if that can be done. I seem to remember that it can.

Did you read the BPF page I linked to?
https://code.google.com/p/security-onion/wiki/BPF

By default, you set your BPF in one place and it applies to Bro,
Snort, prads, and netsniff-ng.

Heine Lysemose

Apr 24, 2013, 9:45:18 AM4/24/13
to securit...@googlegroups.com
Hi

On Mon, Apr 15, 2013 at 6:18 AM, <offe...@gmail.com> wrote:
> Hi Doug,
>
> I skimmed it, figuring I would give it a closer look tomorrow (today) at work. I'm still green on SO, or at least consider myself to be, and didn't know that what you suggested would also implement in Snort and all the other apps - NICE by the way :)
>
> I'm a little worried about starting to filter traffic. It does open a potential hole in my network for hackers to slip in if I don't do it right, so all I meant by googling was that I would go through the awesome docs here, read up on Google to get as much know-how on this, and then implement it.

If you use BPF filters, you can choose to limit only the pcap capture; you will still see IDS alerts.
You do this by breaking the symlink /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf

But again, you will lose the ability to see the "whole" picture in an investigation.

Regards,
Lysemose

> Thanks
> Casper
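Doug's and Heine's replies together describe the mechanism: one BPF file per sensor interface that all sniffing processes read, and the option of breaking one process's symlink so that only that process is filtered. As an added example, not code from the thread or from Security Onion, the following Python builds the exclusion expression for a backup server and reproduces the symlink layout in a scratch directory so it runs without root. The backup hosts 10.10.10.50/10.10.10.51 and their ports are made up; bpf-pcap.conf is the file named in the thread, while the other per-process names (bpf-ids.conf, bpf-bro.conf, bpf-prads.conf) are from memory of Security Onion 12.04 and should be checked against your own /etc/nsm/$HOSTNAME-$INTERFACE/ directory.

```python
import tempfile
from pathlib import Path
from typing import Iterable, Tuple

# Per-process filter files under /etc/nsm/$HOSTNAME-$INTERFACE/. "pcap" is named
# in the thread; the other three are an assumption (from memory of SO 12.04).
PROCESS_FILES = ("pcap", "ids", "bro", "prads")


def exclusion_bpf(flows: Iterable[Tuple[str, int]]) -> str:
    """Return a BPF expression that drops the given (host, tcp port) flows.

    Each flow stays a parenthesised group and the whole group is negated:
    'not host A and tcp port 443' parses as '(not host A) and (tcp port 443)',
    which would keep only port-443 traffic from everyone else.
    """
    terms = [f"(host {host} and tcp port {port})" for host, port in flows]
    if not terms:
        return ""  # empty filter: capture everything
    body = terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"
    return "not " + body


def write_shared_bpf(sensor_dir: Path, expr: str) -> None:
    """Write bpf.conf and point every per-process file at it (the stock layout)."""
    sensor_dir.mkdir(parents=True, exist_ok=True)
    (sensor_dir / "bpf.conf").write_text(expr + "\n")
    for proc in PROCESS_FILES:
        link = sensor_dir / f"bpf-{proc}.conf"
        if link.is_symlink() or link.exists():
            link.unlink()
        link.symlink_to("bpf.conf")  # relative link, resolves inside sensor_dir


def split_filter(sensor_dir: Path, proc: str, expr: str) -> None:
    """Break one symlink and give that process its own filter (Heine's bpf-pcap.conf trick)."""
    target = sensor_dir / f"bpf-{proc}.conf"
    if target.is_symlink() or target.exists():
        target.unlink()
    target.write_text(expr + "\n")


def effective_filter(sensor_dir: Path, proc: str) -> str:
    """What the named process would read at start-up."""
    return (sensor_dir / f"bpf-{proc}.conf").read_text().strip()


def is_shared(sensor_dir: Path, proc: str) -> bool:
    """True while the process still follows the common bpf.conf."""
    return (sensor_dir / f"bpf-{proc}.conf").is_symlink()


def scratch_sensor_dir(name: str = "ITG-IDS-Sensor01-eth0") -> Path:
    """A throwaway stand-in for /etc/nsm/<name> so nothing touches the real sensor."""
    return Path(tempfile.mkdtemp()) / name


if __name__ == "__main__":
    root = scratch_sensor_dir()
    # Hypothetical backup server: exclude it from every sniffing process...
    write_shared_bpf(root, exclusion_bpf([("10.10.10.50", 443)]))
    # ...but drop a second (hypothetical) host from the full-packet capture only.
    split_filter(root, "pcap", exclusion_bpf([("10.10.10.50", 443), ("10.10.10.51", 22)]))
    for proc in PROCESS_FILES:
        print(f"{proc:5s} shared={is_shared(root, proc)!s:5s} filter={effective_filter(root, proc)!r}")
```

After editing the real files, restart the sensor processes (sudo nsm_sensor_ps-restart) and confirm with tcpdump -nn -i eth0 followed by the same expression that the backup traffic no longer shows up; if tcpdump still prints it, the expression is wrong, not the sensor. Heine's caveat stands: whatever you exclude from the pcap capture is gone for any later investigation, so filter the noisiest known-benign flow only.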