Re: [security-onion] Sguil not launching wireshark


Doug Burks

Jan 16, 2013, 8:17:42 AM
to securit...@googlegroups.com
Hi David,

When sending pcap to Wireshark, the "System Msgs" tab should give you
further details including any available error messages. sostat shows
your pcap_agent as failed and that is the most likely culprit. Please
try this:
sudo nsm_sensor_ps-restart --only-pcap-agent

Thanks,
Doug

On Wed, Jan 16, 2013 at 7:57 AM, nullprocess <drdav...@gmail.com> wrote:
> Hi guys,
>
> When I right-click an Alert ID in sguil and select wireshark, or wireshark (force new), nothing changes on the screen. I was expecting wireshark to launch and load the traffic that generated the alert for analysis. I did a ps to see if wireshark was running in the background but it isn't. Am I missing something?
>
> Here is the sostat if needed:
>
> student@student-desktop:/usr/sbin$ sudo sostat
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: student-desktop-eth1
> * pcap_agent (sguil)[ FAIL ]
> * sancp_agent (sguil)[ OK ]
> * snort_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * snort (alert data)[ OK ]
> * barnyard2 (spooler, unified2 format)[ OK ]
> * sancp (session data)[ OK ]
> * pads (asset info)[ OK ]
> * daemonlogger (full packet data)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> bro standalone localhost running 2828 0 16 Jan 12:18:29
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 00:0c:29:65:f2:17
> inet addr:192.168.2.129 Bcast:192.168.2.255 Mask:255.255.255.0
> inet6 addr: fe80::20c:29ff:fe65:f217/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:166 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:9880 (9.8 KB)
> Interrupt:19 Base address:0x2000
>
> eth1 Link encap:Ethernet HWaddr 00:0c:29:65:f2:21
> inet6 addr: fe80::20c:29ff:fe65:f221/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:19 Base address:0x2080
>
> eth2 Link encap:Ethernet HWaddr 00:0c:29:65:f2:2b
> inet6 addr: fe80::20c:29ff:fe65:f22b/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:16 Base address:0x2400
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:2435 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2435 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:736040 (736.0 KB) TX bytes:736040 (736.0 KB)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 19G 6.4G 12G 36% /
> none 2.0G 284K 2.0G 1% /dev
> none 2.0G 148K 2.0G 1% /dev/shm
> none 2.0G 152K 2.0G 1% /var/run
> none 2.0G 0 2.0G 0% /var/lock
> none 2.0G 0 2.0G 0% /lib/init/rw
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 1100 root 3r IPv4 5496 0t0 TCP *:22 (LISTEN)
> sshd 1100 root 4u IPv6 5507 0t0 TCP *:22 (LISTEN)
> avahi-dae 1129 avahi 13u IPv4 4867 0t0 UDP *:5353
> avahi-dae 1129 avahi 14u IPv4 4868 0t0 UDP *:37261
> mysqld 1819 mysql 10u IPv4 6858 0t0 TCP 127.0.0.1:3306 (LISTEN)
> mysqld 1819 mysql 118u IPv4 9405 0t0 TCP 127.0.0.1:3306->127.0.0.1:46642 (ESTABLISHED)
> ntpd 1946 ntp 16u IPv4 6982 0t0 UDP *:123
> ntpd 1946 ntp 17u IPv6 6983 0t0 UDP *:123
> ntpd 1946 ntp 18u IPv4 6987 0t0 UDP 127.0.0.1:123
> ntpd 1946 ntp 19u IPv4 6988 0t0 UDP 192.168.2.129:123
> ntpd 1946 ntp 20u IPv6 6989 0t0 UDP [::1]:123
> ntpd 1946 ntp 21u IPv6 6990 0t0 UDP [fe80::20c:29ff:fe65:f22b]:123
> ntpd 1946 ntp 22u IPv6 6991 0t0 UDP [fe80::20c:29ff:fe65:f221]:123
> ntpd 1946 ntp 23u IPv6 6992 0t0 UDP [fe80::20c:29ff:fe65:f217]:123
> cupsd 1968 root 6u IPv6 7018 0t0 TCP [::1]:631 (LISTEN)
> cupsd 1968 root 7u IPv4 7019 0t0 TCP 127.0.0.1:631 (LISTEN)
> apache2 2145 root 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2145 root 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2145 root 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> apache2 2225 www-data 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2225 www-data 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2225 www-data 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> apache2 2226 www-data 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2226 www-data 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2226 www-data 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> apache2 2227 www-data 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2227 www-data 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2227 www-data 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> apache2 2228 www-data 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2228 www-data 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2228 www-data 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> apache2 2229 www-data 3u IPv4 7234 0t0 TCP *:443 (LISTEN)
> apache2 2229 www-data 4u IPv4 7236 0t0 TCP *:9876 (LISTEN)
> apache2 2229 www-data 5u IPv4 7289 0t0 TCP *:3000 (LISTEN)
> tclsh 2310 root 14u IPv4 8332 0t0 TCP *:7734 (LISTEN)
> tclsh 2310 root 15u IPv4 8333 0t0 TCP *:7736 (LISTEN)
> tclsh 2310 root 16u IPv4 8596 0t0 TCP 127.0.0.1:7736->127.0.0.1:50746 (ESTABLISHED)
> tclsh 2310 root 17u IPv4 8671 0t0 TCP 127.0.0.1:7736->127.0.0.1:50747 (ESTABLISHED)
> tclsh 2310 root 18u IPv4 9052 0t0 TCP 127.0.0.1:7736->127.0.0.1:50748 (ESTABLISHED)
> tclsh 2310 root 19u IPv4 9302 0t0 TCP 127.0.0.1:7736->127.0.0.1:50749 (ESTABLISHED)
> tclsh 2310 root 20u IPv4 9396 0t0 TCP 127.0.0.1:7736->127.0.0.1:50751 (ESTABLISHED)
> tclsh 2310 root 21u IPv4 14059 0t0 TCP 127.0.0.1:7734->127.0.0.1:56160 (ESTABLISHED)
> tclsh 2365 root 3u IPv4 8595 0t0 TCP 127.0.0.1:50746->127.0.0.1:7736 (ESTABLISHED)
> tclsh 2381 root 3u IPv4 8670 0t0 TCP 127.0.0.1:50747->127.0.0.1:7736 (ESTABLISHED)
> tclsh 2381 root 4u IPv4 8673 0t0 TCP 127.0.0.1:8000 (LISTEN)
> tclsh 2381 root 6u IPv4 9401 0t0 TCP 127.0.0.1:8000->127.0.0.1:59768 (ESTABLISHED)
> barnyard2 2430 root 3u IPv4 9400 0t0 TCP 127.0.0.1:59768->127.0.0.1:8000 (ESTABLISHED)
> barnyard2 2430 root 4u IPv4 9404 0t0 TCP 127.0.0.1:46642->127.0.0.1:3306 (ESTABLISHED)
> tclsh 2486 root 3u IPv4 9051 0t0 TCP 127.0.0.1:50748->127.0.0.1:7736 (ESTABLISHED)
> tclsh 2544 root 3u IPv4 9301 0t0 TCP 127.0.0.1:50749->127.0.0.1:7736 (ESTABLISHED)
> tclsh 2570 root 3u IPv4 9395 0t0 TCP 127.0.0.1:50751->127.0.0.1:7736 (ESTABLISHED)
> bro 2828 root 4u IPv4 10282 0t0 UDP 192.168.2.129:44811->192.168.2.128:53
> bro 2904 root 0u IPv4 10291 0t0 TCP *:47760 (LISTEN)
> bro 2904 root 4u IPv4 10282 0t0 UDP 192.168.2.129:44811->192.168.2.128:53
> wish 3449 student 4r IPv4 14058 0t0 TCP 127.0.0.1:56160->127.0.0.1:7734 (ESTABLISHED)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
> tail: cannot open `/var/log/nsm/pulledpork.log' for reading: No such file or directory
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 12:49:53 up 31 min, 2 users, load average: 1.10, 0.82, 0.71
> Tasks: 166 total, 3 running, 163 sleeping, 0 stopped, 0 zombie
> Cpu(s): 4.4%us, 1.6%sy, 0.0%ni, 91.3%id, 2.5%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 4117988k total, 1785500k used, 2332488k free, 236816k buffers
> Swap: 2975460k total, 0k used, 2975460k free, 839196k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 2828 root 20 0 24876 17m 7632 R 4.0 0.4 1:02.69 bro
> 1242 root 20 0 158m 20m 6376 S 2.0 0.5 0:07.26 Xorg
> 1 root 20 0 2832 1756 1228 S 0.0 0.0 0:00.70 init
> 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
> 3 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
> 4 root 20 0 0 0 0 S 0.0 0.0 0:00.04 ksoftirqd/0
> 5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
> 6 root 20 0 0 0 0 S 0.0 0.0 0:00.04 events/0
> 7 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuset
> 8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khelper
> 9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 netns
> 10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr
> 11 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pm
> 12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 sync_supers
> 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
> 14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kintegrityd/0
> 15 root 20 0 0 0 0 S 0.0 0.0 0:00.06 kblockd/0
> 16 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid
> 17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_notify
> 18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_hotplug
> 19 root 20 0 0 0 0 S 0.0 0.0 0:00.98 ata/0
> 20 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata_aux
> 21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksuspend_usbd
> 22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
> 23 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
> 24 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kmmcd
> 27 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
> 28 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
> 29 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
> 30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 aio/0
> 31 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
> 32 root 20 0 0 0 0 S 0.0 0.0 0:00.00 crypto/0
> 35 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pciehpd
> 37 root 20 0 0 0 0 S 0.0 0.0 0:00.01 scsi_eh_0
> 38 root 20 0 0 0 0 S 0.0 0.0 0:00.46 scsi_eh_1
> 41 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kstriped
> 42 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kmpathd/0
> 43 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kmpath_handlerd
> 44 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksnapd
> 45 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kondemand/0
> 46 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kconservative/0
> 194 root 20 0 0 0 0 S 0.0 0.0 0:00.01 mpt_poll_0
> 196 root 20 0 0 0 0 S 0.0 0.0 0:00.00 mpt/0
> 276 root 20 0 0 0 0 S 0.0 0.0 0:00.00 usbhid_resumer
> 280 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
> 346 root 20 0 0 0 0 S 0.0 0.0 0:00.16 jbd2/sda1-8
> 347 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
> 406 root 20 0 2468 1152 792 S 0.0 0.0 0:00.02 upstart-udev-br
> 408 root 16 -4 2640 1036 336 S 0.0 0.0 0:00.02 udevd
> 643 root 18 -2 2840 1084 284 S 0.0 0.0 0:00.00 udevd
> 644 root 18 -2 2840 1036 236 S 0.0 0.0 0:00.00 udevd
> 686 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
> 928 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kgameportd
> 1100 root 20 0 5572 2152 1736 S 0.0 0.1 0:00.00 sshd
> 1105 messageb 20 0 3216 1472 784 S 0.0 0.0 0:00.06 dbus-daemon
> 1107 syslog 20 0 33532 1496 1036 S 0.0 0.0 0:00.03 rsyslogd
> 1125 root 20 0 9532 4508 3796 S 0.0 0.1 0:00.04 NetworkManager
> 1129 avahi 20 0 2952 1556 1292 S 0.0 0.0 0:00.60 avahi-daemon
> 1131 avahi 20 0 2952 540 316 S 0.0 0.0 0:00.00 avahi-daemon
> 1156 root 20 0 18812 3268 2696 S 0.0 0.1 0:00.02 gdm-binary
> 1171 root 20 0 19576 3136 2272 S 0.0 0.1 0:00.01 console-kit-dae
> 1237 root 20 0 20524 3784 2976 S 0.0 0.1 0:00.00 gdm-simple-slav
> 1272 gdm 20 0 3404 788 524 S 0.0 0.0 0:00.00 dbus-launch
> 1313 root 20 0 0 0 0 S 0.0 0.0 0:00.04 flush-8:0
> 1319 root 20 0 4188 2316 1876 S 0.0 0.1 0:00.01 modem-manager
> 1334 root 20 0 20880 3572 2828 S 0.0 0.1 0:00.03 gdm-session-wor
> 1338 haldaemo 20 0 16536 4128 3300 S 0.0 0.1 0:00.24 hald
> 1339 root 20 0 3556 1276 1068 S 0.0 0.0 0:00.00 hald-runner
> 1533 root 20 0 3632 1232 1060 S 0.0 0.0 0:00.01 hald-addon-inpu
> 1648 root 20 0 4860 1736 1472 S 0.0 0.0 0:00.00 wpa_supplicant
> 1674 root 20 0 3636 1232 1052 S 0.0 0.0 0:00.39 hald-addon-stor
> 1689 root 20 0 3636 1228 1048 S 0.0 0.0 0:00.02 hald-addon-stor
> 1693 haldaemo 20 0 3440 1184 1012 S 0.0 0.0 0:00.00 hald-addon-acpi
> 1696 root 20 0 34380 848 464 S 0.0 0.0 0:00.00 vmware-vmblock-
> 1716 root 20 0 26280 4028 3300 S 0.0 0.1 0:00.86 vmtoolsd
> 1765 root 20 0 1812 560 480 S 0.0 0.0 0:00.03 getty
> 1770 root 20 0 1812 564 484 S 0.0 0.0 0:00.00 getty
> 1782 root 20 0 1812 564 484 S 0.0 0.0 0:00.00 getty
> 1784 root 20 0 1812 560 484 S 0.0 0.0 0:00.00 getty
> 1789 root 20 0 1812 564 484 S 0.0 0.0 0:00.03 getty
> 1794 root 20 0 2068 888 532 S 0.0 0.0 0:00.00 acpid
> 1797 root 20 0 2396 924 732 S 0.0 0.0 0:00.00 cron
> 1798 daemon 20 0 2268 444 304 S 0.0 0.0 0:00.00 atd
> 1819 mysql 20 0 154m 28m 6460 S 0.0 0.7 0:00.88 mysqld
> 1857 ossec 20 0 3032 1612 708 S 0.0 0.0 0:03.11 ossec-analysisd
> 1861 root 20 0 1980 500 388 S 0.0 0.0 0:00.02 ossec-logcollec
> 1874 root 20 0 3024 1880 624 S 0.0 0.0 0:10.44 ossec-syscheckd
> 1879 ossec 20 0 2256 552 408 S 0.0 0.0 0:00.00 ossec-monitord
> 1946 ntp 20 0 4460 1360 1012 S 0.0 0.0 0:00.05 ntpd
> 1968 root 20 0 6884 2908 2188 S 0.0 0.1 0:00.01 cupsd
> 2012 root 20 0 12540 1492 1268 S 0.0 0.0 0:00.02 tpvmlp
> 2145 root 20 0 39740 9024 5272 S 0.0 0.2 0:00.11 apache2
> 2150 root 20 0 4396 1744 1532 S 0.0 0.0 0:00.00 PassengerWatchd
> 2155 root 20 0 15196 2004 1780 S 0.0 0.0 0:00.01 PassengerHelper
> 2158 root 20 0 9980 6588 2220 S 0.0 0.2 0:01.40 ruby
> 2161 nobody 20 0 9600 3128 2568 S 0.0 0.1 0:00.00 PassengerLoggin
> 2213 root 20 0 1812 564 484 S 0.0 0.0 0:00.00 getty
> 2225 www-data 20 0 39740 4448 680 S 0.0 0.1 0:00.00 apache2
> 2226 www-data 20 0 39740 4448 680 S 0.0 0.1 0:00.00 apache2
> 2227 www-data 20 0 39740 4460 692 S 0.0 0.1 0:00.00 apache2
> 2228 www-data 20 0 39740 4448 680 S 0.0 0.1 0:00.00 apache2
> 2229 www-data 20 0 39740 4448 680 S 0.0 0.1 0:00.00 apache2
> 2310 root 20 0 10736 6780 3288 S 0.0 0.2 0:00.23 tclsh
> 2313 root 20 0 8784 2980 1104 S 0.0 0.1 0:00.04 tclsh
> 2314 root 20 0 8784 2648 788 S 0.0 0.1 0:00.00 tclsh
> 2365 root 20 0 6196 4160 2596 S 0.0 0.1 0:00.11 tclsh
> 2381 root 20 0 5548 3456 2584 S 0.0 0.1 0:00.01 tclsh
> 2383 root 20 0 1816 504 428 S 0.0 0.0 0:00.02 tail
> 2414 sguil 20 0 560m 304m 134m S 0.0 7.6 0:10.04 snort
> 2430 root 20 0 14564 8920 1788 S 0.0 0.2 0:03.97 barnyard2
> 2446 sguil 20 0 7744 5592 5192 S 0.0 0.1 0:00.05 sancp
> 2470 sguil 20 0 7340 5996 4948 S 0.0 0.1 0:00.08 pads
> 2486 root 20 0 5468 3404 2568 S 0.0 0.1 0:00.01 tclsh
> 2488 root 20 0 1812 432 364 S 0.0 0.0 0:00.00 cat
> 2504 sguil 20 0 6224 4924 4780 S 0.0 0.1 0:00.04 daemonlogger
> 2523 sguil 20 0 35088 7880 3144 S 0.0 0.2 0:00.42 argus
> 2544 root 20 0 5548 3428 2564 S 0.0 0.1 0:00.02 tclsh
> 2546 root 20 0 1812 548 480 S 0.0 0.0 0:00.04 tail
> 2570 root 20 0 6752 4452 2400 S 0.0 0.1 0:00.02 tclsh
> 2571 root 20 0 1816 492 428 S 0.0 0.0 0:00.02 tail
> 2649 root 20 0 2968 1388 1172 S 0.0 0.0 0:00.00 bash
> 2904 root 25 5 24684 14m 4528 R 0.0 0.4 0:26.75 bro
> 2964 www-data 20 0 75232 61m 3396 S 0.0 1.5 0:04.07 ruby
> 2967 root 20 0 4460 812 460 S 0.0 0.0 0:00.00 ntpd
> 3154 student 20 0 24004 2528 2080 S 0.0 0.1 0:00.00 gnome-keyring-d
> 3172 student 20 0 1852 576 492 S 0.0 0.0 0:00.01 sh
> 3201 student 20 0 3304 352 144 S 0.0 0.0 0:00.00 ssh-agent
> 3204 student 20 0 3404 780 516 S 0.0 0.0 0:00.00 dbus-launch
> 3205 student 20 0 2952 1116 680 S 0.0 0.0 0:00.03 dbus-daemon
> 3216 student 20 0 4748 2156 1680 S 0.0 0.1 0:00.22 xscreensaver
> 3220 student 20 0 26796 7068 5644 S 0.0 0.2 0:00.10 xfce4-session
> 3222 student 20 0 3876 1980 1684 S 0.0 0.0 0:00.00 xfconfd
> 3228 student 20 0 16508 3340 2308 S 0.0 0.1 0:00.00 xfsettingsd
> 3229 student 20 0 6524 3132 2224 S 0.0 0.1 0:00.01 gconfd-2
> 3231 student 20 0 19436 9212 7608 S 0.0 0.2 0:00.25 xfwm4
> 3232 student 20 0 41540 10m 8852 S 0.0 0.3 0:00.07 Thunar
> 3234 student 20 0 3088 1272 1080 S 0.0 0.0 0:00.00 gam_server
> 3235 student 20 0 69608 15m 11m S 0.0 0.4 0:00.55 xfdesktop
> 3237 student 20 0 32732 11m 9060 S 0.0 0.3 0:00.71 xfce4-panel
> 3239 student 20 0 17340 3504 2332 S 0.0 0.1 0:00.01 xfce4-power-man
> 3240 student 20 0 19516 4316 2884 S 0.0 0.1 0:00.07 xfce4-settings-
> 3241 student 20 0 34164 13m 9532 S 0.0 0.3 0:00.75 xfce4-menu-plug
> 3242 student 20 0 32264 10m 8288 S 0.0 0.3 0:00.04 xfce4-places-pl
> 3248 student 20 0 6404 2232 1888 S 0.0 0.1 0:00.00 gvfsd
> 3251 student 20 0 258m 10m 8316 S 0.0 0.3 0:00.04 xfce4-mixer-plu
> 3254 student 9 -11 94172 4420 3356 S 0.0 0.1 0:00.11 pulseaudio
> 3256 rtkit 21 1 22928 1220 1028 S 0.0 0.0 0:00.01 rtkit-daemon
> 3260 root 20 0 6160 3728 2952 S 0.0 0.1 0:00.04 polkitd
> 3335 student 20 0 18320 6008 4884 S 0.0 0.1 0:00.01 polkit-gnome-au
> 3341 student 20 0 39316 13m 11m S 0.0 0.3 0:01.02 vmtoolsd
> 3343 student 20 0 43296 10m 8036 S 0.0 0.2 0:00.04 nm-applet
> 3347 student 20 0 31984 10m 8624 S 0.0 0.3 0:00.06 update-notifier
> 3360 root 20 0 5344 2820 2352 S 0.0 0.1 0:00.01 udisks-daemon
> 3363 student 20 0 31404 14m 8688 S 0.0 0.4 0:00.07 python
> 3364 root 20 0 5208 872 596 S 0.0 0.0 0:00.21 udisks-daemon
> 3373 student 20 0 41564 11m 9000 S 0.0 0.3 0:00.88 xfce4-terminal
> 3374 student 20 0 246m 6312 4524 S 0.0 0.2 0:00.01 xfce4-volumed
> 3387 student 20 0 17672 6352 5160 S 0.0 0.2 0:00.01 notify-osd
> 3389 student 20 0 2008 712 588 S 0.0 0.0 0:00.00 gnome-pty-helpe
> 3390 student 20 0 6544 3900 1556 S 0.0 0.1 0:00.14 bash
> 3449 student 20 0 20460 16m 5676 S 0.0 0.4 0:02.34 wish
> 3751 student 20 0 7636 3144 2588 S 0.0 0.1 0:00.01 gvfs-gdu-volume
> 3753 student 20 0 7280 2392 1968 S 0.0 0.1 0:00.00 gvfs-gphoto2-vo
> 3755 student 20 0 16980 2388 1992 S 0.0 0.1 0:00.03 gvfs-afc-volume
> 6073 root 20 0 4240 1384 1180 S 0.0 0.0 0:00.00 sostat
> 6252 root 20 0 2564 1104 812 R 0.0 0.0 0:00.00 top
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/student-desktop-eth1/dailylogs/
> 97M .
> 84K ./2012-12-03
> 89M ./2012-12-04
> 3.2M ./2012-12-07
> 1.9M ./2012-12-10
> 704K ./2012-12-14
> 468K ./2012-12-17
> 156K ./2012-12-22
> 12K ./2012-12-27
> 16K ./2012-12-28
> 4.0K ./2013-01-02
> 1.2M ./2013-01-15
> 4.0K ./2013-01-16
>
> /nsm/bro/logs/
> 5.2M .
> 56K ./2012-12-03
> 3.5M ./2012-12-04
> 272K ./2012-12-07
> 112K ./2012-12-10
> 180K ./2012-12-14
> 60K ./2012-12-17
> 172K ./2012-12-22
> 8.0K ./2012-12-23
> 80K ./2012-12-27
> 136K ./2012-12-28
> 16K ./2013-01-02
> 72K ./2013-01-15
> 252K ./2013-01-16
> 308K ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> /nsm/sensor_data/student-desktop-eth1/snort.stats last reported pkt_drop_percent as 0.000
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> +----------+
> | COUNT(*) |
> +----------+
> | 594 |
> +----------+
>
> =========================================================================
> Snorby Events Summary for yesterday
> =========================================================================
> +-------+
> | Total |
> +-------+
> | 0 |
> +-------+
>
> =========================================================================
> Top 50 All Time Snorby Events
> =========================================================================
> +--------+-------------+---------------------------------------------------------------------------+
> | Totals | SignatureID | SignatureName |
> +--------+-------------+---------------------------------------------------------------------------+
> | 7405 | 15 | stream5: Reset outside window |
> | 4894 | 3 | http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE |
> | 1720 | 17335 | SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder |
> | 1415 | 2100366 | GPL ICMP_INFO PING *NIX |
> | 1410 | 12 | stream5: TCP Small Segment Threshold Exceeded |
> | 1308 | 2101390 | GPL SHELLCODE x86 inc ebx NOOP |
> | 1129 | 2100368 | GPL ICMP_INFO PING BSDtype |
> | 1031 | 648 | GPL SHELLCODE x86 NOOP |
> | 269 | 17775 | SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected |
> | 233 | 14 | stream5: TCP Timestamp is missing |
> | 216 | 5 | stream5: Bad segment, overlap adjusted size less than/equal 0 |
> | 184 | 2102003 | GPL SQL Slammer Worm propagation attempt |
> | 92 | 17336 | SHELLCODE x86 OS agnostic call geteip byte xor decoder |
> | 81 | 2010935 | ET POLICY Suspicious inbound to MSSQL port 1433 |
> | 68 | 2102923 | GPL NETBIOS SMB repeated logon failure |
> | 56 | 2003869 | ET SCAN ProxyReconBot CONNECT method to Mail |
> | 45 | 4 | stream5: TCP Timestamp is outside of PAWS window |
> | 43 | 2101201 | GPL WEB_SERVER 403 Forbidden |
> | 36 | 8 | http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE |
> | 16 | 2012086 | ET SHELLCODE Possible Call with No Offset TCP Shellcode |
> | 16 | 2101243 | GPL EXPLOIT ISAPI .ida attempt |
> | 12 | 2002667 | ET WEB_SERVER sumthin scan |
> | 7 | 2013031 | ET POLICY Python-urllib/ Suspicious User Agent |
> | 6 | 2009358 | ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) |
> | 5 | 2100598 | GPL RPC portmap listing TCP 111 |
> | 4 | 2011031 | ET SCAN HTTP GET invalid method case |
> | 4 | 2406461 | ET RBN Known Russian Business Network IP UDP (231) |
> | 4 | 2406460 | ET RBN Known Russian Business Network IP TCP (231) |
> | 4 | 2007802 | ET SCAN Grim's Ping ftp scanning tool |
> | 4 | 2003410 | ET POLICY FTP Login Successful |
> | 4 | 2002024 | ET CHAT IRC NICK command |
> | 4 | 2002023 | ET CHAT IRC USER command |
> | 4 | 5 | sensitive_data: sensitive data - eMail addresses |
> | 4 | 2102586 | GPL P2P eDonkey transfer |
> | 4 | 2013028 | ET POLICY curl User-Agent Outbound |
> | 2 | 2002911 | ET SCAN Potential VNC Scan 5900-5920 |
> | 2 | 10127 | DOS Microsoft IP Options denial of service |
> | 2 | 7 | stream5: Limit on number of overlapping TCP packets reached |
> | 2 | 17344 | SHELLCODE x86 OS agnostic xor dword decoder |
> | 1 | 2002993 | ET SCAN Rapid POP3S Connections - Possible Brute Force Attack |
> | 1 | 2010937 | ET POLICY Suspicious inbound to mySQL port 3306 |
> | 1 | 2010939 | ET POLICY Suspicious inbound to PostgreSQL port 5432 |
> | 1 | 2002910 | ET SCAN Potential VNC Scan 5800-5820 |
> | 1 | 2010936 | ET POLICY Suspicious inbound to Oracle SQL port 1521 |
> | 1 | 3 | stream5: Data sent on stream not accepting data |
> | 1 | 2009949 | ET WEB_SERVER Tilde in URI, potential .pl source disclosure vulnerability |
> +--------+-------------+---------------------------------------------------------------------------+
> +-------+
> | Total |
> +-------+
> | 21752 |
> +-------+
> student@student-desktop:/usr/sbin$
>



--
Doug Burks
http://securityonion.blogspot.com
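An added example, not code from this thread or from the Security Onion project: a small POSIX shell snippet that parses the Service Status block of sostat output (a constructed sample, trimmed from the post above) and prints the matching restart command for every Sguil agent reported as FAIL. It assumes that nsm_sensor_ps-restart accepts a --only-<agent-name-with-dashes> flag for each of the "(sguil)" agent lines, generalising from the --only-pcap-agent flag shown in the reply; that flag is the only one the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project).
# Parse sostat's "Service Status" block and print a restart command for each
# Sguil agent marked FAIL. Assumption: nsm_sensor_ps-restart accepts
# --only-<name>-agent for every "(sguil)" agent line, generalising from the
# --only-pcap-agent flag suggested above; only that one flag is confirmed.

# Constructed sample: the Service Status block from the post, trimmed.
SAMPLE_SOSTAT='Status: securityonion
* sguil server[ OK ]
Status: student-desktop-eth1
* pcap_agent (sguil)[ FAIL ]
* sancp_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* snort (alert data)[ OK ]
* daemonlogger (full packet data)[ OK ]'

# failed_agents OUTPUT: print the name of each "(sguil)" agent whose status
# cell reads FAIL, one per line (the cell may be padded with spaces).
failed_agents() {
    printf '%s\n' "$1" | awk '
        /^\* [A-Za-z0-9_]+ \(sguil\)/ && /\[ *FAIL *\]/ { print $2 }
    '
}

# only_flag AGENT: map pcap_agent -> --only-pcap-agent (underscore to dash).
only_flag() {
    printf '%s\n' "--only-$(printf '%s' "$1" | tr '_' '-')"
}

# restart_commands OUTPUT: one "sudo nsm_sensor_ps-restart --only-..." line
# per failed agent. It only prints the commands; nothing is executed.
restart_commands() {
    failed_agents "$1" | while IFS= read -r agent; do
        printf 'sudo nsm_sensor_ps-restart %s\n' "$(only_flag "$agent")"
    done
}

restart_commands "$SAMPLE_SOSTAT"
```

On a live sensor, feed it the real output (`restart_commands "$(sudo sostat)"`) and review the printed commands before running any of them; if an agent fails again after the restart, the error text in Sguil's "System Msgs" tab is the next thing to read, as the reply above says.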

Doug Burks

Jan 16, 2013, 8:19:37 AM
to securit...@googlegroups.com
Also, based on your sostat output, it looks like you're running the
old version of Security Onion based on Ubuntu 10.04. I'd recommend
upgrading to the new Security Onion 12.04 as it has much better
performance and many bug fixes.

http://securityonion.blogspot.com/2012/12/security-onion-1204-is-now-available.html

Doug