No Events In Squert


William E. Smith, Jr.

Oct 6, 2015, 12:42:03 PM
to security-onion
Hi,

Very new to SO. I have a fresh install of SO using the 12.04.5.3 ISO. Install and setup were pretty straightforward. Using Sguil remotely on a hackintosh via Xquartz 2.7.7.

Using Snorby via the web interface, getting comfortable with that and I just read that Snorby is going away. Oh well. So I'm looking at Squert via the web interface and there are no events showing there. sostat seems to report nothing wrong. I did a quick search of the group but didn't see anything that helped. Can someone steer me in the right direction?

Of course I have 400 other questions. Is it only appropriate to ask 1 question per post?

Thanks,
William.

PS This is a test run to get familiar with SO before deploying on new hardware in several medical offices of which I am the IT admin. I recently had a domain account associated with a Xerox Workcenter (for storing scans) compromised. Management has now budgeted for my hardware request. Not much, but enough for me to move forward with SO.

Will.

Heine Lysemose

Oct 6, 2015, 1:17:25 PM
to securit...@googlegroups.com

Hi

Welcome to the list.

First of all, remember to read all about SecurityOnion on the github wiki page, https://github.com/Security-Onion-Solutions/security-onion/wiki; this is really a great resource.

It's okay to send multiple questions as long as they are within the subject of the mail. Otherwise just send another mail, it's free... :)

Please send the output of sudo sostat-redacted, so we can have a look at your system.

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

William E. Smith, Jr.

Oct 6, 2015, 2:52:24 PM
to security-onion
Thank You Very Much.

Here is the redacted SO Status output...

The web interface does not allow me to attach a file (the attach file link does nothing for me), so I will just paste it here. Seems messy. I hope it's not too obtrusive...



=========================================================================
Service Status
=========================================================================
Status: securitySO-server
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
bro standalone localhost running 3944 0 06 Oct 14:54:38
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* argus[ OK ]
* http_agent (SO-user)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:496128 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:190036776 (190.0 MB) TX bytes:90 (90.0 B)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43655 errors:588 dropped:0 overruns:588 frame:0
TX packets:32836 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5271358 (5.2 MB) TX bytes:12118458 (12.1 MB)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:45429 errors:0 dropped:0 overruns:0 frame:0
TX packets:45429 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11145901 (11.1 MB) TX bytes:11145901 (11.1 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
11145901 45429 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
11145901 45429 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
190036776 496128 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
90 1 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
5271358 43655 588 0 0 342
RX errors: length crc frame fifo missed
0 0 0 588 0
TX: bytes packets errors dropped carrier collsns
12118458 32836 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 228G 24G 193G 11% /
udev 955M 4.0K 955M 1% /dev
tmpfs 194M 872K 193M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 969M 60K 969M 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1425 avahi 12u IPv4 9083 0t0 UDP *:5353
avahi-dae 1425 avahi 13u IPv6 9084 0t0 UDP *:5353
avahi-dae 1425 avahi 14u IPv4 9085 0t0 UDP *:40484
avahi-dae 1425 avahi 15u IPv6 9086 0t0 UDP *:38725
cupsd 1427 root 8u IPv6 10719 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1427 root 9u IPv4 10720 0t0 TCP X.X.X.X:631 (LISTEN)
dhclient3 1444 root 6u IPv4 8956 0t0 UDP *:68
sshd 1503 root 3u IPv4 11283 0t0 TCP *:ssh_port (LISTEN)
sshd 1503 root 4u IPv6 11285 0t0 TCP *:ssh_port (LISTEN)
syslog-ng 1646 root 10u IPv4 10777 0t0 TCP *:514 (LISTEN)
syslog-ng 1646 root 11u IPv4 10778 0t0 UDP *:514
mysqld 1711 mysql 10u IPv4 12146 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1711 mysql 220u IPv4 26226 0t0 TCP X.X.X.X:3306->X.X.X.X:44856 (ESTABLISHED)
searchd 1836 sphinxsearch 7u IPv4 10873 0t0 TCP *:9306 (LISTEN)
searchd 1836 sphinxsearch 8u IPv4 10874 0t0 TCP *:9312 (LISTEN)
ntpd 2203 ntp 16u IPv4 12719 0t0 UDP *:123
ntpd 2203 ntp 17u IPv6 12720 0t0 UDP *:123
ntpd 2203 ntp 18u IPv4 12726 0t0 UDP X.X.X.X:123
ntpd 2203 ntp 19u IPv4 12727 0t0 UDP X.X.X.X:123
ntpd 2203 ntp 20u IPv6 12728 0t0 UDP [X.X.X.X]:123
ntpd 2203 ntp 21u IPv6 12729 0t0 UDP [X.X.X.X]:123
/usr/sbin 2217 root 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 2217 root 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2217 root 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2217 root 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
tclsh 3362 SO-user 13u IPv4 17163 0t0 TCP *:7734 (LISTEN)
tclsh 3362 SO-user 14u IPv4 17164 0t0 TCP *:7736 (LISTEN)
tclsh 3362 SO-user 15u IPv4 21614 0t0 TCP X.X.X.X:7736->X.X.X.X:39178 (ESTABLISHED)
tclsh 3362 SO-user 16u IPv4 20806 0t0 TCP X.X.X.X:7736->X.X.X.X:39179 (ESTABLISHED)
tclsh 3362 SO-user 17u IPv4 20881 0t0 TCP X.X.X.X:7736->X.X.X.X:39180 (ESTABLISHED)
tclsh 3362 SO-user 18u IPv4 21174 0t0 TCP X.X.X.X:7736->X.X.X.X:39181 (ESTABLISHED)
tclsh 3362 SO-user 19u IPv4 21263 0t0 TCP X.X.X.X:7736->X.X.X.X:39183 (ESTABLISHED)
tclsh 3362 SO-user 20u IPv4 22282 0t0 TCP X.X.X.X:7736->X.X.X.X:39184 (ESTABLISHED)
tclsh 3453 SO-user 3u IPv4 20880 0t0 TCP X.X.X.X:39180->X.X.X.X:7736 (ESTABLISHED)
bro 3944 SO-user 4u IPv4 18813 0t0 UDP X.X.X.X:39191->X.X.X.X:53
bro 4059 SO-user 0u IPv4 19937 0t0 TCP *:47760 (LISTEN)
bro 4059 SO-user 1u IPv6 19938 0t0 TCP *:47760 (LISTEN)
bro 4059 SO-user 4u IPv4 18813 0t0 UDP X.X.X.X:39191->X.X.X.X:53
tclsh 4348 SO-user 3u IPv4 21613 0t0 TCP X.X.X.X:39178->X.X.X.X:7736 (ESTABLISHED)
tclsh 4407 SO-user 3u IPv4 20805 0t0 TCP X.X.X.X:39179->X.X.X.X:7736 (ESTABLISHED)
tclsh 4407 SO-user 4u IPv4 20807 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 4407 SO-user 6u IPv4 25068 0t0 TCP X.X.X.X:8001->X.X.X.X:50960 (ESTABLISHED)
barnyard2 4520 SO-user 3u IPv4 26222 0t0 TCP X.X.X.X:50960->X.X.X.X:8001 (ESTABLISHED)
barnyard2 4520 SO-user 4u IPv4 26225 0t0 TCP X.X.X.X:44856->X.X.X.X:3306 (ESTABLISHED)
tclsh 4584 SO-user 3u IPv4 21173 0t0 TCP X.X.X.X:39181->X.X.X.X:7736 (ESTABLISHED)
tclsh 4612 SO-user 3u IPv4 21262 0t0 TCP X.X.X.X:39183->X.X.X.X:7736 (ESTABLISHED)
tclsh 4656 SO-user 3u IPv4 22281 0t0 TCP X.X.X.X:39184->X.X.X.X:7736 (ESTABLISHED)
sshd 8954 root 3u IPv4 1310865 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56279 (ESTABLISHED)
sshd 9134 SO-user 3u IPv4 1310865 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:56279 (ESTABLISHED)
sshd 9134 SO-user 9u IPv6 1312182 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 9134 SO-user 10u IPv4 1312183 0t0 TCP X.X.X.X:6010 (LISTEN)
/usr/sbin 9140 www-data 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 9140 www-data 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 9140 www-data 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 9140 www-data 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
/usr/sbin 10357 www-data 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 10357 www-data 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10357 www-data 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10357 www-data 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
/usr/sbin 12132 www-data 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 12132 www-data 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12132 www-data 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12132 www-data 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
/usr/sbin 12642 www-data 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 12642 www-data 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12642 www-data 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12642 www-data 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
/usr/sbin 12897 www-data 4u IPv4 13390 0t0 TCP *:443 (LISTEN)
/usr/sbin 12897 www-data 5u IPv4 13393 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12897 www-data 6u IPv4 13395 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12897 www-data 7u IPv4 13399 0t0 TCP *:444 (LISTEN)
ruby1.9.1 25098 www-data 12u IPv4 147963 0t0 TCP X.X.X.X:37016 (LISTEN)
ossec-csy 26959 ossecm 5u IPv4 879579 0t0 UDP X.X.X.X:58969->X.X.X.X:514
ossec-rem 26979 ossecr 4u IPv4 880734 0t0 UDP *:1514

=========================================================================
IDS Rules Update
=========================================================================
Tue Oct 6 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 30 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 40 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------26
Deleted:---10
Enabled Rules:----18354
Dropped Rules:----0
Disabled Rules:---4127
Total Rules:------22481
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Updating Snorby's sig_reference table...done.
Restarting Barnyard2.
Restarting: SO-server-eth0
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth0
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.26 0.37 0.47
Processing units: 2
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 18:28:39 up 3:35, 1 user, load average: 0.26, 0.37, 0.47
Tasks: 174 total, 1 running, 171 sleeping, 0 stopped, 2 zombie
Cpu(s): 14.1%us, 9.0%sy, 0.1%ni, 74.2%id, 2.6%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1984036k total, 1809884k used, 174152k free, 29556k buffers
Swap: 3021580k total, 151288k used, 2870292k free, 289912k cached

%CPU %MEM COMMAND
26.8 4.8 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
1.3 4.9 Rack: /opt/snorby
1.0 3.6 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo-1 -i 1 -U
0.8 18.5 snort -c /etc/nsm/SO-server-eth0/snort.conf -u SO-user -g SO-user -i eth0 -F /etc/nsm/SO-server-eth0/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth0/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth0/snort-1.stats -U
0.7 0.1 /var/ossec/bin/ossec-syscheckd
0.6 0.1 tmux -2 -f /usr/share/byobu/profiles/tmuxrc new-session /usr/bin/byobu-shell
0.4 4.9 delayed_job
0.4 4.4 /usr/sbin/mysqld
0.3 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.2 0.1 /var/ossec/bin/ossec-analysisd
0.2 13.2 /usr/bin/searchd --nodetach
0.2 0.1 /usr/sbin/lightdm-gtk-greeter
0.2 0.0 PassengerHelperAgent
0.2 0.4 -bash
0.1 0.1 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.1 0.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.1 0.4 argus -i eth0 -F /etc/nsm/SO-server-eth0/argus.conf -w /nsm/sensor_data/SO-server-eth0/argus/2015-10-06.log
0.0 3.4 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2015-10-06/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB -c
0.0 0.2 /bin/bash
0.0 0.0 [rcu_sched]
0.0 0.0 [kworker/0:2]
0.0 0.4 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.2 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.0 [kworker/0:0]
0.0 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/1]
0.0 0.3 prads -i eth0 -c /etc/nsm/SO-server-eth0/prads.conf -u SO-user -g SO-user -L /nsm/sensor_data/SO-server-eth0/sancp/ -f /nsm/sensor_data/SO-server-eth0/pads.fifo -b ip or (vlan and ip)
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/1:2]
0.0 1.5 /usr/sbin/apache2 -k start
0.0 0.1 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth0/http_agent.conf -e /etc/nsm/SO-server-eth0/http_agent.exclude -f /nsm/bro/logs/current/http.log
0.0 0.1 sshd: SO-user@pts/0
0.0 0.0 [jbd2/sda1-8]
0.0 0.2 sshd: SO-user [priv]
0.0 0.0 /sbin/init
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kswapd0]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 [khugepaged]
0.0 0.0 [/usr/sbin/apach] <defunct>
0.0 0.0 [kworker/u4:2]
0.0 0.0 [migration/0]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [migration/1]
0.0 0.0 [kworker/u5:1]
0.0 0.0 [kworker/u4:0]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/u4:1]
0.0 0.0 [tcpdump] <defunct>
0.0 0.0 [ksoftirqd/1]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /var/ossec/bin/ossec-remoted
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 cron
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.2 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.1 /usr/lib/upower/upowerd
0.0 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.3 Passenger spawn server
0.0 0.1 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth0/pads_agent.conf
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 tail -n 0 -F /nsm/bro/logs/current/http.log
0.0 0.0 PassengerLoggingAgent
0.0 0.0 [kworker/u5:0]
0.0 0.0 lightdm
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 3.4 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [scsi_eh_0]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kthreadd]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [writeback]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [khungtaskd]
0.0 0.0 [ksmd]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [edac-poller]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [hd-audio0]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp/dhclient.eth1.leases -1 eth1
0.0 0.0 [krfcommd]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 atd
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 PassengerWatchdog
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securitySO-server/SO-userd.conf -a /etc/nsm/securitySO-server/autocat.conf -g /etc/nsm/securitySO-server/SO-userd.queries -A /etc/nsm/securitySO-server/SO-userd.access -C /etc/nsm/securitySO-server/certs
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth0/pads_agent.conf
0.0 0.0 cat /nsm/sensor_data/SO-server-eth0/pads.fifo
0.0 0.0 su - SO-user -- /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth0/http_agent.conf -e /etc/nsm/SO-server-eth0/http_agent.exclude -f /nsm/bro/logs/current/http.log
0.0 0.0 [kworker/1:0]
0.0 1.6 /usr/sbin/apache2 -k start
0.0 0.0 tmux -2 -f /usr/share/byobu/profiles/tmuxrc new-session /usr/bin/byobu-shell
0.0 0.0 sh -c /usr/bin/byobu-shell
0.0 1.6 /usr/sbin/apache2 -k start
0.0 1.5 /usr/sbin/apache2 -k start
0.0 1.5 /usr/sbin/apache2 -k start
0.0 0.0 [kworker/1:1]
0.0 1.5 /usr/sbin/apache2 -k start
0.0 0.1 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-monitord

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 11419

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 2 days
18G .
9.9G ./2015-10-05
8.0G ./2015-10-06

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 2 days
9.3M .
5.7M ./2015-10-05
3.2M ./2015-10-06
492K ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

bro: 1444156120.474641 recvd=493310 dropped=0 link=493310

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 2

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/3944-eth0.1
Appl. Name : <unknown>
Tot Packets : 493347
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/4468-eth0.3
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 483861
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4069

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
842

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
118 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
60 1:2016141 ET INFO Exectuable Download from dotted-quad Host
36 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
30 1:2000419 ET POLICY PE EXE or DLL Windows file download
21 1:2012648 ET POLICY Dropbox Client Broadcasting
15 10000:1 PADS New Asset - unknown @https
15 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
12 1:2014520 ET INFO EXE - Served Attached HTTP
12 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
12 1:2014819 ET INFO Packed Executable Download
8 10000:1 PADS New Asset - unknown @www
8 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
7 10000:1 PADS New Asset - unknown @ntp
7 1:2017398 ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection
6 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
6 1:2100498 GPL ATTACK_RESPONSE id check returned root
4 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
3 10000:1 PADS New Asset - unknown @imaps
3 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
3 10000:1 PADS New Asset - unknown @domain
3 10000:2 PADS Changed Asset - smb Windows SMB
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 10000:2 PADS Changed Asset - ssh OpenSSH 5.9p1 (Protocol 2.0)
2 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2 10000:1 PADS New Asset - http AppleTV2,1/7.1.2 (11D258)
2 1:2016847 ET INFO Possible Chrome Plugin install
2 10000:1 PADS New Asset - ssl SSL 2.0 Client Hello
2 10000:1 PADS New Asset - http WSDAPI
2 1:2013028 ET POLICY curl User-Agent Outbound
2 10000:1 PADS New Asset - http 494/6.2.6124 CFNetwork/711.5.6 Darwin/14.0.0
2 10000:1 PADS New Asset - http SXL/3.1
2 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.89 Mobile/12H321 Safari/600.1.4
2 1:2017926 ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check
1 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H321
1 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
1 10000:1 PADS New Asset - http curl/7.22.0 (x86_64-pc-linux (gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/X.X.X.X libidn/1.23 librtmp/2.3)
1 10000:1 PADS New Asset - http ooTunes/4.0.2 CFNetwork/711.5.6 Darwin/14.0.0
1 10000:1 PADS New Asset - smb Windows SMB
1 10000:1 PADS New Asset - unknown @microsoft-ds
1 10000:2 PADS Changed Asset - ssh OpenSSH 6.2 (Protocol 2.0)
1 10000:2 PADS Changed Asset - http Ruby
1 1:2014726 ET POLICY Outdated Windows Flash Version IE
1 10000:2 PADS Changed Asset - domain DNS SQR No Error
1 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
1 10000:2 PADS Changed Asset - http Debian/4.0, UPnP/1.0, MiniUPnPc/1.2
1 10000:1 PADS New Asset - http Server: httpd
1 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 10000:1 PADS New Asset - http mbam - consumer_licensed (Scheduler) - base:2.1.8.1057 ( rules:v2015.10.04.04 swissarmy:v2015.10.02.01 actions:v2015.09.30.01 domains:v2015.10.04.02 ips:v2015.10.04.01 akadomains:v2015.09.11.02 akaips:v2015.09.11.02)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
1 10000:1 PADS New Asset - ssh OpenSSH 6.2 (Protocol 2.0)
1 10000:1 PADS New Asset - http AppleCoreMedia/1.0.0.12H321 (iPhone; U; CPU OS 8_4_1 like Mac OS X; en_us)
1 10000:2 PADS Changed Asset - http mbam - consumer_licensed (Scheduler) - base:2.1.8.1057 ( rules:v2015.10.05.05 swissarmy:v2015.10.02.01 actions:v2015.09.30.01 domains:v2015.10.05.05 ips:v2015.10.04.01 akadomains:v2015.09.11.02 akaips:v2015.09.11.02)
1 10000:1 PADS New Asset - http Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
1 10000:1 PADS New Asset - unknown @ftp
1 10000:1 PADS New Asset - http Microsoft-Windows/6.1 UPnP/1.0 Windows-Media-Player (DMS/12.0.7601.17514 DLNADOC/1.50)
1 10000:1 PADS New Asset - http CFNetwork MooTunes, get your Mootunes! CFNetwork
1 10000:2 PADS Changed Asset - unknown @www
1 10000:2 PADS Changed Asset - unknown @microsoft-ds
1 10000:2 PADS Changed Asset - unknown @imaps
1 10000:1 PADS New Asset - dns TCP DNS Server
1 10000:1 PADS New Asset - http Windows-Update (Agent)
1 1:2019102 ET DOS Possible SSDP Amplification Scan in Progress
Total
444

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
303 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
60 1:2016141 ET INFO Exectuable Download from dotted-quad Host
41 1:2012648 ET POLICY Dropbox Client Broadcasting
36 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
30 1:2000419 ET POLICY PE EXE or DLL Windows file download
20 10000:1 PADS New Asset - unknown @https
15 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
15 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
13 1:2017398 ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection
12 1:2014819 ET INFO Packed Executable Download
12 1:2014520 ET INFO EXE - Served Attached HTTP
11 1:2100498 GPL ATTACK_RESPONSE id check returned root
10 10000:1 PADS New Asset - unknown @www
10 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
10 10000:1 PADS New Asset - unknown @ntp
6 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
5 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
5 10000:2 PADS Changed Asset - ssl TLS 1.0 Client Hello
4 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
4 10000:2 PADS Changed Asset - ssh OpenSSH 5.9p1 (Protocol 2.0)
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
3 10000:1 PADS New Asset - unknown @imaps
3 10000:1 PADS New Asset - ssl SSL 2.0 Client Hello
3 10000:1 PADS New Asset - unknown @domain
3 10000:2 PADS Changed Asset - smb Windows SMB
2 10000:1 PADS New Asset - http 494/6.2.6124 CFNetwork/711.5.6 Darwin/14.0.0
2 10000:1 PADS New Asset - http Microsoft-Windows/6.1 UPnP/1.0 Windows-Media-Player (DMS/12.0.7601.17514 DLNADOC/1.50)
2 10000:1 PADS New Asset - http SXL/3.1
2 10000:1 PADS New Asset - http Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.89 Mobile/12H321 Safari/600.1.4
2 1:2017926 ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check
2 10000:2 PADS Changed Asset - unknown @imaps
2 10000:2 PADS Changed Asset - ssh OpenSSH 6.2 (Protocol 2.0)
2 10000:1 PADS New Asset - http AppleTV2,1/7.1.2 (11D258)
2 1:2016847 ET INFO Possible Chrome Plugin install
2 10000:1 PADS New Asset - http eo/1.5.1 CFNetwork/711.5.6 Darwin/14.0.0
2 1:2014726 ET POLICY Outdated Windows Flash Version IE
2 10000:1 PADS New Asset - http Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
2 10000:1 PADS New Asset - http WSDAPI
2 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
2 1:2013028 ET POLICY curl User-Agent Outbound
1 10000:1 PADS New Asset - unknown @ftp
1 10000:1 PADS New Asset - http CFNetwork MooTunes, get your Mootunes! CFNetwork
1 10000:2 PADS Changed Asset - unknown @www
1 1:2522585 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 293
1 10000:2 PADS Changed Asset - unknown @microsoft-ds
1 10000:2 PADS Changed Asset - http IMTransferAgent/1000 CFNetwork/711.5.6 Darwin/14.0.0
1 10000:2 PADS Changed Asset - unknown @https
1 10000:1 PADS New Asset - dns TCP DNS Server
1 10000:1 PADS New Asset - http Windows-Update (Agent)
1 10000:1 PADS New Asset - http Mozilla/5.0 (Unity3d)
Total 701

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
1112 URL go.vrvm.com
793 URL adcel.vrvm.com
720 URL download.windowsupdate.com
699 URL http.00.s.sophosxl.net
578 URL ad.vrvm.com
467 URL bcoveliveios-i.akamaihd.net
444 URL az698131.vo.msecnd.net
426 URL data-cdn.mbamupdates.com
358 URL ecx.images-amazon.com
312 URL fls-na.amazon.com
247 URL ads.mp.mydas.mobi
164 URL www.amazon.com
164 URL metrics.brightcove.com
160 URL cdn0.nflximg.net
158 URL cdn1.nflximg.net
152 URL dci.sophosupd.com
151 URL az337102.vo.msecnd.net
126 URL d2.sophosupd.com
126 URL www.netflix.com
121 URL g-ecx.images-amazon.com
111 URL displayadsservice.rumble.me
109 URL www.supercircuits.com
108 URL www.mpja.net
108 URL b.scorecardresearch.com
103 URL crl.microsoft.com
103 URL ast1.r10.io
77 URL X.X.X.X
76 URL www.google-analytics.com
73 URL i2.cdn.turner.com
72 URL a.fsdn.com
70 URL cnnios-f.akamaihd.net
70 URL images.outbrain.com
70 URL rumbles3.cloudapp.net
69 URL z-ecx.images-amazon.com
68 URL www.dell.com
68 URL img-s-msn-com.akamaized.net
68 URL dell.com
66 URL rumlservice.rumble.me
66 URL us.archive.ubuntu.com
66 URL 3.static.img-dpreview.com
63 URL cdn.i24news.tv
63 URL promotions.newegg.com
61 URL cdn.arstechnica.net
60 URL google.com
58 URL www.google.com
56 URL pagead2.googlesyndication.com
53 URL help.thruhere.net
52 URL www.zerohedge.com
46 URL v4.moatads.com
45 URL ocw.mit.edu
Total 12863

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
118 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
60 1:2016141 ET INFO Exectuable Download from dotted-quad Host
36 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
30 1:2000419 ET POLICY PE EXE or DLL Windows file download
21 1:2012648 ET POLICY Dropbox Client Broadcasting
15 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
12 1:2014520 ET INFO EXE - Served Attached HTTP
12 1:2014819 ET INFO Packed Executable Download
8 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
7 1:2017398 ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection
6 1:2100498 GPL ATTACK_RESPONSE id check returned root
6 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
4 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
2 1:2013028 ET POLICY curl User-Agent Outbound
2 1:2016847 ET INFO Possible Chrome Plugin install
2 1:2017926 ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check
2 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
1 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
1 1:2019102 ET DOS Possible SSDP Amplification Scan in Progress
1 1:2014726 ET POLICY Outdated Windows Flash Version IE
Total 349

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
303 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
60 1:2016141 ET INFO Exectuable Download from dotted-quad Host
41 1:2012648 ET POLICY Dropbox Client Broadcasting
36 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
30 1:2000419 ET POLICY PE EXE or DLL Windows file download
15 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
13 1:2017398 ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection
12 1:2014520 ET INFO EXE - Served Attached HTTP
12 1:2014819 ET INFO Packed Executable Download
11 1:2100498 GPL ATTACK_RESPONSE id check returned root
10 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
6 1:2020565 ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
5 1:2012647 ET POLICY Dropbox.com Offsite File Backup in Use
4 1:2012886 ET POLICY Http Client Body contains passwd= in cleartext
3 1:2018170 ET POLICY Application Crash Report Sent to Microsoft
2 1:2013028 ET POLICY curl User-Agent Outbound
2 1:2016847 ET INFO Possible Chrome Plugin install
2 1:2017926 ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check
2 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
2 1:2014726 ET POLICY Outdated Windows Flash Version IE
1 1:2019102 ET DOS Possible SSDP Amplification Scan in Progress
1 1:2002878 ET POLICY iTunes User Agent
1 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
1 1:2522585 ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 293
Total 575

=========================================================================
Last update
=========================================================================
Start-Date: 2015-10-05 16:33:37
Commandline: apt-get -y dist-upgrade
End-Date: 2015-10-05 16:42:48

Start-Date: 2015-10-06 14:42:49
Commandline: apt-get -y dist-upgrade
Upgrade: linux-image-3.13.0-65-generic:amd64 (3.13.0-65.105~precise1, 3.13.0-65.106~precise1), linux-headers-3.13.0-65-generic:amd64 (3.13.0-65.105~precise1, 3.13.0-65.106~precise1), linux-headers-3.13.0-65:amd64 (3.13.0-65.105~precise1, 3.13.0-65.106~precise1)
End-Date: 2015-10-06 14:45:12

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1645 supervising syslog-ng
1646 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1711 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1691 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-SO-server/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
236M /nsm/elsa/data
3.0M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2015-10-05 04:24:36 2015-10-06 18:27:02

Heine Lysemose

Oct 6, 2015, 3:20:02 PM
to securit...@googlegroups.com

Hi

Here are some quick observations; you can find the answers to them in the Wiki page I mentioned before...

Disable services you don't need; a couple of them duplicate data between the ELSA interface and the Sguil/Squert interface.
More memory, at least 8GB, to get decent performance.
Fewer rules; tune your ruleset to fit your environment.

Regards,
Lysemose

William E. Smith, Jr.

Oct 6, 2015, 3:39:53 PM
to security-onion
Hi,


I just got finished reading the article on using a minimal install of SO in a VM to manage the SO server. It works better than just an ssh -X connection on my OS X machine, plus the ability to open a folder containing carved-out files after pivoting to NetworkMiner, which previously would not work correctly (for obvious reasons, i.e. the file system is not local). Then I edited the desktop launch icons for Squert, Snorby etc. to point to the remote SO server vs. localhost. And guess what, Squert has events shown using the Chromium browser. So I went back to Safari and nothing, nada. So my problem was the browser, Safari, not the SO server. I feel a little dumb, and sorry for wasting bandwidth here and your time.

Tuning, yes, I have questions about that... For another Post.

As far as memory, the new hardware will have 16GB of RAM, 2 1GB NICs and a nice 3.4 GHz Intel quad-core processor. That's about all I'm going to squeeze out of management at the moment.

If I were to use an SSD for the OS and a large multi-terabyte drive for storage, are the partitioning requirements unusual for such a setup? Does SO play nice in this type of setup? Does it even benefit from the OS being on an SSD, since most disk I/O will be to the slower, larger drive?

So many questions. Sorry

Thanks for the support,
Will


Doug Burks

Oct 6, 2015, 4:02:38 PM
to securit...@googlegroups.com
On Tue, Oct 6, 2015 at 3:39 PM, William E. Smith, Jr. <w35...@gmail.com> wrote:

Since you've resolved the "No Events in Squert" issue that the subject
of this thread refers to, please start a new thread for any additional
questions/problems with appropriate subjects.

William E. Smith, Jr.

Oct 6, 2015, 5:38:13 PM
to security-onion
No problem, Thanks
Will

