How To configure Onion Security with Mikrotik RB 450G


Zain Adrian

Jan 27, 2014, 6:26:54 AM
to securit...@googlegroups.com
I have a RouterBOARD Mikrotik RB450G. Can I set up Security Onion on that machine?


See the attachment for the topology.

For the LAN port and Port4 on the Mikrotik -- eth1 on Security Onion, I configured port mirroring on the Mikrotik device.

And eth0 I set up on the PC for management and monitoring via the Snorby web interface, Squert, and Sguil.


Is this the correct topology for setting up Security Onion?

For your information, in Snorby on localhost I don't see any signatures ("Sorry, No data is available yet"), High severity (0), Medium severity (0), Low severity (0); in Administration I see the sensor on eth1, worker & job queue status OK.

Please help me.

topology Mikrotik with Security Onion.docx

Doug Burks

Jan 27, 2014, 6:40:40 AM
to securit...@googlegroups.com
Hi Zain,

Replies inline.

On Mon, Jan 27, 2014 at 6:26 AM, Zain Adrian <z.adr...@gmail.com> wrote:
> I have a RouterBOARD Mikrotik RB450G. Can I set up Security Onion on that machine?

If your Mikrotik supports port mirroring, then you can use it to send
traffic to another machine running Security Onion.

> See the attachment for the topology.

When sending diagrams, please use standard graphic formats instead of
docx files.

> For the LAN port and Port4 on the Mikrotik -- eth1 on Security Onion, I configured port mirroring on the Mikrotik device.

Are you saying that you configured the Mikrotik to do port mirroring
from the LAN port to Port4? And Port4 is connected to your Security
Onion machine?

> And eth0 I set up on the PC for management and monitoring via the Snorby web interface, Squert, and Sguil.

Yes, you should have a dedicated management interface and I typically
use eth0 for this.

> Is this the correct topology for setting up Security Onion?

I suppose that depends on if it's providing your expected results.

> For your information, in Snorby on localhost I don't see any signatures ("Sorry, No data is available yet"), High severity (0), Medium severity (0), Low severity (0); in Administration I see the sensor on eth1, worker & job queue status OK.

Please send the full output of the following command:
sudo sostat-redacted

It will redact IPv4 addresses, but there may be additional data that
you need to manually redact.

If you don't have sostat-redacted, you can either install all
available updates or do "sudo sostat" and manually redact.


--
Doug Burks

BBCan177

Jan 27, 2014, 11:29:28 AM
to securit...@googlegroups.com
Hi Zain,

I am using a few Mikrotik 260GS without any issues. See the attached screenshot of my router's mirroring settings.

I use ports 2 and 3 for mirroring two devices, and Port 4 is the uplink port back to my main switch.

Port 5 is connected to eth1 of Security Onion for monitoring.


You can also run this command to see if you are receiving any traffic in Security Onion:

sudo tcpdump -nnvvAi eth1

Mikrotik 260GS.png

Zain Adrian

Jan 28, 2014, 7:14:46 AM
to securit...@googlegroups.com
Dear Doug Burks,

* Sorry, I attached the topology as a docx file; I am sending it again as a .png.


* This is the output of sudo sostat-redacted:

Is my configuration wrong?

ipsids@ipsids-desktop:~$ sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager X.X.X.X stopped
proxy proxy X.X.X.X stopped
ipsids-desktop-eth2-1 worker X.X.X.X stopped
Status: ipsids-desktop-eth2
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 00:26:5a:eb:5a:84
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: fe80::226:5aff:feeb:5a84/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3598 errors:0 dropped:0 overruns:0 frame:0
TX packets:1822 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2181741 (2.1 MB) TX bytes:173040 (173.0 KB)
Interrupt:19 Base address:0xe800

eth2 Link encap:Ethernet HWaddr 00:1e:90:f5:41:95
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:28 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3388 (3.3 KB) TX bytes:0 (0.0 B)
Interrupt:47 Base address:0x4000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7235 errors:0 dropped:0 overruns:0 frame:0
TX packets:7235 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11585497 (11.5 MB) TX bytes:11585497 (11.5 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
11585497 7235 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
11585497 7235 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:26:5a:eb:5a:84 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
2181741 3598 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
173040 1822 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1e:90:f5:41:95 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3388 28 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 228G 5.4G 211G 3% /
udev 864M 4.0K 864M 1% /dev
tmpfs 351M 884K 350M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 876M 88K 876M 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1160 root 3u IPv4 8098 0t0 TCP *:22 (LISTEN)
sshd 1160 root 4u IPv6 8100 0t0 TCP *:22 (LISTEN)
avahi-dae 1251 avahi 12u IPv4 9281 0t0 UDP *:5353
avahi-dae 1251 avahi 13u IPv6 9282 0t0 UDP *:5353
avahi-dae 1251 avahi 14u IPv4 9283 0t0 UDP *:58182
avahi-dae 1251 avahi 15u IPv6 9284 0t0 UDP *:43943
cupsd 1258 root 8u IPv6 9294 0t0 TCP [::1]:631 (LISTEN)
cupsd 1258 root 9u IPv4 9295 0t0 TCP X.X.X.X:631 (LISTEN)
salt-mini 1334 root 21u IPv4 12958 0t0 TCP X.X.X.X:56275->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 1344 root 9u IPv4 8740 0t0 TCP *:514 (LISTEN)
syslog-ng 1344 root 10u IPv4 8741 0t0 UDP *:514
salt-mast 1352 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
mysqld 1458 mysql 10u IPv4 12859 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 1458 mysql 32u IPv4 23482 0t0 TCP X.X.X.X:3306->X.X.X.X:37567 (ESTABLISHED)
ossec-csy 1537 ossecm 5u IPv4 10429 0t0 UDP X.X.X.X:32773->X.X.X.X:514
searchd 1544 sphinxsearch 7u IPv4 9520 0t0 TCP *:9306 (LISTEN)
searchd 1544 sphinxsearch 8u IPv4 9521 0t0 TCP *:9312 (LISTEN)
salt-mast 1605 root 27u IPv4 9653 0t0 TCP *:4505 (LISTEN)
salt-mast 1605 root 29u IPv4 12959 0t0 TCP X.X.X.X:4505->X.X.X.X:56275 (ESTABLISHED)
salt-mast 1616 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
salt-mast 1617 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
salt-mast 1626 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
salt-mast 1627 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
salt-mast 1630 root 19u IPv4 9651 0t0 TCP *:4506 (LISTEN)
/usr/sbin 2161 root 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2161 root 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2161 root 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2161 root 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
/usr/sbin 2201 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2201 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2201 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2201 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
/usr/sbin 2202 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2202 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2202 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2202 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
/usr/sbin 2203 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2203 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2203 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2203 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
/usr/sbin 2204 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2204 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2204 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2204 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
/usr/sbin 2205 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 2205 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2205 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2205 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
ntpd 2688 ntp 16u IPv4 13749 0t0 UDP *:123
ntpd 2688 ntp 17u IPv6 13750 0t0 UDP *:123
ntpd 2688 ntp 18u IPv4 13756 0t0 UDP X.X.X.X:123
ntpd 2688 ntp 19u IPv4 13757 0t0 UDP X.X.X.X:123
ntpd 2688 ntp 20u IPv6 13758 0t0 UDP [fe80::226:5aff:feeb:5a84]:123
ntpd 2688 ntp 21u IPv6 13759 0t0 UDP [::1]:123
tclsh 4023 root 13u IPv4 21187 0t0 TCP *:7734 (LISTEN)
tclsh 4023 root 14u IPv4 21188 0t0 TCP *:7736 (LISTEN)
tclsh 4023 root 15u IPv4 21482 0t0 TCP X.X.X.X:7736->X.X.X.X:58348 (ESTABLISHED)
tclsh 4023 root 16u IPv4 21694 0t0 TCP X.X.X.X:7736->X.X.X.X:58349 (ESTABLISHED)
tclsh 4023 root 17u IPv4 21998 0t0 TCP X.X.X.X:7736->X.X.X.X:58362 (ESTABLISHED)
tclsh 4023 root 18u IPv4 22090 0t0 TCP X.X.X.X:7736->X.X.X.X:58363 (ESTABLISHED)
tclsh 4023 root 19u IPv4 22974 0t0 TCP X.X.X.X:7736->X.X.X.X:58364 (ESTABLISHED)
tclsh 4023 root 20u IPv4 22990 0t0 TCP X.X.X.X:7736->X.X.X.X:58365 (ESTABLISHED)
tclsh 4023 root 21u IPv4 93773 0t0 TCP X.X.X.X:7736->X.X.X.X:58465 (ESTABLISHED)
tclsh 4073 root 3u IPv4 22824 0t0 TCP X.X.X.X:58362->X.X.X.X:7736 (ESTABLISHED)
tclsh 4073 root 7u IPv4 94420 0t0 TCP X.X.X.X:58465->X.X.X.X:7736 (ESTABLISHED)
/usr/sbin 4165 www-data 4u IPv4 12464 0t0 TCP *:443 (LISTEN)
/usr/sbin 4165 www-data 5u IPv4 12467 0t0 TCP *:9876 (LISTEN)
/usr/sbin 4165 www-data 6u IPv4 12469 0t0 TCP *:3154 (LISTEN)
/usr/sbin 4165 www-data 7u IPv4 12473 0t0 TCP *:444 (LISTEN)
tclsh 4242 root 3u IPv4 21481 0t0 TCP X.X.X.X:58348->X.X.X.X:7736 (ESTABLISHED)
tclsh 4401 root 3u IPv4 21693 0t0 TCP X.X.X.X:58349->X.X.X.X:7736 (ESTABLISHED)
tclsh 4401 root 4u IPv4 21700 0t0 TCP X.X.X.X:8001 (LISTEN)
tclsh 4401 root 6u IPv4 23478 0t0 TCP X.X.X.X:8001->X.X.X.X:37170 (ESTABLISHED)
barnyard2 4567 root 3u IPv4 23477 0t0 TCP X.X.X.X:37170->X.X.X.X:8001 (ESTABLISHED)
barnyard2 4567 root 4u IPv4 23481 0t0 TCP X.X.X.X:37567->X.X.X.X:3306 (ESTABLISHED)
tclsh 4600 root 3u IPv4 22089 0t0 TCP X.X.X.X:58363->X.X.X.X:7736 (ESTABLISHED)
tclsh 4617 root 3u IPv4 22973 0t0 TCP X.X.X.X:58364->X.X.X.X:7736 (ESTABLISHED)
tclsh 4647 root 3u IPv4 22989 0t0 TCP X.X.X.X:58365->X.X.X.X:7736 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Tue Jan 28 07:01:01 WIB 2014
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 30 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------0
Deleted:---0
Enabled Rules:----14970
Dropped Rules:----0
Disabled Rules:---3370
Total Rules:------18340
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: ipsids-desktop-eth2
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: ipsids-desktop-eth2
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
top - 14:45:37 up 21 min, 1 user, load average: 0.70, 0.69, 0.74
Tasks: 187 total, 1 running, 185 sleeping, 0 stopped, 1 zombie
Cpu(s): 15.9%us, 4.2%sy, 0.1%ni, 67.9%id, 11.9%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1792916k total, 1595592k used, 197324k free, 14980k buffers
Swap: 2956740k total, 494436k used, 2462304k free, 81572k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1516 root 20 0 182m 8076 4136 S 2 0.5 0:21.89 Xorg
7915 root 20 0 17336 1272 888 R 2 0.1 0:00.03 top
1 root 20 0 24736 2196 1116 S 0 0.1 0:01.02 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.42 ksoftirqd/0
6 root RT 0 0 0 0 S 0 0.0 0:00.01 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:00.29 ksoftirqd/1
11 root 20 0 0 0 0 S 0 0.0 0:06.37 kworker/0:1
12 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
13 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
14 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
15 root 20 0 0 0 0 S 0 0.0 0:00.00 kdevtmpfs
16 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
18 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
19 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
20 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
22 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
23 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
24 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
25 root 20 0 0 0 0 S 0 0.0 0:00.16 kworker/1:1
26 root 20 0 0 0 0 S 0 0.0 0:00.00 khungtaskd
27 root 20 0 0 0 0 S 0 0.0 0:07.22 kswapd0
28 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
29 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
30 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
31 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
32 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
41 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
42 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_1
43 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_2
44 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_3
46 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:3
47 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:4
69 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
70 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:2
253 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_4
254 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_5
257 root 0 -20 0 0 0 S 0 0.0 0:00.00 ttm_swap
323 root 20 0 0 0 0 S 0 0.0 0:00.32 jbd2/sda1-8
324 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
481 root 20 0 17236 272 272 S 0 0.0 0:00.11 upstart-udev-br
496 root 20 0 21920 636 636 S 0 0.0 0:00.09 udevd
611 root 20 0 21916 240 236 S 0 0.0 0:00.00 udevd
612 root 20 0 21884 240 236 S 0 0.0 0:00.00 udevd
693 root 0 -20 0 0 0 S 0 0.0 0:00.00 hd-audio0
702 root 0 -20 0 0 0 S 0 0.0 0:00.00 edac-poller
710 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
849 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpathd
864 root 0 -20 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
972 root 20 0 15192 304 220 S 0 0.0 0:00.00 upstart-socket-
1160 root 20 0 50036 1556 1552 S 0 0.1 0:00.00 sshd
1180 messageb 20 0 24704 1100 476 S 0 0.1 0:00.20 dbus-daemon
1202 root 20 0 21324 780 780 S 0 0.0 0:00.00 bluetoothd
1242 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1251 avahi 20 0 32316 852 760 S 0 0.0 0:00.01 avahi-daemon
1252 avahi 20 0 32184 140 124 S 0 0.0 0:00.00 avahi-daemon
1258 root 20 0 101m 1196 1044 S 0 0.1 0:00.01 cupsd
1321 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
1330 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
1334 root 20 0 431m 17m 3280 S 0 1.0 0:02.02 salt-minion
1343 root 20 0 26784 184 148 S 0 0.0 0:00.00 syslog-ng
1344 root 20 0 70712 2312 1896 S 0 0.1 0:00.47 syslog-ng
1348 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
1349 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
1352 root 20 0 484m 2764 2428 S 0 0.2 0:00.43 salt-master
1355 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
1378 root 20 0 4464 496 492 S 0 0.0 0:00.00 acpid
1380 root 20 0 19116 848 696 S 0 0.0 0:00.03 cron
1381 daemon 20 0 16912 196 196 S 0 0.0 0:00.00 atd
1382 sphinxse 20 0 79236 880 880 S 0 0.0 0:00.00 su
1385 root 20 0 15984 552 456 S 0 0.0 0:00.21 irqbalance
1388 root 20 0 1018m 1264 1052 S 0 0.1 0:00.07 console-kit-dae
1458 mysql 20 0 1310m 24m 4220 S 0 1.4 0:05.34 mysqld
1475 root 20 0 264m 1180 1180 S 0 0.1 0:00.03 lightdm
1478 root 20 0 190m 1840 964 S 0 0.1 0:00.13 polkitd
1537 ossecm 20 0 12920 432 376 S 0 0.0 0:00.01 ossec-csyslogd
1544 sphinxse 20 0 315m 15m 12m S 0 0.9 0:03.94 searchd
1559 root 20 0 12808 360 340 S 0 0.0 0:00.00 ossec-execd
1574 ossec 20 0 14508 768 536 S 0 0.0 0:11.92 ossec-analysisd
1578 root 20 0 4532 500 412 S 0 0.0 0:00.00 ossec-logcollec
1595 root 20 0 205m 2952 1960 S 0 0.2 0:00.31 salt-master
1605 root 20 0 228m 1080 940 S 0 0.1 0:00.00 salt-master
1611 root 20 0 228m 1488 888 S 0 0.1 0:00.00 salt-master
1616 root 20 0 610m 7652 2672 S 0 0.4 0:01.09 salt-master
1617 root 20 0 610m 7796 2540 S 0 0.4 0:00.85 salt-master
1626 root 20 0 610m 7728 2680 S 0 0.4 0:01.53 salt-master
1627 root 20 0 613m 18m 2800 S 0 1.1 0:01.55 salt-master
1630 root 20 0 613m 20m 3404 S 0 1.2 0:01.16 salt-master
1651 root 20 0 118m 1524 1212 S 0 0.1 0:00.05 accounts-daemon
1686 root 20 0 5784 1980 604 S 0 0.1 0:25.01 ossec-syscheckd
1691 ossec 20 0 13064 312 260 S 0 0.0 0:00.00 ossec-monitord
1767 root 20 0 214m 1448 1112 S 0 0.1 0:00.20 upowerd
1983 root 20 0 177m 1244 1244 S 0 0.1 0:00.03 lightdm
2004 root 20 0 0 0 0 S 0 0.0 0:00.14 flush-8:0
2038 root 20 0 101m 940 760 S 0 0.1 0:00.01 winbindd
2082 root 20 0 4404 504 500 S 0 0.0 0:00.00 sh
2084 root 20 0 209m 8880 2924 S 0 0.5 0:05.00 perl
2090 root 20 0 101m 772 592 S 0 0.0 0:00.00 winbindd
2161 root 20 0 176m 3852 2964 S 0 0.2 0:00.10 /usr/sbin/apach
2163 root 20 0 215m 832 832 S 0 0.0 0:00.00 PassengerWatchd
2167 root 20 0 288m 936 848 S 0 0.1 0:00.01 PassengerHelper
2171 root 20 0 108m 1280 1280 S 0 0.1 0:00.09 ruby1.9.1
2178 nobody 20 0 165m 1588 1572 S 0 0.1 0:00.00 PassengerLoggin
2201 www-data 20 0 387m 106m 4392 S 0 6.1 0:03.71 /usr/sbin/apach
2202 www-data 20 0 387m 17m 4384 S 0 1.0 0:04.58 /usr/sbin/apach
2203 www-data 20 0 387m 106m 4388 S 0 6.1 0:03.72 /usr/sbin/apach
2204 www-data 20 0 387m 106m 4384 S 0 6.1 0:04.15 /usr/sbin/apach
2205 www-data 20 0 387m 106m 4380 S 0 6.1 0:03.63 /usr/sbin/apach
2230 root 20 0 20028 676 672 S 0 0.0 0:00.00 getty
2688 ntp 20 0 37776 1472 1252 S 0 0.1 0:00.10 ntpd
2826 ipsids 20 0 4404 516 512 S 0 0.0 0:00.02 sh
2874 ipsids 20 0 12572 28 0 S 0 0.0 0:00.00 ssh-agent
2877 ipsids 20 0 26564 140 140 S 0 0.0 0:00.00 dbus-launch
2878 ipsids 20 0 25428 1232 400 S 0 0.1 0:00.19 dbus-daemon
2891 ipsids 20 0 47608 1660 1376 S 0 0.1 0:00.04 xfconfd
2899 ipsids 20 0 63868 1096 928 S 0 0.1 0:00.16 xscreensaver
2901 ipsids 20 0 158m 2204 1880 S 0 0.1 0:00.05 xfce4-session
2931 ipsids 20 0 154m 5276 3288 S 0 0.3 0:01.14 xfwm4
2933 ipsids 20 0 290m 5232 3040 S 0 0.3 0:00.44 xfce4-panel
2935 ipsids 20 0 368m 2404 1764 S 0 0.1 0:00.05 Thunar
2937 ipsids 20 0 464m 6572 3712 S 0 0.4 0:02.56 xfdesktop
2943 ipsids 20 0 128m 1580 1304 S 0 0.1 0:00.00 xfsettingsd
2945 ipsids 20 0 442m 2552 2108 S 0 0.1 0:00.12 nm-applet
2959 ipsids 20 0 186m 1568 1236 S 0 0.1 0:00.01 polkit-gnome-au
2963 ipsids 20 0 52424 1348 1216 S 0 0.1 0:00.01 gvfsd
2965 ipsids 20 0 203m 1024 1024 S 0 0.1 0:00.00 gvfs-fuse-daemo
2979 ipsids 20 0 257m 4048 3300 S 0 0.2 0:00.24 applet.py
2990 ipsids 20 0 570m 3528 3528 S 0 0.2 0:00.35 blueman-applet
2996 ipsids 20 0 57128 1148 1044 S 0 0.1 0:00.01 gconfd-2
3024 ipsids 20 0 737m 2140 1516 S 0 0.1 0:00.07 xfce4-volumed
3035 ipsids 20 0 213m 1528 1012 S 0 0.1 0:00.04 xfce4-power-man
3041 ipsids 20 0 376m 2424 2000 S 0 0.1 0:00.15 update-notifier
3085 ipsids 20 0 150m 1404 1060 S 0 0.1 0:00.04 xfce4-settings-
3094 root 20 0 188m 1380 1064 S 0 0.1 0:00.07 udisks-daemon
3097 root 20 0 45520 300 260 S 0 0.0 0:00.00 udisks-daemon
3114 ipsids 9 -11 348m 1128 988 S 0 0.1 0:00.08 pulseaudio
3116 rtkit 21 1 164m 856 848 S 0 0.0 0:00.01 rtkit-daemon
3137 ipsids 20 0 149m 2648 2240 S 0 0.1 0:00.03 panel-4-systray
3139 ipsids 20 0 392m 2736 2468 S 0 0.2 0:00.12 xfce4-indicator
3140 ipsids 20 0 148m 3628 2852 S 0 0.2 0:01.50 panel-7-datetim
3141 ipsids 20 0 169m 3200 2572 S 0 0.2 0:00.08 panel-9-xfsm-lo
3142 ipsids 20 0 181m 3104 2544 S 0 0.2 0:00.08 panel-24-thunar
3147 ipsids 20 0 57072 1156 1156 S 0 0.1 0:00.01 gvfsd-trash
3153 ipsids 20 0 70340 1352 1048 S 0 0.1 0:00.01 gvfs-gdu-volume
3160 ipsids 20 0 339m 1524 1356 S 0 0.1 0:00.03 indicator-appli
3162 ipsids 20 0 517m 1612 1220 S 0 0.1 0:00.04 indicator-sound
3164 ipsids 20 0 633m 1628 1352 S 0 0.1 0:00.04 indicator-messa
3167 ipsids 20 0 138m 1116 972 S 0 0.1 0:00.00 gvfs-afc-volume
3171 ipsids 20 0 60380 1140 956 S 0 0.1 0:00.00 gvfs-gphoto2-vo
3213 ipsids 20 0 57828 1260 1084 S 0 0.1 0:00.00 obex-data-serve
4023 root 20 0 121m 5760 2848 S 0 0.3 0:00.30 tclsh
4034 ipsids 20 0 255m 1016 1016 S 0 0.1 0:00.02 dconf-service
4073 root 20 0 36116 4868 2400 S 0 0.3 0:00.16 tclsh
4076 root 20 0 118m 960 488 S 0 0.1 0:00.07 tclsh
4077 root 20 0 118m 564 284 S 0 0.0 0:00.00 tclsh
4159 sguil 20 0 105m 64m 64m S 0 3.7 0:00.13 netsniff-ng
4165 www-data 20 0 387m 106m 4384 S 0 6.1 0:05.78 /usr/sbin/apach
4242 root 20 0 32920 2876 2196 S 0 0.2 0:00.04 tclsh
4401 root 20 0 32524 2440 2032 S 0 0.1 0:00.03 tclsh
4418 root 20 0 4348 232 232 S 0 0.0 0:00.00 tail
4537 sguil 20 0 533m 143m 9460 S 0 8.2 0:21.08 snort
4567 root 20 0 159m 57m 1280 S 0 3.3 1:27.72 barnyard2
4583 sguil 20 0 25732 3536 3208 S 0 0.2 0:00.11 prads
4585 root 20 0 4348 504 444 S 0 0.0 0:00.00 tail
4600 root 20 0 32396 3228 1932 S 0 0.2 0:00.02 tclsh
4602 root 20 0 4332 328 248 S 0 0.0 0:00.00 cat
4617 root 20 0 32512 3288 1976 S 0 0.2 0:00.08 tclsh
4647 root 20 0 32536 3356 2024 S 0 0.2 0:00.03 tclsh
4649 root 20 0 4344 536 444 S 0 0.0 0:00.00 tail
4886 root 19 -1 14892 1920 296 S 0 0.1 0:00.13 dema
4956 www-data 20 0 419m 89m 2220 S 0 5.1 0:06.18 ruby
5721 ipsids 20 0 250m 8552 4668 S 0 0.5 0:00.36 xfce4-terminal
5722 ipsids 20 0 0 0 0 Z 0 0.0 0:00.00 xfce4-ter <defunct>
5723 ipsids 20 0 28040 4764 1424 S 0 0.3 0:00.64 bash
6207 root 20 0 0 0 0 S 0 0.0 0:02.33 kworker/0:2
6990 root 20 0 0 0 0 S 0 0.0 0:01.11 kworker/0:0
7122 root 20 0 4404 596 492 S 0 0.0 0:00.00 sh
7125 root 20 0 4404 324 220 S 0 0.0 0:00.00 sh
7130 root 20 0 4312 352 272 S 0 0.0 0:00.00 sleep
7728 root 20 0 84604 2452 1816 S 0 0.1 0:00.02 sudo
7729 root 20 0 16548 1172 984 S 0 0.1 0:00.00 sostat-redacted
7730 root 20 0 16572 1444 1212 S 0 0.1 0:00.01 sostat
7731 root 20 0 15744 812 688 S 0 0.0 0:00.00 sed


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/ipsids-desktop-eth2/dailylogs/ - 8 days
18M .
8.0K ./2014-01-20
7.9M ./2014-01-21
9.7M ./2014-01-22
12K ./2014-01-23
8.0K ./2014-01-24
8.0K ./2014-01-25
12K ./2014-01-27
12K ./2014-01-28

/nsm/bro/logs/ - 4 days
1.8M .
648K ./2014-01-20
200K ./2014-01-21
52K ./2014-01-27
28K ./2014-01-28
908K ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/ipsids-desktop-eth2/snort-1.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 5.6.1 ($Revision: $)
Total rings : 1

Standard (non DNA) Options
Ring slots : 4096
Slot version : 15
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/4537-eth2.2
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 28
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4872
Num Free Slots : 4872

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
701

=========================================================================
Sguil events summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
4 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
3 10000:1 PADS New Asset - unknown @https
2 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
2 10000:2 PADS Changed Asset - domain DNS SQR No Error
1 10000:1 PADS New Asset - unknown @pop3
1 10000:2 PADS Changed Asset - unknown @domain
1 10000:1 PADS New Asset - unknown @domain
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Total
16

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Total
0

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Total
0

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
4 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
Total
4
ipsids@ipsids-desktop:~$


Mikrotik - Security Onion.png

Doug Burks

Jan 28, 2014, 8:14:47 AM
to securit...@googlegroups.com
Your diagram looks mostly correct, with the following exceptions:
- Security Onion is an IDS *not* an IPS (it will not block any
attacks, it will only detect them)
- the diagram shows that your Security Onion sniffing interface is
eth1, but sostat shows it is eth2

Based on your sostat output, everything appears to be running properly
and you do have alerts in your Snorby database (GPL SHELLCODE x86 inc
ebx NOOP). Did you already clear those alerts and you just haven't
had any others come in?

eth2 is only showing 28 packets received, which is quite low for an
active network. I'd recommend double-checking your cabling and port
mirroring configuration.



--
Doug Burks
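The two problems Doug points out (the sensor watching a different interface than the diagram shows, and a monitor port that has received almost no packets) can be checked mechanically from the Link Statistics block that sostat prints, which has the same layout as `ip -s link`. The POSIX shell script below is an added example, not code from the thread or from the Security Onion project; it embeds the eth0/eth2 lines from the sostat output above as constructed sample input, and the interface names and the 1000-packet threshold are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a Security Onion sniffing interface from
# "ip -s link" style output (what sostat shows under "Link Statistics").
# A sniffing interface should exist, be in PROMISC mode, and have a
# meaningful RX packet count; 28 packets on an active network points at
# a wrong mirror target or cabling rather than at the IDS.

# Sample input constructed from the eth0/eth2 lines in the thread's sostat output.
SAMPLE_LINKSTATS='2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:26:5a:eb:5a:84 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    2181741    3598     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    173040     1822     0       0       0       0
3: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1e:90:f5:41:95 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    3388       28       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0'

# iface_flags IFACE < linkstats
# Prints the comma-separated <...> flag list of IFACE, or nothing if the
# interface does not appear in the input.
iface_flags() {
    awk -v ifc="$1:" '$2 == ifc { gsub(/[<>]/, "", $3); print $3; exit }'
}

# rx_packets IFACE < linkstats
# Prints the RX packet counter of IFACE (the second column of the line that
# follows "RX:"), or nothing if the interface or its RX line is absent.
rx_packets() {
    awk -v ifc="$1:" '
        $2 == ifc                  { found = 1; next }
        found && $1 ~ /^[0-9]+:$/  { exit }               # next interface, no RX line seen
        found && $1 == "RX:"       { getline; print $2; exit }
    '
}

# check_sniff_iface IFACE MIN_PKTS < linkstats
# Return codes: 0 healthy, 1 interface absent, 2 not promiscuous, 3 too few RX packets.
check_sniff_iface() {
    ifc=$1; min=$2
    data=$(cat)                             # read stdin once, reuse for each check
    flags=$(printf '%s\n' "$data" | iface_flags "$ifc")
    if [ -z "$flags" ]; then
        echo "$ifc: not present in link statistics (is the sensor on another interface?)"
        return 1
    fi
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "$ifc: not in PROMISC mode, the sniffer will miss mirrored frames"; return 2 ;;
    esac
    pkts=$(printf '%s\n' "$data" | rx_packets "$ifc")
    if [ "${pkts:-0}" -lt "$min" ]; then
        echo "$ifc: only ${pkts:-0} RX packets (< $min); check the port mirror target and cabling"
        return 3
    fi
    echo "$ifc: PROMISC, $pkts RX packets, looks OK"
    return 0
}

# Stand-alone demonstration against the constructed sample; the exit status is ignored here.
printf '%s\n' "$SAMPLE_LINKSTATS" | check_sniff_iface eth2 1000 || :
```

On a live sensor, feed the real statistics instead of the sample: `ip -s link | check_sniff_iface eth2 1000`, and run it twice a minute apart, since a counter that does not grow is the clearest sign the mirror is not delivering frames.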