GeoIP not working - several things tried.


allp...@gmail.com

Jul 5, 2015, 6:16:12 PM
to securit...@googlegroups.com
I am learning to use SO, and as such I built a VM for testing and writing down my steps/fixes to do it right the first time I do it in production.

I have a VMware Workstation VM.
Ubuntu 64-bit base VM.
8 GB of RAM.
60 GB of HD.
Two 2.0 GHz CPUs.
Two NICs.

I have been able to fix minor issues here and there, but not this. I have dug into this forum and into other sites talking about this, but to no avail.

GeoIP is not showing up. Country is not showing up. The Map in Squert is empty.

I have tried running the GeoIP job by hand three times.

cd /opt/snorby/
sudo RAILS_ENV=production bundle exec rails c

# then, inside the Rails console:
Snorby::Jobs::GeoipUpdatedbJob.new(true).perform
quit

No joy.

I installed the non free GeoIP stuff.

apt-get install geoip-database-contrib

Reran the GeoIP job.

No joy.

Let it run overnight.

No joy.

Attached is my Top destinations/Top countries.

I am generating plenty of traffic... that was just a very small sample.

I went through the first few videos and imported those packets too. (It is in Snorby, so I would think it would be in Squert)

Can I please get some help?

Thank you for helping a n00b!
no-geoip.png
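Before rerunning the GeoIP job yet again, it is worth confirming that the legacy MaxMind .dat databases the job and Squert's map depend on are actually present, non-empty and complete on disk. The script below is an added example written for this thread, not code from Security Onion, Snorby or the poster. It assumes the databases live in /usr/share/GeoIP under the file names the Ubuntu geoip-database and geoip-database-contrib packages install, and that a valid legacy .dat file carries a "MaxMind" copyright string in its trailing info block; both are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the legacy
# MaxMind GeoIP .dat databases before rerunning Snorby's GeoIP job.
# Assumptions (not stated in the thread): the databases live in
# /usr/share/GeoIP under the file names the Ubuntu geoip-database and
# geoip-database-contrib packages use, and a valid legacy .dat file
# carries a "MaxMind" copyright string in its trailing info block.

GEOIP_DIR="${GEOIP_DIR:-/usr/share/GeoIP}"
GEOIP_FILES="GeoIP.dat GeoIPv6.dat GeoLiteCity.dat"
STALE_DAYS=90   # GeoLite builds are refreshed monthly; older than this is suspect

# geoip_db_ok FILE
# Exit 0 when FILE exists, is non-empty and contains the MaxMind trailer
# signature; 1 = missing, 2 = empty, 3 = no signature (truncated or corrupt
# download). Prints a one-line verdict per file.
geoip_db_ok() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "EMPTY    $f"
        return 2
    fi
    # The info string sits in the last few hundred bytes of a legacy .dat
    # file, so only the tail needs inspecting; -a makes grep treat the
    # binary data as text.
    if ! tail -c 4096 "$f" | grep -aq 'MaxMind'; then
        echo "CORRUPT  $f (no MaxMind signature in trailer)"
        return 3
    fi
    if [ -n "$(find "$f" -mtime +"$STALE_DAYS")" ]; then
        echo "STALE    $f (older than $STALE_DAYS days; rerun the update job)"
    else
        echo "OK       $f ($(wc -c < "$f") bytes)"
    fi
    return 0
}

# geoip_dir_check DIR
# Runs geoip_db_ok over every expected database in DIR and returns the
# number of databases that failed, so 0 means "all present and sane".
geoip_dir_check() {
    dir="$1"
    failed=0
    for name in $GEOIP_FILES; do
        geoip_db_ok "$dir/$name" || failed=$((failed + 1))
    done
    echo "$failed of $(echo $GEOIP_FILES | wc -w) databases failed in $dir"
    return "$failed"
}

# Only run against the live directory when saved and executed as
# geoip-check.sh; sourcing the file just defines the functions.
case "${0##*/}" in
    geoip-check.sh) geoip_dir_check "$GEOIP_DIR" ;;
esac
```

Save it as geoip-check.sh and run it with sh; a non-zero exit status is the number of databases that failed, and the per-file verdicts tell you whether the fix is a fresh download (MISSING, EMPTY, CORRUPT) or just an update (STALE). A STALE or CORRUPT GeoLiteCity.dat is the usual reason a job that "completes" still leaves the country columns empty.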

Heine Lysemose

Jul 6, 2015, 2:27:08 AM
to securit...@googlegroups.com

Hi

Can you post the output from sudo sostat-redacted?

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

allp...@gmail.com

Jul 6, 2015, 8:49:44 PM
to securit...@googlegroups.com
For some reason I am unable to attach a file... as a result I am posting the output here... sorry!

That redaction command is sweet!

----------------------

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager localhost running 5577 3 05 Jul 02:07:00
proxy proxy localhost running 6109 3 05 Jul 02:07:08
SO-server-eth0-1 worker localhost running 6532 2 05 Jul 02:07:15
SO-server-eth0-2 worker localhost running 6531 2 05 Jul 02:07:15
Status: SO-server-eth0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent (SO-user)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (SO-user)[ OK ]
* pads_agent (SO-user)[ OK ]
* argus[ OK ]
* http_agent (SO-user)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:788708 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:352155939 (352.1 MB) TX bytes:70 (70.0 B)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47010 errors:0 dropped:0 overruns:0 frame:0
TX packets:19742 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22542194 (22.5 MB) TX bytes:2751510 (2.7 MB)
Interrupt:16 Base address:0x2000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:768751 errors:0 dropped:0 overruns:0 frame:0
TX packets:768751 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:247311553 (247.3 MB) TX bytes:247311553 (247.3 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
247311553 768751 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
247311553 768751 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
352155939 788708 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
70 1 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
22542194 47010 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2751510 19742 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 52G 7.3G 42G 15% /
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 798M 848K 797M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.9G 43M 3.9G 2% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1998 avahi 12u IPv4 8013 0t0 UDP *:5353
avahi-dae 1998 avahi 13u IPv6 8014 0t0 UDP *:5353
avahi-dae 1998 avahi 14u IPv4 8015 0t0 UDP *:45892
avahi-dae 1998 avahi 15u IPv6 8016 0t0 UDP *:38283
cupsd 2032 root 9u IPv6 1259494 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 2032 root 10u IPv4 1259495 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 2228 root 3u IPv4 14099 0t0 TCP *:ssh_port (LISTEN)
sshd 2228 root 4u IPv6 14101 0t0 TCP *:ssh_port (LISTEN)
salt-mini 2344 root 10u IPv4 20261 0t0 TCP X.X.X.X:57912->X.X.X.X:4506 (ESTABLISHED)
salt-mini 2344 root 21u IPv4 22670 0t0 TCP X.X.X.X:54469->X.X.X.X:4505 (ESTABLISHED)
mysqld 2675 mysql 10u IPv4 15752 0t0 TCP X.X.X.X:3306 (LISTEN)
mysqld 2675 mysql 51u IPv4 1822868 0t0 TCP X.X.X.X:3306->X.X.X.X:55524 (ESTABLISHED)
searchd 2803 sphinxsearch 7u IPv4 16464 0t0 TCP *:9306 (LISTEN)
searchd 2803 sphinxsearch 8u IPv4 15569 0t0 TCP *:9312 (LISTEN)
ossec-csy 2955 ossecm 5u IPv4 15587 0t0 UDP X.X.X.X:33064->X.X.X.X:514
/usr/sbin 3279 root 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 3279 root 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3279 root 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 3279 root 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
salt-mast 3593 root 12u IPv4 17771 0t0 TCP *:4505 (LISTEN)
salt-mast 3593 root 14u IPv4 20384 0t0 TCP X.X.X.X:4505->X.X.X.X:54469 (ESTABLISHED)
salt-mast 3605 root 20u IPv4 18572 0t0 TCP *:4506 (LISTEN)
salt-mast 3605 root 21u IPv4 20262 0t0 TCP X.X.X.X:4506->X.X.X.X:57912 (ESTABLISHED)
ntpd 5474 ntp 16u IPv4 23733 0t0 UDP *:123
ntpd 5474 ntp 17u IPv6 23734 0t0 UDP *:123
ntpd 5474 ntp 18u IPv4 23740 0t0 UDP X.X.X.X:123
ntpd 5474 ntp 19u IPv4 23741 0t0 UDP X.X.X.X:123
ntpd 5474 ntp 20u IPv6 23742 0t0 UDP [X.X.X.X]:123
ntpd 5474 ntp 21u IPv6 23743 0t0 UDP [X.X.X.X]:123
bro 5577 SO-user 4u IPv4 24858 0t0 UDP X.X.X.X:51602->X.X.X.X:53
bro 6109 SO-user 4u IPv4 25822 0t0 UDP X.X.X.X:43923->X.X.X.X:53
bro 6531 SO-user 4u IPv4 27965 0t0 UDP X.X.X.X:33469->X.X.X.X:53
bro 6532 SO-user 4u IPv4 26968 0t0 UDP X.X.X.X:46703->X.X.X.X:53
bro 6736 SO-user 0u IPv4 28350 0t0 TCP *:47762 (LISTEN)
bro 6736 SO-user 1u IPv6 28351 0t0 TCP *:47762 (LISTEN)
bro 6736 SO-user 2u IPv4 28791 0t0 TCP X.X.X.X:47762->X.X.X.X:48253 (ESTABLISHED)
bro 6736 SO-user 4u IPv4 25822 0t0 UDP X.X.X.X:43923->X.X.X.X:53
bro 6736 SO-user 157u IPv4 28793 0t0 TCP X.X.X.X:47762->X.X.X.X:48255 (ESTABLISHED)
bro 6736 SO-user 254u IPv4 28640 0t0 TCP X.X.X.X:59890->X.X.X.X:47761 (ESTABLISHED)
bro 6738 SO-user 0u IPv4 26353 0t0 TCP *:47761 (LISTEN)
bro 6738 SO-user 1u IPv6 26354 0t0 TCP *:47761 (LISTEN)
bro 6738 SO-user 2u IPv4 26360 0t0 TCP X.X.X.X:47761->X.X.X.X:59880 (ESTABLISHED)
bro 6738 SO-user 4u IPv4 24858 0t0 UDP X.X.X.X:51602->X.X.X.X:53
bro 6738 SO-user 157u IPv4 28795 0t0 TCP X.X.X.X:47761->X.X.X.X:59882 (ESTABLISHED)
bro 6738 SO-user 254u IPv4 28641 0t0 TCP X.X.X.X:47761->X.X.X.X:59890 (ESTABLISHED)
bro 6743 SO-user 0u IPv4 26358 0t0 TCP X.X.X.X:48253->X.X.X.X:47762 (ESTABLISHED)
bro 6743 SO-user 1u IPv4 26359 0t0 TCP X.X.X.X:59880->X.X.X.X:47761 (ESTABLISHED)
bro 6743 SO-user 2u IPv4 26363 0t0 TCP *:47763 (LISTEN)
bro 6743 SO-user 4u IPv4 26968 0t0 UDP X.X.X.X:46703->X.X.X.X:53
bro 6743 SO-user 251u IPv6 26364 0t0 TCP *:47763 (LISTEN)
bro 6744 SO-user 0u IPv4 28792 0t0 TCP X.X.X.X:48255->X.X.X.X:47762 (ESTABLISHED)
bro 6744 SO-user 1u IPv4 28794 0t0 TCP X.X.X.X:59882->X.X.X.X:47761 (ESTABLISHED)
bro 6744 SO-user 2u IPv4 28798 0t0 TCP *:47764 (LISTEN)
bro 6744 SO-user 4u IPv4 27965 0t0 UDP X.X.X.X:33469->X.X.X.X:53
bro 6744 SO-user 251u IPv6 28799 0t0 TCP *:47764 (LISTEN)
chromium- 8106 SO-user 138u IPv4 40403 0t0 UDP *:5353
wish 23136 SO-user 4u IPv4 1361042 0t0 TCP X.X.X.X:44468->X.X.X.X:7734 (ESTABLISHED)
tclsh 33588 SO-user 13u IPv4 1185140 0t0 TCP *:7734 (LISTEN)
tclsh 33588 SO-user 14u IPv4 1185141 0t0 TCP *:7736 (LISTEN)
tclsh 33588 SO-user 15u IPv4 1372114 0t0 TCP X.X.X.X:7736->X.X.X.X:34493 (ESTABLISHED)
tclsh 33588 SO-user 16u IPv4 1377661 0t0 TCP X.X.X.X:7736->X.X.X.X:34511 (ESTABLISHED)
tclsh 33588 SO-user 17u IPv4 1377455 0t0 TCP X.X.X.X:7736->X.X.X.X:34508 (ESTABLISHED)
tclsh 33588 SO-user 18u IPv4 1377234 0t0 TCP X.X.X.X:7736->X.X.X.X:34515 (ESTABLISHED)
tclsh 33588 SO-user 19u IPv4 1859691 0t0 TCP X.X.X.X:7736->X.X.X.X:36533 (ESTABLISHED)
tclsh 33588 SO-user 20u IPv4 1360182 0t0 TCP X.X.X.X:7734->X.X.X.X:44468 (ESTABLISHED)
tclsh 33588 SO-user 21u IPv4 1374138 0t0 TCP X.X.X.X:7736->X.X.X.X:34505 (ESTABLISHED)
barnyard2 54739 SO-user 3u IPv4 1820311 0t0 TCP X.X.X.X:46684->X.X.X.X:8000 (ESTABLISHED)
barnyard2 54739 SO-user 4u IPv4 1821840 0t0 TCP X.X.X.X:55524->X.X.X.X:3306 (ESTABLISHED)
tclsh 98686 SO-user 3u IPv4 1857998 0t0 TCP X.X.X.X:36533->X.X.X.X:7736 (ESTABLISHED)
ruby1.9.1 98711 www-data 12u IPv4 1359055 0t0 TCP X.X.X.X:43741 (LISTEN)
syslog-ng 101231 root 17u IPv4 1866332 0t0 TCP *:514 (LISTEN)
syslog-ng 101231 root 18u IPv4 1866333 0t0 UDP *:514
tclsh 104485 SO-user 3u IPv4 1372113 0t0 TCP X.X.X.X:34493->X.X.X.X:7736 (ESTABLISHED)
tclsh 104991 SO-user 3u IPv4 1374137 0t0 TCP X.X.X.X:34505->X.X.X.X:7736 (ESTABLISHED)
tclsh 105202 SO-user 3u IPv4 1376768 0t0 TCP X.X.X.X:34508->X.X.X.X:7736 (ESTABLISHED)
tclsh 105432 SO-user 3u IPv4 1377660 0t0 TCP X.X.X.X:34511->X.X.X.X:7736 (ESTABLISHED)
/usr/sbin 105629 www-data 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 105629 www-data 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 105629 www-data 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 105629 www-data 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
/usr/sbin 105644 www-data 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 105644 www-data 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 105644 www-data 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 105644 www-data 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
/usr/sbin 105708 www-data 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 105708 www-data 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 105708 www-data 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 105708 www-data 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
/usr/sbin 105709 www-data 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 105709 www-data 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 105709 www-data 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 105709 www-data 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
/usr/sbin 105710 www-data 4u IPv4 16963 0t0 TCP *:443 (LISTEN)
/usr/sbin 105710 www-data 5u IPv4 16966 0t0 TCP *:9876 (LISTEN)
/usr/sbin 105710 www-data 6u IPv4 16968 0t0 TCP *:3154 (LISTEN)
/usr/sbin 105710 www-data 7u IPv4 16972 0t0 TCP *:444 (LISTEN)
tclsh 105739 SO-user 3u IPv4 1378523 0t0 TCP X.X.X.X:34515->X.X.X.X:7736 (ESTABLISHED)
tclsh 105739 SO-user 4u IPv4 1377259 0t0 TCP X.X.X.X:8000 (LISTEN)
tclsh 105739 SO-user 6u IPv4 1821230 0t0 TCP X.X.X.X:8000->X.X.X.X:46684 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.61 0.73 0.54
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 00:34:11 up 1 day, 22:26, 1 user, load average: 0.61, 0.73, 0.54
Tasks: 543 total, 2 running, 538 sleeping, 0 stopped, 3 zombie
Cpu(s): 2.8%us, 1.0%sy, 0.1%ni, 95.5%id, 0.6%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8162932k total, 6951740k used, 1211192k free, 248980k buffers
Swap: 12468020k total, 0k used, 12468020k free, 2847108k cached

%CPU %MEM COMMAND
13.3 2.0 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
13.3 1.9 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
12.1 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
11.9 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
9.5 1.0 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
9.5 1.0 /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
2.8 0.7 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
2.5 0.7 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.3 1.3 /usr/bin/python /usr/bin/salt-master
0.8 9.9 suricata --user SO-user --group SO-user -c /etc/nsm/SO-server-eth0/suricata.yaml --pfring=eth0 -F /etc/nsm/SO-server-eth0/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth0
0.4 1.0 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials=Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_73/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_08/UMA-Uniformity-Trial-50-Percent/default/ --renderer-print-preview --enable-offline-auto-reload --enable-offline-load-stale-cache --enable-threaded-compositing --enable-delegated-renderer --enable-impl-side-painting --disable-accelerated-video-decode --channel=8106.1.1907285997
0.2 3.5 /usr/bin/searchd --nodetach
0.2 0.5 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.2 1.1 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials=Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_73/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_08/UMA-Uniformity-Trial-50-Percent/default/ --renderer-print-preview --enable-offline-auto-reload --enable-offline-load-stale-cache --enable-threaded-compositing --enable-delegated-renderer --enable-impl-side-painting --disable-accelerated-video-decode --channel=8106.4.163599512
0.2 2.0 /usr/lib/chromium-browser/chromium-browser https://localhost:444
0.1 1.3 delayed_job
0.1 1.2 /usr/sbin/mysqld
0.1 0.8 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.1 0.0 gksudo wireshark
0.1 1.7 /usr/lib/chromium-browser/chromium-browser --type=gpu-process --channel=8106.0.1476732177 --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,15 --disable-accelerated-video-decode --gpu-vendor-id=0x15ad --gpu-device-id=0x0405 --gpu-driver-vendor --gpu-driver-version
0.0 0.2 /usr/lib/vmware-tools/sbin64/vmtoolsd -n vmusr
0.0 0.3 wish /usr/bin/SO-user.tk
0.0 0.0 [rcu_sched]
0.0 0.0 /var/ossec/bin/ossec-syscheckd
0.0 0.8 barnyard2 -c /etc/nsm/SO-server-eth0/barnyard2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth0 -f snort.unified2 -w /etc/nsm/SO-server-eth0/barnyard2.waldo -i 1 -U
0.0 0.6 /usr/bin/python /usr/bin/salt-minion
0.0 1.0 wireshark
0.0 0.0 PassengerHelperAgent
0.0 0.1 argus -i eth0 -F /etc/nsm/SO-server-eth0/argus.conf -w /nsm/sensor_data/SO-server-eth0/argus/2015-07-07.log
0.0 0.0 [kworker/u256:2]
0.0 0.0 [kworker/1:2]
0.0 0.0 tclsh /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.4 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuos/2]
0.0 0.0 [jbd2/sda1-8]
0.0 1.1 Rack: /opt/snorby
0.0 0.0 prads -i eth0 -c /etc/nsm/SO-server-eth0/prads.conf -u SO-user -g SO-user -L /nsm/sensor_data/SO-server-eth0/sancp/ -f /nsm/sensor_data/SO-server-eth0/pads.fifo -b ip or (vlan and ip)
0.0 0.0 [kworker/u256:0]
0.0 0.1 xfwm4 --replace
0.0 0.0 /usr/sbin/irqbalance
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.6 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 1.4 /usr/sbin/apache2 -k start
0.0 0.0 [ksoftirqd/0]
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/2]
0.0 0.8 netsniff-ng -i eth0 -o /nsm/sensor_data/SO-server-eth0/dailylogs/2015-07-07/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB --mmap
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 [scsi_eh_4]
0.0 0.0 [ksoftirqd/3]
0.0 0.2 xfce4-panel
0.0 0.0 /sbin/init
0.0 0.0 [kworker/2:1]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 xscreensaver -no-splash
0.0 0.0 tclsh /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth0/http_agent.conf -e /etc/nsm/SO-server-eth0/http_agent.exclude -f /nsm/bro/logs/current/http_eth0.log
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 [kworker/0:0]
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 [kworker/3:2]
0.0 0.2 xfdesktop
0.0 0.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials=Prerender/Prerender15minTTL/PrerenderFromOmnibox/OmniboxPrerenderEnabled/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_73/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_08/UMA-Uniformity-Trial-50-Percent/default/ --renderer-print-preview --enable-offline-auto-reload --enable-offline-load-stale-cache --enable-threaded-compositing --enable-delegated-renderer --enable-impl-side-painting --disable-accelerated-video-decode --channel=8106.23.303846251
0.0 0.4 /usr/bin/python /usr/bin/terminator
0.0 0.5 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials=Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_73/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_08/UMA-Uniformity-Trial-50-Percent/default/ --renderer-print-preview --enable-offline-auto-reload --enable-offline-load-stale-cache --enable-threaded-compositing --enable-delegated-renderer --enable-impl-side-painting --disable-accelerated-video-decode --channel=8106.21.1563301259
0.0 0.0 [migration/1]
0.0 0.0 [migration/3]
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 tpvmlpd2
0.0 0.1 update-notifier
0.0 0.0 zeitgeist-datahub
0.0 0.0 [watchdog/0]
0.0 0.0 [migration/2]
0.0 0.0 xfce4-power-manager
0.0 0.0 [khugepaged]
0.0 0.0 cron
0.0 0.0 [migration/0]
0.0 0.0 [wireshark] <defunct>
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [watchdog/1]
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/xfce4/panel-plugins/libdatetime.so 7 20971555 datetime DateTime Date and Time plugin with a simple calendar
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 [watchdog/2]
0.0 0.0 [watchdog/3]
0.0 0.0 /usr/lib/udisks/udisks-daemon
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 0.0 [kworker/u257:1]
0.0 0.0 /usr/lib/xfce4/xfconf/xfconfd
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.3 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 [kworker/3:1]
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /bin/bash
0.0 0.4 /usr/bin/python /usr/bin/blueman-applet
0.0 0.0 PassengerLoggingAgent
0.0 0.2 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.1 /usr/lib/x86_64-linux-gnu/colord/colord
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent.conf
0.0 0.1 nm-applet
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 tclsh /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth0/pads_agent.conf
0.0 0.0 xfce4-settings-helper
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 /usr/bin/zeitgeist-daemon
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel-plugins/xfce4-indicator-plugin 5 20971554 indicator Indicator Plugin An indicator of something that needs your attention on the desktop
0.0 0.0 [khungtaskd]
0.0 0.1 Passenger spawn server
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.1 xfce4-volumed
0.0 0.4 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.1 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 xfce4-session
0.0 0.1 /usr/lib/zeitgeist/zeitgeist-fts
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 20971553 systray Notification Area Area where notification icons appear
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libthunar-tpa.so 24 20971568 thunar-tpa Trash Applet Display the trash can
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfsm-logout-plugin.so 9 20971561 xfsm-logout-plugin Session Menu Shows a menu with options to lock the screen, suspend, shutdown, or log out
0.0 0.0 Thunar --daemon
0.0 0.0 /usr/lib/indicator-sound/indicator-sound-service
0.0 0.0 xfsettingsd --force
0.0 0.0 /usr/lib/indicator-messages/indicator-messages-service
0.0 0.0 lightdm
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/indicator-application/indicator-application-service
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kthreadd]
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.0 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /home/SO-user/.gvfs
0.0 0.0 /usr/lib/gvfs/gvfs-gdu-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.11 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 /usr/lib/gvfs/gvfsd-metadata
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuos/12]
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuos/16]
0.0 0.0 [rcuos/17]
0.0 0.0 [rcuos/18]
0.0 0.0 [rcuos/19]
0.0 0.0 [rcuos/20]
0.0 0.0 [rcuos/21]
0.0 0.0 [rcuos/22]
0.0 0.0 [rcuos/23]
0.0 0.0 [rcuos/24]
0.0 0.0 [rcuos/25]
0.0 0.0 [rcuos/26]
0.0 0.0 [rcuos/27]
0.0 0.0 [rcuos/28]
0.0 0.0 [rcuos/29]
0.0 0.0 [rcuos/30]
0.0 0.0 [rcuos/31]
0.0 0.0 [rcuos/32]
0.0 0.0 [rcuos/33]
0.0 0.0 [rcuos/34]
0.0 0.0 [rcuos/35]
0.0 0.0 [rcuos/36]
0.0 0.0 [rcuos/37]
0.0 0.0 [rcuos/38]
0.0 0.0 [rcuos/39]
0.0 0.0 [rcuos/40]
0.0 0.0 [rcuos/41]
0.0 0.0 [rcuos/42]
0.0 0.0 [rcuos/43]
0.0 0.0 [rcuos/44]
0.0 0.0 [rcuos/45]
0.0 0.0 [rcuos/46]
0.0 0.0 [rcuos/47]
0.0 0.0 [rcuos/48]
0.0 0.0 [rcuos/49]
0.0 0.0 [rcuos/50]
0.0 0.0 [rcuos/51]
0.0 0.0 [rcuos/52]
0.0 0.0 [rcuos/53]
0.0 0.0 [rcuos/54]
0.0 0.0 [rcuos/55]
0.0 0.0 [rcuos/56]
0.0 0.0 [rcuos/57]
0.0 0.0 [rcuos/58]
0.0 0.0 [rcuos/59]
0.0 0.0 [rcuos/60]
0.0 0.0 [rcuos/61]
0.0 0.0 [rcuos/62]
0.0 0.0 [rcuos/63]
0.0 0.0 [rcuos/64]
0.0 0.0 [rcuos/65]
0.0 0.0 [rcuos/66]
0.0 0.0 [rcuos/67]
0.0 0.0 [rcuos/68]
0.0 0.0 [rcuos/69]
0.0 0.0 [rcuos/70]
0.0 0.0 [rcuos/71]
0.0 0.0 [rcuos/72]
0.0 0.0 [rcuos/73]
0.0 0.0 [rcuos/74]
0.0 0.0 [rcuos/75]
0.0 0.0 [rcuos/76]
0.0 0.0 [rcuos/77]
0.0 0.0 [rcuos/78]
0.0 0.0 [rcuos/79]
0.0 0.0 [rcuos/80]
0.0 0.0 [rcuos/81]
0.0 0.0 [rcuos/82]
0.0 0.0 [rcuos/83]
0.0 0.0 [rcuos/84]
0.0 0.0 [rcuos/85]
0.0 0.0 [rcuos/86]
0.0 0.0 [rcuos/87]
0.0 0.0 [rcuos/88]
0.0 0.0 [rcuos/89]
0.0 0.0 [rcuos/90]
0.0 0.0 [rcuos/91]
0.0 0.0 [rcuos/92]
0.0 0.0 [rcuos/93]
0.0 0.0 [rcuos/94]
0.0 0.0 [rcuos/95]
0.0 0.0 [rcuos/96]
0.0 0.0 [rcuos/97]
0.0 0.0 [rcuos/98]
0.0 0.0 [rcuos/99]
0.0 0.0 [rcuos/100]
0.0 0.0 [rcuos/101]
0.0 0.0 [rcuos/102]
0.0 0.0 [rcuos/103]
0.0 0.0 [rcuos/104]
0.0 0.0 [rcuos/105]
0.0 0.0 [rcuos/106]
0.0 0.0 [rcuos/107]
0.0 0.0 [rcuos/108]
0.0 0.0 [rcuos/109]
0.0 0.0 [rcuos/110]
0.0 0.0 [rcuos/111]
0.0 0.0 [rcuos/112]
0.0 0.0 [rcuos/113]
0.0 0.0 [rcuos/114]
0.0 0.0 [rcuos/115]
0.0 0.0 [rcuos/116]
0.0 0.0 [rcuos/117]
0.0 0.0 [rcuos/118]
0.0 0.0 [rcuos/119]
0.0 0.0 [rcuos/120]
0.0 0.0 [rcuos/121]
0.0 0.0 [rcuos/122]
0.0 0.0 [rcuos/123]
0.0 0.0 [rcuos/124]
0.0 0.0 [rcuos/125]
0.0 0.0 [rcuos/126]
0.0 0.0 [rcuos/127]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuob/0]
0.0 0.0 [rcuob/1]
0.0 0.0 [rcuob/2]
0.0 0.0 [rcuob/3]
0.0 0.0 [rcuob/4]
0.0 0.0 [rcuob/5]
0.0 0.0 [rcuob/6]
0.0 0.0 [rcuob/7]
0.0 0.0 [rcuob/8]
0.0 0.0 [rcuob/9]
0.0 0.0 [rcuob/10]
0.0 0.0 [rcuob/11]
0.0 0.0 [rcuob/12]
0.0 0.0 [rcuob/13]
0.0 0.0 [rcuob/14]
0.0 0.0 [rcuob/15]
0.0 0.0 [rcuob/16]
0.0 0.0 [rcuob/17]
0.0 0.0 [rcuob/18]
0.0 0.0 [rcuob/19]
0.0 0.0 [rcuob/20]
0.0 0.0 [rcuob/21]
0.0 0.0 [rcuob/22]
0.0 0.0 [rcuob/23]
0.0 0.0 [rcuob/24]
0.0 0.0 [rcuob/25]
0.0 0.0 [rcuob/26]
0.0 0.0 [rcuob/27]
0.0 0.0 [rcuob/28]
0.0 0.0 [rcuob/29]
0.0 0.0 [rcuob/30]
0.0 0.0 [rcuob/31]
0.0 0.0 [rcuob/32]
0.0 0.0 [rcuob/33]
0.0 0.0 [rcuob/34]
0.0 0.0 [rcuob/35]
0.0 0.0 [rcuob/36]
0.0 0.0 [rcuob/37]
0.0 0.0 [rcuob/38]
0.0 0.0 [rcuob/39]
0.0 0.0 [rcuob/40]
0.0 0.0 [rcuob/41]
0.0 0.0 [rcuob/42]
0.0 0.0 [rcuob/43]
0.0 0.0 [rcuob/44]
0.0 0.0 [rcuob/45]
0.0 0.0 [rcuob/46]
0.0 0.0 [rcuob/47]
0.0 0.0 [rcuob/48]
0.0 0.0 [rcuob/49]
0.0 0.0 [rcuob/50]
0.0 0.0 [rcuob/51]
0.0 0.0 [rcuob/52]
0.0 0.0 [rcuob/53]
0.0 0.0 [rcuob/54]
0.0 0.0 [rcuob/55]
0.0 0.0 [rcuob/56]
0.0 0.0 [rcuob/57]
0.0 0.0 [rcuob/58]
0.0 0.0 [rcuob/59]
0.0 0.0 [rcuob/60]
0.0 0.0 [rcuob/61]
0.0 0.0 [rcuob/62]
0.0 0.0 [rcuob/63]
0.0 0.0 [rcuob/64]
0.0 0.0 [rcuob/65]
0.0 0.0 [rcuob/66]
0.0 0.0 [rcuob/67]
0.0 0.0 [rcuob/68]
0.0 0.0 [rcuob/69]
0.0 0.0 [rcuob/70]
0.0 0.0 [rcuob/71]
0.0 0.0 [rcuob/72]
0.0 0.0 [rcuob/73]
0.0 0.0 [rcuob/74]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/0:2]
0.0 0.0 [hci0]
0.0 0.0 [hci0]
0.0 0.0 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- wireshark
0.0 0.0 [krfcommd]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 atd
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.0 [lightdm] <defunct>
0.0 0.0 /usr/bin/dbus-launch --exit-with-session startxfce4
0.0 0.0 udisks-daemon: not polling any devices
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/cat
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p local -p SO-server-eth0-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort.stats
0.0 0.0 [/usr/bin/termin] <defunct>
0.0 0.0 /usr/lib/chromium-browser/chrome-sandbox /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.1 /usr/lib/chromium-browser/chromium-browser --type=gpu-broker
0.0 0.0 /usr/lib/dconf/dconf-service
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 PassengerWatchdog
0.0 0.0 su - SO-user -- /usr/bin/http_agent.tcl -c /etc/nsm/SO-server-eth0/http_agent.conf -e /etc/nsm/SO-server-eth0/http_agent.exclude -f /nsm/bro/logs/current/http_eth0.log
0.0 0.0 tail -n 0 -F /nsm/bro/logs/current/http_eth0.log
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 su - SO-user -- /usr/bin/sancp_agent.tcl -c /etc/nsm/SO-server-eth0/sancp_agent.conf
0.0 0.0 [kworker/u256:3]
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/pads_agent.tcl -c /etc/nsm/SO-server-eth0/pads_agent.conf
0.0 0.0 cat /nsm/sensor_data/SO-server-eth0/pads.fifo
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth0/pcap_agent.conf
0.0 1.3 /usr/sbin/apache2 -k start
0.0 1.2 /usr/sbin/apache2 -k start
0.0 1.2 /usr/sbin/apache2 -k start
0.0 1.2 /usr/sbin/apache2 -k start
0.0 1.2 /usr/sbin/apache2 -k start
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth0/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort.stats
0.0 0.0 sudo sostat-xxxxxx
0.0 0.0 /bin/bash /usr/bin/sostat-xxxxxx
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth0/snort.stats

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth0: 1750

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 5 days
1.1G .
401M ./2015-07-03
374M ./2015-07-04
235M ./2015-07-05
113M ./2015-07-06
932K ./2015-07-07

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .

/nsm/bro/logs/ - 4 days
14M .
1.2M ./2015-07-03
3.1M ./2015-07-04
3.6M ./2015-07-05
2.9M ./2015-07-06
2.6M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth0-1: 1436229251.978621 recvd=393599 dropped=0 link=393599
SO-server-eth0-2: 1436229252.178155 recvd=394831 dropped=0 link=394831

=========================================================================
IDS Engine (suricata) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth0/stats.log
tcp.ssn_memcap_drop | RxPFReth02 | 0
tcp.segment_memcap_drop | RxPFReth02 | 0


=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 4

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/54911-eth0.354
Appl. Name : Suricata
Tot Packets : 54256
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/54912-eth0.355
Appl. Name : Suricata
Tot Packets : 50640
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/6531-eth0.2
Appl. Name : bro-eth0
Tot Packets : 394831
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/6532-eth0.1
Appl. Name : bro-eth0
Tot Packets : 393599
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
15354

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
298 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
10 1:2000419 ET POLICY PE EXE or DLL Windows file download
8 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
5 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
3 1:2014997 ET POLICY Pandora Usage
1 10000:2 PADS Changed Asset - unknown @domain
1 10000:1 PADS New Asset - unknown @pop3s
1 10000:1 PADS New Asset - unknown @https
1 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Total
328

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
6805 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
3146 1:2210045 SURICATA STREAM Packet with invalid ack
3144 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
1035 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
301 1:2101411 GPL SNMP public access udp
297 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
38 1:2000419 ET POLICY PE EXE or DLL Windows file download
35 1:2014997 ET POLICY Pandora Usage
34 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
20 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
18 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
17 1:2014519 ET INFO EXE - Served Inline HTTP
12 1:2200029 SURICATA ICMPv6 unknown type
10 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
9 10000:1 PADS New Asset - unknown @https
9 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
8 10000:2 PADS Changed Asset - domain DNS SQR No Error
7 1:2200025 SURICATA ICMPv4 unknown code
6 10000:1 PADS New Asset - unknown @ntp
5 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
5 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
5 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
5 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
5 10000:1 PADS New Asset - unknown @domain
4 1:2016847 ET INFO Possible Chrome Plugin install
4 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
4 10000:1 PADS New Asset - ssl TLS 1.0 Client Hello
4 10000:2 PADS Changed Asset - unknown @domain
4 1:2018489 ET SCAN NMAP OS Detection Probe
3 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3 10000:1 PADS New Asset - unknown @www
2 10000:2 PADS Changed Asset - http Apache 2.2.9 (Ubuntu)
2 1:2210038 SURICATA STREAM FIN out of window
2 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
2 10000:1 PADS New Asset - unknown @snmp
2 10000:1 PADS New Asset - smb Windows SMB
2 1:2013028 ET POLICY curl User-Agent Outbound
2 1:2210030 SURICATA STREAM FIN invalid ack
2 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2 10000:1 PADS New Asset - http Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
2 10000:1 PADS New Asset - ssl OpenSSL
2 10000:1 PADS New Asset - http WSDAPI
2 10000:1 PADS New Asset - http Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
2 10000:2 PADS Changed Asset - http Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
2 1:2012325 ET WEB_CLIENT Obfuscated Javascript // ptth
1 10000:2 PADS Changed Asset - http Ruby
1 10000:2 PADS Changed Asset - http Mozilla/5.0 (X11; U; Linux i686; en (US; rv:1.6) Gecko/20040614 Firefox/0.8)
1 1:2001219 ET SCAN Potential SSH Scan
1 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
1 1:2009550 ET TROJAN Banker PWS/Infostealer HTTP GET Checkin
Total
15067

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
698 URL stats.pandora.com
440 URL www.pandora.com
196 URL crl.microsoft.com
144 URL X.X.X.X
143 URL www.welivesecurity.com
132 URL us.archive.ubuntu.com
71 URL xxxxxx-10.xxxxxx
68 URL xxxxxx-03.xxxxxx
68 URL krebsonsecurity.com
67 URL X.X.X.X
64 URL securityintelligence.com
58 URL www.microsoft.com
56 URL download.cdn.mozilla.net
50 URL www.net-security.org
49 URL xxxxxx-04.xxxxxx
48 URL community.websense.com
47 URL xxxxxx-12.xxxxxx
46 URL xxxxxx-16.xxxxxx
46 URL xxxxxx-19.xxxxxx
45 URL api.mywot.com
44 URL security.ubuntu.com
39 URL www.senderbase.org
34 URL xxxxxx-15.xxxxxx
32 URL extras.ubuntu.com
32 URL xxxxxx-06.xxxxxx
28 URL lt.andomedia.com
28 URL www.yougetsignal.com
28 URL lt150.tritondigital.com
26 URL blog.fortinet.com
26 URL www.infosecisland.com
25 URL xxxxxx-01.xxxxxx
24 URL assets.cloud.techsmith.com
23 URL 2.bp.blogspot.com
23 URL xxxxxx-14.xxxxxx
22 URL 1.bp.blogspot.com
21 URL 4.bp.blogspot.com
21 URL news.netcraft.com
19 URL www.secureworks.com
19 URL 3.bp.blogspot.com
19 URL xxxxxx-07.xxxxxx
17 URL x3.vindicosuite.com
17 URL blogs.technet.com
16 URL xxxxxx-18.xxxxxx
15 URL player.ooyala.com
15 URL maps.gstatic.com
15 URL centralops.net
15 URL l.ooyala.com
14 URL www.bellevue.edu
14 URL ppa.launchpad.net
14 URL static.jsbin.com
Total
3561

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
298 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
10 1:2000419 ET POLICY PE EXE or DLL Windows file download
8 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
5 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
3 1:2014997 ET POLICY Pandora Usage
Total
324

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
6805 1:2210020 SURICATA STREAM ESTABLISHED packet out of window
3146 1:2210045 SURICATA STREAM Packet with invalid ack
3144 1:2210029 SURICATA STREAM ESTABLISHED invalid ack
1036 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
301 1:2101411 GPL SNMP public access udp
297 1:2016922 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
38 1:2000419 ET POLICY PE EXE or DLL Windows file download
35 1:2014997 ET POLICY Pandora Usage
26 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
20 1:2210021 SURICATA STREAM ESTABLISHED retransmission packet before last ack
18 1:2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
17 1:2014519 ET INFO EXE - Served Inline HTTP
10 1:2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
9 1:2101390 GPL SHELLCODE x86 inc ebx NOOP
8 1:2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
7 1:2200025 SURICATA ICMPv4 unknown code
5 1:2010937 ET POLICY Suspicious inbound to mySQL port 3306
5 1:2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
5 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
5 1:2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
4 1:2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
4 1:2018489 ET SCAN NMAP OS Detection Probe
4 1:2016847 ET INFO Possible Chrome Plugin install
3 1:2021076 ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2 1:2013028 ET POLICY curl User-Agent Outbound
2 1:2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
2 1:2210038 SURICATA STREAM FIN out of window
2 1:2210030 SURICATA STREAM FIN invalid ack
2 1:2012325 ET WEB_CLIENT Obfuscated Javascript // ptth
2 1:2020716 ET POLICY Possible External IP Lookup ipinfo.io
1 1:2016875 ET POLICY Unsupported/Fake FireFox Version 0.
1 1:2016141 ET INFO Exectuable Download from dotted-quad Host
1 1:2013475 ET POLICY SUSPICIOUS *.doc.exe in HTTP URL
1 1:2002911 ET SCAN Potential VNC Scan 5900-5920
1 1:2002910 ET SCAN Potential VNC Scan 5800-5820
1 1:2001219 ET SCAN Potential SSH Scan
1 1:2003068 ET SCAN Potential SSH Scan OUTBOUND
1 1:2010438 ET MALWARE Possible Malicious Applet Access (justexploit kit)
1 1:2016254 ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request
1 1:2019023 ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014
1 1:2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
1 1:2009550 ET TROJAN Banker PWS/Infostealer HTTP GET Checkin
1 1:2011857 ET TROJAN SpyEye C&C Check-in URI
1 1:2103000 GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
1 1:2100538 GPL NETBIOS SMB IPC$ unicode share access
1 1:2013743 ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
1 1:2012811 ET DNS DNS Query to a .tk domain - Likely Hostile
Total
14981

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
101230 supervising syslog-ng
101231 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
2675 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
2464 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/SO-server/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
286M /nsm/elsa/data
12M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2015-07-03 01:36:57 2015-07-07 00:33:27

allp...@gmail.com

unread,
Jul 6, 2015, 8:51:42 PM7/6/15
to securit...@googlegroups.com
BTW, all of those malware events are from the test pcap files. I followed the videos that imported them. :)

Doug Burks

unread,
Jul 7, 2015, 11:21:02 AM7/7/15
to securit...@googlegroups.com
On Sat, Jul 4, 2015 at 11:02 PM, <allp...@gmail.com> wrote:
> GeoIP is not showing up. Country is not showing up. The Map in Squert is empty.
>
> I have tried running the GeoIP job by hand three times.
>
> cd /opt/snorby/
> sudo RAILS_ENV=production bundle exec rails c
>
>
> Snorby::Jobs::GeoipUpdatedbJob.new(true).perform
> quit
>
> No joy.

That's the GeoIP job for Snorby, which has no effect on Squert.

Squert has its own GeoIP cronjob (/etc/cron.d/squert-ip2c) which pulls
GeoIP information using FTP. Do you have full Internet access
(including FTP access)?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

allp...@gmail.com

unread,
Jul 7, 2015, 7:41:17 PM7/7/15
to securit...@googlegroups.com
I had thought about full access and noticed a few days ago that certain ports were not open in UFW and that had caused other issues. (See attached) I had turned off UFW for now, and made sure that my border firewall had a rule that allowed SecurityOnion to use any service with any IP. (Rule 1)

So yes, I have full internet access.


I found this on another post you did:

sudo /usr/bin/php -e /var/www/squert/.inc/ip2c.php 1
sudo (cd /var/www/squert/.scripts/Ip2c/; rm -f *.md5; ./ip2c.tcl)

The first line runs, but the second gives me the following error: bash: syntax error near unexpected token 'cd'

I even copied that line right out of the cron job... same error. See attached for image of cron and error.

Thank you.

ufw.png
ip2c.png
croncopy.png

allp...@gmail.com

unread,
Jul 7, 2015, 8:51:34 PM7/7/15
to securit...@googlegroups.com
I checked and am able to connect to my website's FTP server.

Heine Lysemose

unread,
Jul 8, 2015, 2:04:12 AM7/8/15
to securit...@googlegroups.com

What if you cd into the scripts directory manually and execute the second part from there?

Regards,
Lysemose

On Jul 8, 2015 02:51, <allp...@gmail.com> wrote:
> I checked and am able to connect to my website's FTP server.

allp...@gmail.com

unread,
Jul 8, 2015, 7:09:36 PM7/8/15
to securit...@googlegroups.com
Ahh, now we are getting somewhere. I get a connection denied in the FTP response!

Standard query A ftp.afrinic.net

Response: 501 Connection denied. Bye

I am guessing it is just me... I will look into why I am blocked.

allp...@gmail.com

unread,
Jul 8, 2015, 8:46:32 PM7/8/15
to securit...@googlegroups.com
I was not seeing this in my firewall logs because I proxy FTP on my trusted network. (I forgot I only allow FTP to one site!) My test VM is on that network and thus subject to the FTP proxy rules. For a test I turned off FTP proxy, and the IP was no longer blocked. It is now working!

FTP proxy Log:
2015:07:08-20:23:51 redacted frox[18558]: Denied by ACLs.
2015:07:08-20:23:51 redacted frox[18558]: Closing session
2015:07:08-20:31:59 redacted frox[19371]: Connect from xxx.xxx.xxx.xxx
2015:07:08-20:31:59 redacted frox[19371]: ... to 196.216.2.9()


I made an exception for the SO IP so that the FTP proxy skips it.

I did notice that my 1 hit to South Africa is not colored on the map. Is there a minimum number before it turns a color?

Thank you so much for your help!
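As an added example (not from this thread or from Security Onion), a small POSIX shell triage that correlates frox proxy log lines of the kind posted above by session id and lists the sessions the proxy refused by ACL; this is the check that would have pointed at the blocked ip2c FTP fetch. The log sample is constructed in the posted format, and the 10.0.0.5 source address is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed frox log line format
# (taken from the lines posted above):
#   <timestamp> <host> frox[<pid>]: <message>
# One FTP session keeps one frox pid, so "Connect from", "... to" and
# "Denied by ACLs." lines can be joined on that pid.

# Print "pid source destination" for every frox session denied by ACLs.
# Reads log text on stdin; output is sorted so it is deterministic.
frox_denied_sessions() {
    awk '
    # Pull the pid out of "frox[<pid>]" on every line; skip lines without it.
    {
        if (match($0, /frox\[[0-9]+\]/)) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
        } else {
            next
        }
    }
    # Client address: everything after "Connect from ".
    /Connect from / { sub(/.*Connect from /, ""); src[pid] = $0 }
    # Server address: everything after "... to ", minus the trailing "()".
    /\.\.\. to /    { sub(/.*\.\.\. to /, ""); sub(/\(.*$/, ""); dst[pid] = $0 }
    # The proxy ACL refused this session.
    /Denied by ACLs/ { denied[pid] = 1 }
    END {
        for (p in denied) {
            s = (p in src) ? src[p] : "?"
            d = (p in dst) ? dst[p] : "?"
            printf "%s %s %s\n", p, s, d
        }
    }' | sort
}

# Constructed sample log: one session denied by the proxy ACL (18558), one
# allowed through (19371), both to the same GeoIP FTP source.
FROX_LOG_SAMPLE='2015:07:08-20:23:51 fw frox[18558]: Connect from 10.0.0.5
2015:07:08-20:23:51 fw frox[18558]: ... to 196.216.2.9()
2015:07:08-20:23:51 fw frox[18558]: Denied by ACLs.
2015:07:08-20:23:51 fw frox[18558]: Closing session
2015:07:08-20:31:59 fw frox[19371]: Connect from 10.0.0.5
2015:07:08-20:31:59 fw frox[19371]: ... to 196.216.2.9()
2015:07:08-20:31:59 fw frox[19371]: Closing session'

# Run the triage over the constructed sample.
frox_denied_sessions_sample() {
    printf '%s\n' "$FROX_LOG_SAMPLE" | frox_denied_sessions
}

frox_denied_sessions_sample
```

On a live proxy the same function reads the real log, e.g. `frox_denied_sessions < /var/log/frox.log` (path is an assumption), so a sensor whose GeoIP sources are being refused shows up as a denied line with its own address as the source.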
