Wes, I was able to get everything working earlier this morning. The problem was that autossh hadn't started or had failed. Things are calmer now. I believe the root cause was a massive influx (known cause) of alerts. Here is the sostat; any other suggestions you may have are welcome.
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com/
48 packages can be updated.
25 updates are security updates.
Last login: Mon Jul 18 19:23:17 2016 from 172.17.102.168
sellis@Seven:~$ sudo service nsm stop
Stopping: securityonion
* stopping: sguil server [ OK ]
Stopping: HIDS
* stopping: ossec_agent (sguil) [ OK ]
Stopping: Bro
stopping seven-eth4-1 ...
stopping seven-eth4-2 ...
stopping proxy ...
stopping manager ...
Stopping: Seven-eth4
* stopping: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* stopping: snort_agent-1 (sguil) [ OK ]
* stopping: snort_agent-2 (sguil) [ OK ]
* stopping: snort_agent-3 (sguil) [ OK ]
* stopping: snort_agent-4 (sguil) [ OK ]
* stopping: snort-1 (alert data) [ OK ]
* stopping: snort-2 (alert data) [ OK ]
* stopping: snort-3 (alert data) [ OK ]
* stopping: snort-4 (alert data) [ OK ]
* stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
* stopping: barnyard2-2 (spooler, unified2 format) [ OK ]
* stopping: barnyard2-3 (spooler, unified2 format) [ OK ]
* stopping: barnyard2-4 (spooler, unified2 format) [ OK ]
sellis@Seven:~$ cd /
sellis@Seven:/$ cd nsm
sellis@Seven:/nsm$ ls -la
total 24
drwxr-xr-x 6 root root 4096 Jan 28 16:49 .
drwxr-xr-x 24 root root 4096 Jul 12 16:56 ..
drwxr-xr-x 5 sguil sguil 4096 Dec 18 2015 bro
drwxr-xr-x 3 root root 4096 Jan 28 16:49 elsa
drwxr-xr-x 8 root root 4096 Jan 28 16:49 sensor_data
drwxr-xr-x 3 root root 4096 Jan 28 16:48 server_data
sellis@Seven:/nsm$ cd /
sellis@Seven:/$ cd etc/nsm/securityonion
sellis@Seven:/etc/nsm/securityonion$ ls -la
total 40
drwxrwxr-x 3 sguil sguil 4096 Mar 9 16:25 .
drwxr-xr-x 13 root root 4096 Jun 21 16:01 ..
-rwxrwxr-x 1 sguil sguil 2221 Sep 20 2011 autocat.conf
drwxrwxr-x 2 sguil sguil 4096 Jan 28 16:48 certs
-rwxrwxr-x 1 sguil sguil 390 Jan 28 16:48 server.conf
-rwxrwxr-x 1 sguil sguil 1286 Oct 9 2010 sguild.access
-rwxrwxr-x 1 sguil sguil 2776 Mar 9 16:25 sguild.conf
-rwxrwxr-x 1 sguil sguil 2992 Oct 9 2010 sguild.email
-rwxrwxr-x 1 sguil sguil 789 Oct 9 2010 sguild.queries
-rwxrwxr-x 1 sguil sguil 344 Oct 9 2010 sguild.users
sellis@Seven:/etc/nsm/securityonion$ more squild.conf
squild.conf: No such file or directory
sellis@Seven:/etc/nsm/securityonion$ more sguild.conf
# sguild.conf: auto-generated by NSMnow Administration on Thu Jan 28 16:48:57 UTC 2016
# Path to the sguild libs.
set SGUILD_LIB_PATH "/usr/lib/sguild"
# DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
set DEBUG 1
# Run sguild in daemon mode. 1=on 0=off
# This overrides above and will set DEBUG off.
# set DAEMON 1 is the same as using -D
set DAEMON 0
# Syslog Facility to log to in DAEMON mode
# Note the Errors will go to SYSLOGFACILITY.err
# DEBUG == 1 messages go to SYSLOGFACILITY.notice
# DEBUG == 2 messages go to SYSLOGFACILITY.info
# So, even at DEBUG == 2 you can send the 'important'
# debug level 1 messages one place and the noisy info stuff another
# by twiddling your syslog.conf
set SYSLOGFACILITY daemon
# Use the below to configure alert aggregation. Aggregation will
# always use the source IP and signature (message). By default
# we use the sensor ID too. If you want to override this,
# then set the below to 0.
set SENSOR_AGGREGATION_ON 1
# If the server is on a multi interface machine and you want it
# to only listen on a specific IP addr, then uncomment and put
# the correct values here. You can listen on seperate addrs for
# clients and sensors.
# set BIND_SENSOR_IP_ADDR 127.0.0.1
# set BIND_CLIENT_IP_ADDR 127.0.0.1
# What port for sguild to listen on.
# Client Connects
set SERVERPORT 7734
# Sensor connects
set SENSORPORT 7736
# Path to look for rules. Sguild will append the hostname (/etc/snort/rules/<hostname>/*.rules)
# Some day we'll move the rules into the DB.
set RULESDIR "/nsm/server_data/securityonion/rules"
# Where to temporarily store portscan and session data for loading into the DB
set TMPDATADIR /tmp
# DataBase Info
set DBHOST localhost
set DBPORT 3306
set DBNAME "securityonion_db"
set DBUSER "sguil"
set DBPASS "password"
# Configs for xscript function
# Where you want to archive raw file locally when xscripts are requested.
set LOCAL_LOG_DIR "/nsm/server_data/securityonion/archive"
# Where to store DB LOADable files until loaderd can put them in the DB
set TMP_LOAD_DIR "/nsm/server_data/securityonion/load"
# We're using a newer version of tcpflow that includes
# extra output that confuses Sguil. tcpflow-no-tags
# is a shim that sends the correct options to tcpflow
# such that its output is what Sguil is expecting.
set TCPFLOW "/usr/bin/tcpflow-no-tags"
# p0f - (C) Michal Zalewski <lcamtuf\@gis.net>, William Stearns <wstearns\@pobox.com>
# If you have p0f (a passive OS fingerprinting system) installed, you can have
# xscriptd attempt to use it by enabling it here. Get p0f at http://www.stearns.org
#
# 1=ON, 0=OFF
set P0F 1
# Path of the p0f binary. Switches -q and -s <filename> are appended on exec,
# add any others you may need here.
set P0F_PATH "/usr/sbin/p0f"
sellis@Seven:/etc/nsm/securityonion$ mysql -V
mysql Ver 14.14 Distrib 5.5.49, for debian-linux-gnu (x86_64) using readline 6.3
sellis@Seven:/etc/nsm/securityonion$ ssh Rphal
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for rphal has changed,
and the key for the corresponding IP address 172.17.77.9
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/sellis/.ssh/known_hosts:2
remove with: ssh-keygen -f "/home/sellis/.ssh/known_hosts" -R 172.17.77.9
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
be:d9:22:ee:97:98:8d:7e:bf:91:9c:04:30:36:15:39.
Please contact your system administrator.
Add correct host key in /home/sellis/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/sellis/.ssh/known_hosts:4
remove with: ssh-keygen -f "/home/sellis/.ssh/known_hosts" -R rphal
ECDSA host key for rphal has changed and you have requested strict checking.
Host key verification failed.
sellis@Seven:/etc/nsm/securityonion$ ^C
sellis@Seven:/etc/nsm/securityonion$ logout
Connection to seven closed.
p-dv-mac-scor:~ sellis$ ssh seven
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com/
48 packages can be updated.
25 updates are security updates.
Last login: Mon Jul 18 19:25:21 2016 from 172.17.102.168
sellis@Seven:~$ sudo -i
root@Seven:~# ssh Rphal
The authenticity of host 'rphal (172.17.77.9)' can't be established.
ECDSA key fingerprint is be:d9:22:ee:97:98:8d:7e:bf:91:9c:04:30:36:15:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rphal' (ECDSA) to the list of known hosts.
root@rphal's password:
Permission denied, please try again.
root@rphal's password:
Permission denied, please try again.
root@rphal's password:
Permission denied (publickey,password).
root@Seven:~# ssh 172.17.79.6
The authenticity of host '172.17.79.6 (172.17.79.6)' can't be established.
ECDSA key fingerprint is e4:5c:ec:18:d6:c6:aa:6a:6e:43:bf:93:00:30:d4:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.79.6' (ECDSA) to the list of known hosts.
ro...@172.17.79.6's password:
Received disconnect from 172.17.79.6: 11: Logged out.
root@Seven:~#
root@Seven:~# ssh 172.17.79.6
ro...@172.17.79.6's password:
Permission denied, please try again.
ro...@172.17.79.6's password:
Permission denied, please try again.
ro...@172.17.79.6's password:
Permission denied (publickey,password).
root@Seven:~# su sellis
sellis@Seven:/root$ ssh 172.17.79.6
The authenticity of host '172.17.79.6 (172.17.79.6)' can't be established.
ECDSA key fingerprint is e4:5c:ec:18:d6:c6:aa:6a:6e:43:bf:93:00:30:d4:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.79.6' (ECDSA) to the list of known hosts.
sel...@172.17.79.6's password:
Permission denied, please try again.
sel...@172.17.79.6's password:
Permission denied, please try again.
sel...@172.17.79.6's password:
Received disconnect from 172.17.79.6: 11: Logged out.
sellis@Seven:/root$ pwd
/root
sellis@Seven:/root$ cd .ssh
bash: cd: .ssh: Permission denied
sellis@Seven:/root$ su -i
su: invalid option -- 'i'
Usage: su [options] [LOGIN]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login make the shell a login shell
-m, -p,
--preserve-environment do not reset environment variables, and
keep the same shell
-s, --shell SHELL use SHELL instead of the default in passwd
sellis@Seven:/root$ whoami
sellis
sellis@Seven:/root$ cd ~
sellis@Seven:~$ ssh 172.17.77.9
sel...@172.17.77.9's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com/
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jul 18 20:16:48 2016 from 172.17.102.168
sellis@Rphal:~$ cd .ssh
sellis@Rphal:~/.ssh$ vi known_hosts
sellis@Rphal:~/.ssh$ ssh seven
The authenticity of host 'seven (172.17.109.5)' can't be established.
ECDSA key fingerprint is 73:f3:fa:e2:87:d9:a6:80:2e:fd:83:67:dc:0a:0b:e9.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
sellis@Rphal:~/.ssh$ ls -la
total 24
drwx------ 2 sellis sellis 4096 Jul 18 21:09 .
drwxr-xr-x 16 sellis sellis 4096 Jul 18 21:09 ..
-rw-r--r-- 1 sellis sellis 515 Apr 13 18:27 authorized_keys
-rw------- 1 sellis sellis 1679 Feb 4 17:50 id_rsa
-rw-r--r-- 1 sellis sellis 394 Feb 4 17:50 id_rsa.pub
-rw-r--r-- 1 sellis sellis 444 Apr 20 19:19 known_hosts
sellis@Rphal:~/.ssh$ vi id_rsa.pub
sellis@Rphal:~/.ssh$ su -i
su: invalid option -- 'i'
Usage: su [options] [LOGIN]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login make the shell a login shell
-m, -p,
--preserve-environment do not reset environment variables, and
keep the same shell
-s, --shell SHELL use SHELL instead of the default in passwd
sellis@Rphal:~/.ssh$ cd ~
sellis@Rphal:~$ logout
Connection to 172.17.77.9 closed.
sellis@Seven:~$ ssh seven
sellis@seven's password:
sellis@Seven:~$ exit
root@Seven:~# logout
sellis@Seven:~$ logout
Connection to seven closed.
p-dv-mac-scor:~ sellis$ ss seven
-bash: ss: command not found
p-dv-mac-scor:~ sellis$ ssh seven
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com/
48 packages can be updated.
25 updates are security updates.
Last login: Mon Jul 18 21:06:04 2016 from 172.17.102.168
sellis@Seven:~$ ssh 172.17.77.9
sel...@172.17.77.9's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com/
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jul 18 21:01:58 2016 from seven
sellis@Rphal:~$ Write failed: Broken pipe
p-dv-mac-scor:~ sellis$ ping seven
PING seven (172.17.109.5): 56 data bytes
64 bytes from 172.17.109.5: icmp_seq=0 ttl=63 time=0.237 ms
64 bytes from 172.17.109.5: icmp_seq=1 ttl=63 time=0.361 ms
64 bytes from 172.17.109.5: icmp_seq=2 ttl=63 time=0.304 ms
64 bytes from 172.17.109.5: icmp_seq=3 ttl=63 time=0.307 ms
64 bytes from 172.17.109.5: icmp_seq=4 ttl=63 time=0.266 ms
^C
--- seven ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.237/0.295/0.361/0.042 ms
p-dv-mac-scor:~ sellis$ ssh Rpha
ssh: Could not resolve hostname Rpha: nodename nor servname provided, or not known
p-dv-mac-scor:~ sellis$ ssh Rphal
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-65-generic x86_64)
* Documentation: https://help.ubuntu.com/
57 packages can be updated.
34 updates are security updates.
Last login: Tue Jul 19 14:42:18 2016 from p-dv-sbx-wled.kcura.corp
sellis@Rphal:~$ logout
Connection to Rphal closed.
p-dv-mac-scor:~ sellis$ ssh rphal
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-65-generic x86_64)
* Documentation: https://help.ubuntu.com/
57 packages can be updated.
34 updates are security updates.
Last login: Tue Jul 19 17:42:32 2016 from 172.17.102.168
sellis@Rphal:~$ sudo soup
###########################################################################
This script will automatically install all available updates
and remove any old kernels (keeping at least two kernels).
For distributed deployments, please ensure this script is
run on the master server before updating sensors.
If mysql-server updates are available, it will stop sensor processes
to ensure a clean update.
At the end of the script, if mysql-server and/or kernel updates
were installed, you will be prompted to reboot.
###########################################################################
Press Enter to continue or Ctrl-C to cancel.
Checking for kernels that can be removed...
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libntdb1 linux-headers-3.19.0-58 linux-headers-3.19.0-59
linux-headers-3.19.0-59-generic linux-image-3.19.0-59-generic
linux-image-extra-3.19.0-59-generic python-ntdb
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
linux-headers-3.19.0-58-generic* linux-image-3.19.0-58-generic*
linux-image-extra-3.19.0-58-generic*
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 222 MB disk space will be freed.
(Reading database ... 212108 files and directories currently installed.)
Removing linux-headers-3.19.0-58-generic (3.19.0-58.64~14.04.1) ...
Removing linux-image-extra-3.19.0-58-generic (3.19.0-58.64~14.04.1) ...
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
run-parts: executing /etc/kernel/postinst.d/dkms 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
update-initramfs: Generating /boot/initrd.img-3.19.0-58-generic
run-parts: executing /etc/kernel/postinst.d/pm-utils 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
run-parts: executing /etc/kernel/postinst.d/update-notifier 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.19.0-65-generic
Found initrd image: /boot/initrd.img-3.19.0-65-generic
Found linux image: /boot/vmlinuz-3.19.0-59-generic
Found initrd image: /boot/initrd.img-3.19.0-59-generic
Found linux image: /boot/vmlinuz-3.19.0-58-generic
Found initrd image: /boot/initrd.img-3.19.0-58-generic
Found memtest86+ image: /memtest86+.elf
Found memtest86+ image: /memtest86+.bin
Found Ubuntu 14.04.4 LTS (14.04) on /dev/mapper/securityonion--vg-root
done
Purging configuration files for linux-image-extra-3.19.0-58-generic (3.19.0-58.64~14.04.1) ...
Removing linux-image-3.19.0-58-generic (3.19.0-58.64~14.04.1) ...
Examining /etc/kernel/prerm.d.
run-parts: executing /etc/kernel/prerm.d/dkms 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
dkms: removing: pf_ring 6 (3.19.0-58-generic) (x86_64)
-------- Uninstall Beginning --------
Module: pf_ring
Version: 6
Kernel: 3.19.0-58-generic (x86_64)
-------------------------------------
Status: Before uninstall, this module version was ACTIVE on this kernel.
pf_ring.ko:
- Uninstallation
- Deleting from: /lib/modules/3.19.0-58-generic/updates/dkms/
- Original module
- No original module was found for this module on this kernel.
- Use the dkms install command to reinstall any previous module version.
depmod....
DKMS: uninstall completed.
Examining /etc/kernel/postrm.d .
run-parts: executing /etc/kernel/postrm.d/initramfs-tools 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
update-initramfs: Deleting /boot/initrd.img-3.19.0-58-generic
run-parts: executing /etc/kernel/postrm.d/zz-update-grub 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.19.0-65-generic
Found initrd image: /boot/initrd.img-3.19.0-65-generic
Found linux image: /boot/vmlinuz-3.19.0-59-generic
Found initrd image: /boot/initrd.img-3.19.0-59-generic
Found memtest86+ image: /memtest86+.elf
Found memtest86+ image: /memtest86+.bin
Found Ubuntu 14.04.4 LTS (14.04) on /dev/mapper/securityonion--vg-root
done
Purging configuration files for linux-image-3.19.0-58-generic (3.19.0-58.64~14.04.1) ...
Examining /etc/kernel/postrm.d .
run-parts: executing /etc/kernel/postrm.d/initramfs-tools 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
run-parts: executing /etc/kernel/postrm.d/zz-update-grub 3.19.0-58-generic /boot/vmlinuz-3.19.0-58-generic
Checking for updates...
Reading package lists... Done
Building dependency tree
Reading state information... Done
securityonion-pfring-module is already the newest version.
The following packages were automatically installed and are no longer required:
libntdb1 linux-headers-3.19.0-58 linux-headers-3.19.0-59
linux-headers-3.19.0-59-generic linux-image-3.19.0-59-generic
linux-image-extra-3.19.0-59-generic python-ntdb
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
libntdb1 linux-headers-3.19.0-58 linux-headers-3.19.0-59
linux-headers-3.19.0-59-generic linux-image-3.19.0-59-generic
linux-image-extra-3.19.0-59-generic python-ntdb
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
###########################################################################
All updates have been installed.
Press Enter to reboot or Ctrl-C to cancel.
Broadcast message from sellis@Rphal
(/dev/pts/0) at 17:50 ...
The system is going down for reboot NOW!
sellis@Rphal:~$ Connection to rphal closed by remote host.
Connection to rphal closed.
p-dv-mac-scor:~ sellis$ ssh seven
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-65-generic x86_64)
* Documentation: https://help.ubuntu.com/
0 packages can be updated.
0 updates are security updates.
Last login: Tue Jul 19 17:53:31 2016 from 172.17.102.168
sellis@Seven:~$ sudo sostat
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 13855 3 19 Jul 14:51:45
proxy proxy localhost running 14024 3 19 Jul 14:51:47
seven-eth4-1 worker localhost running 14324 2 19 Jul 14:51:48
seven-eth4-2 worker localhost running 14329 2 19 Jul 14:51:48
Status: Seven-eth4
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort_agent-2 (sguil)[ OK ]
* snort_agent-3 (sguil)[ OK ]
* snort_agent-4 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth3 Link encap:Ethernet HWaddr 14:18:77:3e:25:9b
inet addr:172.17.109.5 Bcast:172.17.109.255 Mask:255.255.255.0
inet6 addr: fe80::1618:77ff:fe3e:259b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58554 errors:0 dropped:0 overruns:0 frame:0
TX packets:43332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9450803 (9.4 MB) TX bytes:15446827 (15.4 MB)
Interrupt:103 Memory:92000000-927fffff
eth4 Link encap:Ethernet HWaddr 00:0e:1e:bb:c8:10
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:271913007 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:202038128686 (202.0 GB) TX bytes:168 (168.0 B)
Interrupt:114 Memory:c9000000-c97fffff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:552187 errors:0 dropped:0 overruns:0 frame:0
TX packets:552187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3592444197 (3.5 GB) TX bytes:3592444197 (3.5 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
3592444197 552187 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3592444197 552187 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 14:18:77:3e:25:95 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 14:18:77:3e:25:97 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 14:18:77:3e:25:99 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 14:18:77:3e:25:9b brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
9450803 58554 0 0 0 5702
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15446827 43332 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
6: eth4: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:0e:1e:bb:c8:10 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
202038128686 271913007 0 0 0 21170567
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
168 2 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:0e:1e:bb:c8:12 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 189G 4.0K 189G 1% /dev
tmpfs 38G 1.8M 38G 1% /run
/dev/dm-0 8.3T 6.9T 1.1T 88% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 189G 0 189G 0% /run/shm
none 100M 4.0K 100M 1% /run/user
/dev/sda2 237M 124M 101M 56% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 931 avahi 12u IPv4 195 0t0 UDP *:5353
avahi-dae 931 avahi 13u IPv6 196 0t0 UDP *:5353
avahi-dae 931 avahi 14u IPv4 197 0t0 UDP *:49231
avahi-dae 931 avahi 15u IPv6 198 0t0 UDP *:49838
cups-brow 1152 root 8u IPv4 19537 0t0 UDP *:631
sshd 1877 root 3u IPv4 27864 0t0 TCP *:22 (LISTEN)
sshd 1877 root 4u IPv6 27866 0t0 TCP *:22 (LISTEN)
syslog-ng 1935 root 9u IPv4 34880 0t0 TCP *:514 (LISTEN)
syslog-ng 1935 root 10u IPv4 34881 0t0 UDP *:514
mysqld 1941 mysql 10u IPv4 14637 0t0 TCP 127.0.0.1:3306 (LISTEN)
searchd 1957 sphinxsearch 7u IPv4 465 0t0 TCP *:9306 (LISTEN)
searchd 1957 sphinxsearch 8u IPv4 466 0t0 TCP *:9312 (LISTEN)
ossec-csy 2142 ossecm 5u IPv4 24655 0t0 UDP 127.0.0.1:52606->127.0.0.1:514
ntpd 3410 ntp 16u IPv4 32883 0t0 UDP *:123
ntpd 3410 ntp 17u IPv6 32884 0t0 UDP *:123
ntpd 3410 ntp 18u IPv4 32890 0t0 UDP 127.0.0.1:123
ntpd 3410 ntp 19u IPv4 32891 0t0 UDP 172.17.109.5:123
ntpd 3410 ntp 20u IPv6 32892 0t0 UDP [::1]:123
ntpd 3410 ntp 21u IPv6 32893 0t0 UDP [fe80::1618:77ff:fe3e:259b]:123
/usr/sbin 8772 root 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 8772 root 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10834 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10834 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10836 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10836 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10837 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10837 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10840 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10840 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10842 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10842 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
tclsh 13575 sguil 13u IPv4 45984 0t0 TCP *:7734 (LISTEN)
tclsh 13575 sguil 14u IPv6 45985 0t0 TCP *:7734 (LISTEN)
tclsh 13575 sguil 15u IPv4 45988 0t0 TCP *:7736 (LISTEN)
tclsh 13575 sguil 16u IPv6 45989 0t0 TCP *:7736 (LISTEN)
tclsh 13575 sguil 17u IPv4 329868 0t0 TCP 172.17.109.5:7736->172.17.77.6:58561 (ESTABLISHED)
tclsh 13575 sguil 18u IPv4 45990 0t0 TCP 127.0.0.1:7736->127.0.0.1:45361 (ESTABLISHED)
tclsh 13575 sguil 19u IPv4 52781 0t0 TCP 127.0.0.1:7736->127.0.0.1:50269 (ESTABLISHED)
tclsh 13575 sguil 20u IPv4 49987 0t0 TCP 127.0.0.1:7736->127.0.0.1:58979 (ESTABLISHED)
tclsh 13575 sguil 21u IPv4 58938 0t0 TCP 127.0.0.1:7736->127.0.0.1:42698 (ESTABLISHED)
tclsh 13575 sguil 22u IPv4 65572 0t0 TCP 127.0.0.1:7736->127.0.0.1:40047 (ESTABLISHED)
tclsh 13575 sguil 23u IPv4 331952 0t0 TCP 172.17.109.5:7736->172.17.77.6:57139 (ESTABLISHED)
tclsh 13575 sguil 24u IPv4 338162 0t0 TCP 172.17.109.5:7736->172.17.77.6:36306 (ESTABLISHED)
tclsh 13575 sguil 25u IPv4 349953 0t0 TCP 172.17.109.5:7736->172.17.93.9:37339 (ESTABLISHED)
tclsh 13575 sguil 26u IPv4 358796 0t0 TCP 172.17.109.5:7736->172.17.93.9:41006 (ESTABLISHED)
tclsh 13575 sguil 27u IPv4 331953 0t0 TCP 172.17.109.5:7736->172.17.77.6:36204 (ESTABLISHED)
tclsh 13575 sguil 28u IPv4 331956 0t0 TCP 172.17.109.5:7736->172.17.77.6:41590 (ESTABLISHED)
tclsh 13575 sguil 29u IPv4 181808 0t0 TCP 172.17.109.5:7736->172.17.93.9:47876 (ESTABLISHED)
tclsh 13575 sguil 30u IPv4 572442 0t0 TCP 172.17.109.5:7736->172.17.77.9:38371 (ESTABLISHED)
tclsh 13575 sguil 31u IPv4 331957 0t0 TCP 172.17.109.5:7736->172.17.77.6:55452 (ESTABLISHED)
tclsh 13575 sguil 32u IPv4 342257 0t0 TCP 172.17.109.5:7736->172.17.77.6:37498 (ESTABLISHED)
tclsh 13575 sguil 33u IPv4 342262 0t0 TCP 172.17.109.5:7736->172.17.77.6:59661 (ESTABLISHED)
tclsh 13575 sguil 34u IPv4 329000 0t0 TCP 172.17.109.5:7736->172.17.77.6:39959 (ESTABLISHED)
tclsh 13575 sguil 35u IPv4 570623 0t0 TCP 172.17.109.5:7736->172.17.77.9:53316 (ESTABLISHED)
tclsh 13575 sguil 36u IPv4 532422 0t0 TCP 172.17.109.5:7736->172.17.77.9:41714 (ESTABLISHED)
tclsh 13575 sguil 37u IPv4 329909 0t0 TCP 172.17.109.5:7736->172.17.77.6:51139 (ESTABLISHED)
tclsh 13575 sguil 38u IPv4 351430 0t0 TCP 172.17.109.5:7736->172.17.77.6:33407 (ESTABLISHED)
tclsh 13575 sguil 39u IPv4 548065 0t0 TCP 172.17.109.5:7736->172.17.77.9:55633 (ESTABLISHED)
tclsh 13575 sguil 40u IPv4 349385 0t0 TCP 172.17.109.5:7736->172.17.77.6:49576 (ESTABLISHED)
tclsh 13575 sguil 41u IPv4 342319 0t0 TCP 172.17.109.5:7736->172.17.77.6:48550 (ESTABLISHED)
tclsh 13575 sguil 42u IPv4 572562 0t0 TCP 172.17.109.5:7736->172.17.77.9:42869 (ESTABLISHED)
tclsh 13575 sguil 43u IPv4 329924 0t0 TCP 172.17.109.5:7736->172.17.77.6:50860 (ESTABLISHED)
tclsh 13575 sguil 44u IPv4 332041 0t0 TCP 172.17.109.5:7736->172.17.77.6:51393 (ESTABLISHED)
tclsh 13575 sguil 45u IPv4 181762 0t0 TCP 172.17.109.5:7736->172.17.77.6:60091 (ESTABLISHED)
tclsh 13575 sguil 46u IPv4 332059 0t0 TCP 172.17.109.5:7736->172.17.77.6:35741 (ESTABLISHED)
tclsh 13575 sguil 47u IPv4 532423 0t0 TCP 172.17.109.5:7736->172.17.77.9:48186 (ESTABLISHED)
tclsh 13575 sguil 48u IPv4 570624 0t0 TCP 172.17.109.5:7736->172.17.77.9:57939 (ESTABLISHED)
tclsh 13575 sguil 49u IPv4 566752 0t0 TCP 172.17.109.5:7736->172.17.77.9:33175 (ESTABLISHED)
tclsh 13575 sguil 50u IPv4 572563 0t0 TCP 172.17.109.5:7736->172.17.77.9:36829 (ESTABLISHED)
tclsh 13575 sguil 51u IPv4 572564 0t0 TCP 172.17.109.5:7736->172.17.77.9:40430 (ESTABLISHED)
tclsh 13575 sguil 52u IPv4 572565 0t0 TCP 172.17.109.5:7736->172.17.77.9:36553 (ESTABLISHED)
tclsh 13575 sguil 53u IPv4 181778 0t0 TCP 172.17.109.5:7736->172.17.77.6:41772 (ESTABLISHED)
tclsh 13575 sguil 54u IPv4 556718 0t0 TCP 172.17.109.5:7736->172.17.77.9:51461 (ESTABLISHED)
tclsh 13575 sguil 55u IPv4 332060 0t0 TCP 172.17.109.5:7736->172.17.77.6:46072 (ESTABLISHED)
tclsh 13575 sguil 56u IPv4 567778 0t0 TCP 172.17.109.5:7736->172.17.77.9:38076 (ESTABLISHED)
tclsh 13575 sguil 57u IPv4 181779 0t0 TCP 172.17.109.5:7736->172.17.77.6:33613 (ESTABLISHED)
tclsh 13575 sguil 58u IPv4 342322 0t0 TCP 172.17.109.5:7736->172.17.77.6:48991 (ESTABLISHED)
tclsh 13575 sguil 59u IPv4 181780 0t0 TCP 172.17.109.5:7736->172.17.77.6:37915 (ESTABLISHED)
tclsh 13575 sguil 60u IPv4 342323 0t0 TCP 172.17.109.5:7736->172.17.77.6:36507 (ESTABLISHED)
tclsh 13575 sguil 61u IPv4 332061 0t0 TCP 172.17.109.5:7736->172.17.77.6:38178 (ESTABLISHED)
tclsh 13575 sguil 62u IPv4 338267 0t0 TCP 172.17.109.5:7736->172.17.77.6:36575 (ESTABLISHED)
tclsh 13575 sguil 63u IPv4 181781 0t0 TCP 172.17.109.5:7736->172.17.77.6:54366 (ESTABLISHED)
tclsh 13575 sguil 64u IPv4 342603 0t0 TCP 172.17.109.5:7736->172.17.93.9:42606 (ESTABLISHED)
tclsh 13575 sguil 65u IPv4 548066 0t0 TCP 172.17.109.5:7736->172.17.77.9:40000 (ESTABLISHED)
tclsh 13575 sguil 66u IPv4 548067 0t0 TCP 172.17.109.5:7736->172.17.77.9:55314 (ESTABLISHED)
tclsh 13575 sguil 67u IPv4 548068 0t0 TCP 172.17.109.5:7736->172.17.77.9:58763 (ESTABLISHED)
tclsh 13575 sguil 68u IPv4 548069 0t0 TCP 172.17.109.5:7736->172.17.77.9:38114 (ESTABLISHED)
tclsh 13575 sguil 69u IPv4 554943 0t0 TCP 172.17.109.5:7736->172.17.77.9:32845 (ESTABLISHED)
tclsh 13575 sguil 70u IPv4 532425 0t0 TCP 172.17.109.5:7736->172.17.77.9:40735 (ESTABLISHED)
tclsh 13575 sguil 71u IPv4 556750 0t0 TCP 172.17.109.5:7736->172.17.77.9:41274 (ESTABLISHED)
tclsh 13575 sguil 72u IPv4 532435 0t0 TCP 172.17.109.5:7736->172.17.77.9:57023 (ESTABLISHED)
tclsh 13575 sguil 73u IPv4 570644 0t0 TCP 172.17.109.5:7736->172.17.77.9:35959 (ESTABLISHED)
tclsh 13575 sguil 74u IPv4 532436 0t0 TCP 172.17.109.5:7736->172.17.77.9:44813 (ESTABLISHED)
tclsh 13575 sguil 75u IPv4 548076 0t0 TCP 172.17.109.5:7736->172.17.77.9:35086 (ESTABLISHED)
tclsh 13575 sguil 76u IPv4 532437 0t0 TCP 172.17.109.5:7736->172.17.77.9:38627 (ESTABLISHED)
tclsh 13575 sguil 77u IPv4 572575 0t0 TCP 172.17.109.5:7736->172.17.77.9:36391 (ESTABLISHED)
tclsh 13575 sguil 78u IPv4 570645 0t0 TCP 172.17.109.5:7736->172.17.77.9:39883 (ESTABLISHED)
tclsh 13575 sguil 79u IPv4 65586 0t0 TCP 127.0.0.1:7736->127.0.0.1:46016 (ESTABLISHED)
tclsh 13575 sguil 80u IPv4 532438 0t0 TCP 172.17.109.5:7736->172.17.77.9:41885 (ESTABLISHED)
tclsh 13575 sguil 81u IPv4 449056 0t0 TCP 127.0.0.1:7734->127.0.0.1:47464 (ESTABLISHED)
tclsh 13620 sguil 3u IPv4 58117 0t0 TCP 127.0.0.1:50269->127.0.0.1:7736 (ESTABLISHED)
bro 13855 sguil 4u IPv4 60834 0t0 UDP 172.17.109.5:54346->172.17.72.10:53
bro 13858 sguil 0u IPv4 58679 0t0 TCP *:47761 (LISTEN)
bro 13858 sguil 1u IPv6 58680 0t0 TCP *:47761 (LISTEN)
bro 13858 sguil 2u IPv4 58681 0t0 TCP 127.0.0.1:47761->127.0.0.1:54708 (ESTABLISHED)
bro 13858 sguil 4u IPv4 60834 0t0 UDP 172.17.109.5:54346->172.17.72.10:53
bro 13858 sguil 268u IPv4 51924 0t0 TCP 127.0.0.1:47761->127.0.0.1:54710 (ESTABLISHED)
bro 13858 sguil 273u IPv4 51927 0t0 TCP 127.0.0.1:47761->127.0.0.1:54711 (ESTABLISHED)
bro 14024 sguil 4u IPv4 61624 0t0 UDP 172.17.109.5:55226->
172.17.72.10:53
bro 14026 sguil 0u IPv4 52673 0t0 TCP 127.0.0.1:54708->
127.0.0.1:47761 (ESTABLISHED)
bro 14026 sguil 4u IPv4 61624 0t0 UDP 172.17.109.5:55226->
172.17.72.10:53
bro 14026 sguil 266u IPv4 52678 0t0 TCP *:47762 (LISTEN)
bro 14026 sguil 267u IPv6 52679 0t0 TCP *:47762 (LISTEN)
bro 14026 sguil 268u IPv4 51921 0t0 TCP 127.0.0.1:47762->
127.0.0.1:40271 (ESTABLISHED)
bro 14026 sguil 273u IPv4 49809 0t0 TCP 127.0.0.1:47762->
127.0.0.1:40274 (ESTABLISHED)
bro 14324 sguil 4u IPv4 57801 0t0 UDP 172.17.109.5:57897->
172.17.72.10:53
bro 14329 sguil 4u IPv4 31139 0t0 UDP 172.17.109.5:60588->
172.17.72.10:53
bro 14330 sguil 0u IPv4 62949 0t0 TCP 127.0.0.1:40271->
127.0.0.1:47762 (ESTABLISHED)
bro 14330 sguil 4u IPv4 57801 0t0 UDP 172.17.109.5:57897->
172.17.72.10:53
bro 14330 sguil 266u IPv4 62952 0t0 TCP 127.0.0.1:54710->
127.0.0.1:47761 (ESTABLISHED)
bro 14330 sguil 271u IPv4 62957 0t0 TCP *:47763 (LISTEN)
bro 14330 sguil 272u IPv6 62958 0t0 TCP *:47763 (LISTEN)
bro 14333 sguil 0u IPv4 62959 0t0 TCP 127.0.0.1:54711->
127.0.0.1:47761 (ESTABLISHED)
bro 14333 sguil 4u IPv4 31139 0t0 UDP 172.17.109.5:60588->
172.17.72.10:53
bro 14333 sguil 266u IPv4 62962 0t0 TCP 127.0.0.1:40274->
127.0.0.1:47762 (ESTABLISHED)
bro 14333 sguil 271u IPv4 62967 0t0 TCP *:47764 (LISTEN)
bro 14333 sguil 272u IPv6 62968 0t0 TCP *:47764 (LISTEN)
tclsh 14434 sguil 3u IPv4 47721 0t0 TCP 127.0.0.1:45361->
127.0.0.1:7736 (ESTABLISHED)
tclsh 14452 sguil 3u IPv4 61669 0t0 TCP
127.0.0.1:8401 (LISTEN)
tclsh 14452 sguil 5u IPv4 61767 0t0 TCP 127.0.0.1:8401->
127.0.0.1:50938 (ESTABLISHED)
tclsh 14452 sguil 7u IPv4 61770 0t0 TCP 127.0.0.1:58979->
127.0.0.1:7736 (ESTABLISHED)
tclsh 14470 sguil 3u IPv4 44945 0t0 TCP
127.0.0.1:8402 (LISTEN)
tclsh 14470 sguil 5u IPv4 44979 0t0 TCP 127.0.0.1:8402->
127.0.0.1:46802 (ESTABLISHED)
tclsh 14470 sguil 7u IPv4 44982 0t0 TCP 127.0.0.1:42698->
127.0.0.1:7736 (ESTABLISHED)
tclsh 14504 sguil 3u IPv4 40434 0t0 TCP
127.0.0.1:8403 (LISTEN)
tclsh 14504 sguil 5u IPv4 40481 0t0 TCP 127.0.0.1:8403->
127.0.0.1:33097 (ESTABLISHED)
tclsh 14504 sguil 7u IPv4 40484 0t0 TCP 127.0.0.1:40047->
127.0.0.1:7736 (ESTABLISHED)
tclsh 14553 sguil 3u IPv4 17762 0t0 TCP
127.0.0.1:8404 (LISTEN)
tclsh 14553 sguil 5u IPv4 17878 0t0 TCP 127.0.0.1:8404->
127.0.0.1:35844 (ESTABLISHED)
tclsh 14553 sguil 7u IPv4 17881 0t0 TCP 127.0.0.1:46016->
127.0.0.1:7736 (ESTABLISHED)
barnyard2 15059 sguil 3u IPv4 63584 0t0 TCP 127.0.0.1:50938->
127.0.0.1:8401 (ESTABLISHED)
barnyard2 15149 sguil 3u IPv4 49986 0t0 TCP 127.0.0.1:46802->
127.0.0.1:8402 (ESTABLISHED)
barnyard2 15238 sguil 3u IPv4 55650 0t0 TCP 127.0.0.1:33097->
127.0.0.1:8403 (ESTABLISHED)
barnyard2 15326 sguil 3u IPv4 52133 0t0 TCP 127.0.0.1:35844->
127.0.0.1:8404 (ESTABLISHED)
sshd 44621 root 3u IPv4 258992 0t0 TCP 172.17.109.5:22->
172.17.77.6:37264 (ESTABLISHED)
sshd 44658 sellis 3u IPv4 258992 0t0 TCP 172.17.109.5:22->
172.17.77.6:37264 (ESTABLISHED)
sshd 44658 sellis 9u IPv6 344163 0t0 TCP [::1]:50002 (LISTEN)
sshd 44658 sellis 10u IPv4 344164 0t0 TCP
127.0.0.1:50002 (LISTEN)
sshd 47627 root 3u IPv4 337420 0t0 TCP 172.17.109.5:22->
172.17.93.9:46739 (ESTABLISHED)
sshd 47664 sellis 3u IPv4 337420 0t0 TCP 172.17.109.5:22->
172.17.93.9:46739 (ESTABLISHED)
sshd 47664 sellis 9u IPv6 338509 0t0 TCP [::1]:50000 (LISTEN)
sshd 47664 sellis 10u IPv4 338510 0t0 TCP
127.0.0.1:50000 (LISTEN)
sshd 71061 root 3u IPv4 414030 0t0 TCP 172.17.109.5:22->
172.17.102.168:52803 (ESTABLISHED)
sshd 71104 sellis 3u IPv4 414030 0t0 TCP 172.17.109.5:22->
172.17.102.168:52803 (ESTABLISHED)
sshd 71104 sellis 9u IPv6 435802 0t0 TCP [::1]:6010 (LISTEN)
sshd 71104 sellis 10u IPv4 435803 0t0 TCP
127.0.0.1:6010 (LISTEN)
sshd 71104 sellis 12u IPv4 414148 0t0 TCP 127.0.0.1:6010->
127.0.0.1:44204 (ESTABLISHED)
wish 71744 sellis 3u IPv4 418204 0t0 TCP 127.0.0.1:44204->
127.0.0.1:6010 (ESTABLISHED)
wish 71744 sellis 4u IPv4 418209 0t0 TCP 127.0.0.1:47464->
127.0.0.1:7734 (ESTABLISHED)
sshd 101465 root 3u IPv4 570491 0t0 TCP 172.17.109.5:22->
172.17.77.9:40911 (ESTABLISHED)
sshd 101509 sellis 3u IPv4 570491 0t0 TCP 172.17.109.5:22->
172.17.77.9:40911 (ESTABLISHED)
sshd 101509 sellis 9u IPv6 566405 0t0 TCP [::1]:50001 (LISTEN)
sshd 101509 sellis 10u IPv4 566406 0t0 TCP
127.0.0.1:50001 (LISTEN)
sshd 105156 root 3u IPv4 572664 0t0 TCP 172.17.109.5:22->
172.17.102.168:53092 (ESTABLISHED)
sshd 105193 sellis 3u IPv4 572664 0t0 TCP 172.17.109.5:22->
172.17.102.168:53092 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Tue Jul 19 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 35 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
PulledPork v0.7.0 - Swine Flu!
Copyright (C) 2009-2013 JJ Cummings
Rules give me wings!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 50 rules
Done
Setting Flowbit State....
Enabled 89 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------6
Deleted:---87
Enabled Rules:----19748
Dropped Rules:----0
Disabled Rules:---4254
Total Rules:------24002
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: Seven-eth4
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
* starting: barnyard2-3 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-4 (spooler, unified2 format)[ OK ]
* starting: barnyard2-4 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: Seven-eth4
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]
* stopping: snort-3 (alert data)[ OK ]
* starting: snort-3 (alert data)[ OK ]
* stopping: snort-4 (alert data)[ OK ]
* starting: snort-4 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
4.62 4.67 4.67
Processing units: 32
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 18:01:30 up 3:11, 2 users, load average: 4.62, 4.67, 4.67
Tasks: 453 total, 6 running, 447 sleeping, 0 stopped, 0 zombie
%Cpu(s): 15.3 us, 0.9 sy, 0.0 ni, 83.4 id, 0.1 wa, 0.0 hi, 0.2 si, 0.0 st
KiB Mem: 39616294+total, 23910588+used, 15705705+free, 251844 buffers
KiB Swap: 40254668+total, 0 used, 40254668+free. 21890592+cached Mem
%CPU %MEM COMMAND
99.8 0.1 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_6
99.3 0.2 snort -c /etc/nsm/Seven-eth4/snort.conf -u sguil -g sguil -i eth4 -l /nsm/sensor_data/Seven-eth4/snort-4 --pe
92.4 0.2 snort -c /etc/nsm/Seven-eth4/snort.conf -u sguil -g sguil -i eth4 -l /nsm/sensor_data/Seven-eth4/snort-1 --pe
75.2 0.2 snort -c /etc/nsm/Seven-eth4/snort.conf -u sguil -g sguil -i eth4 -l /nsm/sensor_data/Seven-eth4/snort-2 --pe
64.0 0.2 snort -c /etc/nsm/Seven-eth4/snort.conf -u sguil -g sguil -i eth4 -l /nsm/sensor_data/Seven-eth4/snort-3 --pe
29.0 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/f
26.3 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/f
20.8 0.0 /usr/sbin/mysqld
19.3 0.4 netsniff-ng -i eth4 -o /nsm/sensor_data/Seven-eth4/dailylogs/2016-07-19/ --user 1001 --group 1001 -s --prefix
4.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/clu
3.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.9 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.9 1.1 /usr/bin/searchd --nodetach
1.7 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/clust
1.7 0.0 wish /usr/bin/sguil.tk -- -d 0
1.2 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.9 0.0 [kworker/u290:0]
0.5 0.0 [jbd2/dm-0-8]
0.4 0.0 [rcu_sched]
0.3 0.0 -bash
0.2 0.0 [rcuos/12]
0.2 0.0 /var/ossec/bin/ossec-syscheckd
0.2 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/ns
0.2 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/clu
0.1 0.0 [rcuos/21]
0.1 0.0 /usr/bin/freshclam -d --quiet
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/f
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/f
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuob/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuob/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuob/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuob/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuob/5]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuob/6]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuob/7]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuob/8]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuob/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuob/10]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuob/11]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/12]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [kworker/12:0]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [rcuob/12]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/13]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuob/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/14]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuob/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuob/15]
0.0 0.0 [watchdog/16]
0.0 0.0 [migration/16]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [kworker/16:0]
0.0 0.0 [kworker/16:0H]
0.0 0.0 [rcuos/16]
0.0 0.0 [rcuob/16]
0.0 0.0 [watchdog/17]
0.0 0.0 [migration/17]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [kworker/17:0]
0.0 0.0 [kworker/17:0H]
0.0 0.0 [rcuos/17]
0.0 0.0 [rcuob/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [migration/18]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kworker/18:0H]
0.0 0.0 [rcuos/18]
0.0 0.0 [rcuob/18]
0.0 0.0 [watchdog/19]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [kworker/19:0H]
0.0 0.0 [rcuos/19]
0.0 0.0 [rcuob/19]
0.0 0.0 [watchdog/20]
0.0 0.0 [migration/20]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/20:0H]
0.0 0.0 [rcuos/20]
0.0 0.0 [rcuob/20]
0.0 0.0 [watchdog/21]
0.0 0.0 [migration/21]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 [kworker/21:0H]
0.0 0.0 [rcuob/21]
0.0 0.0 [watchdog/22]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [kworker/22:0]
0.0 0.0 [kworker/22:0H]
0.0 0.0 [rcuos/22]
0.0 0.0 [rcuob/22]
0.0 0.0 [watchdog/23]
0.0 0.0 [migration/23]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [kworker/23:0H]
0.0 0.0 [rcuos/23]
0.0 0.0 [rcuob/23]
0.0 0.0 [watchdog/24]
0.0 0.0 [migration/24]
0.0 0.0 [ksoftirqd/24]
0.0 0.0 [kworker/24:0]
0.0 0.0 [kworker/24:0H]
0.0 0.0 [rcuos/24]
0.0 0.0 [rcuob/24]
0.0 0.0 [watchdog/25]
0.0 0.0 [migration/25]
0.0 0.0 [ksoftirqd/25]
0.0 0.0 [kworker/25:0H]
0.0 0.0 [rcuos/25]
0.0 0.0 [rcuob/25]
0.0 0.0 [watchdog/26]
0.0 0.0 [migration/26]
0.0 0.0 [ksoftirqd/26]
0.0 0.0 [kworker/26:0]
0.0 0.0 [kworker/26:0H]
0.0 0.0 [rcuos/26]
0.0 0.0 [rcuob/26]
0.0 0.0 [watchdog/27]
0.0 0.0 [migration/27]
0.0 0.0 [ksoftirqd/27]
0.0 0.0 [kworker/27:0H]
0.0 0.0 [rcuos/27]
0.0 0.0 [rcuob/27]
0.0 0.0 [watchdog/28]
0.0 0.0 [migration/28]
0.0 0.0 [ksoftirqd/28]
0.0 0.0 [kworker/28:0]
0.0 0.0 [kworker/28:0H]
0.0 0.0 [rcuos/28]
0.0 0.0 [rcuob/28]
0.0 0.0 [watchdog/29]
0.0 0.0 [migration/29]
0.0 0.0 [ksoftirqd/29]
0.0 0.0 [kworker/29:0H]
0.0 0.0 [rcuos/29]
0.0 0.0 [rcuob/29]
0.0 0.0 [watchdog/30]
0.0 0.0 [migration/30]
0.0 0.0 [ksoftirqd/30]
0.0 0.0 [kworker/30:0]
0.0 0.0 [kworker/30:0H]
0.0 0.0 [rcuos/30]
0.0 0.0 [rcuob/30]
0.0 0.0 [watchdog/31]
0.0 0.0 [migration/31]
0.0 0.0 [ksoftirqd/31]
0.0 0.0 [kworker/31:0]
0.0 0.0 [kworker/31:0H]
0.0 0.0 [rcuos/31]
0.0 0.0 [rcuob/31]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [kworker/0:1]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/u288:1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [bnx2x]
0.0 0.0 [bnx2x_iov]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/29:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/30:1]
0.0 0.0 [kworker/24:1]
0.0 0.0 [kworker/26:1]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [usb-storage]
0.0 0.0 [bioset]
0.0 0.0 [kworker/28:1]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/20:1]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [edac-poller]
0.0 0.0 avahi-daemon: running [Seven.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [krfcommd]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 [kworker/4:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 cron
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 supervising syslog-ng
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 lightdm
0.0 0.0 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - sguil -- /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g
0.0 0.0 [kworker/25:2]
0.0 0.0 su - sguil -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/os
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/ns
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/ns
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager lo
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy loca
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/clust
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p se
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p se
0.0 0.0 su - sguil -- /usr/bin/pcap_agent.tcl -c /etc/nsm/Seven-eth4/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/Seven-eth4/pcap_agent.conf
0.0 0.0 su - sguil -- /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/Seven-eth4/snort-1.stats
0.0 0.0 su - sguil -- /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/Seven-eth4/snort-2.stats
0.0 0.0 su - sguil -- /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-3.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-3.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/Seven-eth4/snort-3.stats
0.0 0.0 su - sguil -- /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/Seven-eth4/snort_agent-4.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/Seven-eth4/snort-4.stats
0.0 0.0 barnyard2 -c /etc/nsm/Seven-eth4/barnyard2-1.conf -u sguil -g sguil -d /nsm/sensor_data/Seven-eth4/snort-1 -f
0.0 0.0 barnyard2 -c /etc/nsm/Seven-eth4/barnyard2-2.conf -u sguil -g sguil -d /nsm/sensor_data/Seven-eth4/snort-2 -f
0.0 0.0 barnyard2 -c /etc/nsm/Seven-eth4/barnyard2-3.conf -u sguil -g sguil -d /nsm/sensor_data/Seven-eth4/snort-3 -f
0.0 0.0 barnyard2 -c /etc/nsm/Seven-eth4/barnyard2-4.conf -u sguil -g sguil -d /nsm/sensor_data/Seven-eth4/snort-4 -f
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/27:1H]
0.0 0.0 [kworker/15:1H]
0.0 0.0 [kworker/9:1H]
0.0 0.0 [kworker/31:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/15:2]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/19:1H]
0.0 0.0 [kworker/13:1H]
0.0 0.0 [kworker/11:1H]
0.0 0.0 [kworker/7:1H]
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/27:2]
0.0 0.0 [kworker/25:1H]
0.0 0.0 [kworker/23:1H]
0.0 0.0 [kworker/17:1H]
0.0 0.0 [kworker/19:2]
0.0 0.0 [kworker/21:1H]
0.0 0.0 [kworker/19:0]
0.0 0.0 [kworker/9:2]
0.0 0.0 sshd: sellis [priv]
0.0 0.0 sshd: sellis
0.0 0.0 sshd: sellis [priv]
0.0 0.0 [kworker/9:0]
0.0 0.0 sshd: sellis
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/29:1H]
0.0 0.0 [kworker/14:2]
0.0 0.0 [kworker/31:2]
0.0 0.0 [kworker/25:0]
0.0 0.0 [kworker/27:0]
0.0 0.0 sshd: sellis [priv]
0.0 0.0 sshd: sellis@pts/1
0.0 0.0 -bash
0.0 0.0 [kworker/u289:0]
0.0 0.0 [kworker/21:2]
0.0 0.0 [kworker/11:2]
0.0 0.0 [kworker/23:2]
0.0 0.0 [kworker/29:2]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/5:2]
0.0 0.0 [kworker/1:2]
0.0 0.0 [kworker/u290:1]
0.0 0.0 [kworker/13:2]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/u288:2]
0.0 0.0 [kworker/21:0]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/11:0]
0.0 0.0 [kworker/u289:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/14:0]
0.0 0.0 [kworker/8:2]
0.0 0.0 [kworker/10:0]
0.0 0.0 [kworker/23:0]
0.0 0.0 sshd: sellis [priv]
0.0 0.0 [kworker/3:2]
0.0 0.0 sshd: sellis
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/u289:2]
0.0 0.0 sshd: sellis [priv]
0.0 0.0 [kworker/19:1]
0.0 0.0 sshd: sellis@pts/0
0.0 0.0 sudo sostat
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth4: 11009602
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth4:
RX packets:271913007 dropped:0 TX packets:2 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth4
Tot Packets : 118911989
Tot Pkt Lost : 7
Appl. Name : bro-eth4
Tot Packets : 151540124
Tot Pkt Lost : 6
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 65482841
Tot Pkt Lost : 6556850
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 62050811
Tot Pkt Lost : 5205987
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 53080963
Tot Pkt Lost : 3375667
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 89126122
Tot Pkt Lost : 29345414
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/Seven-eth4/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/Seven-eth4/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/Seven-eth4/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/Seven-eth4/snort-4.stats last reported pkt_drop_percent as 3.015
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000005
seven-eth4-1: 1468951290.629331 recvd=118916480 dropped=7 link=118916480
seven-eth4-2: 1468951290.829411 recvd=151548502 dropped=6 link=151548502
No capture loss reported.
-------------------------------------------------------------------------
Netsniff-NG:
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160714142957 Processed: +258129 Lost: -7911
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160715000004 Processed: +231919 Lost: -1784
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160716000004 Processed: +259959 Lost: -14566
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160718000003 Processed: +220802 Lost: -837
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160719000004 Processed: +231137 Lost: -64965
File: /var/log/nsm/Seven-eth4/netsniff-ng.log.20160719145149 Processed: +200210 Lost: -1928
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 6
Standard (non DNA/ZC) Options
Ring slots : 131070
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/Seven-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/Seven-eth1/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/Seven-eth2/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/Seven-eth3/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/Seven-eth4/dailylogs/ - 5 days
3.2T .
1.1T ./2016-07-15
487G ./2016-07-16
390G ./2016-07-17
702G ./2016-07-18
526G ./2016-07-19
/nsm/sensor_data/Seven-eth5/dailylogs/ - 0 days
4.0K .
/nsm/bro/logs/ - 7 days
7.5G .
1.5G ./2016-07-13
1.5G ./2016-07-14
1.4G ./2016-07-15
816M ./2016-07-16
543M ./2016-07-17
906M ./2016-07-18
821M ./2016-07-19
152M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 105366 |
+----------+
=========================================================================
Sguil events summary for yesterday
=========================================================================
+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| 3944 | 1:2013222 | ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt |
| 2877 | 1:517730020 | Snort Alert [1:517730020:0] |
| 1791 | 1:517730023 | kSEC Detect SSLv3 internal |
| 1129 | 1:2019415 | ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack |
| 626 | 1:2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected |
| 516 | 1:2013028 | ET POLICY curl User-Agent Outbound |
| 381 | 1:2014170 | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 344 | 1:2013273 | ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141 |
| 228 | 1:2015707 | ET INFO JAVA - document.createElement applet |
| 211 | 1:2013414 | ET POLICY Executable served from Amazon S3 |
| 202 | 1:2101390 | GPL SHELLCODE x86 inc ebx NOOP |
| 189 | 1:2001581 | ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection |
| 156 | 1:2017657 | ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage |
| 98 | 1:2001583 | ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection |
| 94 | 1:2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 63 | 1:2008120 | ET TFTP Outbound TFTP Read Request |
| 60 | 1:2011891 | ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt |
| 51 | 1:2008210 | ET MALWARE Misspelled Mozilla User-Agent (Mozila) |
| 44 | 1:2012870 | ET POLICY HTTP Outbound Request contains pw |
| 40 | 1:2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String |
| 39 | 1:2022082 | ET POLICY External IP Lookup ip-api.com |
| 36 | 1:2016921 | ET INFO Suspicious Mozilla UA with no Space after colon |
| 36 | 1:2000418 | ET POLICY Executable and linking format (ELF) file download |
| 36 | 1:2020896 | ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2 |
| 25 | 1:517730021 | kSEC Detect possible DROWN attack SSLv2 |
| 24 | 1:2010527 | ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source) |
| 24 | 1:2016766 | ET INFO PDF - Acrobat Enumeration - var PDFObject |
| 21 | 1:2016879 | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
| 18 | 1:2014297 | ET POLICY Vulnerable Java Version 1.7.x Detected |
| 18 | 1:2012325 | ET WEB_CLIENT Obfuscated Javascript // ptth |
| 15 | 1:2012888 | ET POLICY Http Client Body contains pwd= in cleartext |
| 14 | 1:2001569 | ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection |
| 12 | 1:2012692 | ET POLICY Microsoft user-agent automated process response to automated request |
| 12 | 1:2012272 | ET WEB_CLIENT Hex Obfuscation of eval % Encoding |
| 12 | 1:2014518 | ET INFO EXE - OSX Disk Image Download |
| 12 | 1:2013267 | ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a |
| 12 | 1:2012398 | ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding |
| 12 | 1:2009020 | ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection |
| 12 | 1:2012266 | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding |
| 12 | 1:2019232 | ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers |
| 10 | 1:2102314 | GPL SHELLCODE x86 0x90 NOOP unicode |
| 9 | 1:2018403 | ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe |
| 8 | 1:2009099 | ET P2P ThunderNetwork UDP Traffic |
| 6 | 1:2007765 | ET POLICY Logmein.com Host List Download |
| 5 | 1:2523333 | ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 667 |
| 5 | 1:2012810 | ET POLICY HTTP Request to a *.tk domain |
| 5 | 1:2012843 | ET POLICY Cleartext WordPress Login |
| 5 | 1:2404156 | ET CNC Zeus Tracker Reported CnC Server TCP group 4 |
| 5 | 1:2010514 | ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source) |
| 5 | 1:2000427 | ET DELETED PE EXE Install Windows file download |
| 4 | 1:2008116 | ET TFTP Outbound TFTP Write Request |
| 4 | 1:2016876 | ET POLICY Unsupported/Fake FireFox Version 1. |
| 4 | 1:2013933 | ET POLICY HTTP traffic on port 443 (CONNECT) |
| 3 | 1:2014756 | ET POLICY Logmein.com/Join.me SSL Remote Control Access |
| 3 | 1:2018959 | ET POLICY PE EXE or DLL Windows file download HTTP |
| 2 | 1:2010781 | ET POLICY PsExec service created |
| 2 | 1:2020716 | ET POLICY Possible External IP Lookup ipinfo.io |
| 2 | 1:2001855 | ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts) |
| 2 | 1:2010067 | ET POLICY Data POST to an image file (jpg) |
| 2 | 1:2014726 | ET POLICY Outdated Windows Flash Version IE |
| 2 | 1:2021378 | ET POLICY External IP Lookup - checkip.dyndns.org |
| 2 | 1:2013535 | ET INFO HTTP Request to a *.tc domain |
| 2 | 1:2000345 | ET TROJAN IRC Nick change on non-standard port |
| 2 | 1:2018302 | ET INFO Possible Phish - Mirrored Website Comment Observed |
| 2 | 1:2012088 | ET SHELLCODE Possible Call with No Offset TCP Shellcode |
| 2 | 1:2014753 | ET DELETED probable malicious Glazunov Javascript injection |
| 2 | 1:2010645 | ET POLICY User-Agent (Launcher) |
| 1 | 1:2003492 | ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
| 1 | 1:2018907 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true) |
| 1 | 1:2013667 | ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request |
| 1 | 1:2522201 | ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 101 |
| 1 | 1:2014384 | ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt |
| 1 | 1:2019512 | ET POLICY Possible IP Check api.ipify.org |
| 1 | 1:2018389 | ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port) |
| 1 | 1:2522205 | ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 103 |
| 1 | 1:2018372 | ET CURRENT_EVENTS Malformed HeartBeat Request |
| 1 | 1:2014932 | ET POLICY DynDNS CheckIp External IP Address Server Response |
| 1 | 1:517730023 | kSEC Detect SSLv3 external -> perimeter|internal |
| 1 | 1:2021972 | ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (3) |
| 1 | 1:2016765 | ET INFO PDF - Acrobat Enumeration - pdfobject.js |
| 1 | 1:2018905 | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) |
+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
+-------+
| Total |
+-------+
| 13565 |
+-------+
=========================================================================
Top 50 All time Sguil Events
=========================================================================
+--------+-------------+------------------------------------------------------------------------------------------+
| Totals | GenID:SigID | Signature |
+--------+-------------+------------------------------------------------------------------------------------------+
| 149252 | 1:2022028 | ET WEB_SERVER Possible CVE-2014-6271 Attempt |
| 144876 | 1:2001582 | ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection |
| 136293 | 1:2019232 | ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers |
| 126088 | 1:517730023 | kSEC Detect SSLv3 internal |
| 50694 | 1:2001583 | ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection |
| 42426 | 1:2019415 | ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack |
| 26978 | 1:2013222 | ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt |
| 20154 | 1:2008712 | ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) |
| 20145 | 1:2014384 | ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt |
| 17577 | 1:2013028 | ET POLICY curl User-Agent Outbound |
| 15466 | 1:2001581 | ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection |
| 13295 | 1:2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected |
| 12839 | 1:2001569 | ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection |
| 10825 | 1:2013273 | ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141 |
| 9499 | 1:2016184 | ET WEB_SERVER ColdFusion administrator access |
| 7651 | 1:517730021 | kSEC Detect possible DROWN attack SSLv2 |
| 6053 | 1:2016921 | ET INFO Suspicious Mozilla UA with no Space after colon |
| 5286 | 1:2101390 | GPL SHELLCODE x86 inc ebx NOOP |
| 4485 | 1:517730020 | Snort Alert [1:517730020:0] |
| 4155 | 1:2014170 | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 3795 | 1:2013414 | ET POLICY Executable served from Amazon S3 |
| 3725 | 1:2018131 | ET WORM TheMoon.linksys.router 1 |
| 3629 | 1:2016777 | ET INFO HTTP Request to a *.pw domain |
| 3581 | 1:2017639 | ET INFO JAR Size Under 30K Size - Potentially Hostile |
| 3550 | 1:2015707 | ET INFO JAVA - document.createElement applet |
| 2121 | 1:2008702 | ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) |
| 1705 | 1:2022082 | ET POLICY External IP Lookup ip-api.com |
| 1556 | 1:2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String |
| 1548 | 1:2017657 | ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage |
| 1541 | 1:2522311 | ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 156 |
| 1374 | 1:2011708 | ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x) |
| 1325 | 1:2021997 | ET POLICY External IP Lookup api.ipify.org |
| 1141 | 1:2012170 | ET GAMES Blizzard Web Downloader Install Detected |
| 1111 | 1:2001891 | ET USER_AGENTS Suspicious User Agent (agent) |
| 1030 | 1:2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 1017 | 1:2014756 | ET POLICY Logmein.com/Join.me SSL Remote Control Access |
| 1005 | 1:2001579 | ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection |
| 949 | 1:2008210 | ET MALWARE Misspelled Mozilla User-Agent (Mozila) |
| 927 | 1:2022813 | ET MALWARE SearchProtect PUA User-Agent Observed |
| 893 | 1:2019842 | ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve |
| 795 | 1:2013263 | ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl) |
| 771 | 1:2015820 | ET INFO Suspicious Windows NT version 7 User-Agent |
| 703 | 1:2522653 | ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 327 |
| 683 | 1:2000418 | ET POLICY Executable and linking format (ELF) file download |
| 675 | 1:2014518 | ET INFO EXE - OSX Disk Image Download |
| 672 | 1:2017072 | ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013 |
| 515 | 1:2008438 | ET MALWARE Possible Windows executable sent when remote host claims to send a Text File |
| 510 | 1:2018372 | ET CURRENT_EVENTS Malformed HeartBeat Request |
| 482 | 1:2016879 | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
| 480 | 1:2017094 | ET EXPLOIT IPMI Cipher 0 Authentication mode set |
+--------+-------------+------------------------------------------------------------------------------------------+
+--------+
| Total |
+--------+
| 885052 |
+--------+
=========================================================================
Last update
=========================================================================
Start-Date: 2016-07-11 16:27:34
Commandline: apt-get install securityonion-elsa-extras
Upgrade: securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion30, 20151011-1ubuntu1securityonion32)
End-Date: 2016-07-11 16:27:37
Start-Date: 2016-07-19 14:44:49
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.19.0-65:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-extra-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-headers-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic)
Upgrade: kpartx:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), libnl-genl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), securityonion-squert:amd64 (20141015-0ubuntu0securityonion14, 20141015-0ubuntu0securityonion15), dpkg:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-capme:amd64 (20121213-0ubuntu0securityonion47, 20121213-0ubuntu0securityonion60), dkms:amd64 (2.2.0.3-1.1ubuntu5.14.04.5, 2.2.0.3-1.1ubuntu5.14.04.6), libarchive13:amd64 (3.1.2-7ubuntu2.2, 3.1.2-7ubuntu2.3), gimp:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), dpkg-dev:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), libgimp2.0:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion133, 20120724-0ubuntu0securityonion138), grub-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), chromium-codecs-ffmpeg-extra:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnspr4:amd64 (4.10.10-0ubuntu0.14.04.1, 4.12-0ubuntu0.14.04.1), linux-image-generic-lts-vivid:amd64 (3.19.0.59.42, 3.19.0.65.47), python-libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), libnss3-1d:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), libnl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), libimobiledevice4:amd64 (1.1.5+git20140313.bafe6a9e-0ubuntu1, 1.1.5+git20140313.bafe6a9e-0ubuntu1.1), libgd3:amd64 (2.1.0-3ubuntu0.1, 2.1.0-3ubuntu0.2), libmagickcore5-extra:amd64 (6.7.7.10-6ubuntu3, 6.7.7.10-6ubuntu3.1), grub2-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), libldap-2.4-2:amd64 (2.4.31-1+nmu2ubuntu8.2, 2.4.31-1+nmu2ubuntu8.3), chromium-browser-l10n:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnss3-nssdb:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), gimp-data:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion57, 20141015-0ubuntu0securityonion60), libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), linux-headers-generic-lts-vivid:amd64 (3.19.0.59.42, 3.19.0.65.47), xserver-xorg-core-lts-vivid:amd64 (1.17.1-0ubuntu3.1~trusty1, 1.17.1-0ubuntu3.1~trusty1.1), libmagickwand5:amd64 (6.7.7.10-6ubuntu3, 6.7.7.10-6ubuntu3.1), wget:amd64 (1.15-1ubuntu1.14.04.1, 1.15-1ubuntu1.14.04.2), libdpkg-perl:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion53, 20120722-0ubuntu0securityonion57), imagemagick:amd64 (6.7.7.10-6ubuntu3, 6.7.7.10-6ubuntu3.1), libnss3:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), linux-generic-lts-vivid:amd64 (3.19.0.59.42, 3.19.0.65.47), grub-pc-bin:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), apache2-data:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), grub-pc:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), sbsigntool:amd64 (0.6-0ubuntu7, 0.6-0ubuntu7.2), kpartx-boot:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), securityonion-setup:amd64 (20120912-0ubuntu0securityonion215, 20120912-0ubuntu0securityonion222), libmagickcore5:amd64 (6.7.7.10-6ubuntu3, 6.7.7.10-6ubuntu3.1), libexpat1:amd64 (2.1.0-4ubuntu1.2, 2.1.0-4ubuntu1.3), apache2:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), tzdata:amd64 (2016d-0ubuntu0.14.04, 2016f-0ubuntu0.14.04), apache2-bin:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), imagemagick-common:amd64 (6.7.7.10-6ubuntu3, 6.7.7.10-6ubuntu3.1), linux-libc-dev:amd64 (3.13.0-87.133, 3.13.0-92.139), libnl-route-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), chromium-browser:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121)
End-Date: 2016-07-19 14:47:18
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1935 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1941 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1920 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1957 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
3.7T /nsm/elsa/data
194M /var/lib/mysql/syslog
11M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
+---------------------+---------------------+
| MIN(start) | MAX(end) |
+---------------------+---------------------+
| 2016-05-22 00:33:42 | 2016-07-19 18:00:13 |
+---------------------+---------------------+
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 Pyrrho 172.17.93.9
50001 Rphal 172.17.77.9
50002 corax 172.17.77.6
sellis@Seven:~$ sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 13855 3 19 Jul 14:51:45
proxy proxy localhost running 14024 3 19 Jul 14:51:47
seven-eth4-1 worker localhost running 14324 2 19 Jul 14:51:48
seven-eth4-2 worker localhost running 14329 2 19 Jul 14:51:48
Status: SO-server-eth4
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort_agent-3 (SO-user)[ OK ]
* snort_agent-4 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59351 errors:0 dropped:0 overruns:0 frame:0
TX packets:44036 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9550428 (9.5 MB) TX bytes:15699876 (15.6 MB)
Interrupt:103 Memory:92000000-927fffff
eth4 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:272722913 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:202517667569 (202.5 GB) TX bytes:168 (168.0 B)
Interrupt:114 Memory:c9000000-c97fffff
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:556320 errors:0 dropped:0 overruns:0 frame:0
TX packets:556320 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3605673899 (3.6 GB) TX bytes:3605673899 (3.6 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3605673899 556320 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3605673899 556320 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
9550428 59351 0 0 0 5722
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15699876 44036 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
6: eth4: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
202517667569 272722913 0 0 0 21250374
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
168 2 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 189G 4.0K 189G 1% /dev
tmpfs 38G 1.8M 38G 1% /run
/dev/dm-0 8.3T 6.9T 1.1T 88% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 189G 0 189G 0% /run/shm
none 100M 4.0K 100M 1% /run/user
/dev/sda2 237M 124M 101M 56% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 931 avahi 12u IPv4 195 0t0 UDP *:5353
avahi-dae 931 avahi 13u IPv6 196 0t0 UDP *:5353
avahi-dae 931 avahi 14u IPv4 197 0t0 UDP *:49231
avahi-dae 931 avahi 15u IPv6 198 0t0 UDP *:49838
cups-brow 1152 root 8u IPv4 19537 0t0 UDP *:631
sshd 1877 root 3u IPv4 27864 0t0 TCP *:ssh_port (LISTEN)
sshd 1877 root 4u IPv6 27866 0t0 TCP *:ssh_port (LISTEN)
syslog-ng 1935 root 9u IPv4 34880 0t0 TCP *:514 (LISTEN)
syslog-ng 1935 root 10u IPv4 34881 0t0 UDP *:514
mysqld 1941 mysql 10u IPv4 14637 0t0 TCP X.X.X.X:3306 (LISTEN)
searchd 1957 sphinxsearch 7u IPv4 465 0t0 TCP *:9306 (LISTEN)
searchd 1957 sphinxsearch 8u IPv4 466 0t0 TCP *:9312 (LISTEN)
ossec-csy 2142 ossecm 5u IPv4 24655 0t0 UDP X.X.X.X:52606->X.X.X.X:514
ntpd 3410 ntp 16u IPv4 32883 0t0 UDP *:123
ntpd 3410 ntp 17u IPv6 32884 0t0 UDP *:123
ntpd 3410 ntp 18u IPv4 32890 0t0 UDP X.X.X.X:123
ntpd 3410 ntp 19u IPv4 32891 0t0 UDP X.X.X.X:123
ntpd 3410 ntp 20u IPv6 32892 0t0 UDP [X.X.X.X]:123
ntpd 3410 ntp 21u IPv6 32893 0t0 UDP [X.X.X.X]:123
/usr/sbin 8772 root 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 8772 root 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10834 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10834 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10836 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10836 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10837 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10837 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10840 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10840 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10842 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10842 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
tclsh 13575 SO-user 13u IPv4 45984 0t0 TCP *:7734 (LISTEN)
tclsh 13575 SO-user 14u IPv6 45985 0t0 TCP *:7734 (LISTEN)
tclsh 13575 SO-user 15u IPv4 45988 0t0 TCP *:7736 (LISTEN)
tclsh 13575 SO-user 16u IPv6 45989 0t0 TCP *:7736 (LISTEN)
tclsh 13575 SO-user 17u IPv4 329868 0t0 TCP X.X.X.X:7736->X.X.X.X:58561 (ESTABLISHED)
tclsh 13575 SO-user 18u IPv4 45990 0t0 TCP X.X.X.X:7736->X.X.X.X:45361 (ESTABLISHED)
tclsh 13575 SO-user 19u IPv4 52781 0t0 TCP X.X.X.X:7736->X.X.X.X:50269 (ESTABLISHED)
tclsh 13575 SO-user 20u IPv4 49987 0t0 TCP X.X.X.X:7736->X.X.X.X:58979 (ESTABLISHED)
tclsh 13575 SO-user 21u IPv4 58938 0t0 TCP X.X.X.X:7736->X.X.X.X:42698 (ESTABLISHED)
tclsh 13575 SO-user 22u IPv4 65572 0t0 TCP X.X.X.X:7736->X.X.X.X:40047 (ESTABLISHED)
tclsh 13575 SO-user 23u IPv4 331952 0t0 TCP X.X.X.X:7736->X.X.X.X:57139 (ESTABLISHED)
tclsh 13575 SO-user 24u IPv4 338162 0t0 TCP X.X.X.X:7736->X.X.X.X:36306 (ESTABLISHED)
tclsh 13575 SO-user 25u IPv4 349953 0t0 TCP X.X.X.X:7736->X.X.X.X:37339 (ESTABLISHED)
tclsh 13575 SO-user 26u IPv4 358796 0t0 TCP X.X.X.X:7736->X.X.X.X:41006 (ESTABLISHED)
tclsh 13575 SO-user 27u IPv4 331953 0t0 TCP X.X.X.X:7736->X.X.X.X:36204 (ESTABLISHED)
tclsh 13575 SO-user 28u IPv4 331956 0t0 TCP X.X.X.X:7736->X.X.X.X:41590 (ESTABLISHED)
tclsh 13575 SO-user 29u IPv4 181808 0t0 TCP X.X.X.X:7736->X.X.X.X:47876 (ESTABLISHED)
tclsh 13575 SO-user 30u IPv4 572442 0t0 TCP X.X.X.X:7736->X.X.X.X:38371 (ESTABLISHED)
tclsh 13575 SO-user 31u IPv4 331957 0t0 TCP X.X.X.X:7736->X.X.X.X:55452 (ESTABLISHED)
tclsh 13575 SO-user 32u IPv4 342257 0t0 TCP X.X.X.X:7736->X.X.X.X:37498 (ESTABLISHED)
tclsh 13575 SO-user 33u IPv4 342262 0t0 TCP X.X.X.X:7736->X.X.X.X:59661 (ESTABLISHED)
tclsh 13575 SO-user 34u IPv4 329000 0t0 TCP X.X.X.X:7736->X.X.X.X:39959 (ESTABLISHED)
tclsh 13575 SO-user 35u IPv4 570623 0t0 TCP X.X.X.X:7736->X.X.X.X:53316 (ESTABLISHED)
tclsh 13575 SO-user 36u IPv4 532422 0t0 TCP X.X.X.X:7736->X.X.X.X:41714 (ESTABLISHED)
tclsh 13575 SO-user 37u IPv4 329909 0t0 TCP X.X.X.X:7736->X.X.X.X:51139 (ESTABLISHED)
tclsh 13575 SO-user 38u IPv4 351430 0t0 TCP X.X.X.X:7736->X.X.X.X:33407 (ESTABLISHED)
tclsh 13575 SO-user 39u IPv4 548065 0t0 TCP X.X.X.X:7736->X.X.X.X:55633 (ESTABLISHED)
tclsh 13575 SO-user 40u IPv4 349385 0t0 TCP X.X.X.X:7736->X.X.X.X:49576 (ESTABLISHED)
tclsh 13575 SO-user 41u IPv4 342319 0t0 TCP X.X.X.X:7736->X.X.X.X:48550 (ESTABLISHED)
tclsh 13575 SO-user 42u IPv4 572562 0t0 TCP X.X.X.X:7736->X.X.X.X:42869 (ESTABLISHED)
tclsh 13575 SO-user 43u IPv4 329924 0t0 TCP X.X.X.X:7736->X.X.X.X:50860 (ESTABLISHED)
tclsh 13575 SO-user 44u IPv4 332041 0t0 TCP X.X.X.X:7736->X.X.X.X:51393 (ESTABLISHED)
tclsh 13575 SO-user 45u IPv4 181762 0t0 TCP X.X.X.X:7736->X.X.X.X:60091 (ESTABLISHED)
tclsh 13575 SO-user 46u IPv4 332059 0t0 TCP X.X.X.X:7736->X.X.X.X:35741 (ESTABLISHED)
tclsh 13575 SO-user 47u IPv4 532423 0t0 TCP X.X.X.X:7736->X.X.X.X:48186 (ESTABLISHED)
tclsh 13575 SO-user 48u IPv4 570624 0t0 TCP X.X.X.X:7736->X.X.X.X:57939 (ESTABLISHED)
tclsh 13575 SO-user 49u IPv4 566752 0t0 TCP X.X.X.X:7736->X.X.X.X:33175 (ESTABLISHED)
tclsh 13575 SO-user 50u IPv4 572563 0t0 TCP X.X.X.X:7736->X.X.X.X:36829 (ESTABLISHED)
tclsh 13575 SO-user 51u IPv4 572564 0t0 TCP X.X.X.X:7736->X.X.X.X:40430 (ESTABLISHED)
tclsh 13575 SO-user 52u IPv4 572565 0t0 TCP X.X.X.X:7736->X.X.X.X:36553 (ESTABLISHED)
tclsh 13575 SO-user 53u IPv4 181778 0t0 TCP X.X.X.X:7736->X.X.X.X:41772 (ESTABLISHED)
tclsh 13575 SO-user 54u IPv4 556718 0t0 TCP X.X.X.X:7736->X.X.X.X:51461 (ESTABLISHED)
tclsh 13575 SO-user 55u IPv4 332060 0t0 TCP X.X.X.X:7736->X.X.X.X:46072 (ESTABLISHED)
tclsh 13575 SO-user 56u IPv4 567778 0t0 TCP X.X.X.X:7736->X.X.X.X:38076 (ESTABLISHED)
tclsh 13575 SO-user 57u IPv4 181779 0t0 TCP X.X.X.X:7736->X.X.X.X:33613 (ESTABLISHED)
tclsh 13575 SO-user 58u IPv4 342322 0t0 TCP X.X.X.X:7736->X.X.X.X:48991 (ESTABLISHED)
tclsh 13575 SO-user 59u IPv4 181780 0t0 TCP X.X.X.X:7736->X.X.X.X:37915 (ESTABLISHED)
tclsh 13575 SO-user 60u IPv4 342323 0t0 TCP X.X.X.X:7736->X.X.X.X:36507 (ESTABLISHED)
tclsh 13575 SO-user 61u IPv4 332061 0t0 TCP X.X.X.X:7736->X.X.X.X:38178 (ESTABLISHED)
tclsh 13575 SO-user 62u IPv4 338267 0t0 TCP X.X.X.X:7736->X.X.X.X:36575 (ESTABLISHED)
tclsh 13575 SO-user 63u IPv4 181781 0t0 TCP X.X.X.X:7736->X.X.X.X:54366 (ESTABLISHED)
tclsh 13575 SO-user 64u IPv4 342603 0t0 TCP X.X.X.X:7736->X.X.X.X:42606 (ESTABLISHED)
tclsh 13575 SO-user 65u IPv4 548066 0t0 TCP X.X.X.X:7736->X.X.X.X:40000 (ESTABLISHED)
tclsh 13575 SO-user 66u IPv4 548067 0t0 TCP X.X.X.X:7736->X.X.X.X:55314 (ESTABLISHED)
tclsh 13575 SO-user 67u IPv4 548068 0t0 TCP X.X.X.X:7736->X.X.X.X:58763 (ESTABLISHED)
tclsh 13575 SO-user 68u IPv4 548069 0t0 TCP X.X.X.X:7736->X.X.X.X:38114 (ESTABLISHED)
tclsh 13575 SO-user 69u IPv4 554943 0t0 TCP X.X.X.X:7736->X.X.X.X:32845 (ESTABLISHED)
tclsh 13575 SO-user 70u IPv4 532425 0t0 TCP X.X.X.X:7736->X.X.X.X:40735 (ESTABLISHED)
tclsh 13575 SO-user 71u IPv4 556750 0t0 TCP X.X.X.X:7736->X.X.X.X:41274 (ESTABLISHED)
tclsh 13575 SO-user 72u IPv4 532435 0t0 TCP X.X.X.X:7736->X.X.X.X:57023 (ESTABLISHED)
tclsh 13575 SO-user 73u IPv4 570644 0t0 TCP X.X.X.X:7736->X.X.X.X:35959 (ESTABLISHED)
tclsh 13575 SO-user 74u IPv4 532436 0t0 TCP X.X.X.X:7736->X.X.X.X:44813 (ESTABLISHED)
tclsh 13575 SO-user 75u IPv4 548076 0t0 TCP X.X.X.X:7736->X.X.X.X:35086 (ESTABLISHED)
tclsh 13575 SO-user 76u IPv4 532437 0t0 TCP X.X.X.X:7736->X.X.X.X:38627 (ESTABLISHED)
tclsh 13575 SO-user 77u IPv4 572575 0t0 TCP X.X.X.X:7736->X.X.X.X:36391 (ESTABLISHED)
tclsh 13575 SO-user 78u IPv4 570645 0t0 TCP X.X.X.X:7736->X.X.X.X:39883 (ESTABLISHED)
tclsh 13575 SO-user 79u IPv4 65586 0t0 TCP X.X.X.X:7736->X.X.X.X:46016 (ESTABLISHED)
tclsh 13575 SO-user 80u IPv4 532438 0t0 TCP X.X.X.X:7736->X.X.X.X:41885 (ESTABLISHED)
tclsh 13575 SO-user 81u IPv4 449056 0t0 TCP X.X.X.X:7734->X.X.X.X:47464 (ESTABLISHED)
tclsh 13620 SO-user 3u IPv4 58117 0t0 TCP X.X.X.X:50269->X.X.X.X:7736 (ESTABLISHED)
bro 13855 SO-user 4u IPv4 60834 0t0 UDP X.X.X.X:54346->X.X.X.X:53
bro 13858 SO-user 0u IPv4 58679 0t0 TCP *:47761 (LISTEN)
bro 13858 SO-user 1u IPv6 58680 0t0 TCP *:47761 (LISTEN)
bro 13858 SO-user 2u IPv4 58681 0t0 TCP X.X.X.X:47761->X.X.X.X:54708 (ESTABLISHED)
bro 13858 SO-user 4u IPv4 60834 0t0 UDP X.X.X.X:54346->X.X.X.X:53
bro 13858 SO-user 268u IPv4 51924 0t0 TCP X.X.X.X:47761->X.X.X.X:54710 (ESTABLISHED)
bro 13858 SO-user 273u IPv4 51927 0t0 TCP X.X.X.X:47761->X.X.X.X:54711 (ESTABLISHED)
bro 14024 SO-user 4u IPv4 61624 0t0 UDP X.X.X.X:55226->X.X.X.X:53
bro 14026 SO-user 0u IPv4 52673 0t0 TCP X.X.X.X:54708->X.X.X.X:47761 (ESTABLISHED)
bro 14026 SO-user 4u IPv4 61624 0t0 UDP X.X.X.X:55226->X.X.X.X:53
bro 14026 SO-user 266u IPv4 52678 0t0 TCP *:47762 (LISTEN)
bro 14026 SO-user 267u IPv6 52679 0t0 TCP *:47762 (LISTEN)
bro 14026 SO-user 268u IPv4 51921 0t0 TCP X.X.X.X:47762->X.X.X.X:40271 (ESTABLISHED)
bro 14026 SO-user 273u IPv4 49809 0t0 TCP X.X.X.X:47762->X.X.X.X:40274 (ESTABLISHED)
bro 14324 SO-user 4u IPv4 57801 0t0 UDP X.X.X.X:57897->X.X.X.X:53
bro 14329 SO-user 4u IPv4 31139 0t0 UDP X.X.X.X:60588->X.X.X.X:53
bro 14330 SO-user 0u IPv4 62949 0t0 TCP X.X.X.X:40271->X.X.X.X:47762 (ESTABLISHED)
bro 14330 SO-user 4u IPv4 57801 0t0 UDP X.X.X.X:57897->X.X.X.X:53
bro 14330 SO-user 266u IPv4 62952 0t0 TCP X.X.X.X:54710->X.X.X.X:47761 (ESTABLISHED)
bro 14330 SO-user 271u IPv4 62957 0t0 TCP *:47763 (LISTEN)
bro 14330 SO-user 272u IPv6 62958 0t0 TCP *:47763 (LISTEN)
bro 14333 SO-user 0u IPv4 62959 0t0 TCP X.X.X.X:54711->X.X.X.X:47761 (ESTABLISHED)
bro 14333 SO-user 4u IPv4 31139 0t0 UDP X.X.X.X:60588->X.X.X.X:53
bro 14333 SO-user 266u IPv4 62962 0t0 TCP X.X.X.X:40274->X.X.X.X:47762 (ESTABLISHED)
bro 14333 SO-user 271u IPv4 62967 0t0 TCP *:47764 (LISTEN)
bro 14333 SO-user 272u IPv6 62968 0t0 TCP *:47764 (LISTEN)
tclsh 14434 SO-user 3u IPv4 47721 0t0 TCP X.X.X.X:45361->X.X.X.X:7736 (ESTABLISHED)
tclsh 14452 SO-user 3u IPv4 61669 0t0 TCP X.X.X.X:8401 (LISTEN)
tclsh 14452 SO-user 5u IPv4 61767 0t0 TCP X.X.X.X:8401->X.X.X.X:50938 (ESTABLISHED)
tclsh 14452 SO-user 7u IPv4 61770 0t0 TCP X.X.X.X:58979->X.X.X.X:7736 (ESTABLISHED)
tclsh 14470 SO-user 3u IPv4 44945 0t0 TCP X.X.X.X:8402 (LISTEN)
tclsh 14470 SO-user 5u IPv4 44979 0t0 TCP X.X.X.X:8402->X.X.X.X:46802 (ESTABLISHED)
tclsh 14470 SO-user 7u IPv4 44982 0t0 TCP X.X.X.X:42698->X.X.X.X:7736 (ESTABLISHED)
tclsh 14504 SO-user 3u IPv4 40434 0t0 TCP X.X.X.X:8403 (LISTEN)
tclsh 14504 SO-user 5u IPv4 40481 0t0 TCP X.X.X.X:8403->X.X.X.X:33097 (ESTABLISHED)
tclsh 14504 SO-user 7u IPv4 40484 0t0 TCP X.X.X.X:40047->X.X.X.X:7736 (ESTABLISHED)
tclsh 14553 SO-user 3u IPv4 17762 0t0 TCP X.X.X.X:8404 (LISTEN)
tclsh 14553 SO-user 5u IPv4 17878 0t0 TCP X.X.X.X:8404->X.X.X.X:35844 (ESTABLISHED)
tclsh 14553 SO-user 7u IPv4 17881 0t0 TCP X.X.X.X:46016->X.X.X.X:7736 (ESTABLISHED)
barnyard2 15059 SO-user 3u IPv4 63584 0t0 TCP X.X.X.X:50938->X.X.X.X:8401 (ESTABLISHED)
barnyard2 15149 SO-user 3u IPv4 49986 0t0 TCP X.X.X.X:46802->X.X.X.X:8402 (ESTABLISHED)
barnyard2 15238 SO-user 3u IPv4 55650 0t0 TCP X.X.X.X:33097->X.X.X.X:8403 (ESTABLISHED)
barnyard2 15326 SO-user 3u IPv4 52133 0t0 TCP X.X.X.X:35844->X.X.X.X:8404 (ESTABLISHED)
sshd 44621 root 3u IPv4 258992 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37264 (ESTABLISHED)
sshd 44658 SO-user 3u IPv4 258992 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37264 (ESTABLISHED)
sshd 44658 SO-user 9u IPv6 344163 0t0 TCP [X.X.X.X]:50002 (LISTEN)
sshd 44658 SO-user 10u IPv4 344164 0t0 TCP X.X.X.X:50002 (LISTEN)
sshd 47627 root 3u IPv4 337420 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46739 (ESTABLISHED)
sshd 47664 SO-user 3u IPv4 337420 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46739 (ESTABLISHED)
sshd 47664 SO-user 9u IPv6 338509 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 47664 SO-user 10u IPv4 338510 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 71061 root 3u IPv4 414030 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52803 (ESTABLISHED)
sshd 71104 SO-user 3u IPv4 414030 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52803 (ESTABLISHED)
sshd 71104 SO-user 9u IPv6 435802 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 71104 SO-user 10u IPv4 435803 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 71104 SO-user 12u IPv4 414148 0t0 TCP X.X.X.X:6010->X.X.X.X:44204 (ESTABLISHED)
wish 71744 SO-user 3u IPv4 418204 0t0 TCP X.X.X.X:44204->X.X.X.X:6010 (ESTABLISHED)
wish 71744 SO-user 4u IPv4 418209 0t0 TCP X.X.X.X:47464->X.X.X.X:7734 (ESTABLISHED)
sshd 101465 root 3u IPv4 570491 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:40911 (ESTABLISHED)
sshd 101509 SO-user 3u IPv4 570491 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:40911 (ESTABLISHED)
sshd 101509 SO-user 9u IPv6 566405 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 101509 SO-user 10u IPv4 566406 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 105156 root 3u IPv4 572664 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53092 (ESTABLISHED)
sshd 105193 SO-user 3u IPv4 572664 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53092 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Tue Jul 19 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 35 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 50 rules
Done
Setting Flowbit State....
Enabled 89 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------6
Deleted:---87
Enabled Rules:----19748
Dropped Rules:----0
Disabled Rules:---4254
Total Rules:------24002
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth4
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
* starting: barnyard2-3 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-4 (spooler, unified2 format)[ OK ]
* starting: barnyard2-4 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth4
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]
* stopping: snort-3 (alert data)[ OK ]
* starting: snort-3 (alert data)[ OK ]
* stopping: snort-4 (alert data)[ OK ]
* starting: snort-4 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
4.18 4.56 4.64
Processing units: 32
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 18:02:10 up 3:11, 2 users, load average: 4.18, 4.56, 4.64
Tasks: 466 total, 9 running, 457 sleeping, 0 stopped, 0 zombie
%Cpu(s): 15.3 us, 0.9 sy, 0.0 ni, 83.4 id, 0.1 wa, 0.0 hi, 0.2 si, 0.0 st
KiB Mem: 39616294+total, 24080272+used, 15536022+free, 252008 buffers
KiB Swap: 40254668+total, 0 used, 40254668+free. 22052470+cached Mem
%CPU %MEM COMMAND
99.9 0.1 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_6
99.3 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-4.stats -U
92.4 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-1.stats -U
75.1 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-2.stats -U
64.0 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-3.stats -U
29.0 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
26.3 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
23.2 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
20.7 0.0 /usr/sbin/mysqld
19.3 0.4 netsniff-ng -i eth4 -o /nsm/sensor_data/SO-server-eth4/dailylogs/2016-07-19/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1600 iB --interval 150 iB --mmap
4.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
3.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.9 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.9 1.1 /usr/bin/searchd --nodetach
1.7 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.7 0.0 wish /usr/bin/SO-user.tk -- -d 0
1.0 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.9 0.0 [kworker/u290:0]
0.5 0.0 [jbd2/dm-0-8]
0.4 0.0 [rcu_sched]
0.2 0.0 [rcuos/12]
0.2 0.0 /var/ossec/bin/ossec-syscheckd
0.2 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.2 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.1 0.0 [rcuos/21]
0.1 0.0 /usr/bin/freshclam -d --quiet
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.1 0.0 -bash
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuob/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuob/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuob/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuob/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuob/5]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuob/6]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuob/7]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuob/8]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuob/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuob/10]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuob/11]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/12]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [kworker/12:0]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [rcuob/12]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/13]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuob/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/14]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuob/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuob/15]
0.0 0.0 [watchdog/16]
0.0 0.0 [migration/16]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [kworker/16:0]
0.0 0.0 [kworker/16:0H]
0.0 0.0 [rcuos/16]
0.0 0.0 [rcuob/16]
0.0 0.0 [watchdog/17]
0.0 0.0 [migration/17]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [kworker/17:0]
0.0 0.0 [kworker/17:0H]
0.0 0.0 [rcuos/17]
0.0 0.0 [rcuob/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [migration/18]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kworker/18:0H]
0.0 0.0 [rcuos/18]
0.0 0.0 [rcuob/18]
0.0 0.0 [watchdog/19]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [kworker/19:0H]
0.0 0.0 [rcuos/19]
0.0 0.0 [rcuob/19]
0.0 0.0 [watchdog/20]
0.0 0.0 [migration/20]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/20:0H]
0.0 0.0 [rcuos/20]
0.0 0.0 [rcuob/20]
0.0 0.0 [watchdog/21]
0.0 0.0 [migration/21]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 [kworker/21:0H]
0.0 0.0 [rcuob/21]
0.0 0.0 [watchdog/22]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [kworker/22:0]
0.0 0.0 [kworker/22:0H]
0.0 0.0 [rcuos/22]
0.0 0.0 [rcuob/22]
0.0 0.0 [watchdog/23]
0.0 0.0 [migration/23]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [kworker/23:0H]
0.0 0.0 [rcuos/23]
0.0 0.0 [rcuob/23]
0.0 0.0 [watchdog/24]
0.0 0.0 [migration/24]
0.0 0.0 [ksoftirqd/24]
0.0 0.0 [kworker/24:0]
0.0 0.0 [kworker/24:0H]
0.0 0.0 [rcuos/24]
0.0 0.0 [rcuob/24]
0.0 0.0 [watchdog/25]
0.0 0.0 [migration/25]
0.0 0.0 [ksoftirqd/25]
0.0 0.0 [kworker/25:0H]
0.0 0.0 [rcuos/25]
0.0 0.0 [rcuob/25]
0.0 0.0 [watchdog/26]
0.0 0.0 [migration/26]
0.0 0.0 [ksoftirqd/26]
0.0 0.0 [kworker/26:0]
0.0 0.0 [kworker/26:0H]
0.0 0.0 [rcuos/26]
0.0 0.0 [rcuob/26]
0.0 0.0 [watchdog/27]
0.0 0.0 [migration/27]
0.0 0.0 [ksoftirqd/27]
0.0 0.0 [kworker/27:0H]
0.0 0.0 [rcuos/27]
0.0 0.0 [rcuob/27]
0.0 0.0 [watchdog/28]
0.0 0.0 [migration/28]
0.0 0.0 [ksoftirqd/28]
0.0 0.0 [kworker/28:0]
0.0 0.0 [kworker/28:0H]
0.0 0.0 [rcuos/28]
0.0 0.0 [rcuob/28]
0.0 0.0 [watchdog/29]
0.0 0.0 [migration/29]
0.0 0.0 [ksoftirqd/29]
0.0 0.0 [kworker/29:0H]
0.0 0.0 [rcuos/29]
0.0 0.0 [rcuob/29]
0.0 0.0 [watchdog/30]
0.0 0.0 [migration/30]
0.0 0.0 [ksoftirqd/30]
0.0 0.0 [kworker/30:0]
0.0 0.0 [kworker/30:0H]
0.0 0.0 [rcuos/30]
0.0 0.0 [rcuob/30]
0.0 0.0 [watchdog/31]
0.0 0.0 [migration/31]
0.0 0.0 [ksoftirqd/31]
0.0 0.0 [kworker/31:0]
0.0 0.0 [kworker/31:0H]
0.0 0.0 [rcuos/31]
0.0 0.0 [rcuob/31]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [kworker/0:1]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/u288:1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [bnx2x]
0.0 0.0 [bnx2x_iov]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/29:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/30:1]
0.0 0.0 [kworker/24:1]
0.0 0.0 [kworker/26:1]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [usb-storage]
0.0 0.0 [bioset]
0.0 0.0 [kworker/28:1]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/20:1]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [edac-poller]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [krfcommd]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 [kworker/4:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 cron
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 supervising syslog-ng
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 lightdm
0.0 0.0 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 [kworker/25:2]
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth4/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth4/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-2.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-3.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-3.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-3.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-4.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-4.stats
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-1 -i 1 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-2 -i 2 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-3 -i 3 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-4 -i 4 -U
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/27:1H]
0.0 0.0 [kworker/15:1H]
0.0 0.0 [kworker/9:1H]
0.0 0.0 [kworker/31:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/15:2]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/19:1H]
0.0 0.0 [kworker/13:1H]
0.0 0.0 [kworker/11:1H]
0.0 0.0 [kworker/7:1H]
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/27:2]
0.0 0.0 [kworker/25:1H]
0.0 0.0 [kworker/23:1H]
0.0 0.0 [kworker/17:1H]
0.0 0.0 [kworker/19:2]
0.0 0.0 [kworker/21:1H]
0.0 0.0 [kworker/19:0]
0.0 0.0 [kworker/9:2]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/9:0]
0.0 0.0 sshd: SO-user
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/29:1H]
0.0 0.0 [kworker/14:2]
0.0 0.0 [kworker/31:2]
0.0 0.0 [kworker/25:0]
0.0 0.0 [kworker/27:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 -bash
0.0 0.0 [kworker/u289:0]
0.0 0.0 [kworker/21:2]
0.0 0.0 [kworker/11:2]
0.0 0.0 [kworker/23:2]
0.0 0.0 [kworker/29:2]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/5:2]
0.0 0.0 [kworker/1:2]
0.0 0.0 [kworker/u290:1]
0.0 0.0 [kworker/13:2]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/u288:2]
0.0 0.0 [kworker/21:0]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/11:0]
0.0 0.0 [kworker/u289:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/14:0]
0.0 0.0 [kworker/8:2]
0.0 0.0 [kworker/10:0]
0.0 0.0 [kworker/23:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/3:2]
0.0 0.0 sshd: SO-user
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/u289:2]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/19:1]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth4: 11009602
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth4:
RX packets:272741665 dropped:0 TX packets:2 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth4
Tot Packets : 119357104
Tot Pkt Lost : 7
Appl. Name : bro-eth4
Tot Packets : 151932402
Tot Pkt Lost : 6
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 65712009
Tot Pkt Lost : 6556850
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 62225085
Tot Pkt Lost : 5205987
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 53296946
Tot Pkt Lost : 3375667
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 89344199
Tot Pkt Lost : 29345414
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth4/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-4.stats last reported pkt_drop_percent as 3.015
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000005
seven-eth4-1: 1468951331.041255 recvd=119362080 dropped=7 link=119362080
seven-eth4-2: 1468951331.240921 recvd=151945315 dropped=6 link=151945315
No capture loss reported.
-------------------------------------------------------------------------
Netsniff-NG:
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160714142957 Processed: +258129 Lost: -7911
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160715000004 Processed: +231919 Lost: -1784
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160716000004 Processed: +259959 Lost: -14566
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160718000003 Processed: +220802 Lost: -837
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160719000004 Processed: +231137 Lost: -64965
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160719145149 Processed: +200210 Lost: -1928
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 6
Standard (non DNA/ZC) Options
Ring slots : 131070
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth4/dailylogs/ - 5 days
3.2T .
1.1T ./2016-07-15
487G ./2016-07-16
390G ./2016-07-17
702G ./2016-07-18
527G ./2016-07-19
/nsm/sensor_data/SO-server-eth5/dailylogs/ - 0 days
4.0K .
/nsm/bro/logs/ - 7 days
7.5G .
1.5G ./2016-07-13
1.5G ./2016-07-14
1.4G ./2016-07-15
816M ./2016-07-16
543M ./2016-07-17
906M ./2016-07-18
821M ./2016-07-19
152M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
105390
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
Total
13565
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
Total
885076
=========================================================================
Last update
=========================================================================
Start-Date: 2016-07-11 16:27:34
Commandline: apt-get install securityonion-elsa-extras
Upgrade: securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion30, 20151011-1ubuntu1securityonion32)
End-Date: 2016-07-11 16:27:37
Start-Date: 2016-07-19 14:44:49
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.19.0-65:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-extra-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-headers-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic)
Upgrade: kpartx:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), libnl-genl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), securityonion-squert:amd64 (20141015-0ubuntu0securityonion14, 20141015-0ubuntu0securityonion15), dpkg:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-capme:amd64 (20121213-0ubuntu0securityonion47, 20121213-0ubuntu0securityonion60), dkms:amd64 (X.X.X.X-1.1ubuntu5.14.04.5, X.X.X.X-1.1ubuntu5.14.04.6), libarchive13:amd64 (3.1.2-7ubuntu2.2, 3.1.2-7ubuntu2.3), gimp:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), dpkg-dev:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), libgimp2.0:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion133, 20120724-0ubuntu0securityonion138), grub-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), chromium-codecs-ffmpeg-extra:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnspr4:amd64 (4.10.10-0ubuntu0.14.04.1, 4.12-0ubuntu0.14.04.1), linux-image-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), python-libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), libnss3-1d:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), libnl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), libimobiledevice4:amd64 (1.1.5+git20140313.bafe6a9e-0ubuntu1, 1.1.5+git20140313.bafe6a9e-0ubuntu1.1), libgd3:amd64 (2.1.0-3ubuntu0.1, 2.1.0-3ubuntu0.2), libmagickcore5-extra:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), grub2-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), libldap-2.4-2:amd64 (2.4.31-1+nmu2ubuntu8.2, 2.4.31-1+nmu2ubuntu8.3), chromium-browser-l10n:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnss3-nssdb:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), gimp-data:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion57, 20141015-0ubuntu0securityonion60), libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), linux-headers-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), xserver-xorg-core-lts-vivid:amd64 (1.17.1-0ubuntu3.1~trusty1, 1.17.1-0ubuntu3.1~trusty1.1), libmagickwand5:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), wget:amd64 (1.15-1ubuntu1.14.04.1, 1.15-1ubuntu1.14.04.2), libdpkg-perl:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion53, 20120722-0ubuntu0securityonion57), imagemagick:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), libnss3:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), linux-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), grub-pc-bin:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), apache2-data:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), grub-pc:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), sbsigntool:amd64 (0.6-0ubuntu7, 0.6-0ubuntu7.2), kpartx-boot:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), securityonion-setup:amd64 (20120912-0ubuntu0securityonion215, 20120912-0ubuntu0securityonion222), libmagickcore5:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), libexpat1:amd64 (2.1.0-4ubuntu1.2, 2.1.0-4ubuntu1.3), apache2:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), tzdata:amd64 (2016d-0ubuntu0.14.04, 2016f-0ubuntu0.14.04), apache2-bin:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), imagemagick-common:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), linux-libc-dev:amd64 (3.13.0-87.133, 3.13.0-92.139), libnl-route-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), chromium-browser:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121)
End-Date: 2016-07-19 14:47:18
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1935 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1941 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1920 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1957 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
3.7T /nsm/elsa/data
194M /var/lib/mysql/syslog
11M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-05-22 00:33:42 2016-07-19 18:01:13
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
50002 SO-node X.X.X.X
sellis@Seven:~$ clear
sellis@Seven:~$ sudo sostat-redacted
=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 13855 3 19 Jul 14:51:45
proxy proxy localhost running 14024 3 19 Jul 14:51:47
seven-eth4-1 worker localhost running 14324 2 19 Jul 14:51:48
seven-eth4-2 worker localhost running 14329 2 19 Jul 14:51:48
Status: SO-server-eth4
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort_agent-3 (SO-user)[ OK ]
* snort_agent-4 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* snort-3 (alert data)[ OK ]
* snort-4 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* barnyard2-3 (spooler, unified2 format)[ OK ]
* barnyard2-4 (spooler, unified2 format)[ OK ]
=========================================================================
Interface Status
=========================================================================
eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:65706 errors:0 dropped:0 overruns:0 frame:0
TX packets:48151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10327188 (10.3 MB) TX bytes:17206763 (17.2 MB)
Interrupt:103 Memory:92000000-927fffff
eth4 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:277493167 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:204996479738 (204.9 GB) TX bytes:168 (168.0 B)
Interrupt:114 Memory:c9000000-c97fffff
lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:569689 errors:0 dropped:0 overruns:0 frame:0
TX packets:569689 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3662754428 (3.6 GB) TX bytes:3662754428 (3.6 GB)
=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3662754428 569689 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3662754428 569689 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
10327188 65706 0 0 0 5815
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
17206763 48151 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
6: eth4: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
204996479738 277493167 0 0 0 21596499
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
168 2 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 189G 4.0K 189G 1% /dev
tmpfs 38G 1.8M 38G 1% /run
/dev/dm-0 8.3T 6.9T 1.1T 88% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 189G 0 189G 0% /run/shm
none 100M 4.0K 100M 1% /run/user
/dev/sda2 237M 124M 101M 56% /boot
=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 931 avahi 12u IPv4 195 0t0 UDP *:5353
avahi-dae 931 avahi 13u IPv6 196 0t0 UDP *:5353
avahi-dae 931 avahi 14u IPv4 197 0t0 UDP *:49231
avahi-dae 931 avahi 15u IPv6 198 0t0 UDP *:49838
cups-brow 1152 root 8u IPv4 19537 0t0 UDP *:631
sshd 1877 root 3u IPv4 27864 0t0 TCP *:ssh_port (LISTEN)
sshd 1877 root 4u IPv6 27866 0t0 TCP *:ssh_port (LISTEN)
syslog-ng 1935 root 9u IPv4 34880 0t0 TCP *:514 (LISTEN)
syslog-ng 1935 root 10u IPv4 34881 0t0 UDP *:514
mysqld 1941 mysql 10u IPv4 14637 0t0 TCP X.X.X.X:3306 (LISTEN)
searchd 1957 sphinxsearch 7u IPv4 465 0t0 TCP *:9306 (LISTEN)
searchd 1957 sphinxsearch 8u IPv4 466 0t0 TCP *:9312 (LISTEN)
ossec-csy 2142 ossecm 5u IPv4 24655 0t0 UDP X.X.X.X:52606->X.X.X.X:514
ntpd 3410 ntp 16u IPv4 32883 0t0 UDP *:123
ntpd 3410 ntp 17u IPv6 32884 0t0 UDP *:123
ntpd 3410 ntp 18u IPv4 32890 0t0 UDP X.X.X.X:123
ntpd 3410 ntp 19u IPv4 32891 0t0 UDP X.X.X.X:123
ntpd 3410 ntp 20u IPv6 32892 0t0 UDP [X.X.X.X]:123
ntpd 3410 ntp 21u IPv6 32893 0t0 UDP [X.X.X.X]:123
/usr/sbin 8772 root 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 8772 root 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10834 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10834 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10836 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10836 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10837 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10837 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10840 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10840 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10842 www-data 5u IPv6 45600 0t0 TCP *:443 (LISTEN)
/usr/sbin 10842 www-data 7u IPv6 45604 0t0 TCP *:3154 (LISTEN)
tclsh 13575 SO-user 13u IPv4 45984 0t0 TCP *:7734 (LISTEN)
tclsh 13575 SO-user 14u IPv6 45985 0t0 TCP *:7734 (LISTEN)
tclsh 13575 SO-user 15u IPv4 45988 0t0 TCP *:7736 (LISTEN)
tclsh 13575 SO-user 16u IPv6 45989 0t0 TCP *:7736 (LISTEN)
tclsh 13575 SO-user 17u IPv4 329868 0t0 TCP X.X.X.X:7736->X.X.X.X:58561 (ESTABLISHED)
tclsh 13575 SO-user 18u IPv4 45990 0t0 TCP X.X.X.X:7736->X.X.X.X:45361 (ESTABLISHED)
tclsh 13575 SO-user 19u IPv4 52781 0t0 TCP X.X.X.X:7736->X.X.X.X:50269 (ESTABLISHED)
tclsh 13575 SO-user 20u IPv4 49987 0t0 TCP X.X.X.X:7736->X.X.X.X:58979 (ESTABLISHED)
tclsh 13575 SO-user 21u IPv4 58938 0t0 TCP X.X.X.X:7736->X.X.X.X:42698 (ESTABLISHED)
tclsh 13575 SO-user 22u IPv4 65572 0t0 TCP X.X.X.X:7736->X.X.X.X:40047 (ESTABLISHED)
tclsh 13575 SO-user 23u IPv4 331952 0t0 TCP X.X.X.X:7736->X.X.X.X:57139 (ESTABLISHED)
tclsh 13575 SO-user 24u IPv4 338162 0t0 TCP X.X.X.X:7736->X.X.X.X:36306 (ESTABLISHED)
tclsh 13575 SO-user 25u IPv4 349953 0t0 TCP X.X.X.X:7736->X.X.X.X:37339 (ESTABLISHED)
tclsh 13575 SO-user 26u IPv4 358796 0t0 TCP X.X.X.X:7736->X.X.X.X:41006 (ESTABLISHED)
tclsh 13575 SO-user 27u IPv4 331953 0t0 TCP X.X.X.X:7736->X.X.X.X:36204 (ESTABLISHED)
tclsh 13575 SO-user 28u IPv4 331956 0t0 TCP X.X.X.X:7736->X.X.X.X:41590 (ESTABLISHED)
tclsh 13575 SO-user 29u IPv4 181808 0t0 TCP X.X.X.X:7736->X.X.X.X:47876 (ESTABLISHED)
tclsh 13575 SO-user 30u IPv4 572442 0t0 TCP X.X.X.X:7736->X.X.X.X:38371 (ESTABLISHED)
tclsh 13575 SO-user 31u IPv4 331957 0t0 TCP X.X.X.X:7736->X.X.X.X:55452 (ESTABLISHED)
tclsh 13575 SO-user 32u IPv4 342257 0t0 TCP X.X.X.X:7736->X.X.X.X:37498 (ESTABLISHED)
tclsh 13575 SO-user 33u IPv4 342262 0t0 TCP X.X.X.X:7736->X.X.X.X:59661 (ESTABLISHED)
tclsh 13575 SO-user 34u IPv4 329000 0t0 TCP X.X.X.X:7736->X.X.X.X:39959 (ESTABLISHED)
tclsh 13575 SO-user 35u IPv4 570623 0t0 TCP X.X.X.X:7736->X.X.X.X:53316 (ESTABLISHED)
tclsh 13575 SO-user 36u IPv4 532422 0t0 TCP X.X.X.X:7736->X.X.X.X:41714 (ESTABLISHED)
tclsh 13575 SO-user 37u IPv4 329909 0t0 TCP X.X.X.X:7736->X.X.X.X:51139 (ESTABLISHED)
tclsh 13575 SO-user 38u IPv4 351430 0t0 TCP X.X.X.X:7736->X.X.X.X:33407 (ESTABLISHED)
tclsh 13575 SO-user 39u IPv4 548065 0t0 TCP X.X.X.X:7736->X.X.X.X:55633 (ESTABLISHED)
tclsh 13575 SO-user 40u IPv4 349385 0t0 TCP X.X.X.X:7736->X.X.X.X:49576 (ESTABLISHED)
tclsh 13575 SO-user 41u IPv4 342319 0t0 TCP X.X.X.X:7736->X.X.X.X:48550 (ESTABLISHED)
tclsh 13575 SO-user 42u IPv4 572562 0t0 TCP X.X.X.X:7736->X.X.X.X:42869 (ESTABLISHED)
tclsh 13575 SO-user 43u IPv4 329924 0t0 TCP X.X.X.X:7736->X.X.X.X:50860 (ESTABLISHED)
tclsh 13575 SO-user 44u IPv4 332041 0t0 TCP X.X.X.X:7736->X.X.X.X:51393 (ESTABLISHED)
tclsh 13575 SO-user 45u IPv4 181762 0t0 TCP X.X.X.X:7736->X.X.X.X:60091 (ESTABLISHED)
tclsh 13575 SO-user 46u IPv4 332059 0t0 TCP X.X.X.X:7736->X.X.X.X:35741 (ESTABLISHED)
tclsh 13575 SO-user 47u IPv4 532423 0t0 TCP X.X.X.X:7736->X.X.X.X:48186 (ESTABLISHED)
tclsh 13575 SO-user 48u IPv4 570624 0t0 TCP X.X.X.X:7736->X.X.X.X:57939 (ESTABLISHED)
tclsh 13575 SO-user 49u IPv4 566752 0t0 TCP X.X.X.X:7736->X.X.X.X:33175 (ESTABLISHED)
tclsh 13575 SO-user 50u IPv4 572563 0t0 TCP X.X.X.X:7736->X.X.X.X:36829 (ESTABLISHED)
tclsh 13575 SO-user 51u IPv4 572564 0t0 TCP X.X.X.X:7736->X.X.X.X:40430 (ESTABLISHED)
tclsh 13575 SO-user 52u IPv4 572565 0t0 TCP X.X.X.X:7736->X.X.X.X:36553 (ESTABLISHED)
tclsh 13575 SO-user 53u IPv4 181778 0t0 TCP X.X.X.X:7736->X.X.X.X:41772 (ESTABLISHED)
tclsh 13575 SO-user 54u IPv4 556718 0t0 TCP X.X.X.X:7736->X.X.X.X:51461 (ESTABLISHED)
tclsh 13575 SO-user 55u IPv4 332060 0t0 TCP X.X.X.X:7736->X.X.X.X:46072 (ESTABLISHED)
tclsh 13575 SO-user 56u IPv4 567778 0t0 TCP X.X.X.X:7736->X.X.X.X:38076 (ESTABLISHED)
tclsh 13575 SO-user 57u IPv4 181779 0t0 TCP X.X.X.X:7736->X.X.X.X:33613 (ESTABLISHED)
tclsh 13575 SO-user 58u IPv4 342322 0t0 TCP X.X.X.X:7736->X.X.X.X:48991 (ESTABLISHED)
tclsh 13575 SO-user 59u IPv4 181780 0t0 TCP X.X.X.X:7736->X.X.X.X:37915 (ESTABLISHED)
tclsh 13575 SO-user 60u IPv4 342323 0t0 TCP X.X.X.X:7736->X.X.X.X:36507 (ESTABLISHED)
tclsh 13575 SO-user 61u IPv4 332061 0t0 TCP X.X.X.X:7736->X.X.X.X:38178 (ESTABLISHED)
tclsh 13575 SO-user 62u IPv4 338267 0t0 TCP X.X.X.X:7736->X.X.X.X:36575 (ESTABLISHED)
tclsh 13575 SO-user 63u IPv4 181781 0t0 TCP X.X.X.X:7736->X.X.X.X:54366 (ESTABLISHED)
tclsh 13575 SO-user 64u IPv4 342603 0t0 TCP X.X.X.X:7736->X.X.X.X:42606 (ESTABLISHED)
tclsh 13575 SO-user 65u IPv4 548066 0t0 TCP X.X.X.X:7736->X.X.X.X:40000 (ESTABLISHED)
tclsh 13575 SO-user 66u IPv4 548067 0t0 TCP X.X.X.X:7736->X.X.X.X:55314 (ESTABLISHED)
tclsh 13575 SO-user 67u IPv4 548068 0t0 TCP X.X.X.X:7736->X.X.X.X:58763 (ESTABLISHED)
tclsh 13575 SO-user 68u IPv4 548069 0t0 TCP X.X.X.X:7736->X.X.X.X:38114 (ESTABLISHED)
tclsh 13575 SO-user 69u IPv4 554943 0t0 TCP X.X.X.X:7736->X.X.X.X:32845 (ESTABLISHED)
tclsh 13575 SO-user 70u IPv4 532425 0t0 TCP X.X.X.X:7736->X.X.X.X:40735 (ESTABLISHED)
tclsh 13575 SO-user 71u IPv4 556750 0t0 TCP X.X.X.X:7736->X.X.X.X:41274 (ESTABLISHED)
tclsh 13575 SO-user 72u IPv4 532435 0t0 TCP X.X.X.X:7736->X.X.X.X:57023 (ESTABLISHED)
tclsh 13575 SO-user 73u IPv4 570644 0t0 TCP X.X.X.X:7736->X.X.X.X:35959 (ESTABLISHED)
tclsh 13575 SO-user 74u IPv4 532436 0t0 TCP X.X.X.X:7736->X.X.X.X:44813 (ESTABLISHED)
tclsh 13575 SO-user 75u IPv4 548076 0t0 TCP X.X.X.X:7736->X.X.X.X:35086 (ESTABLISHED)
tclsh 13575 SO-user 76u IPv4 532437 0t0 TCP X.X.X.X:7736->X.X.X.X:38627 (ESTABLISHED)
tclsh 13575 SO-user 77u IPv4 572575 0t0 TCP X.X.X.X:7736->X.X.X.X:36391 (ESTABLISHED)
tclsh 13575 SO-user 78u IPv4 570645 0t0 TCP X.X.X.X:7736->X.X.X.X:39883 (ESTABLISHED)
tclsh 13575 SO-user 79u IPv4 65586 0t0 TCP X.X.X.X:7736->X.X.X.X:46016 (ESTABLISHED)
tclsh 13575 SO-user 80u IPv4 532438 0t0 TCP X.X.X.X:7736->X.X.X.X:41885 (ESTABLISHED)
tclsh 13575 SO-user 81u IPv4 449056 0t0 TCP X.X.X.X:7734->X.X.X.X:47464 (ESTABLISHED)
tclsh 13620 SO-user 3u IPv4 58117 0t0 TCP X.X.X.X:50269->X.X.X.X:7736 (ESTABLISHED)
bro 13855 SO-user 4u IPv4 60834 0t0 UDP X.X.X.X:54346->X.X.X.X:53
bro 13858 SO-user 0u IPv4 58679 0t0 TCP *:47761 (LISTEN)
bro 13858 SO-user 1u IPv6 58680 0t0 TCP *:47761 (LISTEN)
bro 13858 SO-user 2u IPv4 58681 0t0 TCP X.X.X.X:47761->X.X.X.X:54708 (ESTABLISHED)
bro 13858 SO-user 4u IPv4 60834 0t0 UDP X.X.X.X:54346->X.X.X.X:53
bro 13858 SO-user 268u IPv4 51924 0t0 TCP X.X.X.X:47761->X.X.X.X:54710 (ESTABLISHED)
bro 13858 SO-user 273u IPv4 51927 0t0 TCP X.X.X.X:47761->X.X.X.X:54711 (ESTABLISHED)
bro 14024 SO-user 4u IPv4 61624 0t0 UDP X.X.X.X:55226->X.X.X.X:53
bro 14026 SO-user 0u IPv4 52673 0t0 TCP X.X.X.X:54708->X.X.X.X:47761 (ESTABLISHED)
bro 14026 SO-user 4u IPv4 61624 0t0 UDP X.X.X.X:55226->X.X.X.X:53
bro 14026 SO-user 266u IPv4 52678 0t0 TCP *:47762 (LISTEN)
bro 14026 SO-user 267u IPv6 52679 0t0 TCP *:47762 (LISTEN)
bro 14026 SO-user 268u IPv4 51921 0t0 TCP X.X.X.X:47762->X.X.X.X:40271 (ESTABLISHED)
bro 14026 SO-user 273u IPv4 49809 0t0 TCP X.X.X.X:47762->X.X.X.X:40274 (ESTABLISHED)
bro 14324 SO-user 4u IPv4 57801 0t0 UDP X.X.X.X:57897->X.X.X.X:53
bro 14329 SO-user 4u IPv4 31139 0t0 UDP X.X.X.X:60588->X.X.X.X:53
bro 14330 SO-user 0u IPv4 62949 0t0 TCP X.X.X.X:40271->X.X.X.X:47762 (ESTABLISHED)
bro 14330 SO-user 4u IPv4 57801 0t0 UDP X.X.X.X:57897->X.X.X.X:53
bro 14330 SO-user 266u IPv4 62952 0t0 TCP X.X.X.X:54710->X.X.X.X:47761 (ESTABLISHED)
bro 14330 SO-user 271u IPv4 62957 0t0 TCP *:47763 (LISTEN)
bro 14330 SO-user 272u IPv6 62958 0t0 TCP *:47763 (LISTEN)
bro 14333 SO-user 0u IPv4 62959 0t0 TCP X.X.X.X:54711->X.X.X.X:47761 (ESTABLISHED)
bro 14333 SO-user 4u IPv4 31139 0t0 UDP X.X.X.X:60588->X.X.X.X:53
bro 14333 SO-user 266u IPv4 62962 0t0 TCP X.X.X.X:40274->X.X.X.X:47762 (ESTABLISHED)
bro 14333 SO-user 271u IPv4 62967 0t0 TCP *:47764 (LISTEN)
bro 14333 SO-user 272u IPv6 62968 0t0 TCP *:47764 (LISTEN)
tclsh 14434 SO-user 3u IPv4 47721 0t0 TCP X.X.X.X:45361->X.X.X.X:7736 (ESTABLISHED)
tclsh 14452 SO-user 3u IPv4 61669 0t0 TCP X.X.X.X:8401 (LISTEN)
tclsh 14452 SO-user 5u IPv4 61767 0t0 TCP X.X.X.X:8401->X.X.X.X:50938 (ESTABLISHED)
tclsh 14452 SO-user 7u IPv4 61770 0t0 TCP X.X.X.X:58979->X.X.X.X:7736 (ESTABLISHED)
tclsh 14470 SO-user 3u IPv4 44945 0t0 TCP X.X.X.X:8402 (LISTEN)
tclsh 14470 SO-user 5u IPv4 44979 0t0 TCP X.X.X.X:8402->X.X.X.X:46802 (ESTABLISHED)
tclsh 14470 SO-user 7u IPv4 44982 0t0 TCP X.X.X.X:42698->X.X.X.X:7736 (ESTABLISHED)
tclsh 14504 SO-user 3u IPv4 40434 0t0 TCP X.X.X.X:8403 (LISTEN)
tclsh 14504 SO-user 5u IPv4 40481 0t0 TCP X.X.X.X:8403->X.X.X.X:33097 (ESTABLISHED)
tclsh 14504 SO-user 7u IPv4 40484 0t0 TCP X.X.X.X:40047->X.X.X.X:7736 (ESTABLISHED)
tclsh 14553 SO-user 3u IPv4 17762 0t0 TCP X.X.X.X:8404 (LISTEN)
tclsh 14553 SO-user 5u IPv4 17878 0t0 TCP X.X.X.X:8404->X.X.X.X:35844 (ESTABLISHED)
tclsh 14553 SO-user 7u IPv4 17881 0t0 TCP X.X.X.X:46016->X.X.X.X:7736 (ESTABLISHED)
barnyard2 15059 SO-user 3u IPv4 63584 0t0 TCP X.X.X.X:50938->X.X.X.X:8401 (ESTABLISHED)
barnyard2 15149 SO-user 3u IPv4 49986 0t0 TCP X.X.X.X:46802->X.X.X.X:8402 (ESTABLISHED)
barnyard2 15238 SO-user 3u IPv4 55650 0t0 TCP X.X.X.X:33097->X.X.X.X:8403 (ESTABLISHED)
barnyard2 15326 SO-user 3u IPv4 52133 0t0 TCP X.X.X.X:35844->X.X.X.X:8404 (ESTABLISHED)
sshd 44621 root 3u IPv4 258992 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37264 (ESTABLISHED)
sshd 44658 SO-user 3u IPv4 258992 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:37264 (ESTABLISHED)
sshd 44658 SO-user 9u IPv6 344163 0t0 TCP [X.X.X.X]:50002 (LISTEN)
sshd 44658 SO-user 10u IPv4 344164 0t0 TCP X.X.X.X:50002 (LISTEN)
sshd 47627 root 3u IPv4 337420 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46739 (ESTABLISHED)
sshd 47664 SO-user 3u IPv4 337420 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:46739 (ESTABLISHED)
sshd 47664 SO-user 9u IPv6 338509 0t0 TCP [X.X.X.X]:50000 (LISTEN)
sshd 47664 SO-user 10u IPv4 338510 0t0 TCP X.X.X.X:50000 (LISTEN)
sshd 71061 root 3u IPv4 414030 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52803 (ESTABLISHED)
sshd 71104 SO-user 3u IPv4 414030 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:52803 (ESTABLISHED)
sshd 71104 SO-user 9u IPv6 435802 0t0 TCP [X.X.X.X]:6010 (LISTEN)
sshd 71104 SO-user 10u IPv4 435803 0t0 TCP X.X.X.X:6010 (LISTEN)
sshd 71104 SO-user 12u IPv4 414148 0t0 TCP X.X.X.X:6010->X.X.X.X:44204 (ESTABLISHED)
wish 71744 SO-user 3u IPv4 418204 0t0 TCP X.X.X.X:44204->X.X.X.X:6010 (ESTABLISHED)
wish 71744 SO-user 4u IPv4 418209 0t0 TCP X.X.X.X:47464->X.X.X.X:7734 (ESTABLISHED)
sshd 101465 root 3u IPv4 570491 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:40911 (ESTABLISHED)
sshd 101509 SO-user 3u IPv4 570491 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:40911 (ESTABLISHED)
sshd 101509 SO-user 9u IPv6 566405 0t0 TCP [X.X.X.X]:50001 (LISTEN)
sshd 101509 SO-user 10u IPv4 566406 0t0 TCP X.X.X.X:50001 (LISTEN)
sshd 105156 root 3u IPv4 572664 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53092 (ESTABLISHED)
sshd 105193 SO-user 3u IPv4 572664 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:53092 (ESTABLISHED)
=========================================================================
IDS Rules Update
=========================================================================
Tue Jul 19 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 35 minutes to avoid overwhelming rule sites.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 50 rules
Done
Setting Flowbit State....
Enabled 89 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/nsm/sid_changes.log....
Done
Rule Stats...
New:-------6
Deleted:---87
Enabled Rules:----19748
Dropped Rules:----0
Disabled Rules:---4254
Total Rules:------24002
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth4
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-3 (spooler, unified2 format)[ OK ]
* starting: barnyard2-3 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-4 (spooler, unified2 format)[ OK ]
* starting: barnyard2-4 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth4
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]
* stopping: snort-3 (alert data)[ OK ]
* starting: snort-3 (alert data)[ OK ]
* stopping: snort-4 (alert data)[ OK ]
* starting: snort-4 (alert data)[ OK ]
=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
4.66 4.54 4.61
Processing units: 32
If load average is higher than processing units,
then tune until load average is lower than processing units.
top - 18:05:17 up 3:14, 2 users, load average: 4.66, 4.54, 4.61
Tasks: 461 total, 7 running, 454 sleeping, 0 stopped, 0 zombie
%Cpu(s): 15.3 us, 0.9 sy, 0.0 ni, 83.4 id, 0.1 wa, 0.0 hi, 0.2 si, 0.0 st
KiB Mem: 39616294+total, 24014598+used, 15601696+free, 252728 buffers
KiB Swap: 40254668+total, 0 used, 40254668+free. 22007307+cached Mem
%CPU %MEM COMMAND
100 0.0 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate temp_2
99.3 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-4 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-4.stats -U
92.2 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-1.stats -U
75.1 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-2.stats -U
64.0 0.2 snort -c /etc/nsm/SO-server-eth4/snort.conf -u SO-user -g SO-user -i eth4 -l /nsm/sensor_data/SO-server-eth4/snort-3 --perfmon-file /nsm/sensor_data/SO-server-eth4/snort-3.stats -U
29.0 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
26.2 0.4 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
20.8 0.0 /usr/sbin/mysqld
19.3 0.4 netsniff-ng -i eth4 -o /nsm/sensor_data/SO-server-eth4/dailylogs/2016-07-19/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1600 iB --interval 150 iB --mmap
4.3 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
3.2 0.0 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
2.9 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
2.0 0.0 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
1.9 1.1 /usr/bin/searchd --nodetach
1.7 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
1.7 0.0 wish /usr/bin/SO-user.tk -- -d 0
0.9 0.0 [kworker/u290:0]
0.5 0.0 [jbd2/dm-0-8]
0.4 0.0 [rcu_sched]
0.2 0.0 [rcuos/12]
0.2 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.2 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.1 0.0 [rcuos/21]
0.1 0.0 /usr/bin/freshclam -d --quiet
0.1 0.0 /var/ossec/bin/ossec-syscheckd
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.1 0.2 /opt/bro/bin/bro -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [rcuos/0]
0.0 0.0 [rcuob/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [rcuos/1]
0.0 0.0 [rcuob/1]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [rcuos/2]
0.0 0.0 [rcuob/2]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [rcuos/3]
0.0 0.0 [rcuob/3]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [rcuos/4]
0.0 0.0 [rcuob/4]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [rcuos/5]
0.0 0.0 [rcuob/5]
0.0 0.0 [watchdog/6]
0.0 0.0 [migration/6]
0.0 0.0 [ksoftirqd/6]
0.0 0.0 [kworker/6:0]
0.0 0.0 [kworker/6:0H]
0.0 0.0 [rcuos/6]
0.0 0.0 [rcuob/6]
0.0 0.0 [watchdog/7]
0.0 0.0 [migration/7]
0.0 0.0 [ksoftirqd/7]
0.0 0.0 [kworker/7:0H]
0.0 0.0 [rcuos/7]
0.0 0.0 [rcuob/7]
0.0 0.0 [watchdog/8]
0.0 0.0 [migration/8]
0.0 0.0 [ksoftirqd/8]
0.0 0.0 [kworker/8:0H]
0.0 0.0 [rcuos/8]
0.0 0.0 [rcuob/8]
0.0 0.0 [watchdog/9]
0.0 0.0 [migration/9]
0.0 0.0 [ksoftirqd/9]
0.0 0.0 [kworker/9:0H]
0.0 0.0 [rcuos/9]
0.0 0.0 [rcuob/9]
0.0 0.0 [watchdog/10]
0.0 0.0 [migration/10]
0.0 0.0 [ksoftirqd/10]
0.0 0.0 [kworker/10:0H]
0.0 0.0 [rcuos/10]
0.0 0.0 [rcuob/10]
0.0 0.0 [watchdog/11]
0.0 0.0 [migration/11]
0.0 0.0 [ksoftirqd/11]
0.0 0.0 [kworker/11:0H]
0.0 0.0 [rcuos/11]
0.0 0.0 [rcuob/11]
0.0 0.0 [watchdog/12]
0.0 0.0 [migration/12]
0.0 0.0 [ksoftirqd/12]
0.0 0.0 [kworker/12:0]
0.0 0.0 [kworker/12:0H]
0.0 0.0 [rcuob/12]
0.0 0.0 [watchdog/13]
0.0 0.0 [migration/13]
0.0 0.0 [ksoftirqd/13]
0.0 0.0 [kworker/13:0H]
0.0 0.0 [rcuos/13]
0.0 0.0 [rcuob/13]
0.0 0.0 [watchdog/14]
0.0 0.0 [migration/14]
0.0 0.0 [ksoftirqd/14]
0.0 0.0 [kworker/14:0H]
0.0 0.0 [rcuos/14]
0.0 0.0 [rcuob/14]
0.0 0.0 [watchdog/15]
0.0 0.0 [migration/15]
0.0 0.0 [ksoftirqd/15]
0.0 0.0 [kworker/15:0H]
0.0 0.0 [rcuos/15]
0.0 0.0 [rcuob/15]
0.0 0.0 [watchdog/16]
0.0 0.0 [migration/16]
0.0 0.0 [ksoftirqd/16]
0.0 0.0 [kworker/16:0]
0.0 0.0 [kworker/16:0H]
0.0 0.0 [rcuos/16]
0.0 0.0 [rcuob/16]
0.0 0.0 [watchdog/17]
0.0 0.0 [migration/17]
0.0 0.0 [ksoftirqd/17]
0.0 0.0 [kworker/17:0]
0.0 0.0 [kworker/17:0H]
0.0 0.0 [rcuos/17]
0.0 0.0 [rcuob/17]
0.0 0.0 [watchdog/18]
0.0 0.0 [migration/18]
0.0 0.0 [ksoftirqd/18]
0.0 0.0 [kworker/18:0]
0.0 0.0 [kworker/18:0H]
0.0 0.0 [rcuos/18]
0.0 0.0 [rcuob/18]
0.0 0.0 [watchdog/19]
0.0 0.0 [migration/19]
0.0 0.0 [ksoftirqd/19]
0.0 0.0 [kworker/19:0H]
0.0 0.0 [rcuos/19]
0.0 0.0 [rcuob/19]
0.0 0.0 [watchdog/20]
0.0 0.0 [migration/20]
0.0 0.0 [ksoftirqd/20]
0.0 0.0 [kworker/20:0]
0.0 0.0 [kworker/20:0H]
0.0 0.0 [rcuos/20]
0.0 0.0 [rcuob/20]
0.0 0.0 [watchdog/21]
0.0 0.0 [migration/21]
0.0 0.0 [ksoftirqd/21]
0.0 0.0 [kworker/21:0H]
0.0 0.0 [rcuob/21]
0.0 0.0 [watchdog/22]
0.0 0.0 [migration/22]
0.0 0.0 [ksoftirqd/22]
0.0 0.0 [kworker/22:0]
0.0 0.0 [kworker/22:0H]
0.0 0.0 [rcuos/22]
0.0 0.0 [rcuob/22]
0.0 0.0 [watchdog/23]
0.0 0.0 [migration/23]
0.0 0.0 [ksoftirqd/23]
0.0 0.0 [kworker/23:0H]
0.0 0.0 [rcuos/23]
0.0 0.0 [rcuob/23]
0.0 0.0 [watchdog/24]
0.0 0.0 [migration/24]
0.0 0.0 [ksoftirqd/24]
0.0 0.0 [kworker/24:0]
0.0 0.0 [kworker/24:0H]
0.0 0.0 [rcuos/24]
0.0 0.0 [rcuob/24]
0.0 0.0 [watchdog/25]
0.0 0.0 [migration/25]
0.0 0.0 [ksoftirqd/25]
0.0 0.0 [kworker/25:0H]
0.0 0.0 [rcuos/25]
0.0 0.0 [rcuob/25]
0.0 0.0 [watchdog/26]
0.0 0.0 [migration/26]
0.0 0.0 [ksoftirqd/26]
0.0 0.0 [kworker/26:0]
0.0 0.0 [kworker/26:0H]
0.0 0.0 [rcuos/26]
0.0 0.0 [rcuob/26]
0.0 0.0 [watchdog/27]
0.0 0.0 [migration/27]
0.0 0.0 [ksoftirqd/27]
0.0 0.0 [kworker/27:0H]
0.0 0.0 [rcuos/27]
0.0 0.0 [rcuob/27]
0.0 0.0 [watchdog/28]
0.0 0.0 [migration/28]
0.0 0.0 [ksoftirqd/28]
0.0 0.0 [kworker/28:0]
0.0 0.0 [kworker/28:0H]
0.0 0.0 [rcuos/28]
0.0 0.0 [rcuob/28]
0.0 0.0 [watchdog/29]
0.0 0.0 [migration/29]
0.0 0.0 [ksoftirqd/29]
0.0 0.0 [kworker/29:0H]
0.0 0.0 [rcuos/29]
0.0 0.0 [rcuob/29]
0.0 0.0 [watchdog/30]
0.0 0.0 [migration/30]
0.0 0.0 [ksoftirqd/30]
0.0 0.0 [kworker/30:0]
0.0 0.0 [kworker/30:0H]
0.0 0.0 [rcuos/30]
0.0 0.0 [rcuob/30]
0.0 0.0 [watchdog/31]
0.0 0.0 [migration/31]
0.0 0.0 [ksoftirqd/31]
0.0 0.0 [kworker/31:0]
0.0 0.0 [kworker/31:0H]
0.0 0.0 [rcuos/31]
0.0 0.0 [rcuob/31]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [kworker/0:1]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/2:1]
0.0 0.0 [kswapd0]
0.0 0.0 [kswapd1]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/u288:1]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [bnx2x]
0.0 0.0 [bnx2x_iov]
0.0 0.0 [kworker/12:1]
0.0 0.0 [kworker/6:1]
0.0 0.0 [kworker/17:1]
0.0 0.0 [kworker/29:1]
0.0 0.0 [kworker/18:1]
0.0 0.0 [kworker/22:1]
0.0 0.0 [kworker/30:1]
0.0 0.0 [kworker/24:1]
0.0 0.0 [kworker/26:1]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [usb-storage]
0.0 0.0 [bioset]
0.0 0.0 [kworker/28:1]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/16:1]
0.0 0.0 [kworker/20:1]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 [edac-poller]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [krfcommd]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 [kworker/4:2]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 cron
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 supervising syslog-ng
0.0 0.0 [kauditd]
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 lightdm
0.0 0.0 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 [kworker/25:2]
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth4 -U .status -p broctl -p broctl-live -p local -p seven-eth4-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth4/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth4/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-2.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-3.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-3.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-3.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-4.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth4/snort_agent-4.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth4/snort-4.stats
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-1 -i 1 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-2 -i 2 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-3.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-3 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-3 -i 3 -U
0.0 0.0 barnyard2 -c /etc/nsm/SO-server-eth4/barnyard2-4.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth4/snort-4 -f snort.unified2 -w /etc/nsm/SO-server-eth4/barnyard2.waldo-4 -i 4 -U
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 [kworker/27:1H]
0.0 0.0 [kworker/15:1H]
0.0 0.0 [kworker/9:1H]
0.0 0.0 [kworker/31:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/15:2]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/19:1H]
0.0 0.0 [kworker/13:1H]
0.0 0.0 [kworker/11:1H]
0.0 0.0 [kworker/7:1H]
0.0 0.0 [kworker/10:2]
0.0 0.0 [kworker/27:2]
0.0 0.0 [kworker/25:1H]
0.0 0.0 [kworker/23:1H]
0.0 0.0 [kworker/17:1H]
0.0 0.0 [kworker/19:2]
0.0 0.0 [kworker/21:1H]
0.0 0.0 [kworker/19:0]
0.0 0.0 [kworker/9:2]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/9:0]
0.0 0.0 sshd: SO-user
0.0 0.0 [kworker/15:0]
0.0 0.0 [kworker/8:1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/29:1H]
0.0 0.0 [kworker/31:2]
0.0 0.0 [kworker/25:0]
0.0 0.0 [kworker/27:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/1
0.0 0.0 -bash
0.0 0.0 [kworker/21:2]
0.0 0.0 [kworker/11:2]
0.0 0.0 [kworker/23:2]
0.0 0.0 [kworker/29:2]
0.0 0.0 [kworker/13:1]
0.0 0.0 [kworker/5:2]
0.0 0.0 [kworker/1:2]
0.0 0.0 [kworker/u290:1]
0.0 0.0 [kworker/13:2]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/u288:2]
0.0 0.0 [kworker/21:0]
0.0 0.0 [kworker/7:0]
0.0 0.0 [kworker/11:0]
0.0 0.0 [kworker/u289:1]
0.0 0.0 [kworker/7:1]
0.0 0.0 [kworker/14:0]
0.0 0.0 [kworker/8:2]
0.0 0.0 [kworker/10:0]
0.0 0.0 [kworker/23:0]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/3:2]
0.0 0.0 sshd: SO-user
0.0 0.0 [kworker/14:1]
0.0 0.0 [kworker/u289:2]
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 [kworker/19:1]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 -bash
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node|SO-node|SO-node|SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 [kworker/3:0]
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================
eth4: 11009602
=========================================================================
Packet Loss Stats
=========================================================================
NIC:
eth4:
RX packets:277515520 dropped:0 TX packets:2 dropped:0
-------------------------------------------------------------------------
pf_ring:
Appl. Name : bro-eth4
Tot Packets : 121777411
Tot Pkt Lost : 7
Appl. Name : bro-eth4
Tot Packets : 154281732
Tot Pkt Lost : 6
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 66429127
Tot Pkt Lost : 6556850
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 63569446
Tot Pkt Lost : 5205987
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 55000143
Tot Pkt Lost : 3375667
Appl. Name : snort-cluster-55-socket-0
Tot Packets : 90348981
Tot Pkt Lost : 29381910
-------------------------------------------------------------------------
IDS Engine (snort) packet drops:
/nsm/sensor_data/SO-server-eth4/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-3.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth4/snort-4.stats last reported pkt_drop_percent as 3.015
-------------------------------------------------------------------------
Bro:
Average packet loss as percent across all Bro workers: 0.000005
seven-eth4-1: 1468951518.157177 recvd=121783809 dropped=7 link=121783809
seven-eth4-2: 1468951518.357343 recvd=154295201 dropped=6 link=154295201
No capture loss reported.
-------------------------------------------------------------------------
Netsniff-NG:
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160714142957 Processed: +258129 Lost: -7911
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160715000004 Processed: +231919 Lost: -1784
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160716000004 Processed: +259959 Lost: -14566
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160718000003 Processed: +220802 Lost: -837
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160719000004 Processed: +231137 Lost: -64965
File: /var/log/nsm/SO-server-eth4/netsniff-ng.log.20160719145149 Processed: +200210 Lost: -1928
=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.2.0 (unknown)
Total rings : 6
Standard (non DNA/ZC) Options
Ring slots : 131070
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 4
Cluster Fragment Discard : 0
=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth1/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth2/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
4.0K .
/nsm/sensor_data/SO-server-eth4/dailylogs/ - 5 days
3.2T .
1.1T ./2016-07-15
487G ./2016-07-16
390G ./2016-07-17
702G ./2016-07-18
529G ./2016-07-19
/nsm/sensor_data/SO-server-eth5/dailylogs/ - 0 days
4.0K .
/nsm/bro/logs/ - 7 days
7.5G .
1.5G ./2016-07-13
1.5G ./2016-07-14
1.4G ./2016-07-15
816M ./2016-07-16
543M ./2016-07-17
906M ./2016-07-18
821M ./2016-07-19
152M ./stats
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
105413
=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
Total
13565
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
Total
885095
=========================================================================
Last update
=========================================================================
Start-Date: 2016-07-11 16:27:34
Commandline: apt-get install securityonion-elsa-extras
Upgrade: securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion30, 20151011-1ubuntu1securityonion32)
End-Date: 2016-07-11 16:27:37
Start-Date: 2016-07-19 14:44:49
Commandline: apt-get -y dist-upgrade
Install: linux-headers-3.19.0-65:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-extra-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-image-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic), linux-headers-3.19.0-65-generic:amd64 (3.19.0-65.73~14.04.1, automatic)
Upgrade: kpartx:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), libnl-genl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), securityonion-squert:amd64 (20141015-0ubuntu0securityonion14, 20141015-0ubuntu0securityonion15), dpkg:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-capme:amd64 (20121213-0ubuntu0securityonion47, 20121213-0ubuntu0securityonion60), dkms:amd64 (X.X.X.X-1.1ubuntu5.14.04.5, X.X.X.X-1.1ubuntu5.14.04.6), libarchive13:amd64 (3.1.2-7ubuntu2.2, 3.1.2-7ubuntu2.3), gimp:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), dpkg-dev:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), libgimp2.0:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion133, 20120724-0ubuntu0securityonion138), grub-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), chromium-codecs-ffmpeg-extra:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnspr4:amd64 (4.10.10-0ubuntu0.14.04.1, 4.12-0ubuntu0.14.04.1), linux-image-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), python-libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), libnss3-1d:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), libnl-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), libimobiledevice4:amd64 (1.1.5+git20140313.bafe6a9e-0ubuntu1, 1.1.5+git20140313.bafe6a9e-0ubuntu1.1), libgd3:amd64 (2.1.0-3ubuntu0.1, 2.1.0-3ubuntu0.2), libmagickcore5-extra:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), grub2-common:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), libldap-2.4-2:amd64 (2.4.31-1+nmu2ubuntu8.2, 2.4.31-1+nmu2ubuntu8.3), chromium-browser-l10n:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121), libnss3-nssdb:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), gimp-data:amd64 (2.8.10-0ubuntu1, 2.8.10-0ubuntu1.1), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion57, 20141015-0ubuntu0securityonion60), libxml2:amd64 (2.9.1+dfsg1-3ubuntu4.7, 2.9.1+dfsg1-3ubuntu4.8), linux-headers-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), xserver-xorg-core-lts-vivid:amd64 (1.17.1-0ubuntu3.1~trusty1, 1.17.1-0ubuntu3.1~trusty1.1), libmagickwand5:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), wget:amd64 (1.15-1ubuntu1.14.04.1, 1.15-1ubuntu1.14.04.2), libdpkg-perl:amd64 (1.17.5ubuntu5.6, 1.17.5ubuntu5.7), securityonion-sostat:amd64 (20120722-0ubuntu0securityonion53, 20120722-0ubuntu0securityonion57), imagemagick:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), libnss3:amd64 (3.21-0ubuntu0.14.04.2, 3.23-0ubuntu0.14.04.1), linux-generic-lts-vivid:amd64 (X.X.X.X.42, X.X.X.X.47), grub-pc-bin:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), apache2-data:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), grub-pc:amd64 (2.02~beta2-9ubuntu1.7, 2.02~beta2-9ubuntu1.11), sbsigntool:amd64 (0.6-0ubuntu7, 0.6-0ubuntu7.2), kpartx-boot:amd64 (0.4.9-3ubuntu7.11, 0.4.9-3ubuntu7.13), securityonion-setup:amd64 (20120912-0ubuntu0securityonion215, 20120912-0ubuntu0securityonion222), libmagickcore5:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), libexpat1:amd64 (2.1.0-4ubuntu1.2, 2.1.0-4ubuntu1.3), apache2:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), tzdata:amd64 (2016d-0ubuntu0.14.04, 2016f-0ubuntu0.14.04), apache2-bin:amd64 (2.4.7-1ubuntu4.9, 2.4.7-1ubuntu4.13), imagemagick-common:amd64 (X.X.X.X-6ubuntu3, X.X.X.X-6ubuntu3.1), linux-libc-dev:amd64 (3.13.0-87.133, 3.13.0-92.139), libnl-route-3-200:amd64 (3.2.21-1ubuntu1.1, 3.2.21-1ubuntu3), chromium-browser:amd64 (50.0.2661.102-0ubuntu0.14.04.1.1117, 51.0.2704.79-0ubuntu0.14.04.1.1121)
End-Date: 2016-07-19 14:47:18
=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1935 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!
MySQL
Checking for process:
1941 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!
Sphinx
Checking for process:
1920 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1957 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!
ELSA Buffers in Queue:
4
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
ELSA Directory Sizes:
3.7T /nsm/elsa/data
194M /var/lib/mysql/syslog
11M /var/lib/mysql/syslog_data
ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2016-05-22 00:33:42 2016-07-19 18:04:13
ELSA Log Node SSH Tunnels:
PORT NODE IP/STATUS
50000 SO-node X.X.X.X
50001 SO-node X.X.X.X
50002 SO-node X.X.X.X