Snort IDS not sending/collecting data to syslog server

adrian fernandez

Apr 29, 2015, 7:02:56 AM
to securit...@googlegroups.com
Hey everyone,

I have a SO device that isn't sending any actual data to the syslog server. It only sends cron and system info logs. Here is what I have coming in:

CRON[14712]: pam_unix(cron:session): session closed for user root
CRON[14710]: pam_unix(cron:session): session closed for user root
CRON[14718]: (root) CMD (find /var/www/capme/pcap/*.pcap -mmin +5 -delete >/dev/null 2>&1)
CRON[14710]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[14713]: (root) CMD (perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf > /dev/null 2>&1)
CRON[14714]: (root) CMD (/usr/sbin/nsm_sensor_clean -y >> /var/log/nsm/sensor-clean.log 2>&1)
CRON[14712]: pam_unix(cron:session): session opened for user root by (uid=0)

That seems to be the only thing coming in for days.

I've tried restarting the server, performing a sudo service nsm restart command, and updating via sudo apt-get install --reinstall securityonion-pfring-module... nothing seems to work. I wanted to check if anyone had any input on this before I rebuild.

Heine Lysemose

Apr 29, 2015, 7:32:51 AM
to securit...@googlegroups.com

Hi

Could you post the output from sudo sostat-redacted?

Thanks,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

adrian fernandez

May 1, 2015, 3:46:20 PM
to securit...@googlegroups.com
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name               Type     Host       Status   Pid   Peers  Started
manager            manager  localhost  running  4418  4      01 May 18:46:33
proxy              proxy    localhost  running  4572  4      01 May 18:46:35
SO-server-eth1-1   worker   localhost  running  5010  2      01 May 18:46:37
SO-server-eth2-1   worker   localhost  running  5009  2      01 May 18:46:37
SO-server-eth3-1   worker   localhost  running  5011  2      01 May 18:46:37
Status: SO-server-eth1
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth2
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
Status: SO-server-eth3
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:118821 errors:0 dropped:0 overruns:0 frame:0
TX packets:50631 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:148618213 (148.6 MB) TX bytes:5827594 (5.8 MB)
Interrupt:16 Memory:dfc00000-dfc20000

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:10452 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1053748 (1.0 MB) TX bytes:0 (0.0 B)
Interrupt:17 Memory:dfb00000-dfb20000

eth2 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:18 Memory:dfa00000-dfa20000

eth3 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:19 Memory:df900000-df920000

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:19442 errors:0 dropped:0 overruns:0 frame:0
TX packets:19442 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:152520207 (152.5 MB) TX bytes:152520207 (152.5 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
152520207 19442 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
152520207 19442 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
148618213 118821 0 0 0 3581
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
5827594 50631 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1053748 10452 0 0 0 3607
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,NOARP,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem  Size  Used  Avail  Use%  Mounted on
/dev/sda1   1.8T  160G  1.6T   10%   /
udev        3.9G  4.0K  3.9G   1%    /dev
tmpfs       796M  788K  796M   1%    /run
none        5.0M  0     5.0M   0%    /run/lock
none        3.9G  0     3.9G   0%    /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1430 avahi 12u IPv4 1637 0t0 UDP *:5353
avahi-dae 1430 avahi 13u IPv6 1638 0t0 UDP *:5353
avahi-dae 1430 avahi 14u IPv4 1639 0t0 UDP *:56795
avahi-dae 1430 avahi 15u IPv6 1640 0t0 UDP *:46126
cupsd 1452 root 8u IPv6 9792 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 1452 root 9u IPv4 9793 0t0 TCP X.X.X.X:631 (LISTEN)
sshd 1739 root 3r IPv4 11349 0t0 TCP *:ssh_port (LISTEN)
sshd 1739 root 4u IPv6 11351 0t0 TCP *:ssh_port (LISTEN)
salt-mini 1844 root 10u IPv4 11667 0t0 TCP X.X.X.X:57239->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1844 root 28u IPv4 10879 0t0 TCP X.X.X.X:54049->X.X.X.X:4505 (ESTABLISHED)
syslog-ng 1861 root 9u IPv4 10095 0t0 TCP *:514 (LISTEN)
syslog-ng 1861 root 10u IPv4 10096 0t0 UDP *:514
syslog-ng 1861 root 14u IPv4 10102 0t0 UDP X.X.X.X:52134->X.X.X.X:514
syslog-ng 1861 root 15u IPv4 10103 0t0 UDP X.X.X.X:58552->X.X.X.X:514
mysqld 1971 mysql 10u IPv4 13574 0t0 TCP X.X.X.X:50000 (LISTEN)
searchd 1993 sphinxsearch 7u IPv4 1805 0t0 TCP *:9306 (LISTEN)
searchd 1993 sphinxsearch 8u IPv4 1806 0t0 TCP *:9312 (LISTEN)
snmpd 2093 snmp 8u IPv4 17272 0t0 UDP *:161
snmpd 2093 snmp 10u IPv4 17271 0t0 UDP *:35481
starman 2162 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2164 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2164 www-data 17u IPv4 22269 0t0 TCP X.X.X.X:38619->X.X.X.X:3154 (CLOSE_WAIT)
starman 2165 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2166 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2166 www-data 19u IPv4 21716 0t0 TCP X.X.X.X:38551->X.X.X.X:3154 (CLOSE_WAIT)
starman 2167 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2167 www-data 17u IPv4 30979 0t0 TCP X.X.X.X:38662->X.X.X.X:3154 (CLOSE_WAIT)
starman 2168 www-data 5u IPv6 12385 0t0 TCP *:3154 (LISTEN)
starman 2168 www-data 17u IPv4 21849 0t0 TCP X.X.X.X:38589->X.X.X.X:3154 (CLOSE_WAIT)
xrdp 2193 xrdp 6u IPv4 13583 0t0 TCP *:3389 (LISTEN)
xrdp-sesm 2197 root 6u IPv4 13397 0t0 TCP X.X.X.X:3350 (LISTEN)
/usr/sbin 2346 root 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2346 root 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2346 root 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
/usr/sbin 2430 www-data 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2430 www-data 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2430 www-data 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
/usr/sbin 2432 www-data 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2432 www-data 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2432 www-data 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
/usr/sbin 2433 www-data 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2433 www-data 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2433 www-data 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
/usr/sbin 2434 www-data 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2434 www-data 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2434 www-data 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
/usr/sbin 2435 www-data 4u IPv4 1992 0t0 TCP *:443 (LISTEN)
/usr/sbin 2435 www-data 5u IPv4 1995 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2435 www-data 6u IPv4 1997 0t0 TCP *:444 (LISTEN)
ntpd 3961 ntp 16u IPv4 17233 0t0 UDP *:123
ntpd 3961 ntp 17u IPv6 17234 0t0 UDP *:123
ntpd 3961 ntp 18u IPv4 17240 0t0 UDP X.X.X.X:123
ntpd 3961 ntp 19u IPv4 17241 0t0 UDP X.X.X.X:123
ntpd 3961 ntp 20u IPv6 17242 0t0 UDP [X.X.X.X]:123
ntpd 3961 ntp 21u IPv6 17243 0t0 UDP [X.X.X.X]:123
ssh 3987 root 3r IPv4 18699 0t0 TCP X.X.X.X:39970->X.X.X.X:ssh_port (ESTABLISHED)
ssh 3987 root 4u IPv6 17992 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 3987 root 5u IPv4 17993 0t0 TCP X.X.X.X:3306 (LISTEN)
ssh 3987 root 6u IPv4 21748 0t0 TCP X.X.X.X:3306->X.X.X.X:47169 (ESTABLISHED)
ssh 3987 root 7u IPv4 20105 0t0 TCP X.X.X.X:3306->X.X.X.X:47171 (ESTABLISHED)
ssh 3987 root 8u IPv4 20108 0t0 TCP X.X.X.X:3306->X.X.X.X:47173 (ESTABLISHED)
tclsh 4050 SO-user 3u IPv4 18713 0t0 TCP X.X.X.X:42500->X.X.X.X:7736 (ESTABLISHED)
bro 4418 SO-user 4u IPv4 19617 0t0 UDP X.X.X.X:53295->X.X.X.X:53
bro 4420 SO-user 0u IPv4 20532 0t0 TCP *:47761 (LISTEN)
bro 4420 SO-user 1u IPv6 20533 0t0 TCP *:47761 (LISTEN)
bro 4420 SO-user 2u IPv4 20574 0t0 TCP X.X.X.X:47761->X.X.X.X:54403 (ESTABLISHED)
bro 4420 SO-user 4u IPv4 19617 0t0 UDP X.X.X.X:53295->X.X.X.X:53
bro 4420 SO-user 251u IPv4 20686 0t0 TCP X.X.X.X:47761->X.X.X.X:54404 (ESTABLISHED)
bro 4420 SO-user 255u IPv4 19751 0t0 TCP X.X.X.X:47761->X.X.X.X:54407 (ESTABLISHED)
bro 4420 SO-user 256u IPv4 19753 0t0 TCP X.X.X.X:47761->X.X.X.X:54406 (ESTABLISHED)
bro 4572 SO-user 4u IPv4 18938 0t0 UDP X.X.X.X:53608->X.X.X.X:53
bro 4574 SO-user 0u IPv4 19656 0t0 TCP X.X.X.X:54403->X.X.X.X:47761 (ESTABLISHED)
bro 4574 SO-user 1u IPv4 19659 0t0 TCP *:47762 (LISTEN)
bro 4574 SO-user 2u IPv6 19660 0t0 TCP *:47762 (LISTEN)
bro 4574 SO-user 4u IPv4 18938 0t0 UDP X.X.X.X:53608->X.X.X.X:53
bro 4574 SO-user 251u IPv4 20687 0t0 TCP X.X.X.X:47762->X.X.X.X:33220 (ESTABLISHED)
bro 4574 SO-user 255u IPv4 18399 0t0 TCP X.X.X.X:47762->X.X.X.X:33224 (ESTABLISHED)
bro 4574 SO-user 256u IPv4 18400 0t0 TCP X.X.X.X:47762->X.X.X.X:33225 (ESTABLISHED)
bro 5009 SO-user 4u IPv4 19072 0t0 UDP X.X.X.X:47480->X.X.X.X:53
bro 5010 SO-user 4u IPv4 20678 0t0 UDP X.X.X.X:59663->X.X.X.X:53
bro 5011 SO-user 4u IPv4 19735 0t0 UDP X.X.X.X:51866->X.X.X.X:53
bro 5012 SO-user 0u IPv4 18394 0t0 TCP X.X.X.X:54404->X.X.X.X:47761 (ESTABLISHED)
bro 5012 SO-user 1u IPv4 19743 0t0 TCP X.X.X.X:33220->X.X.X.X:47762 (ESTABLISHED)
bro 5012 SO-user 2u IPv4 19746 0t0 TCP *:47764 (LISTEN)
bro 5012 SO-user 4u IPv4 19072 0t0 UDP X.X.X.X:47480->X.X.X.X:53
bro 5012 SO-user 251u IPv6 19747 0t0 TCP *:47764 (LISTEN)
bro 5015 SO-user 0u IPv4 18397 0t0 TCP X.X.X.X:54407->X.X.X.X:47761 (ESTABLISHED)
bro 5015 SO-user 1u IPv4 18398 0t0 TCP X.X.X.X:33224->X.X.X.X:47762 (ESTABLISHED)
bro 5015 SO-user 2u IPv4 18403 0t0 TCP *:47765 (LISTEN)
bro 5015 SO-user 4u IPv4 19735 0t0 UDP X.X.X.X:51866->X.X.X.X:53
bro 5015 SO-user 251u IPv6 18404 0t0 TCP *:47765 (LISTEN)
bro 5016 SO-user 0u IPv4 19750 0t0 TCP X.X.X.X:54406->X.X.X.X:47761 (ESTABLISHED)
bro 5016 SO-user 1u IPv4 19752 0t0 TCP X.X.X.X:33225->X.X.X.X:47762 (ESTABLISHED)
bro 5016 SO-user 2u IPv4 20692 0t0 TCP *:47763 (LISTEN)
bro 5016 SO-user 4u IPv4 20678 0t0 UDP X.X.X.X:59663->X.X.X.X:53
bro 5016 SO-user 251u IPv6 20693 0t0 TCP *:47763 (LISTEN)
tclsh 5087 SO-user 3u IPv4 19843 0t0 TCP X.X.X.X:42509->X.X.X.X:7736 (ESTABLISHED)
tclsh 5087 SO-user 4u IPv4 19166 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 5087 SO-user 6u IPv4 20104 0t0 TCP X.X.X.X:8101->X.X.X.X:56806 (ESTABLISHED)
barnyard2 5140 SO-user 3u IPv4 20103 0t0 TCP X.X.X.X:56806->X.X.X.X:8101 (ESTABLISHED)
barnyard2 5140 SO-user 4u IPv4 21759 0t0 TCP X.X.X.X:47171->X.X.X.X:3306 (ESTABLISHED)
tclsh 5190 SO-user 3u IPv4 20803 0t0 TCP X.X.X.X:42510->X.X.X.X:7736 (ESTABLISHED)
tclsh 5190 SO-user 4u IPv4 20804 0t0 TCP X.X.X.X:8201 (LISTEN)
tclsh 5190 SO-user 6u IPv4 20107 0t0 TCP X.X.X.X:8201->X.X.X.X:41449 (ESTABLISHED)
barnyard2 5243 SO-user 3u IPv4 20910 0t0 TCP X.X.X.X:41449->X.X.X.X:8201 (ESTABLISHED)
barnyard2 5243 SO-user 4u IPv4 20913 0t0 TCP X.X.X.X:47173->X.X.X.X:3306 (ESTABLISHED)
tclsh 5293 SO-user 3u IPv4 19376 0t0 TCP X.X.X.X:42511->X.X.X.X:7736 (ESTABLISHED)
tclsh 5293 SO-user 4u IPv4 21661 0t0 TCP X.X.X.X:8301 (LISTEN)
tclsh 5293 SO-user 6u IPv4 22655 0t0 TCP X.X.X.X:8301->X.X.X.X:39724 (ESTABLISHED)
barnyard2 5346 SO-user 3u IPv4 22654 0t0 TCP X.X.X.X:39724->X.X.X.X:8301 (ESTABLISHED)
barnyard2 5346 SO-user 4u IPv4 22658 0t0 TCP X.X.X.X:47169->X.X.X.X:3306 (ESTABLISHED)
sshd 5435 root 3r IPv4 22680 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:48372 (ESTABLISHED)
sshd 5620 SO-user 3u IPv4 22680 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:48372 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri May 1 07:01:01 UTC 2015
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 5 minutes to allow master time to download new rules.
Copying rules from X.X.X.X.
Restarting Barnyard2.
Restarting: SO-server-eth1
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth2
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting: SO-server-eth3
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth1
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
Restarting: SO-server-eth2
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
Restarting: SO-server-eth3
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
4.54 3.83 1.96
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 18:54:15 up 9 min, 1 user, load average: 4.54, 3.83, 1.96
Tasks: 170 total, 14 running, 156 sleeping, 0 stopped, 0 zombie
Cpu(s): 61.3%us, 7.9%sy, 1.3%ni, 27.8%id, 1.8%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8150248k total, 5563808k used, 2586440k free, 93288k buffers
Swap: 12434028k total, 0k used, 12434028k free, 905704k cached

%CPU %MEM COMMAND
85.9 4.9 barnyard2 -c /etc/nsm/SO-server-eth3/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth3/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth3/barnyard2.waldo-1 -i 1 -U
82.8 4.9 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
81.5 4.9 barnyard2 -c /etc/nsm/SO-server-eth2/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth2/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth2/barnyard2.waldo-1 -i 1 -U
9.2 0.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
9.0 0.5 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
7.8 6.7 snort -c /etc/nsm/SO-server-eth3/snort.conf -u SO-user -g SO-user -i eth3 -F /etc/nsm/SO-server-eth3/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth3/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth3/snort-1.stats -U
7.8 6.7 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
7.7 6.6 snort -c /etc/nsm/SO-server-eth2/snort.conf -u SO-user -g SO-user -i eth2 -F /etc/nsm/SO-server-eth2/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth2/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth2/snort-1.stats -U
7.1 0.9 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
7.1 1.1 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
7.0 0.9 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
7.0 1.0 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
7.0 0.9 /opt/bro/bin/bro -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
6.9 1.0 /opt/bro/bin/bro -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.8 0.7 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.7 0.6 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.6 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50005:localhost:3154
0.5 6.8 /usr/bin/searchd --nodetach
0.3 0.5 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.2 1.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.2 1.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.2 1.4 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.2 1.3 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.2 1.3 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.1 0.0 /sbin/init
0.1 0.2 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
0.1 0.5 /usr/bin/python /usr/bin/salt-minion
0.1 0.6 /usr/sbin/mysqld
0.1 0.0 [kworker/2:0]
0.1 0.1 /usr/sbin/lightdm-gtk-greeter
0.0 0.1 -bash
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/0:1]
0.0 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.0 0.0 [kworker/0:2]
0.0 0.0 [flush-8:0]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 /usr/sbin/console-kit-daemon --no-daemon
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 dbus-daemon --system --fork --activation=upstart
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.1 /usr/sbin/apache2 -k start
0.0 0.1 Passenger spawn server
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent-1.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [migration/1]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/2]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/3]
0.0 0.0 [kworker/3:0]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [watchdog/3]
0.0 0.0 [cpuset]
0.0 0.0 [khelper]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [sync_supers]
0.0 0.0 [bdi-default]
0.0 0.0 [kintegrityd]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [khubd]
0.0 0.0 [md]
0.0 0.0 [khungtaskd]
0.0 0.0 [kswapd0]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [crypto]
0.0 0.0 [kthrotld]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_eh_3]
0.0 0.0 [scsi_eh_4]
0.0 0.0 [scsi_eh_5]
0.0 0.0 [kworker/u:5]
0.0 0.0 [kworker/u:7]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/1:1]
0.0 0.0 [ext4-dio-unwrit]
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 /sbin/udevd --daemon
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/2:2]
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /usr/sbin/cupsd -F
0.0 0.0 [krfcommd]
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 supervising syslog-ng
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 lightdm
0.0 0.0 atd
0.0 0.0 cron
0.0 0.0 lightdm --session-child 16 19
0.0 0.1 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /usr/sbin/xrdp
0.0 0.0 /usr/sbin/xrdp-sesman
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs//gvfs-fuse-daemon -f /var/lib/lightdm/.gvfs
0.0 0.0 PassengerWatchdog
0.0 0.0 PassengerHelperAgent
0.0 0.0 PassengerLoggingAgent
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 /usr/sbin/apache2 -k start
0.0 0.0 lightdm --session-child 12 19
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /bin/sh -c perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50005:localhost:3154
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth2 -U .status -p broctl -p broctl-live -p local -p SO-server-eth2-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth3 -U .status -p broctl -p broctl-live -p local -p SO-server-eth3-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth2/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth2/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth3/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth3/snort-1.stats
0.0 0.0 sshd: SO-user [priv]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 sudo sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat-redacted
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user|SO-user|SO-user|SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 9 days
40K .
4.0K ./2014-08-18
4.0K ./2014-08-26
4.0K ./2014-09-24
4.0K ./2014-09-30
4.0K ./2014-10-03
4.0K ./2014-10-10
4.0K ./2015-01-27
4.0K ./2015-04-29
4.0K ./2015-05-01

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 9 days
40K .
4.0K ./2014-08-18
4.0K ./2014-08-26
4.0K ./2014-09-24
4.0K ./2014-09-30
4.0K ./2014-10-03
4.0K ./2014-10-10
4.0K ./2015-01-27
4.0K ./2015-04-29
4.0K ./2015-05-01

/nsm/sensor_data/SO-server-eth3/dailylogs/ - 9 days
40K .
4.0K ./2014-08-18
4.0K ./2014-08-26
4.0K ./2014-09-24
4.0K ./2014-09-30
4.0K ./2014-10-03
4.0K ./2014-10-10
4.0K ./2015-01-27
4.0K ./2015-04-29
4.0K ./2015-05-01

/nsm/bro/logs/ - 257 days
3.2G .
1.6M ./2014-08-18
9.3M ./2014-08-19
8.3M ./2014-08-20
8.6M ./2014-08-21
9.7M ./2014-08-22
11M ./2014-08-23
14M ./2014-08-24
15M ./2014-08-25
14M ./2014-08-26
9.8M ./2014-08-27
11M ./2014-08-28
10M ./2014-08-29
8.1M ./2014-08-30
8.5M ./2014-08-31
9.0M ./2014-09-01
10M ./2014-09-02
9.6M ./2014-09-03
12M ./2014-09-04
9.6M ./2014-09-05
8.0M ./2014-09-06
14M ./2014-09-07
15M ./2014-09-08
11M ./2014-09-09
11M ./2014-09-10
10M ./2014-09-11
13M ./2014-09-12
11M ./2014-09-13
10M ./2014-09-14
12M ./2014-09-15
11M ./2014-09-16
16M ./2014-09-17
11M ./2014-09-18
11M ./2014-09-19
11M ./2014-09-20
11M ./2014-09-21
14M ./2014-09-22
11M ./2014-09-23
13M ./2014-09-24
14M ./2014-09-25
13M ./2014-09-26
13M ./2014-09-27
12M ./2014-09-28
14M ./2014-09-29
12M ./2014-09-30
9.4M ./2014-10-01
10M ./2014-10-02
11M ./2014-10-03
11M ./2014-10-04
12M ./2014-10-05
12M ./2014-10-06
11M ./2014-10-07
9.8M ./2014-10-08
10M ./2014-10-09
12M ./2014-10-10
9.4M ./2014-10-11
9.2M ./2014-10-12
9.3M ./2014-10-13
11M ./2014-10-14
12M ./2014-10-15
11M ./2014-10-16
13M ./2014-10-17
11M ./2014-10-18
11M ./2014-10-19
13M ./2014-10-20
11M ./2014-10-21
12M ./2014-10-22
11M ./2014-10-23
11M ./2014-10-24
9.4M ./2014-10-25
9.2M ./2014-10-26
11M ./2014-10-27
9.7M ./2014-10-28
11M ./2014-10-29
9.3M ./2014-10-30
11M ./2014-10-31
8.4M ./2014-11-01
8.1M ./2014-11-02
11M ./2014-11-03
9.5M ./2014-11-04
11M ./2014-11-05
12M ./2014-11-06
12M ./2014-11-07
9.2M ./2014-11-08
9.2M ./2014-11-09
11M ./2014-11-10
9.4M ./2014-11-11
11M ./2014-11-12
9.8M ./2014-11-13
13M ./2014-11-14
11M ./2014-11-15
11M ./2014-11-16
13M ./2014-11-17
13M ./2014-11-18
16M ./2014-11-19
14M ./2014-11-20
15M ./2014-11-21
14M ./2014-11-22
14M ./2014-11-23
16M ./2014-11-24
15M ./2014-11-25
13M ./2014-11-26
11M ./2014-11-27
12M ./2014-11-28
11M ./2014-11-29
11M ./2014-11-30
13M ./2014-12-01
13M ./2014-12-02
13M ./2014-12-03
13M ./2014-12-04
13M ./2014-12-05
12M ./2014-12-06
12M ./2014-12-07
14M ./2014-12-08
13M ./2014-12-09
11M ./2014-12-10
12M ./2014-12-11
12M ./2014-12-12
11M ./2014-12-13
11M ./2014-12-14
12M ./2014-12-15
13M ./2014-12-16
14M ./2014-12-17
12M ./2014-12-18
12M ./2014-12-19
14M ./2014-12-20
15M ./2014-12-21
16M ./2014-12-22
14M ./2014-12-23
13M ./2014-12-24
13M ./2014-12-25
14M ./2014-12-26
13M ./2014-12-27
13M ./2014-12-28
14M ./2014-12-29
13M ./2014-12-30
14M ./2014-12-31
12M ./2015-01-01
13M ./2015-01-02
12M ./2015-01-03
13M ./2015-01-04
15M ./2015-01-05
14M ./2015-01-06
14M ./2015-01-07
12M ./2015-01-08
13M ./2015-01-09
12M ./2015-01-10
12M ./2015-01-11
13M ./2015-01-12
19M ./2015-01-13
19M ./2015-01-14
12M ./2015-01-15
12M ./2015-01-16
9.7M ./2015-01-17
11M ./2015-01-18
11M ./2015-01-19
13M ./2015-01-20
12M ./2015-01-21
11M ./2015-01-22
12M ./2015-01-23
11M ./2015-01-24
11M ./2015-01-25
13M ./2015-01-26
12M ./2015-01-27
11M ./2015-01-28
11M ./2015-01-29
11M ./2015-01-30
9.8M ./2015-01-31
9.9M ./2015-02-01
12M ./2015-02-02
12M ./2015-02-03
11M ./2015-02-04
12M ./2015-02-05
11M ./2015-02-06
11M ./2015-02-07
11M ./2015-02-08
13M ./2015-02-09
9.8M ./2015-02-10
11M ./2015-02-11
11M ./2015-02-12
13M ./2015-02-13
12M ./2015-02-14
12M ./2015-02-15
12M ./2015-02-16
12M ./2015-02-17
14M ./2015-02-18
14M ./2015-02-19
12M ./2015-02-20
9.5M ./2015-02-21
9.7M ./2015-02-22
12M ./2015-02-23
11M ./2015-02-24
11M ./2015-02-25
12M ./2015-02-26
12M ./2015-02-27
9.4M ./2015-02-28
9.3M ./2015-03-01
11M ./2015-03-02
9.9M ./2015-03-03
11M ./2015-03-04
11M ./2015-03-05
9.9M ./2015-03-06
8.7M ./2015-03-07
8.5M ./2015-03-08
9.6M ./2015-03-09
10M ./2015-03-10
11M ./2015-03-11
10M ./2015-03-12
10M ./2015-03-13
11M ./2015-03-14
11M ./2015-03-15
12M ./2015-03-16
11M ./2015-03-17
13M ./2015-03-18
11M ./2015-03-19
11M ./2015-03-20
9.8M ./2015-03-21
10M ./2015-03-22
11M ./2015-03-23
10M ./2015-03-24
11M ./2015-03-25
12M ./2015-03-26
11M ./2015-03-27
9.0M ./2015-03-28
8.8M ./2015-03-29
10M ./2015-03-30
9.7M ./2015-03-31
9.9M ./2015-04-01
11M ./2015-04-02
9.7M ./2015-04-03
11M ./2015-04-04
9.9M ./2015-04-05
11M ./2015-04-06
12M ./2015-04-07
11M ./2015-04-08
9.9M ./2015-04-09
10M ./2015-04-10
9.1M ./2015-04-11
9.5M ./2015-04-12
11M ./2015-04-13
13M ./2015-04-14
12M ./2015-04-15
13M ./2015-04-16
14M ./2015-04-17
10M ./2015-04-18
9.4M ./2015-04-19
11M ./2015-04-20
11M ./2015-04-21
15M ./2015-04-22
13M ./2015-04-23
13M ./2015-04-24
9.8M ./2015-04-25
9.0M ./2015-04-26
10M ./2015-04-27
9.9M ./2015-04-28
11M ./2015-04-29
13M ./2015-04-30
8.6M ./2015-05-01
402M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth1-1: 1430506456.210032 recvd=8781 dropped=0 link=8781
SO-server-eth2-1: 1430506456.410026 recvd=0 dropped=0 link=0
SO-server-eth3-1: 1430506456.610079 recvd=0 dropped=0 link=0

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
ERROR: No stats found in /nsm/sensor_data/SO-server-eth2/snort-1.stats
ERROR: No stats found in /nsm/sensor_data/SO-server-eth3/snort-1.stats

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 6

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/5009-eth2.3
Appl. Name : bro-eth2
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/5010-eth1.2
Appl. Name : bro-eth1
Tot Packets : 8801
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/5011-eth3.1
Appl. Name : bro-eth3
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4096
Num Free Slots : 4096

/proc/net/pf_ring/5118-eth1.4
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 7799
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/5221-eth2.5
Appl. Name : snort-cluster-53-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

/proc/net/pf_ring/5324-eth3.6
Appl. Name : snort-cluster-54-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 4098
Num Free Slots : 4098

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1859 supervising syslog-ng
1861 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1971 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!

Sphinx
Checking for process:
1886 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
145G /nsm/elsa/data
36M /var/lib/mysql/syslog
3.0G /var/lib/mysql/syslog_data

ELSA Index Date Range:
MIN(start) MAX(end)
2013-07-15 14:37:51 2015-05-01 18:53:38

autossh
Checking for process:
3985 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50005:localhost:3154

Checking APIKEY:
APIKEY matches server.

starman
Checking for processes:
2162 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2164 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2165 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2166 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2167 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2168 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi

Heine Lysemose

unread,
May 1, 2015, 4:39:37 PM5/1/15
to securit...@googlegroups.com

Hi

I think you should check up on how you are monitoring your traffic. You are not seeing much data on your wire...

Do you monitor the traffic through a SPAN or a TAP?

Regards,
Lysemose
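
Lysemose's reading of the sostat output above (eth2 and eth3 report recvd=0 in the Bro netstats and "Tot Packets : 0" on their pf_ring rings, while only eth1 carries traffic) can be automated. The script below is an added example, not code from this thread or from Security Onion: it parses the "Bro netstats" and "pf_ring stats" sections of `sudo sostat` output and lists the interfaces that captured nothing. The SAMPLE text is a constructed excerpt modelled on the output posted above, and the function names are my own.

```python
"""Spot sensor interfaces that see no traffic, from `sudo sostat` output."""
import re
import sys

# Constructed excerpt modelled on the sostat output posted in this thread.
SAMPLE = """\
=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000

SO-server-eth1-1: 1430506456.210032 recvd=8781 dropped=0 link=8781
SO-server-eth2-1: 1430506456.410026 recvd=0 dropped=0 link=0
SO-server-eth3-1: 1430506456.610079 recvd=0 dropped=0 link=0

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.2 ($Revision: $)
Ring slots : 4096

/proc/net/pf_ring/5010-eth1.2
Appl. Name : bro-eth1
Tot Packets : 8801
Tot Pkt Lost : 0

/proc/net/pf_ring/5221-eth2.5
Appl. Name : snort-cluster-53-socket-0
Tot Packets : 0
Tot Pkt Lost : 0
"""

# Bro worker line: "<sensor>-<iface>-<n>: <timestamp> recvd=N dropped=N link=N"
BRO_RE = re.compile(
    r"^(?P<sensor>\S+?)-(?P<iface>eth\d+)-\d+:\s+\S+\s+"
    r"recvd=(?P<recvd>\d+)\s+dropped=(?P<dropped>\d+)"
)
# pf_ring ring header: "/proc/net/pf_ring/<pid>-<iface>.<ring>"
PFRING_HDR_RE = re.compile(r"^/proc/net/pf_ring/\d+-(?P<iface>\S+?)\.\d+$")


def parse_bro_netstats(text):
    """Return {iface: (recvd, dropped)} for every Bro worker line."""
    stats = {}
    for line in text.splitlines():
        m = BRO_RE.match(line.strip())
        if m:
            stats[m["iface"]] = (int(m["recvd"]), int(m["dropped"]))
    return stats


def parse_pfring(text):
    """Return {app_name: (iface, tot_packets, tot_lost)} for every pf_ring ring block."""
    rings = {}
    iface = app = packets = lost = None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = PFRING_HDR_RE.match(line)
        if hdr:                      # start of a new ring block
            iface, app, packets, lost = hdr["iface"], None, None, None
            continue
        if iface is None:            # global options before the first ring
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Appl. Name":
            app = value
        elif key == "Tot Packets":
            packets = int(value)
        elif key == "Tot Pkt Lost":
            lost = int(value)
        if app is not None and packets is not None and lost is not None:
            rings[app] = (iface, packets, lost)
            iface = None             # block complete; ignore its remaining lines
    return rings


def idle_interfaces(text):
    """Interfaces for which Bro received nothing or a pf_ring ring counted no packets."""
    idle = set()
    for iface, (recvd, _dropped) in parse_bro_netstats(text).items():
        if recvd == 0:
            idle.add(iface)
    for _app, (iface, packets, _lost) in parse_pfring(text).items():
        if packets == 0:
            idle.add(iface)
    return sorted(idle)


def report(text):
    """Warning lines for every idle interface (empty list means all ports see traffic)."""
    return [f"WARNING {iface}: no packets captured; check the SPAN/TAP feeding this port"
            for iface in idle_interfaces(text)]


if __name__ == "__main__":
    # Run on a live sensor with:  sudo sostat | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(text)) or "all monitored interfaces are capturing packets")
```

On the sample this flags eth2 and eth3, which is exactly the situation Lysemose describes: the sensor is healthy (no drops on eth1) but two of its three monitor ports are not being fed any traffic.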

adrian fernandez

unread,
May 4, 2015, 9:27:31 AM5/4/15
to securit...@googlegroups.com
Hey Lysemose,

I am not sure to be honest. The IDS was implemented by another employee of ours that is no longer with us. I do know that this particular IDS was collecting data, but it seems to be rare. After some investigation, I found email alerts for this device on 4/23/15 and 3/27/15. Other than that, the syslogs only show cron jobs. How can I tell if it is through a SPAN or a TAP?

Heine Lysemose

unread,
May 4, 2015, 9:51:22 AM5/4/15
to securit...@googlegroups.com
Hi

Well, I would follow the cable from the sensor's ethernet port and see where it ends...
If it ends in a box before a switch, then you have a TAP; if not, then it is fed from a SPAN port on the switch. You can check the port status either from the web admin interface or from a CLI.

Regards,
Lysemose


adrian fernandez

unread,
May 4, 2015, 11:07:25 AM5/4/15
to securit...@googlegroups.com
Hey Lysemose,

The server should be using a SPAN port. I just found out that the device in question is a backup/DR SO server. Most of their traffic goes through another main server, which seems to explain why I haven't seen any real traffic from it. Is there anything I can do to simulate traffic on it? I want to test the device and make sure that it is functioning correctly.

Heine Lysemose

unread,
May 4, 2015, 11:09:40 AM5/4/15
to securit...@googlegroups.com

Try this, http://m.youtube.com/watch?v=9dloF04GoJM

Regards,
Lysemose


adrian fernandez

unread,
May 4, 2015, 11:30:22 AM5/4/15
to securit...@googlegroups.com
Hey,

I didn't have the pcaps that Doug was referring to in my system, but I was able to use other pcaps stored in /opt/samples. They ran successfully and sent packets, but didn't send actual syslogs out. Anything else I could check to see why it didn't send out?

Heine Lysemose

unread,
May 4, 2015, 3:54:32 PM5/4/15
to securit...@googlegroups.com

Okay, so do any of the built-in interfaces show the alerts that the pcaps should have created? I'm thinking of Sguil, Squert, Snorby or ELSA.

You are talking about syslog data, where do you want them to show up?

Regards,
Lysemose


adrian fernandez

unread,
May 4, 2015, 4:18:55 PM5/4/15
to securit...@googlegroups.com
Hey,

I am trying to send the syslogs to a Kiwi syslog server. Right now, I get syslogs, but only the cron and system info logs, not actual detection logs of any type, for example, "[1:2017968:3] ET INFO Suspicious Possible Process Dump in POST body" or "[1:2002945:10] ET POLICY Java Url Lib User Agent Web Crawl". I am not seeing any of that kind of traffic coming into my syslog server. I guess my main question would be what else can I check to pinpoint the issue?

Heine Lysemose

unread,
May 4, 2015, 4:24:41 PM5/4/15
to securit...@googlegroups.com

So this is probably what you want then, https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration

Regards,
Lysemose


adrian fernandez

unread,
May 5, 2015, 10:15:19 AM5/5/15
to securit...@googlegroups.com
Hey Lysemose,

I am not so concerned with the event logs being sent to the syslog server, since I am receiving logs right now. My main issue is that the server doesn't seem to be sending the right logs, like actual data, such as the ET POLICY rules, etc. Not seeing them at all makes me think that the server is having an issue seeing data at all. Or it can be something else. I guess I am just stuck and do not know where to check. :(
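
The question left open here, whether the collector is getting only host noise or also the Snort alerts described earlier in the thread, can be answered mechanically on the receiving side. The script below is an added example, not code from this thread, from Security Onion or from Kiwi: it classifies received syslog lines into IDS alerts (Snort's "[gid:sid:rev] msg" alert_syslog layout, the format of the two signatures quoted above) versus cron and other system messages, and gives a one-line verdict. SAMPLE_LINES are constructed; the cron lines mirror those posted in the thread, the addresses are RFC 5737 documentation ranges, and the classification strings are made up for illustration.

```python
"""Check whether IDS alerts, not just cron/system noise, reach a syslog collector."""
import re
from collections import Counter

# Constructed sample of lines as a syslog server might store them (see lead-in).
SAMPLE_LINES = [
    "May  4 11:07:01 so-server CRON[14712]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "May  4 11:07:01 so-server CRON[14718]: (root) CMD (find /var/www/capme/pcap/*.pcap -mmin +5 -delete >/dev/null 2>&1)",
    "May  4 11:08:15 so-server snort[5118]: [1:2002945:10] ET POLICY Java Url Lib User Agent Web Crawl "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80",
    "May  4 11:09:02 so-server snort[5118]: [1:2017968:3] ET INFO Suspicious Possible Process Dump in POST body "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:51300 -> 198.51.100.9:443",
    "May  4 11:10:00 so-server sshd[2201]: Accepted publickey for analyst from 192.0.2.50 port 40112 ssh2",
]

# Snort alert_syslog layout: "[gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src -> dst"
# The trailing fields are optional so a bare "[gid:sid:rev] msg" line is still recognised.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<priority>\d+)\])?"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
    r"\s*$"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def classify(line):
    """'ids_alert', 'cron' or 'system' for one received syslog line."""
    if parse_alert(line):
        return "ids_alert"
    if "CRON[" in line or "pam_unix(cron:session)" in line:
        return "cron"
    return "system"


def summarize(lines):
    """Count of lines per category, e.g. {'cron': 2, 'ids_alert': 2, 'system': 1}."""
    return dict(Counter(classify(line) for line in lines))


def alert_signatures(lines):
    """(gid, sid, rev, msg) for every alert line, in order of arrival."""
    sigs = []
    for line in lines:
        a = parse_alert(line)
        if a:
            sigs.append((a["gid"], a["sid"], a["rev"], a["msg"]))
    return sigs


def verdict(lines):
    """One-line diagnosis of what the collector is receiving."""
    counts = summarize(lines)
    if counts.get("ids_alert", 0):
        return f"OK: {counts['ids_alert']} IDS alert line(s) received"
    if counts.get("cron", 0) or counts.get("system", 0):
        return ("syslog transport works (host messages arrive) but no IDS alerts: "
                "check the sensor's alert forwarding")
    return "nothing received: check syslog transport first"


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for gid, sid, rev, msg in alert_signatures(SAMPLE_LINES):
        print(f"[{gid}:{sid}:{rev}] {msg}")
    print(verdict(SAMPLE_LINES))
```

Run against the lines the Kiwi server has actually stored for the sensor (for example by reading its log file instead of SAMPLE_LINES). Only cron and system lines, as in this thread, means the syslog path itself is fine and the gap is on the sensor side: the alerts are never being handed to syslog-ng, which is what the ThirdPartyIntegration wiki page linked above configures.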