Re: [security-onion] Snorby


Doug Burks

Aug 2, 2012, 12:39:43 PM
to securit...@googlegroups.com
Hi Mike,

Are you running the latest version of Security Onion (20120518)?
Update 20120321 fixed all known issues with the Snorby worker
processes:
http://securityonion.blogspot.com/2012/03/security-onion-20120321-now-available.html

Hope that helps!

Thanks,
Doug

On Thu, Aug 2, 2012 at 12:34 PM, Mike landoll <mlan...@gmail.com> wrote:
> On the newly installed SO server Snorby's worker processes can't seem to stay running; any clues as to where I might look to see what is happening with them? When I start the jobs manually they run...



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Aug 2, 2012, 1:44:53 PM
to securit...@googlegroups.com
The 20120321 update installed Snorby 2.5.1. As long as your Snorby
version is 2.5.1, you shouldn't need to re-run update 20120321.
Please send the output of the following:
sudo sostat

Thanks,
Doug

On Thu, Aug 2, 2012 at 1:38 PM, Mike landoll <mlan...@gmail.com> wrote:
> Running 20120518.
> Can I rerun the 20120321 update to correct any issues? Is there a way to see what is actually causing the issue and fix it manually?

Doug Burks

Aug 10, 2012, 4:23:25 AM
to securit...@googlegroups.com
Hi Mike,

Have you tried checking the Snorby log files in the following locations?
/usr/local/share/snorby/log/
/var/log/apache2/

Thanks,
Doug

On Thu, Aug 2, 2012 at 1:50 PM, Mike landoll <mlan...@gmail.com> wrote:
>
> =========================================================================
> Service Status
> =========================================================================
> Status: securityonion
> * sguil server[ OK ]
> Status: SecurityOnion-eth0
> * pcap_agent (sguil)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * snort_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * snort (alert data)[ OK ]
> * barnyard2 (spooler, unified2 format)[ OK ]
> * sancp (session data)[ OK ]
> * pads (asset info)[ OK ]
> * daemonlogger (full packet data)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: SecurityOnion-eth1
> * pcap_agent (sguil)[ OK ]
> * sancp_agent (sguil)[ OK ]
> * snort_agent (sguil)[ OK ]
> * pads_agent (sguil)[ OK ]
> * snort (alert data)[ OK ]
> * barnyard2 (spooler, unified2 format)[ OK ]
> * sancp (session data)[ OK ]
> * pads (asset info)[ OK ]
> * daemonlogger (full packet data)[ OK ]
> * argus[ OK ]
> * http_agent (sguil)[ OK ]
> Status: HIDS
> * ossec_agent (sguil)[ OK ]
> Status: Bro
> Name Type Host Status Pid Peers Started
> manager manager 192.168.0.221 running 23668 3 02 Aug 16:23:04
> proxy-1 proxy 192.168.0.221 running 23705 3 02 Aug 16:23:06
> SecurityOnion-eth0 worker 192.168.0.221 running 23760 2 02 Aug 16:23:08
> SecurityOnion-eth1 worker 192.168.0.221 running 23761 2 02 Aug 16:23:08
>
> =========================================================================
> Interface Status
> =========================================================================
> eth0 Link encap:Ethernet HWaddr 00:15:17:36:15:e6
> inet6 addr: fe80::215:17ff:fe36:15e6/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:883916245 errors:0 dropped:30 overruns:0 frame:0
> TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3598517353 (3.5 GB) TX bytes:1368 (1.3 KB)
> Memory:97a60000-97a80000
>
> eth1 Link encap:Ethernet HWaddr 00:15:17:36:15:e7
> inet6 addr: fe80::215:17ff:fe36:15e7/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:103818193 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2784685175 (2.7 GB) TX bytes:2052 (2.0 KB)
> Memory:97a20000-97a40000
>
> eth2 Link encap:Ethernet HWaddr e4:1f:13:2e:5d:b8
> inet addr:192.168.0.221 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::e61f:13ff:fe2e:5db8/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1796909 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2456790 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:434535162 (434.5 MB) TX bytes:3032252846 (3.0 GB)
> Interrupt:28 Memory:92000000-92012800
>
> eth3 Link encap:Ethernet HWaddr e4:1f:13:2e:5d:ba
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:40 Memory:94000000-94012800
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:5602950 errors:0 dropped:0 overruns:0 frame:0
> TX packets:5602950 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:3302185210 (3.3 GB) TX bytes:3302185210 (3.3 GB)
>
> usb0 Link encap:Ethernet HWaddr e6:1f:13:27:ad:bb
> inet6 addr: fe80::e41f:13ff:fe27:adbb/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:32802 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2135226 (2.1 MB) TX bytes:0 (0.0 B)
>
>
> =========================================================================
> Disk Usage
> =========================================================================
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda1 92G 10G 78G 12% /
> none 7.9G 212K 7.9G 1% /dev
> none 7.9G 124K 7.9G 1% /dev/shm
> none 7.9G 200K 7.9G 1% /var/run
> none 7.9G 0 7.9G 0% /var/lock
> none 7.9G 0 7.9G 0% /lib/init/rw
> /dev/sdb1 669G 21G 615G 4% /nsm
>
> =========================================================================
> Network Sockets
> =========================================================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 1076 root 3u IPv4 4841 0t0 TCP *:22 (LISTEN)
> sshd 1076 root 4u IPv6 4843 0t0 TCP *:22 (LISTEN)
> avahi-dae 1116 avahi 13u IPv4 4970 0t0 UDP *:5353
> avahi-dae 1116 avahi 14u IPv4 4972 0t0 UDP *:35195
> mysqld 1299 mysql 10u IPv4 5336 0t0 TCP 127.0.0.1:3306 (LISTEN)
> mysqld 1299 mysql 65u IPv4 1980831 0t0 TCP 127.0.0.1:3306->127.0.0.1:44083 (ESTABLISHED)
> mysqld 1299 mysql 66u IPv4 1988455 0t0 TCP 127.0.0.1:3306->127.0.0.1:44100 (ESTABLISHED)
> vino-serv 1439 root 16u IPv6 6902 0t0 TCP *:5900 (LISTEN)
> vino-serv 1439 root 18u IPv6 1828194 0t0 TCP 192.168.0.221:5900->192.168.0.234:58446 (ESTABLISHED)
> splunkd 1655 root 4u IPv4 7651 0t0 TCP *:8089 (LISTEN)
> splunkd 1655 root 50r IPv4 2753270 0t0 TCP 127.0.0.1:8089->127.0.0.1:55477 (ESTABLISHED)
> splunkd 1655 root 82u IPv4 49389 0t0 TCP 127.0.0.1:8089->127.0.0.1:50561 (ESTABLISHED)
> python 1954 root 5u IPv4 9475 0t0 TCP *:81 (LISTEN)
> python 1954 root 8u IPv4 2753267 0t0 TCP 192.168.0.221:81->192.168.0.148:58895 (ESTABLISHED)
> python 1954 root 10u IPv4 2753269 0t0 TCP 127.0.0.1:55477->127.0.0.1:8089 (ESTABLISHED)
> cupsd 2438 root 5u IPv6 1186004 0t0 TCP [::1]:631 (LISTEN)
> cupsd 2438 root 6u IPv4 1186005 0t0 TCP 127.0.0.1:631 (LISTEN)
> apache2 2512 root 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 2512 root 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 2512 root 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 2550 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 2550 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 2550 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 2551 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 2551 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 2551 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 2552 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 2552 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 2552 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 2553 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 2553 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 2553 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> ntpd 2974 ntp 16u IPv4 12486 0t0 UDP *:123
> ntpd 2974 ntp 17u IPv6 12487 0t0 UDP *:123
> ntpd 2974 ntp 18u IPv4 12491 0t0 UDP 127.0.0.1:123
> ntpd 2974 ntp 19u IPv4 12492 0t0 UDP 192.168.0.221:123
> ntpd 2974 ntp 20u IPv6 12493 0t0 UDP [::1]:123
> ntpd 2974 ntp 21u IPv6 12494 0t0 UDP [fe80::e61f:13ff:fe2e:5db8]:123
> ntpd 2974 ntp 22u IPv6 12495 0t0 UDP [fe80::e41f:13ff:fe27:adbb]:123
> ntpd 2974 ntp 23u IPv6 12496 0t0 UDP [fe80::215:17ff:fe36:15e6]:123
> ntpd 2974 ntp 24u IPv6 12497 0t0 UDP [fe80::215:17ff:fe36:15e7]:123
> tclsh 18109 root 13u IPv4 979148 0t0 TCP *:7734 (LISTEN)
> tclsh 18109 root 14u IPv4 979149 0t0 TCP *:7736 (LISTEN)
> tclsh 18109 root 15u IPv4 1979766 0t0 TCP 127.0.0.1:7736->127.0.0.1:45269 (ESTABLISHED)
> tclsh 18109 root 16u IPv4 1979967 0t0 TCP 127.0.0.1:7736->127.0.0.1:45270 (ESTABLISHED)
> tclsh 18109 root 17u IPv4 1980200 0t0 TCP 127.0.0.1:7736->127.0.0.1:45275 (ESTABLISHED)
> tclsh 18109 root 18u IPv4 1981745 0t0 TCP 127.0.0.1:7736->127.0.0.1:45282 (ESTABLISHED)
> tclsh 18109 root 19u IPv4 1987203 0t0 TCP 127.0.0.1:7736->127.0.0.1:45288 (ESTABLISHED)
> tclsh 18109 root 20u IPv4 1987212 0t0 TCP 127.0.0.1:7736->127.0.0.1:45289 (ESTABLISHED)
> tclsh 18109 root 21u IPv4 1987435 0t0 TCP 127.0.0.1:7736->127.0.0.1:45291 (ESTABLISHED)
> tclsh 18109 root 22u IPv4 1987628 0t0 TCP 127.0.0.1:7736->127.0.0.1:45292 (ESTABLISHED)
> tclsh 18109 root 23u IPv4 1988994 0t0 TCP 127.0.0.1:7736->127.0.0.1:45298 (ESTABLISHED)
> tclsh 18109 root 24u IPv4 2002332 0t0 TCP 127.0.0.1:7736->127.0.0.1:45301 (ESTABLISHED)
> tclsh 18109 root 25u IPv4 1810484 0t0 TCP 192.168.0.221:7734->192.168.0.220:50968 (ESTABLISHED)
> tclsh 18109 root 26u IPv4 2002532 0t0 TCP 127.0.0.1:7736->127.0.0.1:45302 (ESTABLISHED)
> tclsh 18109 root 27u IPv4 1974366 0t0 TCP 127.0.0.1:7736->127.0.0.1:45238 (ESTABLISHED)
> splunkd 18355 root 14u IPv4 49388 0t0 TCP 127.0.0.1:50561->127.0.0.1:8089 (ESTABLISHED)
> tclsh 20490 root 3u IPv4 1974365 0t0 TCP 127.0.0.1:45238->127.0.0.1:7736 (ESTABLISHED)
> tclsh 21804 root 3u IPv4 1979765 0t0 TCP 127.0.0.1:45269->127.0.0.1:7736 (ESTABLISHED)
> tclsh 21842 root 3u IPv4 1979966 0t0 TCP 127.0.0.1:45270->127.0.0.1:7736 (ESTABLISHED)
> tclsh 21878 root 3u IPv4 1980199 0t0 TCP 127.0.0.1:45275->127.0.0.1:7736 (ESTABLISHED)
> tclsh 21878 root 4u IPv4 1980202 0t0 TCP 127.0.0.1:8000 (LISTEN)
> tclsh 21878 root 6u IPv4 1980827 0t0 TCP 127.0.0.1:8000->127.0.0.1:36157 (ESTABLISHED)
> barnyard2 21963 root 3u IPv4 1980826 0t0 TCP 127.0.0.1:36157->127.0.0.1:8000 (ESTABLISHED)
> barnyard2 21963 root 4u IPv4 1980830 0t0 TCP 127.0.0.1:44083->127.0.0.1:3306 (ESTABLISHED)
> tclsh 22091 root 3u IPv4 1981744 0t0 TCP 127.0.0.1:45282->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22203 root 3u IPv4 1987020 0t0 TCP 127.0.0.1:45288->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22241 root 3u IPv4 1987208 0t0 TCP 127.0.0.1:45289->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22282 root 3u IPv4 1987434 0t0 TCP 127.0.0.1:45291->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22317 root 3u IPv4 1987627 0t0 TCP 127.0.0.1:45292->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22317 root 4u IPv4 1987630 0t0 TCP 127.0.0.1:8001 (LISTEN)
> tclsh 22317 root 6u IPv4 1988451 0t0 TCP 127.0.0.1:8001->127.0.0.1:55683 (ESTABLISHED)
> barnyard2 22419 root 3u IPv4 1988450 0t0 TCP 127.0.0.1:55683->127.0.0.1:8001 (ESTABLISHED)
> barnyard2 22419 root 4u IPv4 1988454 0t0 TCP 127.0.0.1:44100->127.0.0.1:3306 (ESTABLISHED)
> tclsh 22544 root 3u IPv4 1988993 0t0 TCP 127.0.0.1:45298->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22660 root 3u IPv4 2002331 0t0 TCP 127.0.0.1:45301->127.0.0.1:7736 (ESTABLISHED)
> tclsh 22704 root 3u IPv4 2002531 0t0 TCP 127.0.0.1:45302->127.0.0.1:7736 (ESTABLISHED)
> bro 23668 root 4u IPv4 2004254 0t0 UDP 192.168.0.221:54961->192.168.0.10:53
> bro 23669 root 0u IPv4 2004260 0t0 TCP *:47761 (LISTEN)
> bro 23669 root 1u IPv4 2005139 0t0 TCP 192.168.0.221:47761->192.168.0.221:41879 (ESTABLISHED)
> bro 23669 root 2u IPv4 2005323 0t0 TCP 192.168.0.221:47761->192.168.0.221:41881 (ESTABLISHED)
> bro 23669 root 4u IPv4 2004254 0t0 UDP 192.168.0.221:54961->192.168.0.10:53
> bro 23669 root 8u IPv4 2005330 0t0 TCP 192.168.0.221:47761->192.168.0.221:41884 (ESTABLISHED)
> bro 23705 root 4u IPv4 2005135 0t0 UDP 192.168.0.221:55966->192.168.0.10:53
> bro 23706 root 0u IPv4 2005138 0t0 TCP 192.168.0.221:41879->192.168.0.221:47761 (ESTABLISHED)
> bro 23706 root 1u IPv4 2005140 0t0 TCP *:47762 (LISTEN)
> bro 23706 root 2u IPv4 2005324 0t0 TCP 192.168.0.221:47762->192.168.0.221:47027 (ESTABLISHED)
> bro 23706 root 4u IPv4 2005135 0t0 UDP 192.168.0.221:55966->192.168.0.10:53
> bro 23706 root 7u IPv4 2005327 0t0 TCP 192.168.0.221:47762->192.168.0.221:47028 (ESTABLISHED)
> bro 23760 root 4u IPv4 2005310 0t0 UDP 192.168.0.221:47352->192.168.0.10:53
> bro 23761 root 4u IPv4 2005312 0t0 UDP 192.168.0.221:44824->192.168.0.10:53
> bro 23762 root 0u IPv4 2005321 0t0 TCP 192.168.0.221:41881->192.168.0.221:47761 (ESTABLISHED)
> bro 23762 root 1u IPv4 2005322 0t0 TCP 192.168.0.221:47027->192.168.0.221:47762 (ESTABLISHED)
> bro 23762 root 2u IPv4 2005325 0t0 TCP *:47764 (LISTEN)
> bro 23762 root 4u IPv4 2005312 0t0 UDP 192.168.0.221:44824->192.168.0.10:53
> bro 23763 root 0u IPv4 2005326 0t0 TCP 192.168.0.221:47028->192.168.0.221:47762 (ESTABLISHED)
> bro 23763 root 1u IPv4 2005328 0t0 TCP 192.168.0.221:41884->192.168.0.221:47761 (ESTABLISHED)
> bro 23763 root 2u IPv4 2005329 0t0 TCP *:47763 (LISTEN)
> bro 23763 root 4u IPv4 2005310 0t0 UDP 192.168.0.221:47352->192.168.0.10:53
> apache2 31285 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31285 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31285 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> ruby 31445 nobody 10u IPv4 1843006 0t0 TCP 127.0.0.1:40796 (LISTEN)
> apache2 31456 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31456 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31456 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 31532 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31532 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31532 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 31533 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31533 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31533 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 31534 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31534 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31534 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
> apache2 31535 www-data 4u IPv6 9643 0t0 TCP *:443 (LISTEN)
> apache2 31535 www-data 6u IPv6 9647 0t0 TCP *:9876 (LISTEN)
> apache2 31535 www-data 8u IPv6 9654 0t0 TCP *:3000 (LISTEN)
>
> =========================================================================
> IDS Rules Update
> =========================================================================
> Thu Aug 2 07:01:01 UTC 2012
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Running PulledPork.
> http://code.google.com/p/pulledpork/
> _____ ____
> `----,\ )
> `--==\\ / PulledPork v0.5.0 The Drowning Rat
> `--==\\/
> .-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings
> @_/ / 66\_ cumm...@gmail.com
> | \ \ _(")
> \ /-| ||'--' Rules give me wings!
> \_\ \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Checking latest MD5 for emerging.rules.tar.gz....
> No Match
> Done
> Rules tarball download of emerging.rules.tar.gz....
> They Match
> Done!
> Prepping rules from emerging.rules.tar.gz for work....
> Done!
> Reading rules...
> Generating Stub Rules....
> Done
> Reading rules...
> Reading rules...
> Reading rules...
> Processing /etc/pulledpork/enablesid.conf....
> Modified 0 rules
> Done
> Processing /etc/pulledpork/dropsid.conf....
> Modified 0 rules
> Done
> Processing /etc/pulledpork/disablesid.conf....
> Modified 0 rules
> Done
> Modifying Sids....
> Done!
> Setting Flowbit State....
> Enabled 9 flowbits
> Done
> Writing /etc/nsm/rules/downloaded.rules....
> Done
> Writing /etc/nsm/rules/so_rules.rules....
> Done
> Generating sid-msg.map....
> Done
> Writing /etc/snort/sid-msg.map....
> Done
> Writing /var/log/sid_changes.log....
> Done
> Rule Stats....
> New:-------29
> Deleted:---18
> Enabled Rules:----13348
> Dropped Rules:----0
> Disabled Rules:---2609
> Total Rules:------15957
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> Restarting Barnyard2.
> Restarting: SecurityOnion-eth0
> * stopping: barnyard2 (spooler, unified2 format)[ OK ]
> * starting: barnyard2 (spooler, unified2 format)[ OK ]
> Restarting: SecurityOnion-eth1
> * stopping: barnyard2 (spooler, unified2 format)[ OK ]
> * starting: barnyard2 (spooler, unified2 format)[ OK ]
> Restarting IDS Engine.
> Restarting: SecurityOnion-eth0
> * stopping: snort (alert data)[ OK ]
> * starting: snort (alert data)[ OK ]
> Restarting: SecurityOnion-eth1
> * stopping: snort (alert data)[ OK ]
> * starting: snort (alert data)[ OK ]
>
> =========================================================================
> CPU Usage
> =========================================================================
> top - 17:48:04 up 22:36, 2 users, load average: 2.96, 2.82, 2.73
> Tasks: 301 total, 2 running, 299 sleeping, 0 stopped, 0 zombie
> Cpu(s): 19.3%us, 5.9%sy, 2.6%ni, 69.0%id, 2.5%wa, 0.0%hi, 0.7%si, 0.0%s
> Mem: 16516852k total, 8172024k used, 8344828k free, 37744k buffers
> Swap: 23593836k total, 0k used, 23593836k free, 6220404k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 1655 root 20 0 372m 302m 11m S 85 1.9 587:10.90 splunkd
> 18355 root 20 0 38768 19m 9.9m S 32 0.1 319:54.02 splunkd
> 23706 root 25 5 27272 14m 488 S 10 0.1 6:24.57 bro
> 21928 sguil 20 0 519m 282m 134m S 8 1.8 7:46.74 snort
> 23669 root 25 5 27264 14m 488 S 8 0.1 6:27.60 bro
> 23760 root 20 0 44232 37m 9.9m S 8 0.2 6:59.22 bro
> 23761 root 20 0 83200 75m 9.9m S 8 0.5 7:56.61 bro
> 23668 root 20 0 22624 15m 3444 S 6 0.1 4:45.67 bro
> 23705 root 20 0 23548 16m 3436 S 6 0.1 4:43.08 bro
> 23762 root 25 5 29296 17m 4560 S 6 0.1 5:42.08 bro
> 23763 root 25 5 29292 17m 4552 S 6 0.1 5:43.52 bro
> 448 root 20 0 0 0 0 S 2 0.0 3:19.97 flush-8:16
> 1954 root 20 0 220m 36m 4692 S 2 0.2 5:59.73 python
> 22109 sguil 20 0 6200 5032 4828 S 2 0.0 1:05.15 daemonlogger
> 22371 sguil 20 0 522m 304m 134m S 2 1.9 7:08.14 snort
> 22506 sguil 20 0 7716 6444 5012 S 2 0.0 0:38.69 pads
> 22621 sguil 20 0 35936 11m 3188 S 2 0.1 0:56.38 argus
> 1 root 20 0 2888 1800 1240 S 0 0.0 0:01.36 init
> 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
> 3 root RT 0 0 0 0 S 0 0.0 0:00.04 migration/0
> 4 root 20 0 0 0 0 S 0 0.0 0:03.16 ksoftirqd/0
> 5 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
> 6 root RT 0 0 0 0 S 0 0.0 0:00.07 migration/1
> 7 root 20 0 0 0 0 S 0 0.0 0:01.01 ksoftirqd/1
> 8 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
> 9 root RT 0 0 0 0 S 0 0.0 0:00.07 migration/2
> 10 root 20 0 0 0 0 S 0 0.0 0:00.94 ksoftirqd/2
> 11 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/2
> 12 root RT 0 0 0 0 S 0 0.0 0:00.05 migration/3
> 13 root 20 0 0 0 0 S 0 0.0 0:00.84 ksoftirqd/3
> 14 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/3
> 15 root RT 0 0 0 0 S 0 0.0 0:00.04 migration/4
> 16 root 20 0 0 0 0 S 0 0.0 0:00.83 ksoftirqd/4
> 17 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/4
> 18 root RT 0 0 0 0 S 0 0.0 0:00.07 migration/5
> 19 root 20 0 0 0 0 S 0 0.0 0:01.12 ksoftirqd/5
> 20 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/5
> 21 root RT 0 0 0 0 S 0 0.0 0:00.08 migration/6
> 22 root 20 0 0 0 0 S 0 0.0 0:00.84 ksoftirqd/6
> 23 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/6
> 24 root RT 0 0 0 0 S 0 0.0 0:00.06 migration/7
> 25 root 20 0 0 0 0 S 0 0.0 0:00.89 ksoftirqd/7
> 26 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/7
> 27 root 20 0 0 0 0 S 0 0.0 0:01.64 events/0
> 28 root 20 0 0 0 0 S 0 0.0 0:00.24 events/1
> 29 root 20 0 0 0 0 S 0 0.0 0:01.50 events/2
> 30 root 20 0 0 0 0 S 0 0.0 0:00.23 events/3
> 31 root 20 0 0 0 0 S 0 0.0 0:00.26 events/4
> 32 root 20 0 0 0 0 S 0 0.0 0:00.25 events/5
> 33 root 20 0 0 0 0 S 0 0.0 0:00.26 events/6
> 34 root 20 0 0 0 0 S 0 0.0 0:00.27 events/7
> 35 root 20 0 0 0 0 S 0 0.0 0:00.00 cpuset
> 36 root 20 0 0 0 0 S 0 0.0 0:00.00 khelper
> 37 root 20 0 0 0 0 S 0 0.0 0:00.00 netns
> 38 root 20 0 0 0 0 S 0 0.0 0:00.00 async/mgr
> 39 root 20 0 0 0 0 S 0 0.0 0:00.00 pm
> 41 root 20 0 0 0 0 S 0 0.0 0:00.04 sync_supers
> 42 root 20 0 0 0 0 S 0 0.0 0:00.06 bdi-default
> 43 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/0
> 44 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/1
> 45 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/2
> 46 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/3
> 47 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/4
> 48 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/5
> 49 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/6
> 50 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/7
> 51 root 20 0 0 0 0 S 0 0.0 0:00.58 kblockd/0
> 52 root 20 0 0 0 0 S 0 0.0 0:00.24 kblockd/1
> 53 root 20 0 0 0 0 S 0 0.0 0:00.21 kblockd/2
> 54 root 20 0 0 0 0 S 0 0.0 0:00.21 kblockd/3
> 55 root 20 0 0 0 0 S 0 0.0 0:00.51 kblockd/4
> 56 root 20 0 0 0 0 S 0 0.0 0:00.39 kblockd/5
> 57 root 20 0 0 0 0 S 0 0.0 0:00.64 kblockd/6
> 58 root 20 0 0 0 0 S 0 0.0 0:00.62 kblockd/7
> 59 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpid
> 60 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpi_notify
> 61 root 20 0 0 0 0 S 0 0.0 0:00.00 kacpi_hotplug
> 62 root 20 0 0 0 0 S 0 0.0 0:00.77 ata/0
> 63 root 20 0 0 0 0 S 0 0.0 0:00.47 ata/1
> 64 root 20 0 0 0 0 S 0 0.0 0:00.36 ata/2
> 65 root 20 0 0 0 0 S 0 0.0 0:01.96 ata/3
> 66 root 20 0 0 0 0 S 0 0.0 0:02.86 ata/4
> 67 root 20 0 0 0 0 S 0 0.0 0:01.92 ata/5
> 68 root 20 0 0 0 0 S 0 0.0 0:01.49 ata/6
> 69 root 20 0 0 0 0 S 0 0.0 0:06.90 ata/7
> 70 root 20 0 0 0 0 S 0 0.0 0:00.00 ata_aux
> 71 root 20 0 0 0 0 S 0 0.0 0:00.00 ksuspend_usbd
> 72 root 20 0 0 0 0 S 0 0.0 0:00.00 khubd
> 73 root 20 0 0 0 0 S 0 0.0 0:00.00 kseriod
> 74 root 20 0 0 0 0 S 0 0.0 0:00.00 kmmcd
> 83 root 20 0 0 0 0 S 0 0.0 0:00.03 khungtaskd
> 84 root 20 0 0 0 0 S 0 0.0 1:01.53 kswapd0
> 85 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
> 86 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/0
> 87 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/1
> 88 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/2
> 89 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/3
> 90 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/4
> 91 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/5
> 92 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/6
> 93 root 20 0 0 0 0 S 0 0.0 0:00.00 aio/7
> 94 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
> 95 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/0
> 96 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/1
> 97 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/2
> 98 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/3
> 99 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/4
> 100 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/5
> 101 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/6
> 102 root 20 0 0 0 0 S 0 0.0 0:00.00 crypto/7
> 106 root 20 0 0 0 0 S 0 0.0 0:31.84 scsi_eh_0
> 107 root 20 0 0 0 0 S 0 0.0 0:00.01 scsi_eh_1
> 110 root 20 0 0 0 0 S 0 0.0 0:00.02 scsi_eh_2
> 111 root 20 0 0 0 0 S 0 0.0 0:00.02 scsi_eh_3
> 114 root 20 0 0 0 0 S 0 0.0 0:00.00 kstriped
> 115 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/0
> 116 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/1
> 117 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/2
> 118 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/3
> 119 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/4
> 120 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/5
> 121 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/6
> 122 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpathd/7
> 123 root 20 0 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
> 124 root 20 0 0 0 0 S 0 0.0 0:00.00 ksnapd
> 125 root 20 0 0 0 0 S 0 0.0 0:14.55 kondemand/0
> 126 root 20 0 0 0 0 S 0 0.0 0:15.11 kondemand/1
> 127 root 20 0 0 0 0 S 0 0.0 0:11.64 kondemand/2
> 128 root 20 0 0 0 0 S 0 0.0 0:10.30 kondemand/3
> 129 root 20 0 0 0 0 S 0 0.0 0:13.43 kondemand/4
> 130 root 20 0 0 0 0 S 0 0.0 0:13.56 kondemand/5
> 131 root 20 0 0 0 0 R 0 0.0 0:12.05 kondemand/6
> 132 root 20 0 0 0 0 S 0 0.0 0:10.24 kondemand/7
> 133 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/0
> 134 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/1
> 135 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/2
> 136 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/3
> 137 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/4
> 138 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/5
> 139 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/6
> 140 root 20 0 0 0 0 S 0 0.0 0:00.00 kconservative/7
> 313 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_4
> 406 root 20 0 0 0 0 S 0 0.0 0:19.20 jbd2/sda1-8
> 407 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 408 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 409 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 410 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 411 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 412 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 413 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 414 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 449 root 20 0 0 0 0 S 0 0.0 0:24.94 flush-8:0
> 475 root 20 0 2312 900 668 S 0 0.0 0:00.04 upstart-udev-br
> 478 root 16 -4 2556 956 324 S 0 0.0 0:00.03 udevd
> 858 root 18 -2 2660 988 352 S 0 0.0 0:00.01 udevd
> 860 root 18 -2 2660 988 352 S 0 0.0 0:00.00 udevd
> 982 root 20 0 0 0 0 S 0 0.0 0:18.33 jbd2/sdb1-8
> 983 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 984 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 986 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 987 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 988 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 990 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 992 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 993 root 20 0 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
> 1076 root 20 0 5548 2132 1716 S 0 0.0 0:00.06 sshd
> 1097 messageb 20 0 3144 1460 792 S 0 0.0 0:00.14 dbus-daemon
> 1109 root 20 0 18784 3276 2700 S 0 0.0 0:00.36 gdm-binary
> 1116 avahi 20 0 3072 1624 1312 S 0 0.0 0:00.36 avahi-daemon
> 1117 root 20 0 19004 3964 3292 S 0 0.0 0:00.06 NetworkManager
> 1119 avahi 20 0 2924 544 316 S 0 0.0 0:00.00 avahi-daemon
> 1134 root 20 0 4168 2292 1860 S 0 0.0 0:00.01 modem-manager
> 1136 root 20 0 20560 3164 2264 S 0 0.0 0:00.04 console-kit-dae
> 1202 root 20 0 20504 3780 2984 S 0 0.0 0:00.01 gdm-simple-slav
> 1236 root 20 0 1788 564 484 S 0 0.0 0:00.00 getty
> 1240 root 20 0 1788 572 488 S 0 0.0 0:00.00 getty
> 1248 root 20 0 1788 568 488 S 0 0.0 0:00.00 getty
> 1249 root 20 0 1788 564 488 S 0 0.0 0:00.00 getty
> 1254 root 20 0 1788 572 488 S 0 0.0 0:00.00 getty
> 1266 root 20 0 2824 588 468 S 0 0.0 0:04.81 irqbalance
> 1269 root 20 0 2044 856 504 S 0 0.0 0:00.00 acpid
> 1286 daemon 20 0 2244 432 292 S 0 0.0 0:00.00 atd
> 1299 mysql 20 0 157m 60m 6848 S 0 0.4 10:54.19 mysqld
> 1340 root 20 0 54664 21m 9536 S 0 0.1 649:48.98 Xorg
> 1352 root 20 0 4836 1736 1468 S 0 0.0 0:00.00 wpa_supplicant
> 1439 root 20 0 31504 11m 8876 S 0 0.1 0:45.69 vino-server
> 1450 root 20 0 3380 776 512 S 0 0.0 0:00.00 dbus-launch
> 1451 root 20 0 2660 900 672 S 0 0.0 0:00.00 dbus-daemon
> 1453 root 20 0 4932 2992 2108 S 0 0.0 0:00.14 gconfd-2
> 1457 gdm 20 0 3380 776 512 S 0 0.0 0:00.00 dbus-launch
> 1480 root 20 0 20856 3568 2816 S 0 0.0 0:00.05 gdm-session-wor
> 1483 haldaemo 20 0 16496 4132 3328 S 0 0.0 0:00.43 hald
> 1484 root 20 0 3532 1284 1076 S 0 0.0 0:00.00 hald-runner
> 1508 root 20 0 3608 1224 1052 S 0 0.0 0:00.00 hald-addon-inpu
> 1521 root 20 0 3612 1236 1056 S 0 0.0 0:18.02 hald-addon-stor
> 1522 root 20 0 3620 1224 1048 S 0 0.0 0:00.00 hald-addon-cpuf
> 1523 haldaemo 20 0 3416 1176 1000 S 0 0.0 0:00.00 hald-addon-acpi
> 1656 root 20 0 23192 2096 992 S 0 0.0 0:06.02 splunkd
> 2438 root 20 0 6696 2552 1912 S 0 0.0 0:00.01 cupsd
> 2512 root 20 0 39708 9020 5284 S 0 0.1 0:01.00 apache2
> 2515 root 20 0 5396 1760 1532 S 0 0.0 0:00.00 PassengerWatchd
> 2518 root 20 0 16604 2376 1876 S 0 0.0 0:04.02 PassengerHelper
> 2525 root 20 0 11012 7672 2288 S 0 0.0 0:27.24 ruby
> 2530 nobody 20 0 9576 3132 2576 S 0 0.0 0:00.10 PassengerLoggin
> 2550 www-data 20 0 39896 6268 2284 S 0 0.0 0:00.06 apache2
> 2551 www-data 20 0 41024 7196 2288 S 0 0.0 0:00.09 apache2
> 2552 www-data 20 0 39888 6028 2040 S 0 0.0 0:00.03 apache2
> 2553 www-data 20 0 41032 7176 2272 S 0 0.0 0:00.04 apache2
> 2569 root 20 0 1788 568 488 S 0 0.0 0:00.00 getty
> 2974 ntp 20 0 4420 1368 1028 S 0 0.0 0:01.48 ntpd
> 3016 root 20 0 30656 10m 8220 S 0 0.1 0:00.64 notify-osd
> 3018 root 20 0 4940 2140 1840 S 0 0.0 0:00.00 gvfsd
> 3060 root 20 0 2372 900 708 S 0 0.0 0:00.01 cron
> 3061 mike 20 0 23980 2512 2064 S 0 0.0 0:00.01 gnome-keyring-d
> 3079 mike 20 0 1828 568 488 S 0 0.0 0:00.00 sh
> 3108 mike 20 0 3280 356 144 S 0 0.0 0:00.07 ssh-agent
> 3111 mike 20 0 3380 764 504 S 0 0.0 0:00.00 dbus-launch
> 3112 mike 20 0 2912 1108 680 S 0 0.0 0:00.08 dbus-daemon
> 3121 mike 20 0 5540 3252 1968 S 0 0.0 0:01.68 xscreensaver
> 3125 mike 20 0 26692 7280 5548 S 0 0.0 0:00.57 xfce4-session
> 3127 mike 20 0 3852 1988 1692 S 0 0.0 0:00.02 xfconfd
> 3133 mike 20 0 6500 3136 2216 S 0 0.0 0:00.17 gconfd-2
> 3135 mike 20 0 19408 9216 7612 S 0 0.1 0:01.46 xfwm4
> 3136 mike 20 0 16480 3288 2256 S 0 0.0 0:00.00 xfsettingsd
> 3137 mike 20 0 77364 15m 11m S 0 0.1 0:09.20 Thunar
> 3139 mike 20 0 3216 1508 1104 S 0 0.0 0:00.34 gam_server
> 3140 mike 20 0 33232 11m 9112 S 0 0.1 0:05.18 xfce4-panel
> 3141 mike 20 0 72776 16m 12m S 0 0.1 0:03.23 xfdesktop
> 3144 mike 20 0 17308 3436 2268 S 0 0.0 0:00.02 xfce4-power-man
> 3145 mike 20 0 19368 4432 2704 S 0 0.0 0:00.47 xfce4-settings-
> 3150 mike 20 0 42704 13m 9568 S 0 0.1 0:04.39 xfce4-menu-plug
> 3151 mike 20 0 32240 10m 8480 S 0 0.1 0:00.54 xfce4-places-pl
> 3153 mike 20 0 6508 2272 1892 S 0 0.0 0:00.01 gvfsd
> 3156 mike 20 0 178m 10m 8236 S 0 0.1 0:00.05 xfce4-mixer-plu
> 3160 mike 9 -11 84728 3376 2544 S 0 0.0 0:00.01 pulseaudio
> 3162 rtkit 21 1 23928 1224 1016 S 0 0.0 0:00.33 rtkit-daemon
> 3167 root 20 0 6176 3716 2956 S 0 0.0 0:00.03 polkitd
> 3178 mike 20 0 45348 12m 9748 S 0 0.1 0:00.27 nm-applet
> 3188 mike 20 0 18292 5992 4880 S 0 0.0 0:00.01 polkit-gnome-au
> 3190 mike 20 0 32596 10m 8568 S 0 0.1 0:00.58 notify-osd
> 3196 mike 20 0 166m 6004 4304 S 0 0.0 0:00.02 xfce4-volumed
> 3202 mike 20 0 32896 11m 9184 S 0 0.1 0:00.81 update-notifier
> 3204 mike 20 0 31372 14m 8676 S 0 0.1 0:00.11 python
> 3212 root 20 0 5320 2828 2340 S 0 0.0 0:00.05 udisks-daemon
> 3213 root 20 0 5184 864 592 S 0 0.0 0:07.56 udisks-daemon
> 8583 root 20 0 5464 2336 928 S 0 0.0 0:00.25 screen
> 8717 root 20 0 4592 1892 1472 S 0 0.0 0:00.00 bash
> 13639 syslog 20 0 34412 1416 1056 S 0 0.0 0:00.28 rsyslogd
> 13731 ossec 20 0 3136 1744 680 S 0 0.0 0:04.82 ossec-analysisd
> 13735 root 20 0 1956 496 380 S 0 0.0 0:00.68 ossec-logcollec
> 13848 root 20 0 3008 1864 612 S 0 0.0 0:27.74 ossec-syscheckd
> 13852 ossec 20 0 2236 756 504 S 0 0.0 0:00.03 ossec-monitord
> 15450 mike 20 0 40988 10m 8940 S 0 0.1 0:00.09 xfce4-terminal
> 15451 mike 20 0 1984 712 588 S 0 0.0 0:00.00 gnome-pty-helpe
> 15452 mike 20 0 6128 3508 1552 S 0 0.0 0:00.15 bash
> 15485 root 20 0 4216 1368 1168 S 0 0.0 0:00.01 sostat
> 15810 root 20 0 2676 1192 808 R 0 0.0 0:00.00 top
> 17562 www-data 20 0 69060 54m 2692 S 0 0.3 1:16.98 ruby
> 18109 root 20 0 99684 93m 3312 S 0 0.6 6:21.52 tclsh
> 18125 root 20 0 8764 2948 1088 S 0 0.0 0:02.03 tclsh
> 18126 root 20 0 8764 2612 772 S 0 0.0 0:00.00 tclsh
> 18356 root 20 0 23712 2552 872 S 0 0.0 0:00.00 splunkd
> 20490 root 20 0 7036 4488 2404 S 0 0.0 0:00.07 tclsh
> 20491 root 20 0 3256 672 576 S 0 0.0 0:00.04 tail
> 21804 root 20 0 6488 4312 2648 S 0 0.0 0:00.07 tclsh
> 21842 root 20 0 6600 4252 2660 S 0 0.0 0:03.48 tclsh
> 21878 root 20 0 6064 3808 2656 S 0 0.0 0:00.11 tclsh
> 21880 root 20 0 3256 672 576 S 0 0.0 0:00.04 tail
> 21963 root 20 0 11520 5988 1776 S 0 0.0 0:02.21 barnyard2
> 22006 sguil 20 0 8380 6184 5180 S 0 0.0 0:40.36 sancp
> 22054 sguil 20 0 7852 6660 5008 S 0 0.0 1:01.52 pads
> 22091 root 20 0 5788 3556 2636 S 0 0.0 0:01.86 tclsh
> 22093 root 20 0 3252 640 536 S 0 0.0 0:00.11 cat
> 22163 sguil 20 0 34304 9.8m 3188 S 0 0.1 1:08.37 argus
> 22203 root 20 0 6080 3840 2644 S 0 0.0 0:23.37 tclsh
> 22241 root 20 0 6084 3828 2648 S 0 0.0 0:00.05 tclsh
> 22244 root 20 0 3260 740 636 S 0 0.0 0:00.07 tail
> 22282 root 20 0 6600 4252 2660 S 0 0.0 0:05.84 tclsh
> 22317 root 20 0 6064 3804 2656 S 0 0.0 0:00.29 tclsh
> 22319 root 20 0 3256 676 576 S 0 0.0 0:00.04 tail
> 22419 root 20 0 11604 6000 1780 S 0 0.0 0:02.65 barnyard2
> 22462 sguil 20 0 9172 6984 5180 S 0 0.0 0:35.16 sancp
> 22544 root 20 0 5788 3560 2636 S 0 0.0 0:01.89 tclsh
> 22546 root 20 0 3252 632 536 S 0 0.0 0:00.11 cat
> 22571 sguil 20 0 2232 1072 872 S 0 0.0 1:44.86 daemonlogger
> 22660 root 20 0 6196 3920 2644 S 0 0.0 2:13.82 tclsh
> 22666 root 20 0 3260 736 636 S 0 0.0 0:00.13 tail
> 22704 root 20 0 7036 4484 2404 S 0 0.0 0:00.06 tclsh
> 22705 root 20 0 3256 672 576 S 0 0.0 0:00.04 tail
> 23652 root 20 0 4232 1408 1192 S 0 0.0 0:00.00 bash
> 23694 root 20 0 4232 1412 1192 S 0 0.0 0:00.00 bash
> 23736 root 20 0 4232 1408 1192 S 0 0.0 0:00.00 bash
> 23738 root 20 0 4232 1408 1192 S 0 0.0 0:00.00 bash
> 31285 www-data 20 0 39884 6124 2116 S 0 0.0 0:00.01 apache2
> 31445 nobody 20 0 71044 58m 3308 S 0 0.4 0:04.43 ruby
> 31456 www-data 20 0 39884 5344 1384 S 0 0.0 0:00.00 apache2
> 31532 www-data 20 0 39888 5492 1528 S 0 0.0 0:00.01 apache2
> 31533 www-data 20 0 40996 7084 2272 S 0 0.0 0:00.02 apache2
> 31534 www-data 20 0 40876 6848 2248 S 0 0.0 0:00.01 apache2
> 31535 www-data 20 0 39888 5492 1528 S 0 0.0 0:00.01 apache2
> 32529 nobody 20 0 69580 56m 2692 S 0 0.3 0:08.64 ruby
>
>
> =========================================================================
> Log Archive
> =========================================================================
> /nsm/sensor_data/SecurityOnion-eth0/dailylogs/
> 7.2G .
> 7.2G ./2012-08-02
>
> /nsm/sensor_data/SecurityOnion-eth1/dailylogs/
> 11G .
> 11G ./2012-08-02
>
> /nsm/bro/logs/
> 438M .
> 20M ./2012-07-27
> 43M ./2012-07-28
> 49M ./2012-07-29
> 91M ./2012-07-30
> 82M ./2012-07-31
> 90M ./2012-08-01
> 57M ./2012-08-02
> 8.5M ./stats
>
> =========================================================================
> IDS Engine (snort) packet drops
> =========================================================================
> /nsm/sensor_data/SecurityOnion-eth0/snort.stats last reported pkt_drop_percent as 0.000
> /nsm/sensor_data/SecurityOnion-eth1/snort.stats last reported pkt_drop_percent as 0.000
>
> =========================================================================
> Sguil Uncategorized Events
> =========================================================================
> COUNT(*)
> 12511
>
> =========================================================================
> Snorby Events Summary for yesterday
> =========================================================================
> Totals SignatureID SignatureName
> 1831 1390 GPL SHELLCODE x86 inc ebx NOOP
> 1624 653 GPL SHELLCODE x86 0x90 unicode NOOP
> 1346 2102314 GPL SHELLCODE x86 0x90 NOOP unicode
> 592 2009702 ET POLICY DNS Update From External net
> 515 2009375 ET CHAT General MSN Chat Activity
> 512 2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
> 297 2100538 GPL NETBIOS SMB IPC$ unicode share access
> 257 2010935 ET POLICY Suspicious inbound to MSSQL port 1433
> 173 2010785 ET CHAT Facebook Chat (buddy list)
> 164 2101411 GPL SNMP public access udp
> 132 2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
> 98 2012647 ET POLICY Dropbox.com Offsite File Backup in Use
> 80 2001330 ET POLICY RDP connection confirm
> 79 651 GPL SHELLCODE x86 stealth NOOP
> 73 2001805 ET POLICY ICQ Message
> 73 2452 GPL CHAT Yahoo IM ping
> 60 2011124 ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
> 54 937 GPL WEB_SERVER _vti_rpc access
> 43 2003479 ET POLICY Radmin Remote Control Session Setup Initiate
> 41 2001329 ET POLICY RDP connection request
> 38 2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
> 34 2101633 GPL CHAT AIM receive message
> 32 1424 GPL SHELLCODE x86 0xEB0C NOOP
> 31 648 GPL SHELLCODE x86 NOOP
> 22 2002192 ET CHAT MSN status change
> 20 2014997 ET POLICY Pandora Usage
> 11 2014827 ET CURRENT_EVENTS FedEX Spam Inbound
> 10 2008597 ET SCAN Cisco Torch SNMP Scan
> 9 2011979 ET CURRENT_EVENTS FedEX Spam Inbound
> 6 2015483 ET INFO Java .jar request to dotted-quad domain
> 4 2001569 ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection
> 4 2011738 ET GAMES TeamSpeak2 Standard/Login Part 2
> 4 2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
> 3 2001583 ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection
> 3 1201 GPL WEB_SERVER 403 Forbidden
> 2 2012078 ET POLICY Windows-Based OpenSSL Tunnel Outbound
> 2 2001682 ET CHAT MSN IM Poll via HTTP
> 2 2101990 GPL CHAT MSN user search
> 2 2002878 ET POLICY iTunes User Agent
> 2 2011409 ET DNS DNS Query for Suspicious .co.cc Domain
> 2 2002823 ET POLICY POSSIBLE Web Crawl using Wget
> 2 100000230 GPL CHAT MISC Jabber/Google Talk Outgoing Traffic
> 2 2012889 ET POLICY Http Client Body contains pw= in cleartext
> 2 2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
> 2 2012090 ET SHELLCODE Possible Call with No Offset TCP Shellcode
> 2 2000334 ET P2P BitTorrent peer sync
> 1 2006380 ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
> 1 2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
> 1 2406198 ET RBN Known Russian Business Network IP TCP (100)
> 1 2406378 ET RBN Known Russian Business Network IP TCP (190)
> 1 2406197 ET RBN Known Russian Business Network IP UDP (99)
> 1 2010819 ET CHAT Facebook Chat using XMPP
> 1 2003287 ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)
> 1 2406485 ET RBN Known Russian Business Network IP UDP (243)
> 1 2011582 ET POLICY Vulnerable Java Version 1.6.x Detected
> 1 2500062 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (32)
> 1 2014819 ET INFO Packed Executable Download
> 1 2500030 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (16)
> 1 2001795 ET DOS Excessive SMTP MAIL-FROM DDoS
> Total
> 8310
>
> =========================================================================
> Top 50 All Time Snorby Events
> =========================================================================
> Totals SignatureID SignatureName
> 23485 1390 GPL SHELLCODE x86 inc ebx NOOP
> 12254 653 GPL SHELLCODE x86 0x90 unicode NOOP
> 9520 2102314 GPL SHELLCODE x86 0x90 NOOP unicode
> 4209 2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
> 2672 2002911 ET SCAN Potential VNC Scan 5900-5920
> 1698 2009702 ET POLICY DNS Update From External net
> 1584 651 GPL SHELLCODE x86 stealth NOOP
> 1502 2012088 ET SHELLCODE Possible Call with No Offset TCP Shellcode
> 1481 2100538 GPL NETBIOS SMB IPC$ unicode share access
> 1372 2010935 ET POLICY Suspicious inbound to MSSQL port 1433
> 1352 2102466 GPL NETBIOS SMB-DS IPC$ unicode share access
> 1090 2002910 ET SCAN Potential VNC Scan 5800-5820
> 911 2101418 GPL SNMP request tcp
> 668 2010785 ET CHAT Facebook Chat (buddy list)
> 587 2003068 ET SCAN Potential SSH Scan OUTBOUND
> 587 2001219 ET SCAN Potential SSH Scan
> 520 2000488 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment
> 515 2009375 ET CHAT General MSN Chat Activity
> 475 2012647 ET POLICY Dropbox.com Offsite File Backup in Use
> 432 648 GPL SHELLCODE x86 NOOP
> 414 2003479 ET POLICY Radmin Remote Control Session Setup Initiate
> 347 2452 GPL CHAT Yahoo IM ping
> 326 2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
> 232 2103003 GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
> 206 2001805 ET POLICY ICQ Message
> 196 2014384 ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
> 190 1424 GPL SHELLCODE x86 0xEB0C NOOP
> 169 2100687 GPL EXPLOIT xp_cmdshell - program execution
> 164 2001330 ET POLICY RDP connection confirm
> 164 2101411 GPL SNMP public access udp
> 131 2014997 ET POLICY Pandora Usage
> 118 2101633 GPL CHAT AIM receive message
> 114 2002192 ET CHAT MSN status change
> 102 2011124 ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
> 90 2014726 ET POLICY Outdated Windows Flash Version IE
> 82 2001329 ET POLICY RDP connection request
> 70 937 GPL WEB_SERVER _vti_rpc access
> 67 2100540 GPL CHAT MSN message
> 56 2009832 ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND
> 49 2010939 ET POLICY Suspicious inbound to PostgreSQL port 5432
> 45 2010937 ET POLICY Suspicious inbound to mySQL port 3306
> 45 2010936 ET POLICY Suspicious inbound to Oracle SQL port 1521
> 28 2101759 GPL EXPLOIT xp_cmdshell program execution 445
> 27 2010781 ET POLICY PsExec service created
> 21 2001581 ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection
> 21 2000334 ET P2P BitTorrent peer sync
> 21 2014828 ET CURRENT_EVENTS UPS Spam Inbound
> 20 2100368 GPL ICMP_INFO PING BSDtype
> 20 2100366 GPL ICMP_INFO PING *NIX
> 20 2100480 GPL ICMP_INFO PING speedera
> Total
> 70872

Mike landoll

unread,
Aug 10, 2012, 10:10:49 AM8/10/12
to securit...@googlegroups.com
In the /usr/local/share/snorby/log/production.log (production is the name of the management interface) I am seeing a "permission denied - /usr/local/share/snorby/log/delayed_job.log".
nobody owns the file, and everyone has full permissions on the file.
The only other error entries are in /var/log/apache2/snorby_error.log, complaining about the name not matching the RSA cert.

--


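A "permission denied" on delayed_job.log is usually a mismatch between the account the worker process actually runs as and the ownership/mode of the file it opens. The sostat output above shows ruby processes running as both www-data and nobody, so the check worth doing is from the worker account's point of view, not from root's. The quickest test on the box itself is `sudo -u nobody test -w /usr/local/share/snorby/log/delayed_job.log; echo $?` (substitute whichever account the worker runs as). The script below is an added example, not Security Onion or Snorby code: it resolves a worker account to its uid and supplementary groups, then applies the POSIX discretionary-access rule to each Snorby log path and reports whether that account could write it. The log directory path comes from the thread; the worker account name `nobody` is an assumption drawn from the process list. It models only mode bits (no POSIX ACLs or AppArmor), so if it says writable and the worker still fails, check `getfacl` and the MAC logs next.

```python
"""Check whether the user a Snorby delayed_job worker runs as can write its log files.

Added example (not Security Onion or Snorby code). SNORBY_LOG_DIR is the path
named in the thread; WORKER_USER is an assumption taken from the sostat output,
where the ruby processes run as 'nobody' and 'www-data'.
"""
import grp
import os
import pwd
import stat

SNORBY_LOG_DIR = "/usr/local/share/snorby/log"  # from the thread
WORKER_USER = "nobody"  # assumed: the account the worker ruby process runs as


def can_write(st_uid, st_gid, st_mode, uid, gids):
    """POSIX discretionary access check for the write bit.

    Mirrors the kernel's class selection: root bypasses DAC; otherwise the
    owner class applies if uid matches (even when the owner bits deny and the
    group or other bits would allow), then the group class, then 'other'.
    """
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def user_ids(username):
    """Resolve a login name to (uid, set of gids) including supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def audit(paths, uid, gids):
    """Return {path: (owner_uid, mode_octal, writable)} for each path.

    A path that does not exist is reported as (None, None, None): the worker
    would then need write access to the parent directory to create it.
    """
    report = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            report[p] = (None, None, None)
            continue
        mode = stat.S_IMODE(st.st_mode)
        report[p] = (st.st_uid, oct(mode),
                     can_write(st.st_uid, st.st_gid, mode, uid, gids))
    return report


if __name__ == "__main__":
    uid, gids = user_ids(WORKER_USER)
    targets = [SNORBY_LOG_DIR] + [
        os.path.join(SNORBY_LOG_DIR, f)
        for f in ("production.log", "delayed_job.log")
    ]
    for path, (owner, mode, writable) in audit(targets, uid, gids).items():
        print(f"{path}: owner={owner} mode={mode} "
              f"writable_by_{WORKER_USER}={writable}")
```

Run it as root on the sensor so that every path can be stat'ed; the directory is included because the worker needs write access there to rotate or recreate its log. If the owner of delayed_job.log is not the worker's uid and the file is not group- or world-writable for that account, the fix is to chown the log to the worker account (or run the worker as the file's owner), not to loosen the mode to 777.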

Dustin Webber

unread,
Aug 13, 2012, 4:29:25 PM8/13/12
to securit...@googlegroups.com
Mike,

What errors is it throwing? Also, if it's related to DNS it's likely your environment. What do you mean by `muck things up`? From what I remember Snorby is independent of all the other tools, simply not using it will fix your issue.

However, since this is OSS and Snorby as well; let's get some logs and details on the error. Let's kick it vs ignoring or removing.

- Dustin

On Aug 13, 2012, at 4:20 PM, Mike landoll <mlan...@gmail.com> wrote:

throwing errors when doing basic dns source/destination lookups

Doug Burks

unread,
Aug 14, 2012, 5:55:53 AM8/14/12
to securit...@googlegroups.com
Hi Mike,

You said earlier DNS lookup, but if you're referring to expanding an
event, clicking a source/destination IP and clicking "Basic
Source/Destination Lookup", I think it actually defaults to a WHOIS
query and then once the WHOIS results are displayed you have the
option of requesting the DNS lookup.

Are you able to run WHOIS queries from the command line of your
Security Onion server? Should look something like this:

whois 192.168.1.1
#
# Query terms are ambiguous. The query is assumed to be:
# "n 192.168.1.1"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=192.168.1.1?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
OriginAS:
NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use

If you don't get that result, perhaps WHOIS lookups are blocked on your network?

Thanks,
Doug

On Mon, Aug 13, 2012 at 5:40 PM, Mike landoll <mlan...@gmail.com> wrote:
> Sorry, just frustrated. By mucking things up I was specifically talking about my own deployment project. The errors I am receiving occur when I attempt to do a basic source or destination lookup using the buttons under the event details. The error thrown (in a very thin window) is "Error: Internal Server Error." This error is the same if either the source or destination buttons are clicked and the basic source or basic destination menu items are selected. Which specific logs and what other type of details would help in troubleshooting this issue?