VLAN Tagging problem

bug...@gmail.com

Jan 21, 2017, 3:24:33 AM1/21/17
to security-onion
Hi everyone,

It has been a few months since I posted here!
I have recently updated my hardware and I am now having some issues with SO being able to see and process my network traffic. I believe it is related to VLAN tagging/encapsulation.

More info below:

- I run SO in a VM from an ESXi server
- I used to have a MikroTik router to do my network mirroring and I have upgraded to a Ubiquiti switch

Everything worked fine for the last year with the MikroTik; shortly after I upgraded to the Ubiquiti switch, SO went blind.

After a bit of troubleshooting with the Ubiquiti staff and forum members, we found a fix: it looks like the Ubiquiti switch does some kind of VLAN encapsulation (even though I have only one VLAN set up), and this can lead to an issue with ESXi.
The issue could be seen when running Wireshark on my SO VM, as I could only see outgoing traffic and not incoming.
The fix was to set the VLAN ID on the ESXi server to 4095 (and not 0), which seems to enable VLAN tagging; according to the following article, it does the following:
"“Virtual Guest Tagging” (VGT). It basically means that the VLAN ID is stripped off at the Guest OS layer and not at the portgroup layer. In other words the VLAN trunk(multiple VLANs on a single wire) is extended to the virtual machine and the virtual machine will need to deal with it."

http://www.yellow-bricks.com/2010/06/10/vlan-id-4095/

With this fix, when I run Wireshark from SO I can see traffic in both directions (in and out), so far so good.
However, the IDS engine on SO doesn't seem to see the traffic! I do not get any alerts...
So I can confirm traffic is being received on the SO "sniff" interface OK with Wireshark, yet SO does not process any alerts.

Looking at this article from this forum:
https://github.com/security-onion-solutions/security-onion/issues/243

I thought it could be related to some kind of VLAN problem...
I tried to just change VLAN = 1 in the pcap_agent.conf file (even though it says not to do that!)
Restarted the services, rebooted the VM... still the same problem.

Could anyone please suggest some tests or changes I could try?
Thanks
B.

Below is my redacted sostat:

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 6551 21 Jan 08:08:01
Status: bso-s-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3055 errors:0 dropped:0 overruns:0 frame:0
TX packets:822 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:423522 (423.5 KB) TX bytes:289395 (289.3 KB)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1360430 errors:13 dropped:170 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:913678078 (913.6 MB) TX bytes:90 (90.0 B)
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
423522 3055 0 0 0 355
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
289395 822 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
913678078 1360430 13 170 0 2534
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
90 1 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 396M 1.3M 394M 1% /run
/dev/sda1 489G 32G 432G 7% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 80K 2.0G 1% /run/shm
none 100M 4.0K 100M 1% /run/user

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1112 avahi 12u IPv4 10070 0t0 UDP *:5353
avahi-dae 1112 avahi 13u IPv6 10071 0t0 UDP *:5353
avahi-dae 1112 avahi 14u IPv4 10072 0t0 UDP *:41979
avahi-dae 1112 avahi 15u IPv6 10073 0t0 UDP *:52184
dhclient 1135 root 5u IPv4 9774 0t0 UDP *:68
dhclient 1135 root 20u IPv4 9733 0t0 UDP *:57166
dhclient 1135 root 21u IPv6 9734 0t0 UDP *:47999
sshd 1520 root 3u IPv4 10861 0t0 TCP *:ssh_port (LISTEN)
sshd 1520 root 4u IPv6 10863 0t0 TCP *:ssh_port (LISTEN)
searchd 1569 sphinxsearch 7u IPv4 13318 0t0 TCP *:9306 (LISTEN)
searchd 1569 sphinxsearch 8u IPv4 13319 0t0 TCP *:9312 (LISTEN)
cups-brow 1594 root 6u IPv6 20397 0t0 TCP [X.X.X.X]:60036->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1594 root 8u IPv4 20404 0t0 UDP *:631
syslog-ng 1604 root 13u IPv4 10941 0t0 TCP *:514 (LISTEN)
syslog-ng 1604 root 14u IPv4 10942 0t0 UDP *:514
mysqld 1730 mysql 10u IPv4 13772 0t0 TCP X.X.X.X:3306 (LISTEN)
ossec-csy 1801 ossecm 5u IPv4 12742 0t0 UDP X.X.X.X:38565->X.X.X.X:514
/usr/sbin 2280 root 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 2280 root 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2280 root 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
ntpd 3123 ntp 16u IPv4 18008 0t0 UDP *:123
ntpd 3123 ntp 17u IPv6 18009 0t0 UDP *:123
ntpd 3123 ntp 18u IPv4 18015 0t0 UDP X.X.X.X:123
ntpd 3123 ntp 19u IPv4 18016 0t0 UDP X.X.X.X:123
ntpd 3123 ntp 20u IPv6 18017 0t0 UDP [X.X.X.X]:123
ntpd 3123 ntp 21u IPv6 18018 0t0 UDP [X.X.X.X]:123
cupsd 3627 root 10u IPv6 20664 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 3627 root 11u IPv4 20665 0t0 TCP X.X.X.X:631 (LISTEN)
tclsh 5941 SO-user 13u IPv4 31308 0t0 TCP *:7734 (LISTEN)
tclsh 5941 SO-user 14u IPv6 31309 0t0 TCP *:7734 (LISTEN)
tclsh 5941 SO-user 15u IPv4 31312 0t0 TCP *:7736 (LISTEN)
tclsh 5941 SO-user 16u IPv6 31313 0t0 TCP *:7736 (LISTEN)
tclsh 5941 SO-user 17u IPv4 34357 0t0 TCP X.X.X.X:7736->X.X.X.X:38075 (ESTABLISHED)
tclsh 5941 SO-user 18u IPv4 34676 0t0 TCP X.X.X.X:7736->X.X.X.X:44393 (ESTABLISHED)
tclsh 5941 SO-user 19u IPv4 36947 0t0 TCP X.X.X.X:7736->X.X.X.X:36737 (ESTABLISHED)
tclsh 6064 SO-user 3u IPv4 35960 0t0 TCP X.X.X.X:36737->X.X.X.X:7736 (ESTABLISHED)
bro 6551 SO-user 4u IPv4 33234 0t0 UDP X.X.X.X:50842->X.X.X.X:53
bro 6670 SO-user 0u IPv4 33338 0t0 TCP *:47760 (LISTEN)
bro 6670 SO-user 1u IPv6 33339 0t0 TCP *:47760 (LISTEN)
bro 6670 SO-user 4u IPv4 33234 0t0 UDP X.X.X.X:50842->X.X.X.X:53
tclsh 7078 SO-user 3u IPv4 34356 0t0 TCP X.X.X.X:38075->X.X.X.X:7736 (ESTABLISHED)
tclsh 7432 SO-user 3u IPv4 34675 0t0 TCP X.X.X.X:44393->X.X.X.X:7736 (ESTABLISHED)
tclsh 7432 SO-user 4u IPv4 34677 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 7432 SO-user 6u IPv4 38376 0t0 TCP X.X.X.X:8101->X.X.X.X:47996 (ESTABLISHED)
barnyard2 7633 SO-user 3u IPv4 38375 0t0 TCP X.X.X.X:47996->X.X.X.X:8101 (ESTABLISHED)
/usr/sbin 8907 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 8907 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 8907 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
sshd 8910 root 3u IPv4 44976 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:62094 (ESTABLISHED)
sshd 8963 SO-user 3u IPv4 44976 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:62094 (ESTABLISHED)
/usr/sbin 10225 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 10225 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10225 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10242 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 10242 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10242 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10243 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 10243 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10243 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
/usr/sbin 11089 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 11089 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11089 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)
/usr/sbin 11846 www-data 5u IPv6 15337 0t0 TCP *:443 (LISTEN)
/usr/sbin 11846 www-data 7u IPv6 15341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 11846 www-data 9u IPv6 15347 0t0 TCP *:3154 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================
Sat Jan 21 07:01:01 UTC 2017
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 10 minutes to avoid overwhelming rule sites.
Running PulledPork.

https://github.com/shirkdog/pulledpork
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.3 - Making signature updates great again!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
=========================================================================
Total
0

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Total
0

=========================================================================
Last update
=========================================================================

Start-Date: 2017-01-21 04:07:25
Commandline: apt-get install -y mysql-server mysql-server-core-5.5 mysql-server-5.5
Upgrade: mysql-server-core-5.5:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), mysql-server-5.5:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), mysql-client-5.5:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), mysql-common:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), mysql-server:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1)
End-Date: 2017-01-21 04:07:54

Start-Date: 2017-01-21 04:08:06
Commandline: apt-get -y dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), initramfs-tools-bin:amd64 (0.103ubuntu4.5, 0.103ubuntu4.6), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), mysql-client-core-5.5:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), securityonion-http-agent:amd64 (0.3.1-0ubuntu0securityonion6, 0.3.1-0ubuntu0securityonion7), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), dbus:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion153, 20120724-0ubuntu0securityonion155), libapparmor1:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), libdbus-1-3:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), initramfs-tools:amd64 (0.103ubuntu4.5, 0.103ubuntu4.6), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion71, 20141015-0ubuntu0securityonion72), libapparmor-perl:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion47, 20151011-1ubuntu1securityonion48), securityonion-onionsalt:amd64 (20140917-0ubuntu0securityonion20, 20140917-0ubuntu0securityonion21), libmysqlclient18:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), dbus-x11:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), apparmor:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), securityonion-networkminer:amd64 (20160210-1ubuntu1securityonion1, 20170112-1ubuntu1securityonion1), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11)
End-Date: 2017-01-21 04:08:56

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1604 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1730 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1530 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1569 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
234
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
5.6G /nsm/elsa/data
2.2M /var/lib/mysql/syslog
8.0K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
NULL NULL


=========================================================================
Version Information
=========================================================================
Ubuntu 14.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion69
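The post above describes the classic symptom of 802.1Q tags reaching a guest that was set up for untagged traffic: frames arrive on the sniff interface, but anything that reads the EtherType at a fixed offset sees 0x8100 instead of 0x0800 and never looks at the IP payload. The following is an added example, not code from the original post, from Security Onion or from VMware; it parses Ethernet frames with optional 802.1Q/802.1ad tags (going one step beyond the single-VLAN case in the post by also handling stacked QinQ tags) and contrasts what a tag-aware and a tag-unaware consumer would classify as IPv4. All frames and MAC addresses are constructed sample data.

```python
# Added example; not code from the original post, Security Onion or ESXi.
# Parses Ethernet frames with optional 802.1Q / 802.1ad tags and contrasts
# the result with a parser that assumes an untagged frame. With Virtual
# Guest Tagging (ESXi VLAN ID 4095) the tag reaches the guest, so a consumer
# that reads the EtherType at offset 12 sees 0x8100 rather than 0x0800.
# Every frame below is constructed sample data; the MAC addresses are made up.
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service VLAN tag (S-TAG), outer tag in QinQ
TAG_TYPES = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, VLAN IDs found (outermost first), the final
    EtherType and the offset at which the L3 payload starts.

    Each tag is 4 bytes: TPID (2) then TCI (2); the VLAN ID is the low
    12 bits of the TCI. Tags may be stacked, so loop until a non-tag type.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2
    vlans = []
    while ethertype in TAG_TYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlans": vlans,
        "ethertype": ethertype,
        "payload_offset": offset,
    }


def naive_ethertype(frame: bytes) -> int:
    """What a tag-unaware consumer sees: EtherType assumed at offset 12."""
    return struct.unpack("!H", frame[12:14])[0]


def build_frame(vlan_ids, payload: bytes) -> bytes:
    """Build a sample frame; each entry of vlan_ids becomes one tag. With two
    or more tags the outermost gets the 802.1ad TPID, as in QinQ."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_8021AD if (i == 0 and len(vlan_ids) > 1) else ETHERTYPE_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def visibility_report(frames) -> dict:
    """Count frames per tag and compare how many a tag-aware and a
    tag-unaware consumer would recognise as IPv4. A gap between the two is
    the symptom from the post: packets reach the interface, but the
    tag-unaware consumer treats them as EtherType 0x8100 and inspects nothing."""
    by_tag = Counter()
    aware_ipv4 = unaware_ipv4 = 0
    for f in frames:
        info = parse_frame(f)
        label = "untagged" if not info["vlans"] else "vlan " + "/".join(map(str, info["vlans"]))
        by_tag[label] += 1
        aware_ipv4 += info["ethertype"] == ETHERTYPE_IPV4
        unaware_ipv4 += naive_ethertype(f) == ETHERTYPE_IPV4
    return {
        "frames": len(frames),
        "by_tag": dict(by_tag),
        "ipv4_seen_tag_aware": aware_ipv4,
        "ipv4_seen_tag_unaware": unaware_ipv4,
    }


# Constructed minimal IPv4 header (20 bytes, checksum left at zero) used as payload.
SAMPLE_IPV4 = bytes.fromhex("45000014000100004006" "0000" "c0000201" "c0000202")
SAMPLE_FRAMES = [
    build_frame([], SAMPLE_IPV4),        # untagged
    build_frame([1], SAMPLE_IPV4),       # single 802.1Q tag, VLAN 1
    build_frame([1], SAMPLE_IPV4),
    build_frame([100, 1], SAMPLE_IPV4),  # QinQ: S-TAG 100 outside C-TAG 1
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print(visibility_report(SAMPLE_FRAMES))
```

On a live sensor the same comparison can be made with tcpdump's BPF primitive `vlan`, which matches only tagged frames: if a capture on the sniff interface with the `vlan` filter sees roughly the same packet rate as one without it, the 802.1Q tag is reaching the guest and every consumer of that interface needs to handle it.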

Doug Burks

Jan 21, 2017, 6:08:59 PM1/21/17
to securit...@googlegroups.com
Hi bugsxor,

Looking at your sostat output, it looks like you have an issue which
is not necessarily related to your VLAN question, but I'll make you
aware of it. You have the recently released MySQL packages which
prevent ELSA from creating new tables:
http://blog.securityonion.net/2017/01/latest-mysql-packages-may-impact-elsa.html

A new ELSA package has been submitted for testing:
https://github.com/Security-Onion-Solutions/security-onion/issues/1065

You have 234 buffers in the ELSA queue, which probably means you have
lots of Bro logs waiting to be written to the ELSA database once that
patch is put into place. If you'd like to help test the package, you
can follow the instructions here:
https://groups.google.com/d/topic/security-onion-testing/xHmKLB8kNJg/discussion

If you don't want to test the new ELSA package, you could take a look
at the raw Bro logs in /nsm/bro/logs/ and see if Bro is correctly
logging your VLAN traffic.

--
Doug Burks
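Doug's suggestion to look at the raw Bro logs under /nsm/bro/logs/ can be turned into a repeatable check. The following is an added example, not code from the thread, from Security Onion or from Bro; it parses a conn.log in Bro's tab-separated format, reports how connections split across VLAN tags, and flags TCP connections whose history shows only the originator side, which is the one-directional symptom the original poster saw in Wireshark. It assumes the optional vlan and inner_vlan columns are present in conn.log (they are added by Bro's vlan-logging policy script; whether that script is loaded on this sensor is an assumption), and the log it runs on is constructed sample data.

```python
# Added example; not code from the thread, from Security Onion or from Bro.
# Parses a Bro conn.log (tab-separated, '#'-prefixed header lines) and reports
# (1) how connections split across VLAN tags and (2) which TCP connections show
# traffic from one side only. Assumption: the vlan / inner_vlan columns exist,
# which is the case when Bro's vlan-logging policy script is loaded.
# The log below is constructed sample data with RFC 5737 documentation addresses.
from collections import Counter

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\tvlan\tinner_vlan\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tint\tint\n"
    "1485000001.000000\tCa1\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tSF\tShADadFf\t1\t-\n"
    "1485000002.000000\tCb2\t192.0.2.10\t40000\t198.51.100.53\t53\tudp\tSF\tDd\t1\t-\n"
    "1485000003.000000\tCc3\t192.0.2.11\t51300\t198.51.100.7\t80\ttcp\tS0\tS\t1\t-\n"
    "1485000004.000000\tCd4\t192.0.2.12\t51400\t198.51.100.9\t22\ttcp\tSF\tShADadfF\t-\t-\n"
    "#close\t2017-01-23-00-00-00\n"
)


def parse_conn_log(text: str) -> list:
    """Return one dict per data line, keyed by the names in the #fields header.
    Lines starting with '#' are metadata; '-' marks an unset field."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def vlan_breakdown(records) -> Counter:
    """Count connections per outer VLAN id. '-' means the frame carried no tag,
    which looks identical to the vlan-logging script not being loaded."""
    counts = Counter()
    for r in records:
        vlan = r.get("vlan", "-")
        counts["untagged" if vlan == "-" else f"vlan {vlan}"] += 1
    return counts


def one_sided_tcp(records) -> list:
    """UIDs of TCP connections whose history has originator letters (uppercase)
    but no responder letters (lowercase). Many of these on a mirror/SPAN feed
    usually mean only one direction of the traffic is reaching the sensor."""
    uids = []
    for r in records:
        if r.get("proto") != "tcp":
            continue
        hist = r.get("history", "-")
        if hist == "-":
            continue
        has_orig = any(c.isupper() for c in hist)
        has_resp = any(c.islower() for c in hist)
        if has_orig and not has_resp:
            uids.append(r["uid"])
    return uids


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("connections per VLAN:", dict(vlan_breakdown(recs)))
    print("one-sided TCP connections:", one_sided_tcp(recs))
```

To run it against a real sensor, read a conn.log from under /nsm/bro/logs/ (the dated directories hold compressed copies) and pass its text to parse_conn_log; a VLAN breakdown that is entirely "untagged" on a trunk that is known to be tagged, or a large share of one-sided TCP connections, narrows the problem to the capture path rather than to the IDS rules.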

bug...@gmail.com

Jan 22, 2017, 11:58:16 PM1/22/17
to security-onion
Hi Doug,

It is long overdue that I participate in your testing!
Will try that now and revert back.

Regards,
B.

Doug Burks

Jan 23, 2017, 6:15:12 AM1/23/17
to securit...@googlegroups.com
published to stable repo:
securityonion-elsa-extras - 20151011-1ubuntu1securityonion49 resolves
an issue with recent MySQL updates

bug...@gmail.com

Jan 23, 2017, 11:39:48 AM1/23/17
to security-onion
Thanks, was too late!
I just did a sudo soup and also rebooted my VM, however, I am still getting the following:

ELSA Buffers in Queue:
2994
How can I check if the patch has been installed?

Below is my full redacted sostat:

=========================================================================
Service Status
=========================================================================
Status: securityonion
* SO-user server[ OK ]
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Started
bro standalone localhost running 5188 23 Jan 16:22:04
Status: bso-s-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
collisions:0 txqueuelen:1000
RX bytes:445704085 (445.7 MB) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:780 errors:0 dropped:0 overruns:0 frame:0
TX packets:780 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:3123637 (3.1 MB) TX bytes:3123637 (3.1 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
3123637 780 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3123637 780 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
385370 2867 0 0 0 423
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2418144 810 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
445705166 555030 3 3 0 2208
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 4.0K 2.0G 1% /dev
tmpfs 396M 1.3M 394M 1% /run
/dev/sda1 489G 171G 294G 37% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 80K 2.0G 1% /run/shm
none 100M 4.0K 100M 1% /run/user

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 722 avahi 12u IPv4 10411 0t0 UDP *:5353
avahi-dae 722 avahi 13u IPv6 10412 0t0 UDP *:5353
avahi-dae 722 avahi 14u IPv4 10413 0t0 UDP *:41112
avahi-dae 722 avahi 15u IPv6 10414 0t0 UDP *:37769
dhclient 1081 root 5u IPv4 10634 0t0 UDP *:68
dhclient 1081 root 20u IPv4 10603 0t0 UDP *:35372
dhclient 1081 root 21u IPv6 10604 0t0 UDP *:6285
sshd 1433 root 3u IPv4 10830 0t0 TCP *:ssh_port (LISTEN)
sshd 1433 root 4u IPv6 10832 0t0 TCP *:ssh_port (LISTEN)
searchd 1499 sphinxsearch 7u IPv4 10989 0t0 TCP *:9306 (LISTEN)
searchd 1499 sphinxsearch 8u IPv4 10990 0t0 TCP *:9312 (LISTEN)
cups-brow 1531 root 6u IPv6 18654 0t0 TCP [X.X.X.X]:36216->[X.X.X.X]:631 (CLOSE_WAIT)
cups-brow 1531 root 8u IPv4 19532 0t0 UDP *:631
syslog-ng 1576 root 12u IPv4 10912 0t0 TCP *:514 (LISTEN)
syslog-ng 1576 root 13u IPv4 10913 0t0 UDP *:514
mysqld 1629 mysql 12u IPv4 13172 0t0 TCP X.X.X.X:3306 (LISTEN)
ossec-csy 1834 ossecm 5u IPv4 12909 0t0 UDP X.X.X.X:53671->X.X.X.X:514
/usr/sbin 2190 root 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 2190 root 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2190 root 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
ntpd 2818 ntp 16u IPv4 16015 0t0 UDP *:123
ntpd 2818 ntp 17u IPv6 16016 0t0 UDP *:123
ntpd 2818 ntp 18u IPv4 16022 0t0 UDP X.X.X.X:123
ntpd 2818 ntp 19u IPv4 16023 0t0 UDP X.X.X.X:123
ntpd 2818 ntp 20u IPv6 16024 0t0 UDP [X.X.X.X]:123
ntpd 2818 ntp 21u IPv6 16025 0t0 UDP [X.X.X.X]:123
cupsd 3238 root 10u IPv6 18622 0t0 TCP [X.X.X.X]:631 (LISTEN)
cupsd 3238 root 11u IPv4 18623 0t0 TCP X.X.X.X:631 (LISTEN)
tclsh 4663 SO-user 13u IPv4 25754 0t0 TCP *:7734 (LISTEN)
tclsh 4663 SO-user 14u IPv6 25755 0t0 TCP *:7734 (LISTEN)
tclsh 4663 SO-user 15u IPv4 25758 0t0 TCP *:7736 (LISTEN)
tclsh 4663 SO-user 16u IPv6 25759 0t0 TCP *:7736 (LISTEN)
tclsh 4663 SO-user 17u IPv4 28956 0t0 TCP X.X.X.X:7736->X.X.X.X:35096 (ESTABLISHED)
tclsh 4663 SO-user 18u IPv4 28970 0t0 TCP X.X.X.X:7736->X.X.X.X:34107 (ESTABLISHED)
tclsh 4663 SO-user 19u IPv4 29060 0t0 TCP X.X.X.X:7736->X.X.X.X:43565 (ESTABLISHED)
tclsh 4780 SO-user 3u IPv4 28620 0t0 TCP X.X.X.X:34107->X.X.X.X:7736 (ESTABLISHED)
bro 5188 SO-user 4u IPv4 26476 0t0 UDP X.X.X.X:56551->X.X.X.X:53
bro 5228 SO-user 0u IPv4 26576 0t0 TCP *:47760 (LISTEN)
bro 5228 SO-user 1u IPv6 26577 0t0 TCP *:47760 (LISTEN)
bro 5228 SO-user 4u IPv4 26476 0t0 UDP X.X.X.X:56551->X.X.X.X:53
tclsh 5912 SO-user 3u IPv4 28955 0t0 TCP X.X.X.X:35096->X.X.X.X:7736 (ESTABLISHED)
tclsh 5973 SO-user 3u IPv4 29718 0t0 TCP X.X.X.X:43565->X.X.X.X:7736 (ESTABLISHED)
tclsh 5973 SO-user 4u IPv4 29724 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 5973 SO-user 6u IPv4 32426 0t0 TCP X.X.X.X:8101->X.X.X.X:44216 (ESTABLISHED)
barnyard2 6094 SO-user 3u IPv4 31061 0t0 TCP X.X.X.X:44216->X.X.X.X:8101 (ESTABLISHED)
/usr/sbin 10585 www-data 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 10585 www-data 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 10585 www-data 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 10585 www-data 26u IPv4 52638 0t0 TCP X.X.X.X:34012->X.X.X.X:3154 (CLOSE_WAIT)
sshd 10806 root 3u IPv4 48106 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59252 (ESTABLISHED)
sshd 10860 SO-user 3u IPv4 48106 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:59252 (ESTABLISHED)
/usr/sbin 12174 www-data 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 12174 www-data 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12174 www-data 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12193 www-data 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 12193 www-data 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12193 www-data 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12193 www-data 26u IPv4 52824 0t0 TCP X.X.X.X:34030->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin 12249 www-data 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 12249 www-data 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12249 www-data 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12261 www-data 5u IPv6 14644 0t0 TCP *:443 (LISTEN)
/usr/sbin 12261 www-data 7u IPv6 14648 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12261 www-data 9u IPv6 14654 0t0 TCP *:3154 (LISTEN)
0.0 2.2 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/bso-s-eth1/pcap_agent.conf
0.0 0.1 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/bso-s-eth1/pcap_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/bso-s-eth1/snort_agent-1.conf
0.0 0.1 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/bso-s-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/bso-s-eth1/snort-1.stats
0.0 0.0 ./dema -d /opt/xplico -b sqlite
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 [kworker/0:1]
0.0 3.3 /usr/sbin/apache2 -k start
0.0 0.1 sshd: SO-user [priv]
0.0 0.0 [kworker/1:0]
0.0 0.1 sshd: SO-user@pts/2
0.0 0.0 tmux -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell
0.0 3.3 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 3.2 /usr/sbin/apache2 -k start
0.0 0.0 /bin/bash /usr/sbin/sostat-redacted
0.0 0.0 /bin/bash /usr/sbin/sostat
0.0 0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
0.0 0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
0.0 0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
0.0 0.0 sed -r s/X:ssh_port/X:ssh_port/g
0.0 0.0 sed -r s/\*:ssh_port/*:ssh_port/g
0.0 0.0 sed -r s/SO-server/SO-server/g
0.0 0.0 sed -r s/SO-node/SO-node/g
0.0 0.0 sed -r s/SO-user|SO-user/SO-user/g
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth1: 292765

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth1:

RX packets:555105 dropped:3 TX packets:0 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name : <unknown>
Tot Packets : 526645
Tot Pkt Lost : 0


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 515078
Tot Pkt Lost : 0

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/bso-s-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 0.000000

bro: 1485189537.999466 recvd=526921 dropped=0 link=526921

Capture Loss:

bro 0.500088

If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).

-------------------------------------------------------------------------

Netsniff-NG:
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +160610 Lost: -1186
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +153859 Lost: -3
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +164216 Lost: -20749
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +157061 Lost: -54077
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +154314 Lost: -41453
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +150125 Lost: -46539
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +156327 Lost: -18378
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +155378 Lost: -30766
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +182694 Lost: -15625
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +166391 Lost: -529
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +151596 Lost: -3362
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +156412 Lost: -17384
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +157572 Lost: -6876
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +159778 Lost: -19378
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +157170 Lost: -2
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +178756 Lost: -25253
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +161615 Lost: -3161
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +169573 Lost: -1780
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +163113 Lost: -16284
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +164261 Lost: -263
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +160143 Lost: -67060
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +152082 Lost: -5799
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +159370 Lost: -55009
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +156460 Lost: -45124
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +157835 Lost: -44914
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +159519 Lost: -42473
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +160461 Lost: -62485
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +160214 Lost: -60287
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +158212 Lost: -10070
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +194128 Lost: -24596
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +172277 Lost: -2481
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +173452 Lost: -20615
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +164369 Lost: -54544
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +180413 Lost: -84

=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.4.1 (unknown)
Total rings : 2

Standard (non ZC) Options
Ring slots : 4096
/nsm/bro/logs/ - 3 days
27M .
11M ./2017-01-21
13M ./2017-01-22
3.0M ./2017-01-23
488K ./stats

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
1282

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
719 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
Total
719

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1272 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
6 1:2500043 ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 22
1 1:2500109 ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 55
Total
1279

=========================================================================
Last update
=========================================================================

Start-Date: 2017-01-21 04:08:06
Commandline: apt-get -y dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), initramfs-tools-bin:amd64 (0.103ubuntu4.5, 0.103ubuntu4.6), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), mysql-client-core-5.5:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), securityonion-http-agent:amd64 (0.3.1-0ubuntu0securityonion6, 0.3.1-0ubuntu0securityonion7), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), dbus:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion153, 20120724-0ubuntu0securityonion155), libapparmor1:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), libdbus-1-3:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), initramfs-tools:amd64 (0.103ubuntu4.5, 0.103ubuntu4.6), securityonion-web-page:amd64 (20141015-0ubuntu0securityonion71, 20141015-0ubuntu0securityonion72), libapparmor-perl:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion47, 20151011-1ubuntu1securityonion48), securityonion-onionsalt:amd64 (20140917-0ubuntu0securityonion20, 20140917-0ubuntu0securityonion21), libmysqlclient18:amd64 (5.5.53-0ubuntu0.14.04.1, 5.5.54-0ubuntu0.14.04.1), dbus-x11:amd64 (1.6.18-0ubuntu4.4, 1.6.18-0ubuntu4.5), apparmor:amd64 (2.8.95~2430-0ubuntu5.3, 2.10.95-0ubuntu2.5~14.04.1), securityonion-networkminer:amd64 (20160210-1ubuntu1securityonion1, 20170112-1ubuntu1securityonion1), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.10, 9.9.5.dfsg-3ubuntu0.11)
End-Date: 2017-01-21 04:08:56

Start-Date: 2017-01-23 14:52:29
Commandline: apt-get -y dist-upgrade
Upgrade: securityonion-elsa-extras:amd64 (20151011-1ubuntu1securityonion48, 20151011-1ubuntu1securityonion49)
End-Date: 2017-01-23 14:52:44

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1576 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1629 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1471 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1499 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3010
6.0G /nsm/elsa/data
11M /var/lib/mysql/syslog
32K /var/lib/mysql/syslog_data
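
An added diagnostic, not part of this thread or of sostat itself: it parses the netsniff-ng "Processed/Lost" lines in the sostat output above and flags capture intervals that dropped a large share of packets, which is worth checking alongside the missing alerts. The 5% threshold and the lost/(processed+lost) definition of the loss ratio are assumptions; the sample lines are copied in shape from the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sostat netsniff-ng section above.
SAMPLE = """\
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +160143 Lost: -67060
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170122000003 Processed: +164261 Lost: -263
File: /var/log/nsm/bso-s-eth1/netsniff-ng.log.20170123000004 Processed: +180413 Lost: -84
"""

LINE_RE = re.compile(
    r"^File:\s+(?P<file>\S+)\s+Processed:\s+\+(?P<proc>\d+)\s+Lost:\s+-(?P<lost>\d+)\s*$"
)


def parse_stats(text):
    """Yield (logfile, processed, lost) for each matching line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("file"), int(m.group("proc")), int(m.group("lost"))


def loss_ratio(processed, lost):
    """Assumed definition: share of packets the kernel dropped before capture."""
    total = processed + lost
    return lost / total if total else 0.0


def summarize(text, threshold=0.05):
    """Per-logfile overall loss, worst single interval, and a flag above threshold."""
    per_file = defaultdict(lambda: {"processed": 0, "lost": 0, "worst": 0.0})
    for logfile, processed, lost in parse_stats(text):
        entry = per_file[logfile]
        entry["processed"] += processed
        entry["lost"] += lost
        entry["worst"] = max(entry["worst"], loss_ratio(processed, lost))
    report = {}
    for logfile, entry in per_file.items():
        report[logfile] = {
            "overall": loss_ratio(entry["processed"], entry["lost"]),
            "worst": entry["worst"],
            "flag": entry["worst"] >= threshold,
        }
    return report


if __name__ == "__main__":
    for logfile, r in summarize(SAMPLE).items():
        print(f"{logfile}: overall {r['overall']:.1%}, worst {r['worst']:.1%}, flag={r['flag']}")
```

Run it against the full sostat output to see which daily log had the worst drop spikes; in the sample, the 2017-01-22 file peaks near 30% loss in one interval.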

Doug Burks

Jan 23, 2017, 7:00:25 PM1/23/17
to securit...@googlegroups.com
dpkg -l | grep elsa-extras should show the version number as
securityonion-elsa-extras - 20151011-1ubuntu1securityonion49.

Once you verify that, then check the logs in /nsm/elsa/data/elsa/log/
for additional clues.

bug...@gmail.com

Jan 25, 2017, 11:48:42 PM1/25/17
to security-onion
Hi Doug,

So I am still having issues with Elsa (can't rename that thread it seems).
I checked the dpkg version and it matches what you said.

Looking at the elsa logs (node.log) I can see some errors:
* DEBUG [2017/01/26 04:42:19] /opt/elsa/node/elsa.pl (318) main::_process_batch 18919 [undef]
file size for file /nsm/elsa/data/elsa/tmp/buffers//1485405679.17465 is 273796
* TRACE [2017/01/26 04:42:19] /opt/elsa/node/elsa.pl (349) main::_process_batch 18919 [undef]
inserted filename /nsm/elsa/data/elsa/tmp/buffers//1485405679.17465 with batch_counter 550 and start Thu Jan 26 04:41:19 2017 and end Thu Jan 26 04:42:19 2017
* DEBUG [2017/01/26 04:42:19] /opt/elsa/node/elsa.pl (188) main:: 18919 [undef]
Processed 550 records
* DEBUG [2017/01/26 04:42:19] /opt/elsa/node/elsa.pl (184) main:: 18919 [undef]
Starting process_batch
* DEBUG [2017/01/26 04:42:19] /opt/elsa/node/elsa.pl (271) main::_process_batch 18919 [undef]
Offline processing: and using tempfile /nsm/elsa/data/elsa/tmp/buffers//1485405739.70954
* ERROR [2017/01/26 04:42:50] /opt/elsa/node/elsa.pl (295) main::_process_batch 18919 [undef]
Unable to parse valid class id from log line 1485405770 127.0.0.1 ossec 35 Alert Level: 3; Rule: 54

Should I just delete those temporary buffer files?

Regards,
B.