=========================================================================
Service Status
=========================================================================

Status: securityonion
  * SO-user server                                              [ OK ]
Status: HIDS
  * ossec_agent (SO-user)                                       [ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name               Type      Host        Status    Pid    Peers  Started
manager            manager   localhost   running   4565   2      09 Feb 05:12:23
proxy              proxy     localhost   running   4908   2      09 Feb 05:12:33
SO-server-eth1-1   worker    localhost   running   5206   2      09 Feb 05:12:44
Status: SO-server-eth1
  * netsniff-ng (full packet data)                              [ OK ]
  * pcap_agent (SO-user)                                        [ OK ]
  * snort_agent-1 (SO-user)                                     [ OK ]
  * snort_agent-2 (SO-user)                                     [ OK ]
  * snort-1 (alert data)                                        [ OK ]
  * snort-2 (alert data)                                        [ OK ]
  * barnyard2-1 (spooler, unified2 format)                      [ OK ]
  * barnyard2-2 (spooler, unified2 format)                      [ OK ]

=========================================================================
Interface Status
=========================================================================

eth0      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83484 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41650 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71039350 (71.0 MB)  TX bytes:7017346 (7.0 MB)

eth1      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4360373 errors:0 dropped:14 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4679376123 (4.6 GB)  TX bytes:0 (0.0 B)

eth2      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1340446 (1.3 MB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:X.X.X.X  Mask:X.X.X.X
          inet6 addr: X.X.X.X/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:92784 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92784 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:65660569 (65.6 MB)  TX bytes:65660569 (65.6 MB)

=========================================================================
Link Statistics
=========================================================================

1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes    packets  errors  dropped overrun mcast
    65660621     92785    0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    65660621     92785    0       0       0       0
    TX errors: aborted  fifo   window heartbeat
               0        0       0       0
2: eth0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes    packets  errors  dropped overrun mcast
    71039350     83484    0       0       0       2798
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    7017346      41650    0       0       0       0
    TX errors: aborted  fifo   window heartbeat
               0        0       0       0
3: eth1: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes    packets  errors  dropped overrun mcast
    4679376123   4360373  0       14      0       42276
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    0            0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat
               0        0       0       0
4: eth2: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
    RX: bytes    packets  errors  dropped overrun mcast
    1340446      2833     0       0       0       2831
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    0            0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat
               0        0       0       0

=========================================================================
Disk Usage
=========================================================================

Filesystem      Size  Used Avail Use% Mounted on
udev            7.9G  4.0K  7.9G   1% /dev
tmpfs           1.6G  1.1M  1.6G   1% /run
/dev/sda4       3.0T  2.7T  326G  90% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
none            5.0M     0  5.0M   0% /run/lock
none            7.9G   72K  7.9G   1% /run/shm
none            100M   12K  100M   1% /run/user
/dev/sda2       939M   85M  807M  10% /boot

=========================================================================
Network Sockets
=========================================================================

COMMAND     PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae  1276        avahi   12u  IPv4  13522      0t0  UDP *:5353
avahi-dae  1276        avahi   13u  IPv6  13523      0t0  UDP *:5353
avahi-dae  1276        avahi   14u  IPv4  13524      0t0  UDP *:39199
avahi-dae  1276        avahi   15u  IPv6  13525      0t0  UDP *:60874
cupsd      1485         root   10u  IPv6  11970      0t0  TCP [X.X.X.X]:631 (LISTEN)
cupsd      1485         root   11u  IPv4  11971      0t0  TCP X.X.X.X:631 (LISTEN)
cups-brow  1497         root    8u  IPv4  13724      0t0  UDP *:631
ntpd       1591          ntp   16u  IPv4  11995      0t0  UDP *:123
ntpd       1591          ntp   17u  IPv6  11998      0t0  UDP *:123
ntpd       1591          ntp   18u  IPv4  12005      0t0  UDP X.X.X.X:123
ntpd       1591          ntp   19u  IPv4  12007      0t0  UDP X.X.X.X:123
ntpd       1591          ntp   20u  IPv6  12009      0t0  UDP [X.X.X.X]:123
ntpd       1591          ntp   21u  IPv6  12011      0t0  UDP [X.X.X.X]:123
sshd       1752         root    3u  IPv4  13924      0t0  TCP *:ssh_port (LISTEN)
sshd       1752         root    4u  IPv6  13926      0t0  TCP *:ssh_port (LISTEN)
syslog-ng  1815         root    9u  IPv4  15484      0t0  TCP *:514 (LISTEN)
syslog-ng  1815         root   10u  IPv4  15485      0t0  UDP *:514
mysqld     1859        mysql   10u  IPv4  16467      0t0  TCP X.X.X.X:3306 (LISTEN)
searchd    1975 sphinxsearch    7u  IPv4  14330      0t0  TCP *:9306 (LISTEN)
searchd    1975 sphinxsearch    8u  IPv4  14331      0t0  TCP *:9312 (LISTEN)
ossec-csy  2065       ossecm    5u  IPv4  16407      0t0  UDP X.X.X.X:59318->X.X.X.X:514
ossec-rem  2093       ossecr    4u  IPv4  14566      0t0  UDP *:1514
/usr/sbin  2390         root    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2390         root    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2390         root    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
tclsh      2499      SO-user    3u  IPv4 356683      0t0  TCP X.X.X.X:45606->X.X.X.X:7736 (ESTABLISHED)
/usr/sbin  2549     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2549     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2549     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  2549     www-data   28u  IPv4 483161      0t0  TCP X.X.X.X:40120->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2550     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2550     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2550     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  2550     www-data   26u  IPv4 485007      0t0  TCP X.X.X.X:40112->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2550     www-data   29u  IPv4 472665      0t0  TCP X.X.X.X:39998->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2551     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2551     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2551     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  2551     www-data   28u  IPv4 472522      0t0  TCP X.X.X.X:39987->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2551     www-data   29u  IPv4 483168      0t0  TCP X.X.X.X:40126->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2552     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2552     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2552     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  2552     www-data   28u  IPv4 474700      0t0  TCP X.X.X.X:40060->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2552     www-data   29u  IPv4 485540      0t0  TCP X.X.X.X:40094->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2553     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  2553     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  2553     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  2553     www-data   26u  IPv4 472024      0t0  TCP X.X.X.X:39991->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  2553     www-data   29u  IPv4 485123      0t0  TCP X.X.X.X:40121->X.X.X.X:3154 (CLOSE_WAIT)
tclsh      2884      SO-user    3u  IPv4 354913      0t0  TCP X.X.X.X:43452->X.X.X.X:7736 (ESTABLISHED)
tclsh      3104      SO-user   13u  IPv4  41036      0t0  TCP *:7734 (LISTEN)
tclsh      3104      SO-user   14u  IPv6  41037      0t0  TCP *:7734 (LISTEN)
tclsh      3104      SO-user   15u  IPv4  41040      0t0  TCP *:7736 (LISTEN)
tclsh      3104      SO-user   16u  IPv6  41041      0t0  TCP *:7736 (LISTEN)
tclsh      3104      SO-user   17u  IPv4 358552      0t0  TCP X.X.X.X:7736->X.X.X.X:36793 (ESTABLISHED)
tclsh      3104      SO-user   18u  IPv4 356771      0t0  TCP X.X.X.X:7736->X.X.X.X:43452 (ESTABLISHED)
tclsh      3104      SO-user   19u  IPv4 355205      0t0  TCP X.X.X.X:7736->X.X.X.X:44096 (ESTABLISHED)
tclsh      3104      SO-user   20u  IPv4 355701      0t0  TCP X.X.X.X:7736->X.X.X.X:45606 (ESTABLISHED)
tclsh      3104      SO-user   21u  IPv4 473707      0t0  TCP X.X.X.X:7734->X.X.X.X:48641 (ESTABLISHED)
tclsh      3142      SO-user    3u  IPv4 355114      0t0  TCP X.X.X.X:36793->X.X.X.X:7736 (ESTABLISHED)
tclsh      3142      SO-user    4u  IPv4 357565      0t0  TCP X.X.X.X:8101 (LISTEN)
/usr/sbin  3228     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  3228     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3228     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  3228     www-data   28u  IPv4 461720      0t0  TCP X.X.X.X:39918->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  3228     www-data   29u  IPv4 485675      0t0  TCP X.X.X.X:40103->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  3229     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  3229     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3229     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  3229     www-data   26u  IPv4 486523      0t0  TCP X.X.X.X:40100->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  3230     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin  3230     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin  3230     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin  3230     www-data   28u  IPv4 474529      0t0  TCP X.X.X.X:40025->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin  3230     www-data   29u  IPv4 482232      0t0  TCP X.X.X.X:40106->X.X.X.X:3154 (CLOSE_WAIT)
tclsh      3236      SO-user    3u  IPv4 357696      0t0  TCP X.X.X.X:44096->X.X.X.X:7736 (ESTABLISHED)
tclsh      3236      SO-user    4u  IPv4 359480      0t0  TCP X.X.X.X:8102 (LISTEN)
bro        4565      SO-user    4u  IPv4  27919      0t0  UDP X.X.X.X:49106->X.X.X.X:53
bro        4908      SO-user    4u  IPv4  26316      0t0  UDP X.X.X.X:53671->X.X.X.X:53
bro        5206      SO-user    4u  IPv4  29051      0t0  UDP X.X.X.X:60762->X.X.X.X:53
bro        5338      SO-user    0u  IPv4  26509      0t0  TCP *:47761 (LISTEN)
bro        5338      SO-user    1u  IPv6  26510      0t0  TCP *:47761 (LISTEN)
bro        5338      SO-user    2u  IPv4  28354      0t0  TCP X.X.X.X:47761->X.X.X.X:39892 (ESTABLISHED)
bro        5338      SO-user    4u  IPv4  27919      0t0  UDP X.X.X.X:49106->X.X.X.X:53
bro        5338      SO-user  276u  IPv4  27547      0t0  TCP X.X.X.X:47761->X.X.X.X:39894 (ESTABLISHED)
bro        5342      SO-user    0u  IPv4  26513      0t0  TCP X.X.X.X:39892->X.X.X.X:47761 (ESTABLISHED)
bro        5342      SO-user    4u  IPv4  26316      0t0  UDP X.X.X.X:53671->X.X.X.X:53
bro        5342      SO-user  273u  IPv4  26518      0t0  TCP *:47762 (LISTEN)
bro        5342      SO-user  274u  IPv6  26519      0t0  TCP *:47762 (LISTEN)
bro        5342      SO-user  275u  IPv4  29149      0t0  TCP X.X.X.X:47762->X.X.X.X:52763 (ESTABLISHED)
bro        5346      SO-user    0u  IPv4  26528      0t0  TCP X.X.X.X:52763->X.X.X.X:47762 (ESTABLISHED)
bro        5346      SO-user    4u  IPv4  29051      0t0  UDP X.X.X.X:60762->X.X.X.X:53
bro        5346      SO-user  273u  IPv4  26531      0t0  TCP X.X.X.X:39894->X.X.X.X:47761 (ESTABLISHED)
bro        5346      SO-user  278u  IPv4  26536      0t0  TCP *:47763 (LISTEN)
bro        5346      SO-user  279u  IPv6  26537      0t0  TCP *:47763 (LISTEN)
sshd       8534         root    3u  IPv4 464725      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59468 (ESTABLISHED)
sshd       8536      SO-user    3u  IPv4 464725      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:59468 (ESTABLISHED)
sshd       8536      SO-user    7u  IPv6 468273      0t0  TCP [X.X.X.X]:6010 (LISTEN)
sshd       8536      SO-user    8u  IPv4 468274      0t0  TCP X.X.X.X:6010 (LISTEN)
sshd       8536      SO-user   10u  IPv4 471894      0t0  TCP X.X.X.X:6010->X.X.X.X:36661 (ESTABLISHED)
wish      10536      SO-user    3u  IPv4 474308      0t0  TCP X.X.X.X:36661->X.X.X.X:6010 (ESTABLISHED)
wish      10536      SO-user    4u  IPv4 470836      0t0  TCP X.X.X.X:48641->X.X.X.X:7734 (ESTABLISHED)
/usr/sbin 10789     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin 10789     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin 10789     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
/usr/sbin 10789     www-data   28u  IPv4 475572      0t0  TCP X.X.X.X:40019->X.X.X.X:3154 (CLOSE_WAIT)
/usr/sbin 11059     www-data    5u  IPv6  16096      0t0  TCP *:443 (LISTEN)
/usr/sbin 11059     www-data    7u  IPv6  16100      0t0  TCP *:9876 (LISTEN)
/usr/sbin 11059     www-data    9u  IPv6  16106      0t0  TCP *:3154 (LISTEN)
sshd      11978         root    3u  IPv4 477880      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:60026 (ESTABLISHED)
sshd      11987      SO-user    3u  IPv4 477880      0t0  TCP X.X.X.X:ssh_port->X.X.X.X:60026 (ESTABLISHED)
barnyard2 29980      SO-user    3u  IPv4 243564      0t0  TCP X.X.X.X:60192->X.X.X.X:8101 (CLOSE_WAIT)
barnyard2 30025      SO-user    3u  IPv4 246402      0t0  TCP X.X.X.X:58234->X.X.X.X:8102 (CLOSE_WAIT)

=========================================================================
IDS Rules Update
=========================================================================

Tue Feb 9 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 22 minutes to avoid overwhelming rule sites.
Running PulledPork.

    http://code.google.com/p/pulledpork/
      _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
   @_/        /  66\_  cummingsj@gmail.com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
    Rules tarball download of snortrules-snapshot-2980.tar.gz....
    They Match
    Done!
Rules tarball download of community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
Checking latest MD5 for emerging.rules.tar.gz....
    Rules tarball download of emerging.rules.tar.gz....
    They Match
    Done!
Rules tarball download of community-rules.tar.gz....
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Prepping rules from snortrules-snapshot-2980.tar.gz for work....
    Done!
Prepping rules from community-rules.tar.gz for work....
    Done!
Reading rules...
Generating Stub Rules....
    Done
Reading rules...
Reading rules...
Modifying Sids....
    Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
    Modified 3075 rules
    Done
Processing /etc/nsm/pulledpork/dropsid.conf....
    Modified 0 rules
    Done
Processing /etc/nsm/pulledpork/disablesid.conf....
    Modified 8962 rules
    Done
Setting Flowbit State....
    Enabled 391 flowbits
    Enabled 25 flowbits
    Enabled 5 flowbits
    Enabled 2 flowbits
    Done
Writing /etc/nsm/rules/downloaded.rules....
    Done
Generating sid-msg.map....
    Done
Writing v1 /etc/nsm/rules/sid-msg.map....
    Done
Writing /var/log/nsm/sid_changes.log....
    Done
Rule Stats...
    New:-------46
    Deleted:---16
    Enabled Rules:----21057
    Dropped Rules:----0
    Disabled Rules:---28448
    Total Rules:------49505
No IP Blacklist Changes
Done
Please review /var/log/nsm/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: SO-server-eth1
  * stopping: barnyard2-1 (spooler, unified2 format)            [ OK ]
  * starting: barnyard2-1 (spooler, unified2 format)            [ OK ]
  * stopping: barnyard2-2 (spooler, unified2 format)            [ OK ]
  * starting: barnyard2-2 (spooler, unified2 format)            [ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth1
  * stopping: snort-1 (alert data)                              [ OK ]
  * starting: snort-1 (alert data)                              [ OK ]
  * stopping: snort-2 (alert data)                              [ OK ]
  * starting: snort-2 (alert data)                              [ OK ]

=========================================================================
CPU Usage
=========================================================================

Load average for the last 1, 5, and 15 minutes:
0.19 0.65 0.82
Processing units: 6
If load average is higher than processing units, then tune until load average is lower than processing units.

top - 17:39:57 up 12:39,  2 users,  load average: 0.19, 0.65, 0.82
Tasks: 227 total,   2 running, 225 sleeping,   0 stopped,   0 zombie
%Cpu(s):  6.6 us,  2.1 sy,  0.0 ni, 88.4 id,  2.9 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:  16434048 total, 13396688 used,  3037360 free,      592 buffers
KiB Swap:  8000508 total,     5308 used,  7995200 free.  6996936 cached Mem

%CPU %MEM COMMAND
29.4  3.7 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 2.5  0.4 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 2.3  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
 1.0  1.2 /usr/sbin/mysqld
 0.8  7.7 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-2.stats -U
 0.7  0.1 wish /usr/bin/SO-user.tk
 0.7  7.7 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -F /etc/nsm/SO-server-eth1/bpf-ids.conf -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U
 0.6  0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i 1 -U
 0.6  0.1 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-2 -i 2 -U
 0.4  5.1 /usr/bin/searchd --nodetach
 0.2  0.0 /var/ossec/bin/ossec-syscheckd
 0.2  7.3 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2016-02-09/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 1 iB --interval 150 iB --mmap
 0.2  0.0 sudo sostat-redacted
 0.2  0.0 sed -r s/(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b/X.X.X.X/g
 0.1  0.0 sshd: SO-user@pts/6
 0.1  0.9 /usr/sbin/apache2 -k start
 0.1  0.8 /usr/sbin/apache2 -k start
 0.0  0.0 /sbin/init
 0.0  0.0 [kthreadd]
 0.0  0.0 [ksoftirqd/0]
 0.0  0.0 [kworker/0:0H]
 0.0  0.0 [rcu_sched]
 0.0  0.0 [rcuos/0]
 0.0  0.0 [rcuos/1]
 0.0  0.0 [rcuos/2]
 0.0  0.0 [rcuos/3]
 0.0  0.0 [rcuos/4]
 0.0  0.0 [rcuos/5]
 0.0  0.0 [rcu_bh]
 0.0  0.0 [rcuob/0]
 0.0  0.0 [rcuob/1]
 0.0  0.0 [rcuob/2]
 0.0  0.0 [rcuob/3]
 0.0  0.0 [rcuob/4]
 0.0  0.0 [rcuob/5]
 0.0  0.0 [migration/0]
 0.0  0.0 [watchdog/0]
 0.0  0.0 [watchdog/1]
 0.0  0.0 [migration/1]
 0.0  0.0 [ksoftirqd/1]
 0.0  0.0 [kworker/1:0H]
 0.0  0.0 [watchdog/2]
 0.0  0.0 [migration/2]
 0.0  0.0 [ksoftirqd/2]
 0.0  0.0 [kworker/2:0H]
 0.0  0.0 [watchdog/3]
 0.0  0.0 [migration/3]
 0.0  0.0 [ksoftirqd/3]
 0.0  0.0 [kworker/3:0H]
 0.0  0.0 [watchdog/4]
 0.0  0.0 [migration/4]
 0.0  0.0 [ksoftirqd/4]
 0.0  0.0 [kworker/4:0H]
 0.0  0.0 [watchdog/5]
 0.0  0.0 [migration/5]
 0.0  0.0 [ksoftirqd/5]
 0.0  0.0 [kworker/5:0H]
 0.0  0.0 [khelper]
 0.0  0.0 [kdevtmpfs]
 0.0  0.0 [netns]
 0.0  0.0 [writeback]
 0.0  0.0 [kintegrityd]
 0.0  0.0 [bioset]
 0.0  0.0 [kworker/u13:0]
 0.0  0.0 [kblockd]
 0.0  0.0 [ata_sff]
 0.0  0.0 [khubd]
 0.0  0.0 [md]
 0.0  0.0 [devfreq_wq]
 0.0  0.0 [khungtaskd]
 0.0  0.0 [kswapd0]
 0.0  0.0 [ksmd]
 0.0  0.0 [khugepaged]
 0.0  0.0 [fsnotify_mark]
 0.0  0.0 [ecryptfs-kthrea]
 0.0  0.0 [crypto]
 0.0  0.0 [kthrotld]
 0.0  0.0 [kworker/1:1]
 0.0  0.0 [scsi_eh_0]
 0.0  0.0 [scsi_eh_1]
 0.0  0.0 [deferwq]
 0.0  0.0 [charger_manager]
 0.0  0.0 [kworker/2:1]
 0.0  0.0 [kworker/3:1]
 0.0  0.0 [kworker/4:1]
 0.0  0.0 [mpt_poll_0]
 0.0  0.0 [mpt/0]
 0.0  0.0 [kpsmoused]
 0.0  0.0 [scsi_eh_2]
 0.0  0.0 [ttm_swap]
 0.0  0.0 [bioset]
 0.0  0.0 [xfsalloc]
 0.0  0.0 [xfs_mru_cache]
 0.0  0.0 [xfslogd]
 0.0  0.0 [xfs-data/sda4]
 0.0  0.0 [xfs-conv/sda4]
 0.0  0.0 [xfs-cil/sda4]
 0.0  0.0 [xfs-reclaim/sda]
 0.0  0.0 [xfs-log/sda4]
 0.0  0.0 [xfs-eofblocks/s]
 0.0  0.0 [kworker/0:1H]
 0.0  0.0 [xfsaild/sda4]
 0.0  0.0 [kworker/u13:1]
 0.0  0.0 upstart-udev-bridge --daemon
 0.0  0.0 /lib/systemd/systemd-udevd --daemon
 0.0  0.0 [kmpathd]
 0.0  0.0 [kmpath_handlerd]
 0.0  0.0 upstart-socket-bridge --daemon
 0.0  0.0 [ext4-rsv-conver]
 0.0  0.0 dbus-daemon --system --fork
 0.0  0.0 upstart-file-bridge --daemon
 0.0  0.0 /usr/sbin/bluetoothd
 0.0  0.0 [krfcommd]
 0.0  0.0 avahi-daemon: running [SO-server.local]
 0.0  0.0 avahi-daemon: chroot helper
 0.0  0.0 /lib/systemd/systemd-logind
 0.0  0.0 /usr/sbin/cupsd -f
 0.0  0.0 /usr/sbin/cups-browsed
 0.0  0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 118:126
 0.0  0.0 /sbin/getty -8 38400 tty4
 0.0  0.0 /sbin/getty -8 38400 tty5
 0.0  0.0 /sbin/getty -8 38400 tty2
 0.0  0.0 /sbin/getty -8 38400 tty3
 0.0  0.0 /sbin/getty -8 38400 tty6
 0.0  0.0 /usr/sbin/sshd -D
 0.0  0.0 cron
 0.0  0.0 atd
 0.0  0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
 0.0  0.0 supervising syslog-ng
 0.0  0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
 0.0  0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
 0.0  0.0 [kauditd]
 0.0  0.0 /usr/sbin/console-kit-daemon --no-daemon
 0.0  0.0 /usr/lib/policykit-1/polkitd --no-debug
 0.0  0.0 /usr/sbin/kerneloops
 0.0  0.0 /var/ossec/bin/ossec-csyslogd
 0.0  0.0 /var/ossec/bin/ossec-execd
 0.0  0.0 /var/ossec/bin/ossec-analysisd
 0.0  0.0 /var/ossec/bin/ossec-logcollector
 0.0  0.0 /var/ossec/bin/ossec-remoted
 0.0  0.0 /var/ossec/bin/ossec-monitord
 0.0  0.0 /usr/bin/vmtoolsd
 0.0  0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
 0.0  0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
 0.0  0.3 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
 0.0  0.8 /usr/sbin/apache2 -k start
 0.0  0.0 lightdm
 0.0  0.1 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
 0.0  0.0 /usr/lib/accountsservice/accounts-daemon
 0.0  0.0 lightdm --session-child 16 19
 0.0  0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
 0.0  0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
 0.0  0.2 /usr/sbin/lightdm-gtk-greeter
 0.0  0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
 0.0  0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
 0.0  0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
 0.0  0.0 /usr/lib/gvfs/gvfsd
 0.0  0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
 0.0  0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/104/gvfs -f -o big_writes
 0.0  0.0 init --user --startup-event indicator-services-start
 0.0  0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
 0.0  0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
 0.0  0.0 /usr/lib/x86_64-linux-gnu/indicator-sound/indicator-sound-service
 0.0  0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
 0.0  0.0 /usr/lib/upower/upowerd
 0.0  0.0 lightdm --session-child 12 19
 0.0  0.9 /usr/sbin/apache2 -k start
 0.0  0.8 /usr/sbin/apache2 -k start
 0.0  0.8 /usr/sbin/apache2 -k start
 0.0  0.9 /usr/sbin/apache2 -k start
 0.0  0.9 /usr/sbin/apache2 -k start
 0.0  0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
 0.0  0.0 /sbin/getty -8 38400 tty1
 0.0  0.0 /usr/bin/pulseaudio --start --log-target=syslog
 0.0  0.0 /usr/lib/rtkit/rtkit-daemon
 0.0  0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
 0.0  0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
 0.0  0.0 su - SO-user -- /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.1 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
 0.0  0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
 0.0  0.8 /usr/sbin/apache2 -k start
 0.0  0.8 /usr/sbin/apache2 -k start
 0.0  0.9 /usr/sbin/apache2 -k start
 0.0  0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
 0.0  0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-2.stats
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
 0.0  0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 0.0  0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
 0.0  3.5 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 0.0  0.0 ./dema -d /opt/xplico -b sqlite
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 tclsh /usr/bin/SO-userd -c /etc/nsm/securityonion/SO-userd.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/SO-userd.queries -A /etc/nsm/securityonion/SO-userd.access -C /etc/nsm/securityonion/certs
 0.0  0.0 [kworker/0:1]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 -bash
 0.0  0.0 [kworker/3:2]
 0.0  0.0 [kworker/5:1]
 0.0  0.0 [kworker/0:0]
 0.0  0.0 [kworker/2:0]
 0.0  0.0 [kworker/u12:0]
 0.0  0.0 [kworker/5:0]
 0.0  0.0 [kworker/1:2]
 0.0  0.0 sshd: SO-user [priv]
 0.0  0.0 sshd: SO-user@pts/10
 0.0  0.0 -bash
 0.0  0.0 [kworker/4:0]
 0.0  0.0 [kworker/u12:2]
 0.0  0.0 [kworker/3:0]
 0.0  0.0 /bin/bash /usr/bin/sostat-redacted
 0.0  0.0 /bin/bash /usr/bin/sostat
 0.0  0.0 sed -r s/(\b[0-9]{1,3}\.){3}[0-9]{1,3}\b/X.X.X.X/g
 0.0  0.0 sed -r s/([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}/MM:MM:MM:MM:MM:MM/g
 0.0  0.0 sed -r s/X:ssh_port/X:ssh_port/g
 0.0  0.0 sed -r s/\*:ssh_port/*:ssh_port/g
 0.0  0.0 sed -r s/SO-server/SO-server/g
 0.0  0.0 sed -r s/SO-node/SO-node/g
 0.0  0.0 sed -r s/SO-user|SO-user/SO-user/g
 0.0  0.0 ps -eo pcpu,pmem,args --sort -pcpu
 0.0  0.0 [kworker/4:1H]
 0.0  0.0 [kworker/u12:1]

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth1: 21507

=========================================================================
Log Archive
=========================================================================

/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
0 .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 232 days
2.4T .
8.7G ./2015-06-23 6.6G ./2015-06-24 5.9G ./2015-06-25 9.9G ./2015-06-26 5.7G ./2015-06-27 8.4G ./2015-06-28 13G ./2015-06-29 6.6G ./2015-06-30 9.4G ./2015-07-01 9.3G ./2015-07-02 16G ./2015-07-03 9.4G ./2015-07-04 9.5G ./2015-07-05 13G ./2015-07-06 27G ./2015-07-07 6.2G ./2015-07-08 12G ./2015-07-09 9.4G ./2015-07-10 9.1G ./2015-07-11 7.8G ./2015-07-12 12G ./2015-07-13 7.3G ./2015-07-14 11G ./2015-07-15 9.8G ./2015-07-16 14G ./2015-07-17 6.1G ./2015-07-18 7.7G ./2015-07-19 15G ./2015-07-20 8.2G ./2015-07-21 14G ./2015-07-22 13G ./2015-07-23 7.6G ./2015-07-24 12G ./2015-07-25 8.9G ./2015-07-26 7.0G ./2015-07-27 7.3G ./2015-07-28 8.4G ./2015-07-29 2.2G ./2015-07-30 4.7G ./2015-07-31 6.6G ./2015-08-01 8.4G ./2015-08-02 6.0G ./2015-08-03 3.3G ./2015-08-04 6.0G ./2015-08-05 8.2G ./2015-08-06 8.0G ./2015-08-07 12G ./2015-08-08 5.7G ./2015-08-09 4.4G ./2015-08-10 19G ./2015-08-11 6.8G ./2015-08-12 7.5G ./2015-08-13 7.8G ./2015-08-14 8.5G ./2015-08-15 6.8G ./2015-08-16 5.2G ./2015-08-17 7.6G ./2015-08-18 8.4G ./2015-08-19 12G ./2015-08-20 16G ./2015-08-21 8.7G ./2015-08-22 13G ./2015-08-23 4.2G ./2015-08-24 15G ./2015-08-25 5.6G ./2015-08-26 5.8G ./2015-08-27 14G ./2015-08-28 8.3G ./2015-08-29 7.8G ./2015-08-30 7.0G ./2015-08-31 4.3G ./2015-09-01 11G ./2015-09-02 13G ./2015-09-03 7.5G ./2015-09-04 8.1G ./2015-09-05 11G ./2015-09-06 9.0G ./2015-09-07 21G ./2015-09-08 14G ./2015-09-09 6.7G ./2015-09-10 5.0G ./2015-09-11 8.7G ./2015-09-12 18G ./2015-09-13 11G ./2015-09-14 5.0G ./2015-09-15 4.7G ./2015-09-16 21G ./2015-09-17 7.1G ./2015-09-18 8.4G ./2015-09-19 12G ./2015-09-20 9.1G ./2015-09-21 8.7G
./2015-09-22 16G ./2015-09-23 7.0G ./2015-09-24 5.8G ./2015-09-25 20G ./2015-09-26 9.1G ./2015-09-27 9.9G ./2015-09-28 7.1G ./2015-09-29 5.8G ./2015-09-30 12G ./2015-10-01 8.0G ./2015-10-02 4.5G ./2015-10-03 13G ./2015-10-04 15G ./2015-10-05 5.3G ./2015-10-06 2.6G ./2015-10-07 9.9G ./2015-10-08 6.0G ./2015-10-09 6.7G ./2015-10-10 10G ./2015-10-11 19G ./2015-10-12 5.9G ./2015-10-13 7.3G ./2015-10-14 11G ./2015-10-15 8.7G ./2015-10-16 7.6G ./2015-10-17 5.7G ./2015-10-18 16G ./2015-10-19 16G ./2015-10-20 4.1G ./2015-10-21 29G ./2015-10-22 7.4G ./2015-10-23 6.7G ./2015-10-24 8.5G ./2015-10-25 13G ./2015-10-26 5.8G ./2015-10-27 5.3G ./2015-10-28 9.9G ./2015-10-29 4.7G ./2015-10-30 5.7G ./2015-10-31 17G ./2015-11-01 8.7G ./2015-11-02 3.4G ./2015-11-03 4.3G ./2015-11-04 6.5G ./2015-11-05 9.1G ./2015-11-06 8.6G ./2015-11-07 11G ./2015-11-08 13G ./2015-11-09 3.8G ./2015-11-10 3.2G ./2015-11-11 6.4G ./2015-11-12 15G ./2015-11-13 7.8G ./2015-11-14 11G ./2015-11-15 17G ./2015-11-16 5.7G ./2015-11-17 7.9G ./2015-11-18 8.1G ./2015-11-19 8.7G ./2015-11-20 251M ./2015-11-21 3.5G ./2015-11-22 13G ./2015-11-23 6.4G ./2015-11-24 4.1G ./2015-11-25 11G ./2015-11-26 14G ./2015-11-27 28G ./2015-11-28 13G ./2015-11-29 13G ./2015-11-30 10G ./2015-12-01 7.0G ./2015-12-02 6.8G ./2015-12-03 8.8G ./2015-12-04 11G ./2015-12-05 7.9G ./2015-12-06 12G ./2015-12-07 20G ./2015-12-08 9.2G ./2015-12-09 13G ./2015-12-10 20G ./2015-12-11 23G ./2015-12-12 23G ./2015-12-13 17G ./2015-12-14 15G ./2015-12-15 5.0G ./2015-12-16 9.5G ./2015-12-17 13G ./2015-12-18 7.1G ./2015-12-19 6.4G ./2015-12-20 0 ./2015-12-21 18G ./2015-12-22 12G ./2015-12-23 21G ./2015-12-24 7.6G ./2015-12-25 25G ./2015-12-26 6.2G ./2015-12-27 8.4G ./2015-12-28 13G ./2015-12-29 8.7G ./2015-12-30 15G ./2015-12-31 6.7G ./2016-01-01 16G ./2016-01-02 44G ./2016-01-03 11G ./2016-01-04 40G ./2016-01-05 9.0G ./2016-01-06 14G ./2016-01-07 17G ./2016-01-08 15G ./2016-01-09 15G ./2016-01-10 22G ./2016-01-11 7.6G ./2016-01-12 7.2G ./2016-01-13 17G 
./2016-01-14 8.6G ./2016-01-15 12G ./2016-01-16 9.6G ./2016-01-17 13G ./2016-01-18 14G ./2016-01-19 9.5G ./2016-01-20 9.6G ./2016-01-21 9.9G ./2016-01-22 19G ./2016-01-23 18G ./2016-01-24 15G ./2016-01-25 11G ./2016-01-26 13G ./2016-01-27 8.0G ./2016-01-28 8.0G ./2016-01-29 15G ./2016-01-30 22G ./2016-01-31 15G ./2016-02-01 19G ./2016-02-02 12G ./2016-02-03 8.5G ./2016-02-04 9.0G ./2016-02-05 15G ./2016-02-06 13G ./2016-02-07 14G ./2016-02-08 6.2G ./2016-02-09

/nsm/sensor_data/SO-server-eth2/dailylogs/ - 228 days
93G .
21M ./2015-06-24 21M ./2015-06-25 21M ./2015-06-26 21M ./2015-06-27 21M ./2015-06-28 21M ./2015-06-29 21M ./2015-06-30 21M ./2015-07-01 21M ./2015-07-02 21M ./2015-07-03 27M ./2015-07-04 277M ./2015-07-05 1.3G ./2015-07-06 22M ./2015-07-07 21M ./2015-07-08 21M ./2015-07-09 21M ./2015-07-10 229M ./2015-07-11 27M ./2015-07-12 22M ./2015-07-13 22M ./2015-07-14 22M ./2015-07-15 22M ./2015-07-16 22M ./2015-07-17 22M ./2015-07-18 22M ./2015-07-19 22M ./2015-07-20 22M ./2015-07-21 57M ./2015-07-22 22M ./2015-07-23 23M ./2015-07-24 4.1G ./2015-07-25 290M ./2015-07-26 551M ./2015-07-27 21M ./2015-07-28 21M ./2015-07-29 21M ./2015-07-30 21M ./2015-07-31 875M ./2015-08-01 5.4G ./2015-08-02 890M ./2015-08-03 684M ./2015-08-04 1007M ./2015-08-05 2.4G ./2015-08-06 520M ./2015-08-07 1.9G ./2015-08-08 994M ./2015-08-09 851M ./2015-08-10 22M ./2015-08-11 22M ./2015-08-12 22M ./2015-08-13 22M ./2015-08-14 22M ./2015-08-15 22M ./2015-08-16 22M ./2015-08-17 22M ./2015-08-18 18M ./2015-08-19 22M ./2015-08-20 22M ./2015-08-21 22M ./2015-08-22 22M ./2015-08-23 22M ./2015-08-24 22M ./2015-08-25 22M ./2015-08-26 22M ./2015-08-27 22M ./2015-08-28 22M ./2015-08-29 23M ./2015-08-30 92M ./2015-08-31 22M ./2015-09-01 20M ./2015-09-02 8.0K ./2015-09-03 4.0K ./2015-09-04 4.0K ./2015-09-05 12K ./2015-09-06 4.0K ./2015-09-07 4.0K ./2015-09-08 4.0K ./2015-09-09 4.0K ./2015-09-10 4.0K ./2015-09-11 4.0K ./2015-09-12 1.2M ./2015-09-13 4.0G ./2015-09-14 410M ./2015-09-15 55M
./2015-09-16 1.4G ./2015-09-17 205M ./2015-09-18 375M ./2015-09-19 81M ./2015-09-20 654M ./2015-09-21 8.0K ./2015-09-22 12K ./2015-09-23 8.0K ./2015-09-24 8.0K ./2015-09-25 8.0K ./2015-09-26 64K ./2015-09-27 16K ./2015-09-28 8.0K ./2015-09-29 8.0K ./2015-09-30 12K ./2015-10-01 8.0K ./2015-10-02 80M ./2015-10-03 8.0K ./2015-10-04 8.0K ./2015-10-05 8.0K ./2015-10-06 8.0K ./2015-10-07 8.0K ./2015-10-08 8.0K ./2015-10-09 8.0K ./2015-10-10 8.0K ./2015-10-11 56K ./2015-10-12 8.0K ./2015-10-13 8.0K ./2015-10-14 180K ./2015-10-15 8.0K ./2015-10-16 8.0K ./2015-10-17 8.0K ./2015-10-18 16K ./2015-10-19 8.0K ./2015-10-20 8.0K ./2015-10-21 72K ./2015-10-22 8.0K ./2015-10-23 8.0K ./2015-10-24 8.0K ./2015-10-25 32K ./2015-10-26 8.0K ./2015-10-27 8.0K ./2015-10-28 8.0K ./2015-10-29 20K ./2015-10-30 1.2G ./2015-10-31 2.9G ./2015-11-01 1.7G ./2015-11-02 6.6G ./2015-11-03 6.2G ./2015-11-04 314M ./2015-11-05 405M ./2015-11-06 380M ./2015-11-07 294M ./2015-11-08 1.5G ./2015-11-09 2.0G ./2015-11-10 8.0K ./2015-11-11 12K ./2015-11-12 8.0K ./2015-11-13 8.0K ./2015-11-14 16K ./2015-11-15 8.0K ./2015-11-16 12K ./2015-11-17 8.0K ./2015-11-18 362M ./2015-11-19 190M ./2015-11-20 4.6M ./2015-11-21 44K ./2015-11-22 352K ./2015-11-23 8.0K ./2015-11-24 8.0K ./2015-11-25 8.0K ./2015-11-26 8.0K ./2015-11-27 28K ./2015-11-28 16K ./2015-11-29 8.0K ./2015-11-30 8.0K ./2015-12-01 8.0K ./2015-12-02 8.0K ./2015-12-03 24K ./2015-12-04 16K ./2015-12-05 8.0K ./2015-12-06 8.0K ./2015-12-07 8.0K ./2015-12-08 8.0K ./2015-12-09 8.0K ./2015-12-10 8.0K ./2015-12-11 8.0K ./2015-12-12 156K ./2015-12-13 8.0K ./2015-12-14 8.0K ./2015-12-15 8.0K ./2015-12-16 132K ./2015-12-17 4.0G ./2015-12-18 3.7G ./2015-12-19 1.4G ./2015-12-20 2.5G ./2015-12-21 3.1G ./2015-12-22 5.7G ./2015-12-23 4.9G ./2015-12-24 2.4G ./2015-12-25 3.9G ./2015-12-26 11M ./2015-12-27 208K ./2015-12-28 928K ./2015-12-29 304K ./2015-12-30 1.3M ./2015-12-31 700K ./2016-01-01 688K ./2016-01-02 556K ./2016-01-03 360K ./2016-01-04 272K ./2016-01-05 451M 
./2016-01-06 20M ./2016-01-07 30M ./2016-01-08 22M ./2016-01-09 15M ./2016-01-10 26M ./2016-01-11 76M ./2016-01-12 38M ./2016-01-13 27M ./2016-01-14 21M ./2016-01-15 304M ./2016-01-16 1.3G ./2016-01-17 15M ./2016-01-18 670M ./2016-01-19 319M ./2016-01-20 20M ./2016-01-21 26M ./2016-01-22 26M ./2016-01-23 17M ./2016-01-24 24M ./2016-01-25 614M ./2016-01-26 24M ./2016-01-27 19M ./2016-01-28 21M ./2016-01-29 24M ./2016-01-30 20M ./2016-01-31 3.9G ./2016-02-01 12M ./2016-02-02 9.8M ./2016-02-03 7.5M ./2016-02-04 2.6M ./2016-02-05 2.1M ./2016-02-06
/nsm/sensor_data/SO-server-eth3/dailylogs/ - 0 days
0 .
/nsm/bro/logs/ - 232 days
2.6G . 14M ./2015-06-23 11M ./2015-06-24 15M ./2015-06-25 12M ./2015-06-26 13M ./2015-06-27 13M ./2015-06-28 14M ./2015-06-29 11M ./2015-06-30 12M ./2015-07-01 16M ./2015-07-02 17M ./2015-07-03 11M ./2015-07-04 9.5M ./2015-07-05 16M ./2015-07-06 11M ./2015-07-07 9.1M ./2015-07-08 14M ./2015-07-09 12M ./2015-07-10 15M ./2015-07-11 9.6M ./2015-07-12 13M ./2015-07-13 11M ./2015-07-14 9.9M ./2015-07-15 14M ./2015-07-16 13M ./2015-07-17 9.8M ./2015-07-18 11M ./2015-07-19 12M ./2015-07-20 10M ./2015-07-21 11M ./2015-07-22 13M ./2015-07-23 11M ./2015-07-24 11M ./2015-07-25 13M ./2015-07-26 14M ./2015-07-27 8.8M ./2015-07-28 12M ./2015-07-29 9.3M ./2015-07-30 9.7M ./2015-07-31 11M ./2015-08-01 13M ./2015-08-02 12M ./2015-08-03 9.0M ./2015-08-04 8.8M ./2015-08-05 11M ./2015-08-06 11M ./2015-08-07 11M ./2015-08-08 9.1M ./2015-08-09 7.2M ./2015-08-10 9.9M ./2015-08-11 7.8M ./2015-08-12 9.4M ./2015-08-13 11M ./2015-08-14 11M ./2015-08-15 7.9M ./2015-08-16 7.5M ./2015-08-17 9.8M ./2015-08-18 9.2M ./2015-08-19 13M ./2015-08-20 12M ./2015-08-21 9.4M ./2015-08-22 8.9M ./2015-08-23 8.9M ./2015-08-24 11M ./2015-08-25 8.9M ./2015-08-26 10M ./2015-08-27 9.5M ./2015-08-28 9.1M ./2015-08-29 11M ./2015-08-30 15M ./2015-08-31 12M ./2015-09-01 13M ./2015-09-02 12M ./2015-09-03 8.3M ./2015-09-04 8.7M ./2015-09-05 14M ./2015-09-06 14M ./2015-09-07 8.3M ./2015-09-08
7.7M ./2015-09-09 9.5M ./2015-09-10 7.5M ./2015-09-11 11M ./2015-09-12 12M ./2015-09-13 13M ./2015-09-14 12M ./2015-09-15 7.6M ./2015-09-16 15M ./2015-09-17 8.1M ./2015-09-18 11M ./2015-09-19 9.5M ./2015-09-20 13M ./2015-09-21 8.6M ./2015-09-22 7.2M ./2015-09-23 6.9M ./2015-09-24 7.1M ./2015-09-25 16M ./2015-09-26 9.4M ./2015-09-27 9.5M ./2015-09-28 9.8M ./2015-09-29 7.0M ./2015-09-30 8.8M ./2015-10-01 5.9M ./2015-10-02 6.3M ./2015-10-03 9.8M ./2015-10-04 11M ./2015-10-05 7.5M ./2015-10-06 7.0M ./2015-10-07 9.6M ./2015-10-08 6.5M ./2015-10-09 6.5M ./2015-10-10 18M ./2015-10-11 14M ./2015-10-12 12M ./2015-10-13 8.0M ./2015-10-14 8.2M ./2015-10-15 9.5M ./2015-10-16 8.9M ./2015-10-17 12M ./2015-10-18 12M ./2015-10-19 13M ./2015-10-20 8.1M ./2015-10-21 12M ./2015-10-22 7.1M ./2015-10-23 7.2M ./2015-10-24 7.2M ./2015-10-25 7.5M ./2015-10-26 9.8M ./2015-10-27 7.1M ./2015-10-28 8.5M ./2015-10-29 8.0M ./2015-10-30 11M ./2015-10-31 12M ./2015-11-01 18M ./2015-11-02 13M ./2015-11-03 14M ./2015-11-04 11M ./2015-11-05 12M ./2015-11-06 11M ./2015-11-07 9.7M ./2015-11-08 14M ./2015-11-09 12M ./2015-11-10 6.1M ./2015-11-11 7.3M ./2015-11-12 8.4M ./2015-11-13 6.7M ./2015-11-14 9.7M ./2015-11-15 11M ./2015-11-16 8.6M ./2015-11-17 7.5M ./2015-11-18 9.5M ./2015-11-19 11M ./2015-11-20 3.9M ./2015-11-21 4.7M ./2015-11-22 6.4M ./2015-11-23 9.6M ./2015-11-24 7.7M ./2015-11-25 8.9M ./2015-11-26 7.6M ./2015-11-27 8.0M ./2015-11-28 11M ./2015-11-29 8.9M ./2015-11-30 11M ./2015-12-01 6.8M ./2015-12-02 5.4M ./2015-12-03 8.8M ./2015-12-04 9.7M ./2015-12-05 12M ./2015-12-06 9.7M ./2015-12-07 14M ./2015-12-08 8.2M ./2015-12-09 12M ./2015-12-10 13M ./2015-12-11 11M ./2015-12-12 14M ./2015-12-13 14M ./2015-12-14 17M ./2015-12-15 8.6M ./2015-12-16 12M ./2015-12-17 13M ./2015-12-18 16M ./2015-12-19 11M ./2015-12-20 15M ./2015-12-21 19M ./2015-12-22 13M ./2015-12-23 15M ./2015-12-24 11M ./2015-12-25 14M ./2015-12-26 6.9M ./2015-12-27 11M ./2015-12-28 2.4M ./2015-12-29 7.0M ./2015-12-30 644K 
./2015-12-31 8.1M ./2016-01-01 8.4M ./2016-01-02 13M ./2016-01-03 12M ./2016-01-04 11M ./2016-01-05 11M ./2016-01-06 11M ./2016-01-07 9.0M ./2016-01-08 8.6M ./2016-01-09 11M ./2016-01-10 12M ./2016-01-11 8.8M ./2016-01-12 7.0M ./2016-01-13 7.1M ./2016-01-14 7.6M ./2016-01-15 6.7M ./2016-01-16 7.7M ./2016-01-17 7.3M ./2016-01-18 12M ./2016-01-19 412K ./2016-01-20 10M ./2016-01-21 360K ./2016-01-22 7.5M ./2016-01-23 11M ./2016-01-24 11M ./2016-01-25 11M ./2016-01-26 7.5M ./2016-01-27 7.5M ./2016-01-28 7.8M ./2016-01-29 8.5M ./2016-01-30 16M ./2016-01-31 11M ./2016-02-01 9.8M ./2016-02-02 6.8M ./2016-02-03 9.9M ./2016-02-04 11M ./2016-02-05 9.7M ./2016-02-06 13M ./2016-02-07 14M ./2016-02-08 8.3M ./2016-02-09 259M ./stats

=========================================================================
Bro netstats
=========================================================================
Average packet loss as percent across all Bro workers: 0.000000
SO-server-eth1-1: 1455039598.685807 recvd=3824094 dropped=0 link=3824094

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/SO-server-eth2/snort-2.stats last reported pkt_drop_percent as 0.000
ERROR: No stats found in /nsm/sensor_data/SO-server-eth3/snort-1.stats
ERROR: No stats found in /nsm/sensor_data/SO-server-eth3/snort-2.stats

=========================================================================
pf_ring stats
=========================================================================
PF_RING Version : 6.0.3 ($Revision: $)
Total rings : 3

Standard (non DNA/ZC) Options
Ring slots : 65534
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

/proc/net/pf_ring/30126-eth1.33
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 299634
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65520

/proc/net/pf_ring/30173-eth1.34
Appl. Name : snort-cluster-52-socket-0
Tot Packets : 385651
Tot Pkt Lost : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65538
Num Free Slots : 65536

/proc/net/pf_ring/5206-eth1.1
Appl. Name : bro-eth1
Tot Packets : 3824882
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Min Num Slots : 65534
Num Free Slots : 65534

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
0

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
6 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
2 1:2008420 ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile
2 1:2012888 ET POLICY Http Client Body contains pwd= in cleartext
2 1:2404158 ET CNC Zeus Tracker Reported CnC Server TCP group 5
1 1:2001329 ET POLICY RDP connection request
1 1:2001330 ET POLICY RDP connection confirm
Total 14

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1118448 128:4 ssh: Protocol mismatch
9319 1:2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
6217 1:24551 FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt
3771 1:6700 FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt
2491 1:2018904 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
1766 1:25459 FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt
1470 1:2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1286 1:2012694 ET POLICY request to .xxx TLD
727 1:2000419 ET POLICY PE EXE or DLL Windows file download
630 1:2014819 ET INFO Packed Executable Download
321 1:2015561 ET INFO PDF Using CCITTFax Filter
237 1:36535 EXPLOIT-KIT Neutrino exploit kit landing page detected
221 1:2014518 ET INFO EXE - OSX Disk Image Download
210 1:2007994 ET MALWARE Suspicious User-Agent (1 space)
174 1:2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
161 1:2001330 ET POLICY RDP connection confirm
124 1:2012086 ET SHELLCODE Possible Call with No Offset TCP Shellcode
123 3:13667 PROTOCOL-DNS dns cache poisoning attempt
118 1:2000418 ET POLICY Executable and linking format (ELF) file download
118 1:2001329 ET POLICY RDP connection request
99 1:37125 FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt
95 128:1 ssh: Gobbles exploit
92 1:2016360 ET INFO JAVA - ClassID
87 1:36501 FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt
84 1:2008420 ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile
74 1:2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
72 129:2 stream5: Data on SYN packet
72 1:37355 EXPLOIT-KIT Sweet Orange exploit kit landing page detected
72 1:2022218 ET POLICY Lets Encrypt Free SSL Cert Observed
62 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
57 123:8 frag3: Fragmentation overlap
54 1:2010525 ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
48 1:23878 BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt
46 1:2019401 ET POLICY Vulnerable Java Version 1.8.x Detected
46 1:2012522 ET POLICY DNS Query For XXX Adult Site Top Level Domain
35 123:2 frag3: Teardrop attack
34 1:2013030 ET POLICY libwww-perl User-Agent
29 1:18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
28 1:27525 FILE-IMAGE Directshow GIF logical width overflow attempt
25 1:2014520 ET INFO EXE - Served Attached HTTP
24 1:16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
24 1:2012870 ET POLICY HTTP Outbound Request contains pw
24 1:37111 FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt
24 1:2013028 ET POLICY curl User-Agent Outbound
22 1:2016766 ET INFO PDF - Acrobat Enumeration - var PDFObject
21 1:2012611 ET USER_AGENTS Suspicious User-Agent Sample
19 124:3 smtp: Attempted response buffer overflow
18 1:32488 INDICATOR-COMPROMISE .com- potentially malicious hostname
16 1:2012885 ET POLICY Http Client Body contains password= in cleartext
16 1:2018302 ET INFO Possible Phish - Mirrored Website Comment Observed
Total 1149920

=========================================================================
Last update
=========================================================================
Start-Date: 2016-02-08 16:16:50
Commandline: apt-get -y remove --purge linux-image-3.13.0-74-generic linux-headers-3.13.0-74-generic
Purge: linux-image-3.13.0-74-generic:amd64 (3.13.0-74.118), linux-headers-3.13.0-74-generic:amd64 (3.13.0-74.118)
End-Date: 2016-02-08 16:17:39

Start-Date: 2016-02-08 16:18:22
Commandline: apt-get -y dist-upgrade
Upgrade: libibus-1.0-5:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), libdrm-intel1:amd64 (2.4.60-2~ubuntu14.04.1, 2.4.64-1~ubuntu14.04.1), gir1.2-ibus-1.0:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), openssh-server:amd64 (6.6p1-2ubuntu2.4, 6.6p1-2ubuntu2.6), libdrm-radeon1:amd64 (2.4.60-2~ubuntu14.04.1, 2.4.64-1~ubuntu14.04.1), openssh-sftp-server:amd64 (6.6p1-2ubuntu2.4, 6.6p1-2ubuntu2.6), python-ibus:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), ibus-gtk:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), ntp:amd64 (4.2.6.p5+dfsg-3ubuntu2.14.04.6, 4.2.6.p5+dfsg-3ubuntu2.14.04.7), ibus:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), openssh-client:amd64 (6.6p1-2ubuntu2.4, 6.6p1-2ubuntu2.6), libdrm-nouveau2:amd64 (2.4.60-2~ubuntu14.04.1, 2.4.64-1~ubuntu14.04.1), passwd:amd64 (X.X.X.X-1ubuntu9.1, X.X.X.X-1ubuntu9.2), securityonion-setup:amd64 (20120912-0ubuntu0securityonion192, 20120912-0ubuntu0securityonion194), login:amd64 (X.X.X.X-1ubuntu9.1, X.X.X.X-1ubuntu9.2), ibus-gtk3:amd64 (1.5.5-1ubuntu3, 1.5.5-1ubuntu3.2), libdrm2:amd64 (2.4.60-2~ubuntu14.04.1, 2.4.64-1~ubuntu14.04.1), ntpdate:amd64 (4.2.6.p5+dfsg-3ubuntu2.14.04.6, 4.2.6.p5+dfsg-3ubuntu2.14.04.7)
End-Date: 2016-02-08 16:19:43

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1815 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1859 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 3306 port [tcp/mysql] succeeded!

Sphinx
Checking for process:
1858 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1975 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue: 2
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
138G /nsm/elsa/data
200M /var/lib/mysql/syslog
539M /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 48 hours (or whatever your default_start_time_offset is), then you'll need to adjust log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2015-04-23 22:26:39 2016-02-09 17:41:00