sostat

a guest
Sep 12th, 2016
souser@servername:~$ sudo sostat
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
manager manager localhost running 5345 2 12 Sep 15:59:37
proxy proxy localhost running 5514 2 12 Sep 15:59:38
servername-eth1-1 worker localhost running 5701 2 12 Sep 15:59:40
Status: servername-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent (sguil)[ OK ]
* suricata (alert data)[ OK ]
* barnyard2 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr
inet addr:X.X.X.X Bcast:X.X.X.X Mask:255.255.255.0
inet6 addr: X Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6044 errors:0 dropped:0 overruns:0 frame:0
TX packets:1899 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7270235 (7.2 MB) TX bytes:323325 (323.3 KB)

eth1 Link encap:Ethernet HWaddr
inet addr:X.X.X.X Bcast:X.X.X.X Mask:255.255.255.0
inet6 addr: Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:12245438 errors:0 dropped:0 overruns:0 frame:0
TX packets:384 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7967382013 (7.9 GB) TX bytes:30082 (30.0 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:513984 errors:0 dropped:0 overruns:0 frame:0
TX packets:513984 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:120586565 (120.5 MB) TX bytes:120586565 (120.5 MB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
120586565 513984 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
120586565 513984 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
7270475 6048 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
326223 1910 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
7967384915 12245440 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
30082 384 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1
link/gre 0.0.0.0 brd 0.0.0.0
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 7.9G 4.0K 7.9G 1% /dev
tmpfs 1.6G 1.3M 1.6G 1% /run
/dev/sda6 15G 3.5G 11G 25% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 7.9G 14M 7.9G 1% /run/shm
none 100M 24K 100M 1% /run/user
/dev/sdb1 99G 4.0G 90G 5% /var
/dev/sdc1 99G 84G 9.4G 90% /nsm
/dev/sda1 945M 49M 832M 6% /boot

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 952 avahi 12u IPv4 7746 0t0 UDP *:5353
avahi-dae 952 avahi 13u IPv6 7747 0t0 UDP *:5353
avahi-dae 952 avahi 14u IPv4 7748 0t0 UDP *:45403
avahi-dae 952 avahi 15u IPv6 7749 0t0 UDP *:36516
ntpd 1591 ntp 16u IPv4 10793 0t0 UDP *:123
ntpd 1591 ntp 17u IPv6 10796 0t0 UDP *:123
ntpd 1591 ntp 18u IPv4 10803 0t0 UDP 127.0.0.1:123
ntpd 1591 ntp 19u IPv4 10805 0t0 UDP X.X.X.X:123
ntpd 1591 ntp 20u IPv4 10807 0t0 UDP X.X.X.X:123
ntpd 1591 ntp 21u IPv6 10809 0t0 UDP [::1]:123
ntpd 1591 ntp 22u IPv6 10811 0t0 UDP [fe80::250:56ff:fe88:16fc]:123
ntpd 1591 ntp 23u IPv6 10813 0t0 UDP [fe80::250:56ff:fe88:7359]:123
cupsd 1603 root 10u IPv6 11592 0t0 TCP [::1]:631 (LISTEN)
cupsd 1603 root 11u IPv4 11593 0t0 TCP 127.0.0.1:631 (LISTEN)
cups-brow 1614 root 8u IPv4 11612 0t0 UDP *:631
sshd 1823 root 3u IPv4 10999 0t0 TCP *:22 (LISTEN)
sshd 1823 root 4u IPv6 11001 0t0 TCP *:22 (LISTEN)
searchd 1865 sphinxsearch 7u IPv4 12245 0t0 TCP *:9306 (LISTEN)
searchd 1865 sphinxsearch 8u IPv4 12246 0t0 TCP *:9312 (LISTEN)
syslog-ng 1897 root 9u IPv4 12256 0t0 TCP *:514 (LISTEN)
syslog-ng 1897 root 10u IPv4 12257 0t0 UDP *:514
mysqld 1903 mysql 10u IPv4 11246 0t0 TCP 127.0.0.1:3306 (LISTEN)
salt-mini 1960 root 13u IPv4 14980 0t0 TCP 127.0.0.1:41090->127.0.0.1:4506 (ESTABLISHED)
salt-mini 1960 root 24u IPv4 14152 0t0 TCP 127.0.0.1:42724->127.0.0.1:4505 (ESTABLISHED)
ossec-csy 1979 ossecm 5u IPv4 13652 0t0 UDP 127.0.0.1:47097->127.0.0.1:514
salt-mast 2060 root 12u IPv4 14536 0t0 TCP *:4505 (LISTEN)
salt-mast 2060 root 14u IPv4 15764 0t0 TCP 127.0.0.1:4505->127.0.0.1:42724 (ESTABLISHED)
salt-mast 2087 root 20u IPv4 13727 0t0 TCP *:4506 (LISTEN)
salt-mast 2087 root 22u IPv4 16542 0t0 TCP 127.0.0.1:4506->127.0.0.1:41090 (ESTABLISHED)
/usr/sbin 3068 root 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 3068 root 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3068 root 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
tclsh 5048 sguil 13u IPv4 29542 0t0 TCP *:7734 (LISTEN)
tclsh 5048 sguil 14u IPv6 29543 0t0 TCP *:7734 (LISTEN)
tclsh 5048 sguil 15u IPv4 29546 0t0 TCP *:7736 (LISTEN)
tclsh 5048 sguil 16u IPv6 29547 0t0 TCP *:7736 (LISTEN)
tclsh 5048 sguil 17u IPv4 29548 0t0 TCP 127.0.0.1:7736->127.0.0.1:46260 (ESTABLISHED)
tclsh 5048 sguil 18u IPv4 32703 0t0 TCP 127.0.0.1:7736->127.0.0.1:34888 (ESTABLISHED)
tclsh 5048 sguil 19u IPv4 33514 0t0 TCP 127.0.0.1:7736->127.0.0.1:33042 (ESTABLISHED)
tclsh 5048 sguil 20u IPv4 55756 0t0 TCP 127.0.0.1:7734->127.0.0.1:36412 (ESTABLISHED)
tclsh 5094 sguil 3u IPv4 29551 0t0 TCP 127.0.0.1:33042->127.0.0.1:7736 (ESTABLISHED)
bro 5345 sguil 4u IPv4 29236 0t0 UDP X.X.X.X:51119->X.X.X.X:53
bro 5347 sguil 0u IPv4 24971 0t0 TCP *:47761 (LISTEN)
bro 5347 sguil 1u IPv6 24972 0t0 TCP *:47761 (LISTEN)
bro 5347 sguil 2u IPv4 25051 0t0 TCP 127.0.0.1:47761->127.0.0.1:36552 (ESTABLISHED)
bro 5347 sguil 4u IPv4 29236 0t0 UDP X.X.X.X:51119->X.X.X.X:53
bro 5347 sguil 268u IPv4 25168 0t0 TCP 127.0.0.1:47761->127.0.0.1:36554 (ESTABLISHED)
bro 5514 sguil 4u IPv4 29346 0t0 UDP X.X.X.X:35295->X.X.X.X:53
bro 5516 sguil 0u IPv4 25050 0t0 TCP 127.0.0.1:36552->127.0.0.1:47761 (ESTABLISHED)
bro 5516 sguil 4u IPv4 29346 0t0 UDP X.X.X.X:35295->X.X.X.X:53
bro 5516 sguil 266u IPv4 25058 0t0 TCP *:47762 (LISTEN)
bro 5516 sguil 267u IPv6 25059 0t0 TCP *:47762 (LISTEN)
bro 5516 sguil 268u IPv4 25174 0t0 TCP 127.0.0.1:47762->127.0.0.1:57592 (ESTABLISHED)
bro 5701 sguil 4u IPv4 23252 0t0 UDP X.X.X.X:49728->X.X.X.X:53
bro 5702 sguil 0u IPv4 25167 0t0 TCP 127.0.0.1:36554->127.0.0.1:47761 (ESTABLISHED)
bro 5702 sguil 4u IPv4 23252 0t0 UDP X.X.X.X:49728->X.X.X.X:53
bro 5702 sguil 266u IPv4 25173 0t0 TCP 127.0.0.1:57592->127.0.0.1:47762 (ESTABLISHED)
bro 5702 sguil 271u IPv4 25181 0t0 TCP *:47763 (LISTEN)
bro 5702 sguil 272u IPv6 25182 0t0 TCP *:47763 (LISTEN)
tclsh 5775 sguil 3u IPv4 32699 0t0 TCP 127.0.0.1:46260->127.0.0.1:7736 (ESTABLISHED)
tclsh 5791 sguil 3u IPv4 23352 0t0 TCP 127.0.0.1:8100 (LISTEN)
tclsh 5791 sguil 5u IPv4 23391 0t0 TCP 127.0.0.1:8100->127.0.0.1:52504 (ESTABLISHED)
tclsh 5791 sguil 7u IPv4 32702 0t0 TCP 127.0.0.1:34888->127.0.0.1:7736 (ESTABLISHED)
barnyard2 5834 sguil 3u IPv4 25286 0t0 TCP 127.0.0.1:52504->127.0.0.1:8100 (ESTABLISHED)
wish 6742 souser 4u IPv4 57363 0t0 TCP 127.0.0.1:36412->127.0.0.1:7734 (ESTABLISHED)
chromium- 7018 souser 101u IPv4 34966 0t0 UDP *:5353
chromium- 7018 souser 106u IPv6 220375 0t0 TCP [::1]:53652->[::1]:443 (ESTABLISHED)
chromium- 7018 souser 107u IPv6 220374 0t0 TCP [::1]:53650->[::1]:443 (ESTABLISHED)
chromium- 7018 souser 108u IPv6 220376 0t0 TCP [::1]:53654->[::1]:443 (ESTABLISHED)
chromium- 7018 souser 110u IPv6 220377 0t0 TCP [::1]:53656->[::1]:443 (ESTABLISHED)
/usr/sbin 18446 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18446 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18446 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18449 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18449 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18449 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18449 www-data 28u IPv4 221367 0t0 TCP 127.0.0.1:46416->127.0.0.1:3154 (CLOSE_WAIT)
/usr/sbin 18475 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18475 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18475 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18475 www-data 25u IPv6 221380 0t0 TCP [::1]:443->[::1]:53650 (ESTABLISHED)
/usr/sbin 18476 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18476 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18476 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18476 www-data 25u IPv6 217467 0t0 TCP [::1]:443->[::1]:53652 (ESTABLISHED)
/usr/sbin 18477 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18477 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18477 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18477 www-data 25u IPv6 217468 0t0 TCP [::1]:443->[::1]:53654 (ESTABLISHED)
/usr/sbin 18478 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18478 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18478 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18478 www-data 25u IPv6 217469 0t0 TCP [::1]:443->[::1]:53656 (ESTABLISHED)
/usr/sbin 18480 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18480 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18480 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18482 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18482 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18482 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18484 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18484 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18484 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18485 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18485 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18485 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18486 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18486 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18486 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18487 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18487 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18487 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18488 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18488 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18488 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
/usr/sbin 18489 www-data 5u IPv6 15792 0t0 TCP *:443 (LISTEN)
/usr/sbin 18489 www-data 7u IPv6 15796 0t0 TCP *:9876 (LISTEN)
/usr/sbin 18489 www-data 9u IPv6 15802 0t0 TCP *:3154 (LISTEN)
sshd 18942 root 3u IPv4 221653 0t0 TCP X.X.X.X:22->X.X.X.X:56340 (ESTABLISHED)
sshd 19023 souser 3u IPv4 221653 0t0 TCP X.X.X.X:22->X.X.X.X:56340 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Mon Sep 12 07:01:01 UTC 2016
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Sleeping for 38 minutes to avoid overwhelming rule sites.
ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules.
Running PulledPork.
Error 500 when fetching https://rules.emergingthreatspro.com/open/suricata-3.1.1/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463.
main::md5file('open', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/open/suricata-3.1.1/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ [email protected]
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
Restarting Barnyard2.
Restarting: servername-eth1
* stopping: barnyard2 (spooler, unified2 format)[ OK ]
* starting: barnyard2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: servername-eth1
* stopping: suricata (alert data)[ OK ]
* starting: suricata (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
0.44 0.66 0.68
Processing units: 4
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 16:44:08 up 47 min, 5 users, load average: 0.44, 0.66, 0.68
Tasks: 279 total, 3 running, 273 sleeping, 0 stopped, 3 zombie
%Cpu(s): 14.5 us, 3.5 sy, 0.0 ni, 79.4 id, 1.2 wa, 0.0 hi, 1.5 si, 0.0 st
KiB Mem: 16432856 total, 15570064 used, 862792 free, 74260 buffers
KiB Swap: 3998716 total, 0 used, 3998716 free. 8759260 cached Mem

%CPU %MEM COMMAND
26.5 0.5 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p servername-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
21.8 0.4 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
17.3 0.5 /usr/sbin/mysqld
7.9 2.2 suricata --user sguil --group sguil -c /etc/nsm/servername-eth1/suricata.yaml --pfring=eth1 -l /nsm/sensor_data/servername-eth1
3.5 0.1 wish /usr/bin/sguil.tk
3.2 25.9 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
2.4 0.0 barnyard2 -c /etc/nsm/servername-eth1/barnyard2.conf -u sguil -g sguil -d /nsm/sensor_data/servername-eth1 -f snort.unified2 -w /etc/nsm/servername-eth1/barnyard2.waldo -i 1 -U
2.1 0.5 netsniff-ng -i eth1 -o /nsm/sensor_data/servername-eth1/dailylogs/2016-09-12/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
1.6 0.8 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingInc
1.3 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
1.2 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.9 0.5 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.8 1.3 wireshark
0.6 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/servername-eth1/snort_agent.conf
0.6 1.1 /usr/lib/chromium-browser/chromium-browser --enable-pinch https://localhost/squert
0.4 0.0 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
0.4 0.0 /var/ossec/bin/ossec-syscheckd
0.4 0.0 -bash
0.3 0.3 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
0.3 0.0 [kworker/u8:1]
0.2 5.3 /usr/bin/searchd --nodetach
0.2 0.2 /usr/bin/python /usr/bin/salt-master
0.1 0.0 [rcu_sched]
0.1 0.0 /var/ossec/bin/ossec-analysisd
0.1 0.2 xfce4-terminal --geometry=78x24 --display :0.0 --role=xfce4-terminal-1473540190-1197851340 --show-menubar --show-borders --hide-toolbar --working-directory /home/souser --tab --working-directory /home/souser --tab --working-directory /etc/network --sm-client-id 2615dce6f-a6b3-
0.1 0.6 /usr/lib/chromium-browser/chromium-browser --type=renderer --enable-pinch --enable-features=DocumentWriteEvaluator<DisallowFetchForDocWrittenScriptsInMainFrame,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentReportingModuleLoadAnalysis<SafeBrowsingInc
0.0 0.0 /sbin/init
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [ksoftirqd/1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [khugepaged]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/1:1]
0.0 0.0 [kswapd0]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_2]
0.0 0.0 [scsi_tmf_2]
0.0 0.0 [vmw_pvscsi_wq_2]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kpsmoused]
0.0 0.0 [ttm_swap]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/sda6-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 [jbd2/sdb1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [jbd2/sdc1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [jbd2/sda1-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 [kworker/2:1H]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 avahi-daemon: running [servername.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [krfcommd]
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/0:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/3:1H]
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 cron
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kauditd]
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 supervising syslog-ng
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /usr/sbin/kerneloops
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 lightdm
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.2 /usr/bin/python /usr/bin/salt-master
0.0 0.1 /usr/bin/python /usr/bin/salt-master
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /usr/bin/vmtoolsd
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 lightdm --session-child 12 21
0.0 0.0 /usr/bin/gnome-keyring-daemon --daemonize --login
0.0 0.0 init --user
0.0 0.0 [kworker/2:2]
0.0 0.0 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-xGD8mxwMsw
0.0 0.0 upstart-event-bridge
0.0 0.0 upstart-file-bridge --daemon --user
0.0 0.0 upstart-dbus-bridge --daemon --session --user --bus-name session
0.0 0.0 upstart-dbus-bridge --daemon --system --user --bus-name system
0.0 0.0 /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
0.0 0.1 xfce4-session
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
0.0 0.0 /usr/bin/ssh-agent -s
0.0 0.1 xfwm4 --display :0.0 --sm-client-id 2f644d165-be3c-4b88-91cc-a9e9f80e0c19
0.0 0.0 Thunar --sm-client-id 2293f6004-4316-4a6e-b7da-32e4e25314a5 --daemon
0.0 0.1 xfce4-panel --display :0.0 --sm-client-id 26e3c0834-e808-4099-99d6-1e10978363bb
0.0 0.1 xfdesktop --display :0.0 --sm-client-id 26c99a627-093d-46e1-aafa-9b682b9993d6
0.0 0.0 xfsettingsd --display :0.0 --sm-client-id 258929f22-683c-48bc-8f40-3c655aa0f6b2
0.0 0.0 /usr/lib/upower/upowerd
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libwhiskermenu.so 1 12582944 whiskermenu Whisker Menu Show a menu to easily access installed applications
0.0 0.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 4 12582945 systray Notification Area Area where notification icons appear
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 xfce4-power-manager --restart --sm-client-id 2ede874ab-9b9c-4a88-80a8-0a802f25ea68
0.0 0.1 /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libindicator-plugin.so 5 12582946 indicator Indicator Plugin Provides a panel area for Unity indicators. Indicators allow applications and system services to display their status and
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.1 update-notifier
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 xfce4-power-manager
0.0 0.0 xfce4-volumed
0.0 0.1 /usr/bin/python /usr/share/system-config-printer/applet.py
0.0 0.0 light-locker
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-application/indicator-application-service
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-power/indicator-power-service
0.0 0.2 /usr/bin/python /usr/bin/blueman-applet
0.0 0.1 nm-applet
0.0 0.0 /usr/bin/pulseaudio --start --log-target=syslog
0.0 0.0 /usr/lib/rtkit/rtkit-daemon
0.0 0.0 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
0.0 0.0 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
0.0 0.0 gnome-pty-helper
0.0 0.0 bash
0.0 0.0 /usr/lib/udisks2/udisksd --no-debug
0.0 0.0 bash
0.0 0.0 bash
0.0 0.0 init --user --startup-event indicator-services-start
0.0 0.0 /usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service
0.0 0.0 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-mtp-volume-monitor
0.0 0.0 /usr/lib/gvfs/gvfs-afc-volume-monitor
0.0 0.0 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
0.0 0.0 /usr/lib/gvfs/gvfsd-trash --spawner :1.14 /org/gtk/gvfs/exec_spaw/0
0.0 0.0 /usr/bin/obex-data-server --no-daemon
0.0 0.0 su - sguil -- /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 tclsh /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
0.0 0.0 su - sguil -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.3 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p servername-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.5 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p servername-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - sguil -- /usr/bin/pcap_agent.tcl -c /etc/nsm/servername-eth1/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/servername-eth1/pcap_agent.conf
0.0 0.0 su - sguil -- /usr/bin/snort_agent.tcl -c /etc/nsm/servername-eth1/snort_agent.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/servername-eth1/snort.stats
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.3 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 /usr/lib/chromium-browser/chromium-browser --type=zygote
0.0 0.0 [kworker/2:0]
0.0 0.0 [tcpdump] <defunct>
0.0 0.0 [wireshark] <defunct>
0.0 0.0 [tcpdump] <defunct>
0.0 0.0 sudo wireshark
0.0 0.0 [kworker/u8:2]
0.0 0.0 [kworker/0:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 [kworker/u8:3]
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.9 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.8 /usr/sbin/apache2 -k start
0.0 0.0 sshd: souser [priv]
0.0 0.0 [kworker/0:0]
0.0 0.0 sshd: souser@pts/0
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 sudo sostat
0.0 0.0 /bin/bash /usr/bin/sostat
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

  578. =========================================================================
  579. Packets received during last monitoring interval (600 seconds)
  580. =========================================================================
  581.  
  582. eth1: 2682892
  583.  
  584. =========================================================================
  585. Packet Loss Stats
  586. =========================================================================
  587.  
  588. NIC:
  589.  
  590. eth1:
  591.  
  592. RX packets:12248658 dropped:0 TX packets:384 dropped:0
  593.  
  594. -------------------------------------------------------------------------
  595.  
  596. pf_ring:
  597.  
  598. Appl. Name : bro-eth1
  599. Tot Packets : 11606250
  600. Tot Pkt Lost : 0
  601.  
  602.  
  603. Appl. Name : Suricata
  604. Tot Packets : 11552125
  605. Tot Pkt Lost : 813
  606.  
  607. -------------------------------------------------------------------------
  608.  
  609. IDS Engine (suricata) packet drops:
  610.  
  611. /nsm/sensor_data/servername-eth1/stats.log
  612.  
  613. capture.kernel_drops | W#01-eth1 | 813
  614.  
  615. -------------------------------------------------------------------------
  616.  
  617. Bro:
  618.  
  619. Average packet loss as percent across all Bro workers: 0.000000
  620.  
  621. servername-eth1-1: 1473698648.941722 recvd=11607742 dropped=0 link=11607742
  622.  
  623. Capture Loss:
  624.  
  625. servername-eth1-1 0.0
  626.  
  627. If you are seeing capture loss without dropped packets, this
  628. may indicate that an upstream device is dropping packets (tap or SPAN port).
  629.  
  630. -------------------------------------------------------------------------
  631.  
  632. Netsniff-NG:
  633. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911000004 Processed: +289931 Lost: -31411
  634. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +159953 Lost: -5854
  635. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +511521 Lost: -14434
  636. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +182277 Lost: -9306
  637. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +160728 Lost: -2720
  638. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +170405 Lost: -511
  639. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160911035109 Processed: +155862 Lost: -4748
  640. File: /var/log/nsm/servername-eth1/netsniff-ng.log.20160912000007 Processed: +441592 Lost: -8658
  641.  
  642. =========================================================================
  643. PF_RING
  644. =========================================================================
  645. PF_RING Version : 6.4.1 (unknown)
  646. Total rings : 2
  647.  
  648. Standard (non ZC) Options
  649. Ring slots : 4096
  650. Slot version : 16
  651. Capture TX : Yes [RX+TX]
  652. IP Defragment : No
  653. Socket Mode : Standard
  654. Total plugins : 0
  655. Cluster Fragment Queue : 0
  656. Cluster Fragment Discard : 0
  657.  
  658. =========================================================================
  659. Log Archive
  660. =========================================================================
  661. /nsm/sensor_data/servername-eth0/dailylogs/ - 0 days
  662. 4.0K .
  663.  
  664. /nsm/sensor_data/servername-eth1/dailylogs/ - 1 days
  665. 82G .
  666. 82G ./2016-09-12
  667.  
  668. /nsm/bro/logs/ - 1 days
  669. 2.0M .
  670. 800K ./2016-09-12
  671. 1.2M ./stats
  672.  
  673. =========================================================================
  674. Sguil Uncategorized Events
  675. =========================================================================
  676. +----------+
  677. | COUNT(*) |
  678. +----------+
  679. | 2247635 |
  680. +----------+
  681.  
  682. =========================================================================
  683. Sguil events summary for yesterday
  684. =========================================================================
  685. +---------+-------------+--------------------------------------------------------------------------+
  686. | Totals | GenID:SigID | Signature |
  687. +---------+-------------+--------------------------------------------------------------------------+
  688. | 3869519 | 1:2101411 | GPL SNMP public access udp |
  689. | 18075 | 1:2003068 | ET SCAN Potential SSH Scan OUTBOUND |
  690. | 2184 | 1:2016150 | ET INFO Session Traversal Utilities for NAT (STUN Binding Response) |
  691. | 943 | 1:2200037 | SURICATA TCP duplicated option |
  692. | 851 | 1:2001581 | ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection |
  693. | 92 | 1:2020565 | ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use |
  694. | 88 | 1:2009702 | ET POLICY DNS Update From External net |
  695. | 33 | 1:2200074 | SURICATA TCPv4 invalid checksum |
  696. | 11 | 1:2402000 | ET DROP Dshield Block Listed Source group 1 |
  697. | 10 | 1:2100651 | GPL SHELLCODE x86 stealth NOOP |
  698. | 8 | 1:2403304 | ET CINS Active Threat Intelligence Poor Reputation IP group 5 |
  699. | 6 | 1:2008581 | ET P2P BitTorrent DHT ping request |
  700. | 6 | 1:2001219 | ET SCAN Potential SSH Scan |
  701. | 5 | 1:2522070 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36 |
  702. | 5 | 1:2520070 | ET TOR Known Tor Exit Node Traffic group 36 |
  703. | 3 | 1:2000340 | ET P2P Kaaza Media desktop p2pnetworking.exe Activity |
  704. | 3 | 1:2200075 | SURICATA UDPv4 invalid checksum |
  705. | 1 | 1:2520148 | ET TOR Known Tor Exit Node Traffic group 75 |
  706. | 1 | 1:2403323 | ET CINS Active Threat Intelligence Poor Reputation IP group 24 |
  707. | 1 | 1:2522148 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 |
  708. | 1 | 1:2523296 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649 |
  709. | 1 | 1:2522424 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213 |
  710. | 1 | 1:2400002 | ET DROP Spamhaus DROP Listed Traffic Inbound group 3 |
  711. | 1 | 1:2500082 | ET COMPROMISED Known Compromised or Hostile Host Traffic group 42 |
  712. +---------+-------------+--------------------------------------------------------------------------+
  713. +---------+
  714. | Total |
  715. +---------+
  716. | 3891849 |
  717. +---------+
  718.  
  719. =========================================================================
  720. Top 50 All time Sguil Events
  721. =========================================================================
  722. +---------+-------------+--------------------------------------------------------------------------+
  723. | Totals | GenID:SigID | Signature |
  724. +---------+-------------+--------------------------------------------------------------------------+
  725. | 7158612 | 1:2101411 | GPL SNMP public access udp |
  726. | 32517 | 1:2003068 | ET SCAN Potential SSH Scan OUTBOUND |
  727. | 4601 | 1:2016150 | ET INFO Session Traversal Utilities for NAT (STUN Binding Response) |
  728. | 1867 | 1:2200037 | SURICATA TCP duplicated option |
  729. | 1124 | 1:2001581 | ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection |
  730. | 167 | 1:2009702 | ET POLICY DNS Update From External net |
  731. | 116 | 1:2020565 | ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use |
  732. | 33 | 1:2200074 | SURICATA TCPv4 invalid checksum |
  733. | 17 | 1:2402000 | ET DROP Dshield Block Listed Source group 1 |
  734. | 15 | 1:2403304 | ET CINS Active Threat Intelligence Poor Reputation IP group 5 |
  735. | 12 | 1:2008581 | ET P2P BitTorrent DHT ping request |
  736. | 11 | 1:2100651 | GPL SHELLCODE x86 stealth NOOP |
  737. | 10 | 1:2001219 | ET SCAN Potential SSH Scan |
  738. | 5 | 1:2520070 | ET TOR Known Tor Exit Node Traffic group 36 |
  739. | 5 | 1:2000340 | ET P2P Kaaza Media desktop p2pnetworking.exe Activity |
  740. | 5 | 1:2522070 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36 |
  741. | 3 | 1:2200075 | SURICATA UDPv4 invalid checksum |
  742. | 3 | 1:2403316 | ET CINS Active Threat Intelligence Poor Reputation IP group 17 |
  743. | 2 | 1:2523296 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649 |
  744. | 2 | 1:2522492 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247 |
  745. | 2 | 1:2400002 | ET DROP Spamhaus DROP Listed Traffic Inbound group 3 |
  746. | 2 | 1:2013800 | ET POLICY Outgoing Chromoting Session Response |
  747. | 1 | 1:2403303 | ET CINS Active Threat Intelligence Poor Reputation IP group 4 |
  748. | 1 | 1:2520042 | ET TOR Known Tor Exit Node Traffic group 22 |
  749. | 1 | 1:2400007 | ET DROP Spamhaus DROP Listed Traffic Inbound group 8 |
  750. | 1 | 1:2522424 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213 |
  751. | 1 | 1:2403301 | ET CINS Active Threat Intelligence Poor Reputation IP group 2 |
  752. | 1 | 1:2403323 | ET CINS Active Threat Intelligence Poor Reputation IP group 24 |
  753. | 1 | 1:2522042 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 22 |
  754. | 1 | 1:2520148 | ET TOR Known Tor Exit Node Traffic group 75 |
  755. | 1 | 1:2500082 | ET COMPROMISED Known Compromised or Hostile Host Traffic group 42 |
  756. | 1 | 1:2523150 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576 |
  757. | 1 | 1:2403308 | ET CINS Active Threat Intelligence Poor Reputation IP group 9 |
  758. | 1 | 1:2522148 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 |
  759. +---------+-------------+--------------------------------------------------------------------------+
  760. +---------+
  761. | Total |
  762. +---------+
  763. | 7199518 |
  764. +---------+
  765.  
  766. =========================================================================
  767. Last update
  768. =========================================================================
  769.  
  770. Start-Date: 2016-09-10 15:14:09
  771. Commandline: apt-get -y dist-upgrade
  772. Upgrade: update-manager-core:amd64 (0.196.19, 0.196.21), isc-dhcp-common:amd64 (4.2.4-7ubuntu12.5, 4.2.4-7ubuntu12.6), python3-update-manager:amd64 (0.196.19, 0.196.21), chromium-codecs-ffmpeg-extra:amd64 (51.0.2704.79-0ubuntu0.14.04.1.1121, 52.0.2743.116-0ubuntu0.14.04.1.1134), curl:amd64 (7.35.0-1ubuntu2.8, 7.35.0-1ubuntu2.9), chromium-browser-l10n:amd64 (51.0.2704.79-0ubuntu0.14.04.1.1121, 52.0.2743.116-0ubuntu0.14.04.1.1134), isc-dhcp-client:amd64 (4.2.4-7ubuntu12.5, 4.2.4-7ubuntu12.6), libcurl3:amd64 (7.35.0-1ubuntu2.8, 7.35.0-1ubuntu2.9), xserver-xorg-core-lts-xenial:amd64 (1.18.3-1ubuntu2.2~trusty2, 1.18.3-1ubuntu2.2~trusty3), update-manager:amd64 (0.196.19, 0.196.21), chromium-browser:amd64 (51.0.2704.79-0ubuntu0.14.04.1.1121, 52.0.2743.116-0ubuntu0.14.04.1.1134), file-roller:amd64 (3.10.2.1-0ubuntu4.1, 3.10.2.1-0ubuntu4.2), libcurl3-gnutls:amd64 (7.35.0-1ubuntu2.8, 7.35.0-1ubuntu2.9)
  773. End-Date: 2016-09-10 15:14:23
  774.  
  775. Start-Date: 2016-09-11 03:43:21
  776. Commandline: apt-get install open-vm-tools
  777. Install: open-vm-tools:amd64 (9.4.0-1280544-5ubuntu6.2), zerofree:amd64 (1.0.2-1ubuntu1, automatic)
  778. End-Date: 2016-09-11 03:43:25
  779.  
  780. =========================================================================
  781. ELSA
  782. =========================================================================
  783. Syslog-ng
  784. Checking for process:
  785. 1897 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
  786. Checking for connection:
  787. Connection to localhost 514 port [tcp/shell] succeeded!
  788.  
  789. MySQL
  790. Checking for process:
  791. 1903 /usr/sbin/mysqld
  792. Checking for connection:
  793. Connection to localhost 3306 port [tcp/mysql] succeeded!
  794.  
  795. Sphinx
  796. Checking for process:
  797. 1836 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
  798. 1865 /usr/bin/searchd --nodetach
  799. Checking for connection:
  800. Connection to localhost 9306 port [tcp/*] succeeded!
  801.  
  802. ELSA Buffers in Queue:
  803. 2
  804. If this number is consistently higher than 20, please see:
  805. https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue
  806.  
  807. ELSA Directory Sizes:
  808. 1.5G /nsm/elsa/data
  809. 2.9M /var/lib/mysql/syslog
  810. 32K /var/lib/mysql/syslog_data
  811.  
  812. ELSA Index Date Range
  813. If you don't have at least 2 full days of logs in the Index Date Range,
  814. then you'll need to increase log_size_limit in /etc/elsa_node.conf.
  815. +---------------------+---------------------+
  816. | MIN(start) | MAX(end) |
  817. +---------------------+---------------------+
  818. | 2016-09-10 20:36:41 | 2016-09-12 16:43:56 |
  819. +---------------------+---------------------+