sensor
a guest
Feb 7th, 2018
(standard_in) 1: syntax error
(standard_in) 1: syntax error
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 3247 07 Feb 14:08:05
proxy proxy localhost running 3588 07 Feb 14:08:10
SO-server-eth1-1 worker localhost running 4090 07 Feb 14:08:16
SO-server-eth1-2 worker localhost running 4089 07 Feb 14:08:16
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (SO-user)[ OK ]
* snort_agent-1 (SO-user)[ OK ]
* snort_agent-2 (SO-user)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]

=========================================================================
Interface Status
=========================================================================
docker0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:97824 errors:0 dropped:11 overruns:0 frame:0
TX packets:16166 errors:0 dropped:0 overruns:0 carrier:0
collisions:90631 txqueuelen:1000
RX bytes:21881915 (21.8 MB) TX bytes:13680326 (13.6 MB)

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:118358165 errors:0 dropped:33468661 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64362663438 (64.3 GB) TX bytes:180 (180.0 B)

lo Link encap:Local Loopback
inet addr:X.X.X.X Mask:X.X.X.X
inet6 addr: X.X.X.X/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:283411 errors:0 dropped:0 overruns:0 frame:0
TX packets:283411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1653438008 (1.6 GB) TX bytes:1653438008 (1.6 GB)


=========================================================================
Link Statistics
=========================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
1653540399 283415 0 0 0 0
RX errors: length crc frame fifo SO-usersed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1653540399 283415 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
21881915 97824 0 0 0 0
RX errors: length crc frame fifo SO-usersed
0 0 0 0 11
TX: bytes packets errors dropped carrier collsns
13680326 16166 0 0 0 90631
TX errors: aborted fifo window heartbeat
0 0 0 0
3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
64363660262 118360277 0 2518436 0 0
RX errors: length crc frame fifo SO-usersed
0 0 0 0 30951467
TX: bytes packets errors dropped carrier collsns
180 2 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
RX errors: length crc frame fifo SO-usersed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
udev 5.9G 4.0K 5.9G 1% /dev
tmpfs 1.2G 916K 1.2G 1% /run
/dev/dm-0 1000G 575G 375G 61% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
none 5.0M 0 5.0M 0% /run/lock
none 5.9G 12K 5.9G 1% /run/shm
none 100M 4.0K 100M 1% /run/user
/dev/vda1 236M 51M 173M 23% /boot

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 785 root 7u IPv4 8744 0t0 TCP X.X.X.X:631 (LISTEN)
avahi-dae 806 avahi 12u IPv4 13799 0t0 UDP *:5353
avahi-dae 806 avahi 13u IPv6 13800 0t0 UDP *:5353
avahi-dae 806 avahi 14u IPv4 13801 0t0 UDP *:46916
avahi-dae 806 avahi 15u IPv6 13802 0t0 UDP *:46979
cups-brow 1004 root 8u IPv4 8805 0t0 UDP *:631
sshd 1521 root 3u IPv4 12061 0t0 TCP *:ssh_port (LISTEN)
sshd 1521 root 4u IPv6 12063 0t0 TCP *:ssh_port (LISTEN)
searchd 1590 sphinxsearch 7u IPv4 12720 0t0 TCP *:9306 (LISTEN)
searchd 1590 sphinxsearch 8u IPv4 12721 0t0 TCP *:9312 (LISTEN)
searchd 1590 sphinxsearch 49u IPv4 244831 0t0 TCP X.X.X.X:9306->X.X.X.X:49392 (ESTABLISHED)
syslog-ng 1660 root 9u IPv4 14142 0t0 TCP *:514 (LISTEN)
syslog-ng 1660 root 10u IPv4 14143 0t0 UDP *:514
mysqld 1680 mysql 10u IPv4 14669 0t0 TCP X.X.X.X:50000 (LISTEN)
salt-mini 1735 root 13u IPv4 16449 0t0 TCP X.X.X.X:56700->X.X.X.X:4506 (ESTABLISHED)
salt-mini 1735 root 24u IPv4 11244 0t0 TCP X.X.X.X:49270->X.X.X.X:4505 (ESTABLISHED)
ossec-csy 1835 ossecm 5u IPv4 15395 0t0 UDP X.X.X.X:38951->X.X.X.X:514
starman 2037 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
starman 2048 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
starman 2050 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
starman 2052 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
starman 2054 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
starman 2055 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
ntpd 2218 ntp 16u IPv4 16531 0t0 UDP *:123
ntpd 2218 ntp 17u IPv6 16532 0t0 UDP *:123
ntpd 2218 ntp 18u IPv4 16538 0t0 UDP X.X.X.X:123
ntpd 2218 ntp 19u IPv4 16539 0t0 UDP X.X.X.X:123
ntpd 2218 ntp 20u IPv4 16540 0t0 UDP X.X.X.X:123
ntpd 2218 ntp 21u IPv6 16541 0t0 UDP [X.X.X.X]:123
ntpd 2218 ntp 22u IPv6 16542 0t0 UDP [X.X.X.X]:123
ssh 2966 root 3u IPv4 15833 0t0 TCP X.X.X.X:44776->X.X.X.X:ssh_port (ESTABLISHED)
ssh 2966 root 4u IPv6 15843 0t0 TCP [X.X.X.X]:3306 (LISTEN)
ssh 2966 root 5u IPv4 15844 0t0 TCP X.X.X.X:3306 (LISTEN)
tclsh 3033 SO-user 3u IPv4 20312 0t0 TCP X.X.X.X:43328->X.X.X.X:7736 (ESTABLISHED)
bro 3247 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
bro 3336 SO-user 0u IPv4 21009 0t0 TCP *:47761 (LISTEN)
bro 3336 SO-user 1u IPv6 21010 0t0 TCP *:47761 (LISTEN)
bro 3336 SO-user 2u IPv4 22583 0t0 TCP X.X.X.X:47761->X.X.X.X:55178 (ESTABLISHED)
bro 3336 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
bro 3336 SO-user 14u IPv4 24638 0t0 TCP X.X.X.X:47761->X.X.X.X:55180 (ESTABLISHED)
bro 3336 SO-user 19u IPv4 21738 0t0 TCP X.X.X.X:47761->X.X.X.X:55184 (ESTABLISHED)
bro 3588 SO-user 4u IPv4 22576 0t0 UDP X.X.X.X:41234->X.X.X.X:53
bro 3688 SO-user 0u IPv4 17140 0t0 TCP X.X.X.X:55178->X.X.X.X:47761 (ESTABLISHED)
bro 3688 SO-user 4u IPv4 22576 0t0 UDP X.X.X.X:41234->X.X.X.X:53
bro 3688 SO-user 11u IPv4 17145 0t0 TCP *:47762 (LISTEN)
bro 3688 SO-user 12u IPv6 17146 0t0 TCP *:47762 (LISTEN)
bro 3688 SO-user 13u IPv4 24641 0t0 TCP X.X.X.X:47762->X.X.X.X:33122 (ESTABLISHED)
bro 3688 SO-user 18u IPv4 24666 0t0 TCP X.X.X.X:47762->X.X.X.X:33126 (ESTABLISHED)
bro 4089 SO-user 4u IPv4 22673 0t0 UDP X.X.X.X:57838->X.X.X.X:53
bro 4090 SO-user 4u IPv4 23718 0t0 UDP X.X.X.X:42111->X.X.X.X:53
bro 4185 SO-user 0u IPv4 21727 0t0 TCP X.X.X.X:55180->X.X.X.X:47761 (ESTABLISHED)
bro 4185 SO-user 4u IPv4 23718 0t0 UDP X.X.X.X:42111->X.X.X.X:53
bro 4185 SO-user 12u IPv4 21730 0t0 TCP X.X.X.X:33122->X.X.X.X:47762 (ESTABLISHED)
bro 4185 SO-user 17u IPv4 21735 0t0 TCP *:47763 (LISTEN)
bro 4185 SO-user 18u IPv6 21736 0t0 TCP *:47763 (LISTEN)
bro 4210 SO-user 0u IPv4 21261 0t0 TCP X.X.X.X:55184->X.X.X.X:47761 (ESTABLISHED)
bro 4210 SO-user 4u IPv4 22673 0t0 UDP X.X.X.X:57838->X.X.X.X:53
bro 4210 SO-user 12u IPv4 21264 0t0 TCP X.X.X.X:33126->X.X.X.X:47762 (ESTABLISHED)
bro 4210 SO-user 17u IPv4 21269 0t0 TCP *:47764 (LISTEN)
bro 4210 SO-user 18u IPv6 21270 0t0 TCP *:47764 (LISTEN)
tclsh 4362 SO-user 3u IPv4 22773 0t0 TCP X.X.X.X:33749->X.X.X.X:7736 (ESTABLISHED)
tclsh 4392 SO-user 3u IPv4 24829 0t0 TCP X.X.X.X:33843->X.X.X.X:7736 (ESTABLISHED)
tclsh 4392 SO-user 4u IPv4 24830 0t0 TCP X.X.X.X:8101 (LISTEN)
tclsh 4392 SO-user 6u IPv4 43505 0t0 TCP X.X.X.X:8101->X.X.X.X:57320 (ESTABLISHED)
tclsh 4429 SO-user 3u IPv4 21413 0t0 TCP X.X.X.X:35883->X.X.X.X:7736 (ESTABLISHED)
tclsh 4429 SO-user 4u IPv4 24917 0t0 TCP X.X.X.X:8102 (LISTEN)
tclsh 4429 SO-user 6u IPv4 43535 0t0 TCP X.X.X.X:8102->X.X.X.X:43342 (ESTABLISHED)
barnyard2 9265 SO-user 3u IPv4 43504 0t0 TCP X.X.X.X:57320->X.X.X.X:8101 (ESTABLISHED)
barnyard2 9311 SO-user 3u IPv4 58582 0t0 TCP X.X.X.X:43342->X.X.X.X:8102 (ESTABLISHED)
sshd 22326 root 3u IPv4 218699 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:15605 (ESTABLISHED)
sshd 22423 SO-user 3u IPv4 218699 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:15605 (ESTABLISHED)
perl 22484 root 6u IPv4 243627 0t0 TCP X.X.X.X:49392->X.X.X.X:9306 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Wed Feb 7 14:30:15 UTC 2018
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Copying rules from X.X.X.X.
scp: /usr/local/lib/snort_dynamicrules/*: No such file or directory
Restarting Barnyard2.
Restarting: SO-server-eth1
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: SO-server-eth1
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
Load average for the last 1, 5, and 15 minutes:
6.23 4.72 3.94
Processing units: 6
If load average is higher than processing units,
then tune until load average is lower than processing units.

top - 15:59:14 up 1:52, 1 user, load average: 6.23, 4.72, 3.94
Tasks: 220 total, 4 running, 216 sleeping, 0 stopped, 0 zombie
%Cpu(s): 34.7 us, 6.8 sy, 0.1 ni, 45.7 id, 1.9 wa, 0.0 hi, 10.3 si, 0.4 st
KiB Mem: 12303568 total, 12018712 used, 284856 free, 43544 buffers
KiB Swap: 8388604 total, 289556 used, 8099048 free. 7990928 cached Mem

%CPU %MEM COMMAND
80.8 4.0 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_15
73.5 4.4 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U --snaplen 1524
72.5 4.4 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-2.stats -U --snaplen 1524
38.6 2.6 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
37.2 2.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
28.0 0.6 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
13.6 0.6 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2018-02-07/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
5.7 0.6 /usr/sbin/mysqld
5.6 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
4.2 0.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
3.7 0.0 [ksoftirqd/1]
3.2 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
2.9 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
1.7 0.0 -bash
1.3 11.9 /usr/bin/searchd --nodetach
0.7 0.0 /bin/bash /usr/sbin/sostat
0.6 0.0 [kswapd0]
0.6 0.0 sshd: SO-user [priv]
0.5 0.0 [kworker/u12:0]
0.5 0.6 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
0.5 0.0 sudo sostat-redacted
0.4 0.0 /var/ossec/bin/ossec-syscheckd
0.3 0.1 /usr/bin/dockerd --raw-logs
0.2 0.0 [rcu_sched]
0.2 0.0 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
0.2 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.2 0.3 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.2 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.2 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-2 -i SO-server-eth1-2 -U
0.2 0.0 [kworker/u12:2]
0.2 0.0 CRON
0.2 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.1 0.0 /sbin/init
0.1 0.0 [khugepaged]
0.1 0.2 /usr/bin/python /usr/bin/salt-minion
0.1 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i SO-server-eth1-1 -U
0.0 0.0 [kthreadd]
0.0 0.0 [ksoftirqd/0]
0.0 0.0 [kworker/0:0H]
0.0 0.0 [rcu_bh]
0.0 0.0 [migration/0]
0.0 0.0 [watchdog/0]
0.0 0.0 [watchdog/1]
0.0 0.0 [migration/1]
0.0 0.0 [kworker/1:0]
0.0 0.0 [kworker/1:0H]
0.0 0.0 [watchdog/2]
0.0 0.0 [migration/2]
0.0 0.0 [ksoftirqd/2]
0.0 0.0 [kworker/2:0]
0.0 0.0 [kworker/2:0H]
0.0 0.0 [watchdog/3]
0.0 0.0 [migration/3]
0.0 0.0 [ksoftirqd/3]
0.0 0.0 [kworker/3:0H]
0.0 0.0 [watchdog/4]
0.0 0.0 [migration/4]
0.0 0.0 [ksoftirqd/4]
0.0 0.0 [kworker/4:0H]
0.0 0.0 [watchdog/5]
0.0 0.0 [migration/5]
0.0 0.0 [ksoftirqd/5]
0.0 0.0 [kworker/5:0]
0.0 0.0 [kworker/5:0H]
0.0 0.0 [kdevtmpfs]
0.0 0.0 [netns]
0.0 0.0 [perf]
0.0 0.0 [khungtaskd]
0.0 0.0 [writeback]
0.0 0.0 [ksmd]
0.0 0.0 [crypto]
0.0 0.0 [kintegrityd]
0.0 0.0 [bioset]
0.0 0.0 [kblockd]
0.0 0.0 [ata_sff]
0.0 0.0 [md]
0.0 0.0 [devfreq_wq]
0.0 0.0 [vmstat]
0.0 0.0 [fsnotify_mark]
0.0 0.0 [ecryptfs-kthrea]
0.0 0.0 [kthrotld]
0.0 0.0 [acpi_thermal_pm]
0.0 0.0 [vballoon]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kworker/2:1]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [scsi_eh_0]
0.0 0.0 [scsi_tmf_0]
0.0 0.0 [scsi_eh_1]
0.0 0.0 [scsi_tmf_1]
0.0 0.0 [ipv6_addrconf]
0.0 0.0 [deferwq]
0.0 0.0 [charger_manager]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [kpsmoused]
0.0 0.0 [kworker/4:1]
0.0 0.0 [kworker/5:1]
0.0 0.0 [ttm_swap]
0.0 0.0 [qxl_gc]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [kdmflush]
0.0 0.0 [bioset]
0.0 0.0 [bioset]
0.0 0.0 [jbd2/dm-0-8]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 [kworker/3:1H]
0.0 0.0 [kworker/5:1H]
0.0 0.0 [kworker/1:1H]
0.0 0.0 [kworker/2:1H]
0.0 0.0 [ext4-rsv-conver]
0.0 0.0 upstart-udev-bridge --daemon
0.0 0.0 /lib/systemd/systemd-udevd --daemon
0.0 0.0 dbus-daemon --system --fork
0.0 0.0 [kmpathd]
0.0 0.0 [kmpath_handlerd]
0.0 0.0 [kvm-irqfd-clean]
0.0 0.0 /usr/sbin/bluetoothd
0.0 0.0 [krfcommd]
0.0 0.0 /lib/systemd/systemd-logind
0.0 0.0 /usr/sbin/cupsd -f
0.0 0.0 avahi-daemon: running [SO-server.local]
0.0 0.0 avahi-daemon: chroot helper
0.0 0.0 [kworker/1:2]
0.0 0.0 /usr/sbin/cups-browsed
0.0 0.0 upstart-file-bridge --daemon
0.0 0.0 upstart-socket-bridge --daemon
0.0 0.0 [kworker/4:2]
0.0 0.0 /sbin/getty -8 38400 tty4
0.0 0.0 /sbin/getty -8 38400 tty5
0.0 0.1 /usr/bin/python /usr/bin/salt-minion
0.0 0.0 /sbin/getty -8 38400 tty2
0.0 0.0 /sbin/getty -8 38400 tty3
0.0 0.0 /sbin/getty -8 38400 tty6
0.0 0.0 cron
0.0 0.0 /usr/sbin/sshd -D
0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
0.0 0.0 /usr/sbin/irqbalance
0.0 0.0 [kworker/0:1H]
0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
0.0 0.0 [kauditd]
0.0 0.0 lightdm
0.0 0.1 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
0.0 0.0 supervising syslog-ng
0.0 0.0 /usr/lib/accountsservice/accounts-daemon
0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 [kworker/4:1H]
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
0.0 0.0 /usr/sbin/kerneloops
0.0 0.0 lightdm --session-child 16 19
0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0.0 0.1 /usr/sbin/lightdm-gtk-greeter
0.0 0.0 /var/ossec/bin/ossec-csyslogd
0.0 0.0 /var/ossec/bin/ossec-execd
0.0 0.0 /var/ossec/bin/ossec-analysisd
0.0 0.0 /var/ossec/bin/ossec-logcollector
0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
0.0 0.0 /var/ossec/bin/ossec-monitord
0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0.0 0.0 /usr/lib/gvfs/gvfsd
0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
0.0 0.0 lightdm --session-child 12 19
0.0 0.1 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
0.0 0.0 /sbin/getty -8 38400 tty1
0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X
0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X
0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-2.stats
0.0 0.0 [kworker/3:2]
0.0 0.0 [kworker/3:1]
0.0 0.0 [kworker/0:0]
0.0 0.0 [kworker/u12:1]
0.0 0.0 [kworker/0:2]
0.0 0.0 CRON
0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 [kworker/0:1]
0.0 0.0 sshd: SO-user@pts/0
0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
0.0 0.0 /bin/bash /usr/sbin/sostat-redacted
0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu

=========================================================================
Packets received during last monitoring interval (600 seconds)
=========================================================================

eth1: 10237736

=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth1:

RX packets:118375333 dropped:33476310 TX packets:2 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name : bro-eth1
Tot Packets : 51343246
Tot Pkt Lost : 47811


Appl. Name : bro-eth1
Tot Packets : 65349312
Tot Pkt Lost : 197146


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 38295295
Tot Pkt Lost : 5132033


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 50093974
Tot Pkt Lost : 7861319

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 5.276
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported pkt_drop_percent as 10.556
-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 0.210250

SO-server-eth1-1: 1518019157.379665 recvd=65181203 dropped=197146 link=65181203
SO-server-eth1-2: 1518019158.592284 recvd=51326075 dropped=47811 link=51326075

Capture Loss:

SO-server-eth1-1 23.711863
SO-server-eth1-1 25.332931
SO-server-eth1-1 25.485611
SO-server-eth1-1 25.96035
SO-server-eth1-2 25.223966
SO-server-eth1-2 25.622044
SO-server-eth1-2 27.821147
SO-server-eth1-2 28.650594

If you are seeing capture loss without dropped packets, this
may indicate that an upstream device is dropping packets (tap or SPAN port).

-------------------------------------------------------------------------

Netsniff-NG:


Percentage of packets dropped:

/var/log/nsm/SO-server-eth1/netsniff-ng.log --


=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.6.0 (unknown)
Total rings : 4

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 157
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 2 days
356G .
294G ./2018-02-06
62G ./2018-02-07

/nsm/bro/logs/ - 3 days
1.5G .
935M ./2018-02-05
443M ./2018-02-06
72M ./2018-02-07
4.0M ./stats

=========================================================================
Last update
=========================================================================

=========================================================================
Available updates
=========================================================================
64 packages can be updated.
48 updates are security updates.

Run 'sudo soup' to install the latest updates.

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1660 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1680 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!

Sphinx
Checking for process:
1587 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1590 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
210G /nsm/elsa/data
15M /var/lib/mysql/syslog
392K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2018-02-01 16:58:15 2018-02-07 15:59:02

autossh
Checking for process:
2965 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X

Checking APIKEY:
APIKEY matches server.

starman
Checking for processes:
2037 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2048 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2050 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2052 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2054 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2055 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi

=========================================================================
Version Information
=========================================================================
Ubuntu 14.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion84
mis@crockett:~$ clear
mis@crockett:~$ sudo sostat-redacted
(standard_in) 1: syntax error
(standard_in) 1: syntax error
=========================================================================
Service Status
=========================================================================
Status: HIDS
* ossec_agent (SO-user)[ OK ]
Status: Bro
waiting for lock (owned by PID 23125) ...
Name Type Host Status Pid Started
manager manager localhost running 3247 07 Feb 14:08:05
proxy proxy localhost running 3588 07 Feb 14:08:10
SO-server-eth1-1 worker localhost running 4090 07 Feb 14:08:16
SO-server-eth1-2 worker localhost running 4089 07 Feb 14:08:16
Status: SO-server-eth1
* netsniff-ng (full packet data)[ OK ]
  656. * pcap_agent (SO-user)[ OK ]
  657. * snort_agent-1 (SO-user)[ OK ]
  658. * snort_agent-2 (SO-user)[ OK ]
  659. * snort-1 (alert data)[ OK ]
  660. * snort-2 (alert data)[ OK ]
  661. * barnyard2-1 (spooler, unified2 format)[ OK ]
  662. * barnyard2-2 (spooler, unified2 format)[ OK ]
  663.  
  664. =========================================================================
  665. Interface Status
  666. =========================================================================
  667. docker0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
  668. inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
  669. UP BROADCAST MULTICAST MTU:1500 Metric:1
  670. RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  671. TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  672. collisions:0 txqueuelen:0
  673. RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
  674.  
  675. eth0 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
  676. inet addr:X.X.X.X Bcast:X.X.X.X Mask:X.X.X.X
  677. inet6 addr: X.X.X.X/64 Scope:Link
  678. UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  679. RX packets:99373 errors:0 dropped:11 overruns:0 frame:0
  680. TX packets:16685 errors:0 dropped:0 overruns:0 carrier:0
  681. collisions:93285 txqueuelen:1000
  682. RX bytes:22375587 (22.3 MB) TX bytes:13889120 (13.8 MB)
  683.  
  684. eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
  685. UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
  686. RX packets:119988245 errors:0 dropped:34754999 overruns:0 frame:0
  687. TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
  688. collisions:0 txqueuelen:1000
  689. RX bytes:65418775319 (65.4 GB) TX bytes:180 (180.0 B)
  690.  
  691. lo Link encap:Local Loopback
  692. inet addr:X.X.X.X Mask:X.X.X.X
  693. inet6 addr: X.X.X.X/128 Scope:Host
  694. UP LOOPBACK RUNNING MTU:65536 Metric:1
  695. RX packets:285552 errors:0 dropped:0 overruns:0 frame:0
  696. TX packets:285552 errors:0 dropped:0 overruns:0 carrier:0
  697. collisions:0 txqueuelen:1
  698. RX bytes:1669673391 (1.6 GB) TX bytes:1669673391 (1.6 GB)
  699.  
  700.  
  701. =========================================================================
  702. Link Statistics
  703. =========================================================================
  704. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
  705. link/loopback MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
  706. RX: bytes packets errors dropped overrun mcast
  707. 1669724426 285554 0 0 0 0
  708. RX errors: length crc frame fifo missed
  709. 0 0 0 0 0
  710. TX: bytes packets errors dropped carrier collsns
  711. 1669724426 285554 0 0 0 0
  712. TX errors: aborted fifo window heartbeat
  713. 0 0 0 0
  714. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
  715. link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
  716. RX: bytes packets errors dropped overrun mcast
  717. 22375715 99375 0 0 0 0
  718. RX errors: length crc frame fifo missed
  719. 0 0 0 0 11
  720. TX: bytes packets errors dropped carrier collsns
  721. 13889120 16685 0 0 0 93285
  722. TX errors: aborted fifo window heartbeat
  723. 0 0 0 0
  724. 3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
  725. link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
  726. RX: bytes packets errors dropped overrun mcast
  727. 65419308106 119989154 0 2538636 0 0
  728. RX errors: length crc frame fifo missed
  729. 0 0 0 0 32217461
  730. TX: bytes packets errors dropped carrier collsns
  731. 180 2 0 0 0 0
  732. TX errors: aborted fifo window heartbeat
  733. 0 0 0 0
  734. 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
  735. link/ether MM:MM:MM:MM:MM:MM brd MM:MM:MM:MM:MM:MM
  736. RX: bytes packets errors dropped overrun mcast
  737. 0 0 0 0 0 0
  738. RX errors: length crc frame fifo missed
  739. 0 0 0 0 0
  740. TX: bytes packets errors dropped carrier collsns
  741. 0 0 0 0 0 0
  742. TX errors: aborted fifo window heartbeat
  743. 0 0 0 0
  744.  
  745. =========================================================================
  746. Disk Usage
  747. =========================================================================
  748. Filesystem Size Used Avail Use% Mounted on
  749. udev 5.9G 4.0K 5.9G 1% /dev
  750. tmpfs 1.2G 920K 1.2G 1% /run
  751. /dev/dm-0 1000G 577G 373G 61% /
  752. none 4.0K 0 4.0K 0% /sys/fs/cgroup
  753. none 5.0M 0 5.0M 0% /run/lock
  754. none 5.9G 12K 5.9G 1% /run/shm
  755. none 100M 4.0K 100M 1% /run/user
  756. /dev/vda1 236M 51M 173M 23% /boot
  757.  
  758. =========================================================================
  759. Network Sockets
  760. =========================================================================
  761. COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  762. cupsd 785 root 7u IPv4 8744 0t0 TCP X.X.X.X:631 (LISTEN)
  763. avahi-dae 806 avahi 12u IPv4 13799 0t0 UDP *:5353
  764. avahi-dae 806 avahi 13u IPv6 13800 0t0 UDP *:5353
  765. avahi-dae 806 avahi 14u IPv4 13801 0t0 UDP *:46916
  766. avahi-dae 806 avahi 15u IPv6 13802 0t0 UDP *:46979
  767. cups-brow 1004 root 8u IPv4 8805 0t0 UDP *:631
  768. sshd 1521 root 3u IPv4 12061 0t0 TCP *:ssh_port (LISTEN)
  769. sshd 1521 root 4u IPv6 12063 0t0 TCP *:ssh_port (LISTEN)
  770. searchd 1590 sphinxsearch 7u IPv4 12720 0t0 TCP *:9306 (LISTEN)
  771. searchd 1590 sphinxsearch 8u IPv4 12721 0t0 TCP *:9312 (LISTEN)
  772. syslog-ng 1660 root 9u IPv4 14142 0t0 TCP *:514 (LISTEN)
  773. syslog-ng 1660 root 10u IPv4 14143 0t0 UDP *:514
  774. mysqld 1680 mysql 10u IPv4 14669 0t0 TCP X.X.X.X:50000 (LISTEN)
  775. salt-mini 1735 root 13u IPv4 16449 0t0 TCP X.X.X.X:56700->X.X.X.X:4506 (ESTABLISHED)
  776. salt-mini 1735 root 24u IPv4 11244 0t0 TCP X.X.X.X:49270->X.X.X.X:4505 (ESTABLISHED)
  777. ossec-csy 1835 ossecm 5u IPv4 15395 0t0 UDP X.X.X.X:38951->X.X.X.X:514
  778. starman 2037 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  779. starman 2048 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  780. starman 2050 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  781. starman 2052 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  782. starman 2054 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  783. starman 2055 www-data 5u IPv6 15504 0t0 TCP *:3154 (LISTEN)
  784. ntpd 2218 ntp 16u IPv4 16531 0t0 UDP *:123
  785. ntpd 2218 ntp 17u IPv6 16532 0t0 UDP *:123
  786. ntpd 2218 ntp 18u IPv4 16538 0t0 UDP X.X.X.X:123
  787. ntpd 2218 ntp 19u IPv4 16539 0t0 UDP X.X.X.X:123
  788. ntpd 2218 ntp 20u IPv4 16540 0t0 UDP X.X.X.X:123
  789. ntpd 2218 ntp 21u IPv6 16541 0t0 UDP [X.X.X.X]:123
  790. ntpd 2218 ntp 22u IPv6 16542 0t0 UDP [X.X.X.X]:123
  791. ssh 2966 root 3u IPv4 15833 0t0 TCP X.X.X.X:44776->X.X.X.X:ssh_port (ESTABLISHED)
  792. ssh 2966 root 4u IPv6 15843 0t0 TCP [X.X.X.X]:3306 (LISTEN)
  793. ssh 2966 root 5u IPv4 15844 0t0 TCP X.X.X.X:3306 (LISTEN)
  794. tclsh 3033 SO-user 3u IPv4 20312 0t0 TCP X.X.X.X:43328->X.X.X.X:7736 (ESTABLISHED)
  795. bro 3247 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  796. bro 3336 SO-user 0u IPv4 21009 0t0 TCP *:47761 (LISTEN)
  797. bro 3336 SO-user 1u IPv6 21010 0t0 TCP *:47761 (LISTEN)
  798. bro 3336 SO-user 2u IPv4 22583 0t0 TCP X.X.X.X:47761->X.X.X.X:55178 (ESTABLISHED)
  799. bro 3336 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  800. bro 3336 SO-user 14u IPv4 24638 0t0 TCP X.X.X.X:47761->X.X.X.X:55180 (ESTABLISHED)
  801. bro 3336 SO-user 19u IPv4 21738 0t0 TCP X.X.X.X:47761->X.X.X.X:55184 (ESTABLISHED)
  802. bro 3588 SO-user 4u IPv4 22576 0t0 UDP X.X.X.X:41234->X.X.X.X:53
  803. bro 3688 SO-user 0u IPv4 17140 0t0 TCP X.X.X.X:55178->X.X.X.X:47761 (ESTABLISHED)
  804. bro 3688 SO-user 4u IPv4 22576 0t0 UDP X.X.X.X:41234->X.X.X.X:53
  805. bro 3688 SO-user 11u IPv4 17145 0t0 TCP *:47762 (LISTEN)
  806. bro 3688 SO-user 12u IPv6 17146 0t0 TCP *:47762 (LISTEN)
  807. bro 3688 SO-user 13u IPv4 24641 0t0 TCP X.X.X.X:47762->X.X.X.X:33122 (ESTABLISHED)
  808. bro 3688 SO-user 18u IPv4 24666 0t0 TCP X.X.X.X:47762->X.X.X.X:33126 (ESTABLISHED)
  809. bro 4089 SO-user 4u IPv4 22673 0t0 UDP X.X.X.X:57838->X.X.X.X:53
  810. bro 4090 SO-user 4u IPv4 23718 0t0 UDP X.X.X.X:42111->X.X.X.X:53
  811. bro 4185 SO-user 0u IPv4 21727 0t0 TCP X.X.X.X:55180->X.X.X.X:47761 (ESTABLISHED)
  812. bro 4185 SO-user 4u IPv4 23718 0t0 UDP X.X.X.X:42111->X.X.X.X:53
  813. bro 4185 SO-user 12u IPv4 21730 0t0 TCP X.X.X.X:33122->X.X.X.X:47762 (ESTABLISHED)
  814. bro 4185 SO-user 17u IPv4 21735 0t0 TCP *:47763 (LISTEN)
  815. bro 4185 SO-user 18u IPv6 21736 0t0 TCP *:47763 (LISTEN)
  816. bro 4210 SO-user 0u IPv4 21261 0t0 TCP X.X.X.X:55184->X.X.X.X:47761 (ESTABLISHED)
  817. bro 4210 SO-user 4u IPv4 22673 0t0 UDP X.X.X.X:57838->X.X.X.X:53
  818. bro 4210 SO-user 12u IPv4 21264 0t0 TCP X.X.X.X:33126->X.X.X.X:47762 (ESTABLISHED)
  819. bro 4210 SO-user 17u IPv4 21269 0t0 TCP *:47764 (LISTEN)
  820. bro 4210 SO-user 18u IPv6 21270 0t0 TCP *:47764 (LISTEN)
  821. tclsh 4362 SO-user 3u IPv4 22773 0t0 TCP X.X.X.X:33749->X.X.X.X:7736 (ESTABLISHED)
  822. tclsh 4392 SO-user 3u IPv4 24829 0t0 TCP X.X.X.X:33843->X.X.X.X:7736 (ESTABLISHED)
  823. tclsh 4392 SO-user 4u IPv4 24830 0t0 TCP X.X.X.X:8101 (LISTEN)
  824. tclsh 4392 SO-user 6u IPv4 43505 0t0 TCP X.X.X.X:8101->X.X.X.X:57320 (ESTABLISHED)
  825. tclsh 4429 SO-user 3u IPv4 21413 0t0 TCP X.X.X.X:35883->X.X.X.X:7736 (ESTABLISHED)
  826. tclsh 4429 SO-user 4u IPv4 24917 0t0 TCP X.X.X.X:8102 (LISTEN)
  827. tclsh 4429 SO-user 6u IPv4 43535 0t0 TCP X.X.X.X:8102->X.X.X.X:43342 (ESTABLISHED)
  828. barnyard2 9265 SO-user 3u IPv4 43504 0t0 TCP X.X.X.X:57320->X.X.X.X:8101 (ESTABLISHED)
  829. barnyard2 9311 SO-user 3u IPv4 58582 0t0 TCP X.X.X.X:43342->X.X.X.X:8102 (ESTABLISHED)
  830. sshd 22326 root 3u IPv4 218699 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:15605 (ESTABLISHED)
  831. sshd 22423 SO-user 3u IPv4 218699 0t0 TCP X.X.X.X:ssh_port->X.X.X.X:15605 (ESTABLISHED)
  832. archive-l 22961 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  833. archive-l 22966 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  834. archive-l 22997 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  835. archive-l 23010 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  836. archive-l 23016 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  837. archive-l 23023 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  838. archive-l 23194 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  839. archive-l 23404 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  840. gzip 23729 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  841. gzip 23841 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  842. summarize 23892 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  843. gzip 24123 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  844. gzip 24141 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  845. gzip 24155 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  846. time 24204 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  847. grep 24245 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  848. gzip 24298 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  849. trace-sum 24454 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  850. gzip 24484 SO-user 4u IPv4 18366 0t0 UDP X.X.X.X:50739->X.X.X.X:53
  851.  
  852. =========================================================================
  853. IDS Rules Update
  854. =========================================================================
  855. Wed Feb 7 14:30:15 UTC 2018
  856. Backing up current local_rules.xml file.
  857. Cleaning up local_rules.xml backup files older than 30 days.
  858. Backing up current downloaded.rules file before it gets overwritten.
  859. Cleaning up downloaded.rules backup files older than 30 days.
  860. Backing up current local.rules file before it gets overwritten.
  861. Cleaning up local.rules backup files older than 30 days.
  862. Copying rules from X.X.X.X.
  863. scp: /usr/local/lib/snort_dynamicrules/*: No such file or directory
  864. Restarting Barnyard2.
  865. Restarting: SO-server-eth1
  866. * stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
  867. * starting: barnyard2-1 (spooler, unified2 format)[ OK ]
  868. * stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
  869. * starting: barnyard2-2 (spooler, unified2 format)[ OK ]
  870. Restarting IDS Engine.
  871. Restarting: SO-server-eth1
  872. * stopping: snort-1 (alert data)[ OK ]
  873. * starting: snort-1 (alert data)[ OK ]
  874. * stopping: snort-2 (alert data)[ OK ]
  875. * starting: snort-2 (alert data)[ OK ]
  876.  
  877. =========================================================================
  878. CPU Usage
  879. =========================================================================
  880. Load average for the last 1, 5, and 15 minutes:
  881. 19.18 8.55 5.31
  882. Processing units: 6
  883. If load average is higher than processing units,
  884. then tune until load average is lower than processing units.
  885.  
  886. top - 16:00:40 up 1:53, 1 user, load average: 19.18, 8.55, 5.31
  887. Tasks: 231 total, 15 running, 216 sleeping, 0 stopped, 0 zombie
  888. %Cpu(s): 34.9 us, 7.0 sy, 0.1 ni, 45.3 id, 2.0 wa, 0.0 hi, 10.3 si, 0.4 st
  889. KiB Mem: 12303568 total, 12143432 used, 160136 free, 45876 buffers
  890. KiB Swap: 8388604 total, 294312 used, 8094292 free. 8140960 cached Mem
  891.  
  892. %CPU %MEM COMMAND
  893. 76.8 4.3 /usr/bin/indexer --config /etc/sphinxsearch/sphinx.conf --rotate perm_15
  894. 73.5 4.4 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-1 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-1.stats -U --snaplen 1524
  895. 72.5 4.4 snort -c /etc/nsm/SO-server-eth1/snort.conf -u SO-user -g SO-user -i eth1 -l /nsm/sensor_data/SO-server-eth1/snort-2 --perfmon-file /nsm/sensor_data/SO-server-eth1/snort-2.stats -U --snaplen 1524
  896. 38.5 2.7 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  897. 37.0 2.3 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  898. 13.7 0.6 netsniff-ng -i eth1 -o /nsm/sensor_data/SO-server-eth1/dailylogs/2018-02-07/ --user 1001 --group 1001 -s --prefix snort.log. --verbose --ring-size 64 iB --interval 150 iB
  899. 5.7 0.6 /usr/sbin/mysqld
  900. 5.6 0.2 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
  901. 4.5 0.0 gzip -9
  902. 4.2 0.4 perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf
  903. 4.0 0.0 gzip -9
  904. 3.7 0.0 [ksoftirqd/1]
  905. 3.4 0.0 gzip -9
  906. 3.2 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
  907. 3.0 0.1 /usr/bin/python /opt/bro/bin/trace-summary -c -r -S 0.01 -l /opt/bro/etc/networks.cfg conn.2018-02-07-15-00-00.log
  908. 2.8 0.1 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
  909. 2.6 0.0 gzip -9
  910. 2.6 0.0 gzip -9
  911. 1.3 12.0 /usr/bin/searchd --nodetach
  912. 1.2 0.0 /bin/bash /usr/sbin/sostat
  913. 0.6 0.0 [kswapd0]
  914. 0.5 0.0 [kworker/u12:0]
  915. 0.4 0.0 /var/ossec/bin/ossec-syscheckd
  916. 0.4 0.6 perl /opt/elsa/web/cron.pl -c /etc/elsa_web.conf
  917. 0.4 0.0 -bash
  918. 0.3 0.1 /usr/bin/dockerd --raw-logs
  919. 0.2 0.0 [rcu_sched]
  920. 0.2 0.0 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
  921. 0.2 0.1 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
  922. 0.2 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  923. 0.2 0.4 /opt/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  924. 0.2 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-2.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-2 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-2 -i SO-server-eth1-2 -U
  925. 0.2 0.0 [kworker/u12:2]
  926. 0.2 0.0 sshd: SO-user [priv]
  927. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log weird.2018-02-07-15-00-00.log weird 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  928. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log files.2018-02-07-15-00-00.log files 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  929. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log http_eth1.2018-02-07-15-00-00.log http_eth1 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  930. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log dns.2018-02-07-15-00-00.log dns 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  931. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log conn.2018-02-07-15-00-00.log conn 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  932. 0.2 0.0 /bin/bash /opt/bro/share/broctl/scripts/postprocessors/summarize-connections conn.2018-02-07-15-00-00.log conn 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  933. 0.1 0.0 /sbin/init
  934. 0.1 0.0 [khugepaged]
  935. 0.1 0.2 /usr/bin/python /usr/bin/salt-minion
  936. 0.1 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
  937. 0.1 0.0 barnyard2 -c /etc/nsm/SO-server-eth1/barnyard2-1.conf -u SO-user -g SO-user -d /nsm/sensor_data/SO-server-eth1/snort-1 -f snort.unified2 -w /etc/nsm/SO-server-eth1/barnyard2.waldo-1 -i SO-server-eth1-1 -U
  938. 0.1 0.0 /bin/bash /opt/bro/share/broctl/scripts/archive-log kerberos.2018-02-07-15-00-00.log kerberos 18-02-07_15.00.00 18-02-07_16.00.00 0 ascii
  939. 0.1 0.0 sudo sostat-redacted
  940. 0.1 0.0 /usr/bin/time /opt/bro/bin/trace-summary -c -r -S 0.01 -l /opt/bro/etc/networks.cfg conn.2018-02-07-15-00-00.log
  941. 0.1 0.0 grep -v exceeds bandwidth
  942. 0.0 0.0 [kthreadd]
  943. 0.0 0.0 [ksoftirqd/0]
  944. 0.0 0.0 [kworker/0:0H]
  945. 0.0 0.0 [rcu_bh]
  946. 0.0 0.0 [migration/0]
  947. 0.0 0.0 [watchdog/0]
  948. 0.0 0.0 [watchdog/1]
  949. 0.0 0.0 [migration/1]
  950. 0.0 0.0 [kworker/1:0]
  951. 0.0 0.0 [kworker/1:0H]
  952. 0.0 0.0 [watchdog/2]
  953. 0.0 0.0 [migration/2]
  954. 0.0 0.0 [ksoftirqd/2]
  955. 0.0 0.0 [kworker/2:0]
  956. 0.0 0.0 [kworker/2:0H]
  957. 0.0 0.0 [watchdog/3]
  958. 0.0 0.0 [migration/3]
  959. 0.0 0.0 [ksoftirqd/3]
  960. 0.0 0.0 [kworker/3:0H]
  961. 0.0 0.0 [watchdog/4]
  962. 0.0 0.0 [migration/4]
  963. 0.0 0.0 [ksoftirqd/4]
  964. 0.0 0.0 [kworker/4:0H]
  965. 0.0 0.0 [watchdog/5]
  966. 0.0 0.0 [migration/5]
  967. 0.0 0.0 [ksoftirqd/5]
  968. 0.0 0.0 [kworker/5:0]
  969. 0.0 0.0 [kworker/5:0H]
  970. 0.0 0.0 [kdevtmpfs]
  971. 0.0 0.0 [netns]
  972. 0.0 0.0 [perf]
  973. 0.0 0.0 [khungtaskd]
  974. 0.0 0.0 [writeback]
  975. 0.0 0.0 [ksmd]
  976. 0.0 0.0 [crypto]
  977. 0.0 0.0 [kintegrityd]
  978. 0.0 0.0 [bioset]
  979. 0.0 0.0 [kblockd]
  980. 0.0 0.0 [ata_sff]
  981. 0.0 0.0 [md]
  982. 0.0 0.0 [devfreq_wq]
  983. 0.0 0.0 [vmstat]
  984. 0.0 0.0 [fsnotify_mark]
  985. 0.0 0.0 [ecryptfs-kthrea]
  986. 0.0 0.0 [kthrotld]
  987. 0.0 0.0 [acpi_thermal_pm]
  988. 0.0 0.0 [vballoon]
  989. 0.0 0.0 [bioset]
  990. 0.0 0.0 [bioset]
  991. 0.0 0.0 [bioset]
  992. 0.0 0.0 [bioset]
  993. 0.0 0.0 [kworker/2:1]
  994. 0.0 0.0 [bioset]
  995. 0.0 0.0 [bioset]
  996. 0.0 0.0 [bioset]
  997. 0.0 0.0 [bioset]
  998. 0.0 0.0 [bioset]
  999. 0.0 0.0 [scsi_eh_0]
  1000. 0.0 0.0 [scsi_tmf_0]
  1001. 0.0 0.0 [scsi_eh_1]
  1002. 0.0 0.0 [scsi_tmf_1]
  1003. 0.0 0.0 [ipv6_addrconf]
  1004. 0.0 0.0 [deferwq]
  1005. 0.0 0.0 [charger_manager]
  1006. 0.0 0.0 [bioset]
  1007. 0.0 0.0 [bioset]
  1008. 0.0 0.0 [bioset]
  1009. 0.0 0.0 [bioset]
  1010. 0.0 0.0 [bioset]
  1011. 0.0 0.0 [bioset]
  1012. 0.0 0.0 [bioset]
  1013. 0.0 0.0 [bioset]
  1014. 0.0 0.0 [bioset]
  1015. 0.0 0.0 [kpsmoused]
  1016. 0.0 0.0 [kworker/4:1]
  1017. 0.0 0.0 [kworker/5:1]
  1018. 0.0 0.0 [ttm_swap]
  1019. 0.0 0.0 [qxl_gc]
  1020. 0.0 0.0 [kdmflush]
  1021. 0.0 0.0 [bioset]
  1022. 0.0 0.0 [kdmflush]
  1023. 0.0 0.0 [bioset]
  1024. 0.0 0.0 [bioset]
  1025. 0.0 0.0 [jbd2/dm-0-8]
  1026. 0.0 0.0 [ext4-rsv-conver]
  1027. 0.0 0.0 [kworker/3:1H]
  1028. 0.0 0.0 [kworker/5:1H]
  1029. 0.0 0.0 [kworker/1:1H]
  1030. 0.0 0.0 [kworker/2:1H]
  1031. 0.0 0.0 [ext4-rsv-conver]
  1032. 0.0 0.0 upstart-udev-bridge --daemon
  1033. 0.0 0.0 /lib/systemd/systemd-udevd --daemon
  1034. 0.0 0.0 dbus-daemon --system --fork
  1035. 0.0 0.0 [kmpathd]
  1036. 0.0 0.0 [kmpath_handlerd]
  1037. 0.0 0.0 [kvm-irqfd-clean]
  1038. 0.0 0.0 /usr/sbin/bluetoothd
  1039. 0.0 0.0 [krfcommd]
  1040. 0.0 0.0 /lib/systemd/systemd-logind
  1041. 0.0 0.0 /usr/sbin/cupsd -f
  1042. 0.0 0.0 avahi-daemon: running [SO-server.local]
  1043. 0.0 0.0 avahi-daemon: chroot helper
  1044. 0.0 0.0 [kworker/1:2]
  1045. 0.0 0.0 /usr/sbin/cups-browsed
  1046. 0.0 0.0 upstart-file-bridge --daemon
  1047. 0.0 0.0 upstart-socket-bridge --daemon
  1048. 0.0 0.0 [kworker/4:2]
  1049. 0.0 0.0 /sbin/getty -8 38400 tty4
  1050. 0.0 0.0 /sbin/getty -8 38400 tty5
  1051. 0.0 0.1 /usr/bin/python /usr/bin/salt-minion
  1052. 0.0 0.0 /sbin/getty -8 38400 tty2
  1053. 0.0 0.0 /sbin/getty -8 38400 tty3
  1054. 0.0 0.0 /sbin/getty -8 38400 tty6
  1055. 0.0 0.0 cron
  1056. 0.0 0.0 /usr/sbin/sshd -D
  1057. 0.0 0.0 acpid -c /etc/acpi/events -s /var/run/acpid.socket
  1058. 0.0 0.0 /usr/sbin/irqbalance
  1059. 0.0 0.0 [kworker/0:1H]
  1060. 0.0 0.0 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
  1061. 0.0 0.0 [kauditd]
  1062. 0.0 0.0 lightdm
  1063. 0.0 0.1 /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
  1064. 0.0 0.0 supervising syslog-ng
  1065. 0.0 0.0 /usr/lib/accountsservice/accounts-daemon
  1066. 0.0 0.0 /usr/lib/policykit-1/polkitd --no-debug
  1067. 0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
  1068. 0.0 0.0 [kworker/4:1H]
  1069. 0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh
  1070. 0.0 0.0 /usr/sbin/kerneloops
  1071. 0.0 0.0 lightdm --session-child 16 19
  1072. 0.0 0.0 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/lightdm-gtk-greeter
  1073. 0.0 0.0 //bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
  1074. 0.0 0.1 /usr/sbin/lightdm-gtk-greeter
  1075. 0.0 0.0 /var/ossec/bin/ossec-csyslogd
  1076. 0.0 0.0 /var/ossec/bin/ossec-execd
  1077. 0.0 0.0 /var/ossec/bin/ossec-analysisd
  1078. 0.0 0.0 /var/ossec/bin/ossec-logcollector
  1079. 0.0 0.0 /usr/lib/at-spi2-core/at-spi-bus-launcher
  1080. 0.0 0.0 /var/ossec/bin/ossec-monitord
  1081. 0.0 0.0 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
  1082. 0.0 0.0 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
  1083. 0.0 0.0 /usr/lib/gvfs/gvfsd
  1084. 0.0 0.0 /usr/lib/gvfs/gvfsd-fuse /run/user/112/gvfs -f -o big_writes
  1085. 0.0 0.0 lightdm --session-child 12 19
  1086. 0.0 0.1 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1087. 0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1088. 0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1089. 0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1090. 0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1091. 0.0 1.0 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
  1092. 0.0 0.0 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:126
  1093. 0.0 0.0 /sbin/getty -8 38400 tty1
  1094. 0.0 0.0 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X
  1095. 0.0 0.0 /usr/bin/ssh -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X
  1096. 0.0 0.0 su - SO-user -- /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
  1097. 0.0 0.1 tclsh /usr/bin/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i X.X.X.X -p 5 -c /etc/nsm/ossec/ossec_agent.conf
  1098. 0.0 0.0 tail -n 0 -F /var/ossec/logs/alerts/alerts.log
  1099. 0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
  1100. 0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
  1101. 0.0 0.0 /opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy local.bro broctl base/frameworks/cluster local-proxy broctl/auto
  1102. 0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  1103. 0.0 0.0 /bin/bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth1 -U .status -p broctl -p broctl-live -p local -p SO-server-eth1-2 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
  1104. 0.0 0.0 su - SO-user -- /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
  1105. 0.0 0.0 tclsh /usr/bin/pcap_agent.tcl -c /etc/nsm/SO-server-eth1/pcap_agent.conf
  1106. 0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-1.conf
  1107. 0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-1.stats
  1108. 0.0 0.0 su - SO-user -- /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
  1109. 0.0 0.0 tclsh /usr/bin/snort_agent.tcl -c /etc/nsm/SO-server-eth1/snort_agent-2.conf
  1110. 0.0 0.0 tail -n 1 -f /nsm/sensor_data/SO-server-eth1/snort-2.stats
  1111. 0.0 0.0 [kworker/3:2]
  1112. 0.0 0.0 [kworker/3:1]
  1113. 0.0 0.0 [kworker/u12:1]
  1114. 0.0 0.0 [kworker/0:2]
  1115. 0.0 0.0 CRON
  1116. 0.0 0.0 /bin/sh -c sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh > /dev/null 2>&1
  1117. 0.0 0.0 sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-cron.sh
  1118. 0.0 0.0 [kworker/0:1]
  1119. 0.0 0.0 sshd: SO-user@pts/0
  1120. 0.0 0.0 /bin/bash /usr/sbin/sostat-redacted
  1121. 0.0 0.0 ps -eo pcpu,pmem,args --sort -pcpu
  1122.  
  1123. =========================================================================
  1124. Packets received during last monitoring interval (600 seconds)
  1125. =========================================================================
  1126.  
  1127. eth1: 10237736
  1128.  
=========================================================================
Packet Loss Stats
=========================================================================

NIC:

eth1:

RX packets:120056197 dropped:34781111 TX packets:2 dropped:0

-------------------------------------------------------------------------

pf_ring:

Appl. Name : bro-eth1
Tot Packets : 52056991
Tot Pkt Lost : 219746


Appl. Name : bro-eth1
Tot Packets : 66313101
Tot Pkt Lost : 288350


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 39008804
Tot Pkt Lost : 5224028


Appl. Name : snort-cluster-52-socket-0
Tot Packets : 51057410
Tot Pkt Lost : 7953355

-------------------------------------------------------------------------

IDS Engine (snort) packet drops:

/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported pkt_drop_percent as 14.157
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported pkt_drop_percent as 7.322
-------------------------------------------------------------------------

Bro:

Average packet loss as percent across all Bro workers: 0.430915

SO-server-eth1-1: 1518019243.469166 recvd=66047588 dropped=288350 link=66047588
SO-server-eth1-2: 1518019243.668787 recvd=51863244 dropped=219746 link=51863244

No capture loss reported.

-------------------------------------------------------------------------

Netsniff-NG:


Percentage of packets dropped:

/var/log/nsm/SO-server-eth1/netsniff-ng.log --


=========================================================================
PF_RING
=========================================================================
PF_RING Version : 6.6.0 (unknown)
Total rings : 4

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/SO-server-eth0/dailylogs/ - 0 days
4.0K .

/nsm/sensor_data/SO-server-eth1/dailylogs/ - 2 days
357G .
294G ./2018-02-06
63G ./2018-02-07

/nsm/bro/logs/ - 3 days
1.5G .
935M ./2018-02-05
443M ./2018-02-06
94M ./2018-02-07
4.0M ./stats

=========================================================================
Last update
=========================================================================

=========================================================================
Available updates
=========================================================================
64 packages can be updated.
48 updates are security updates.

Run 'sudo soup' to install the latest updates.

=========================================================================
ELSA
=========================================================================
Syslog-ng
Checking for process:
1660 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
Checking for connection:
Connection to localhost 514 port [tcp/shell] succeeded!

MySQL
Checking for process:
1680 /usr/sbin/mysqld
Checking for connection:
Connection to localhost 50000 port [tcp/*] succeeded!

Sphinx
Checking for process:
1587 su -s /bin/sh -c exec "$0" "$@" sphinxsearch -- /usr/bin/searchd --nodetach
1590 /usr/bin/searchd --nodetach
Checking for connection:
Connection to localhost 9306 port [tcp/*] succeeded!

ELSA Buffers in Queue:
3
If this number is consistently higher than 20, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#why-does-sostat-show-a-high-number-of-elsa-buffers-in-queue

ELSA Directory Sizes:
211G /nsm/elsa/data
15M /var/lib/mysql/syslog
392K /var/lib/mysql/syslog_data

ELSA Index Date Range
If you don't have at least 2 full days of logs in the Index Date Range,
then you'll need to increase log_size_limit in /etc/elsa_node.conf.
MIN(start) MAX(end)
2018-02-01 16:58:15 2018-02-07 16:00:02

autossh
Checking for process:
2965 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -i /root/.ssh/securityonion -L 3306:X.X.X.X:3306 -R 50000:localhost:3154 SO-user@X.X.X.X

Checking APIKEY:
APIKEY matches server.

starman
Checking for processes:
2037 starman master -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2048 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2050 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2052 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2054 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi
2055 starman worker -I/opt/elsa/web/lib --user=www-data --listen :3154 --daemonize --pid /var/run/starman.pid --error-log /var/log/starman.log /opt/elsa/web/lib/Web.psgi

=========================================================================
Version Information
=========================================================================
Ubuntu 14.04.5 LTS
securityonion-sostat 20120722-0ubuntu0securityonion84