
How To Determine Chatty Processes/Hosts in CbEvents

Version

Cb Response 5.x, 6.1

Topic

How to identify the chattiest processes and hosts in the CbEvents Solr core (candidates for ingress filtering and additional event suppression), and upload the resulting term lists to the Alliance servers with cbpost for review.

Solution

5.2

  1. Determine which shards are present on the local node:
    cat /etc/cb/cluster.conf
  2. Run the following commands once per local shard, replacing 0 with the shard ID. Chain cbpost with && (not a pipe) so each file is uploaded only after curl has finished writing it; with a pipe, cbpost starts immediately and can upload an empty or partial file:
    curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=path_full&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_procs_pathfull.txt" && /usr/share/cb/cbpost "/tmp/$(hostname)_procs_pathfull.txt"
    curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=parent_name&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_parentprocs.txt" && /usr/share/cb/cbpost "/tmp/$(hostname)_parentprocs.txt"
    curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=hostname&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_hosts.txt" && /usr/share/cb/cbpost "/tmp/$(hostname)_hosts.txt"
  3. Repeat this process on every node in the cluster.
  4. Add a case comment when the uploads are complete.

6.1.x

  1. Run these commands on all nodes (master and minions):
    curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=path_full&terms=true&terms.limit=50&indent=true&wt=..." > "/var/log/cb/solr/$(hostname)_procs_pathfull.xml" && /usr/share/cb/cbpost /var/log/cb/solr/$(hostname)_procs_pathfull.xml
    curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=hostname&terms=true&terms.limit=50&indent=true&wt=x..." > "/var/log/cb/solr/$(hostname)_hosts.xml" && /usr/share/cb/cbpost /var/log/cb/solr/$(hostname)_hosts.xml
    curl "http://127.0.0.1:8080/solr/reader/terms?terms.fl=parent_name&terms=true&terms.limit=50&indent=true&w..." > "/var/log/cb/solr/$(hostname)_parent_process.xml" && /usr/share/cb/cbpost /var/log/cb/solr/$(hostname)_parent_process.xml
  2. Then add a case comment letting us know the uploads are complete
Article Information
Creation Date: 08-07-2017