Snort mailing list archives
RE: Monitoring Sensors
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Tue, 24 Sep 2002 12:22:40 -0400
As one previous poster mentioned, Netsaint/Nagios offers the tools needed to monitor your sensors. I use it to do more than simply tell if the sensor is alive though, since I'm also interested in the overall "health" of the sensor. To that end, I watch load level, disk space, memory, process count, etc., putting appropriate thresholds on each of the measurements, so that I'm notified if things are getting out of line. To add some additional sophistication, one of the plugins will do limit checks on MRTG to alert you to unusual network loads. Couple this with Netsaint's console page and historical trending and you've got a good package for watching a number of sensors. Add in the notification features and it's very powerful indeed, providing the exception-only reporting environment I'm looking for.
-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, September 23, 2002 10:43 AM
To: Pedro Tedeschi
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Monitoring Sensors

Different folks have different strategies for monitoring. My own preference is for end-to-end functional monitoring. For IDS sensors, I like to arrange for a special signature that will trigger a keepalive "alarm" when I send a special probe packet past it; then I arrange a generator to send one of those packets every so often, and then process the alerts, wherever they're ultimately forwarded, to move the keepalives aside for special examination; then a periodic monitor process sets off an alarm if it doesn't see one of these keepalive alerts for too long (several "probe" intervals).

Same trick as I use for other server monitoring wherever I can figure out a way to; e.g. I'll monitor an email relay server by periodically routing a keepalive message through it to a monitoring mailbox.

-Bennett
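The keepalive scheme described in the quoted message, as an added sketch that is not code from either poster: it moves keepalive alerts aside and flags sensors that have gone quiet for several probe intervals. The SID, rule text, sensor names, log line shape and intervals are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed local rule on every sensor (SID, port and content are hypothetical):
#   alert udp any any -> any 9 (msg:"IDS keepalive"; content:"ids-keepalive-probe"; sid:1000001; rev:1;)
KEEPALIVE_SID = 1000001
PROBE_INTERVAL = timedelta(minutes=5)   # how often the generator sends a probe
MAX_MISSED = 3                          # "several probe intervals" before alarming

# Constructed syslog-style alert lines, as seen wherever alerts are finally forwarded.
SAMPLE_LOG = """\
Sep 24 12:00:01 sensor-a snort: [1:1000001:1] IDS keepalive {UDP} 10.0.0.5:40000 -> 10.0.0.9:9
Sep 24 12:00:02 sensor-b snort: [1:1000001:1] IDS keepalive {UDP} 10.0.0.5:40000 -> 10.0.1.9:9
Sep 24 12:03:10 sensor-a snort: [1:1000050:1] LOCAL example alert {TCP} 192.0.2.7:3321 -> 10.0.0.20:80
Sep 24 12:05:01 sensor-a snort: [1:1000001:1] IDS keepalive {UDP} 10.0.0.5:40001 -> 10.0.0.9:9
Sep 24 12:15:01 sensor-a snort: [1:1000001:1] IDS keepalive {UDP} 10.0.0.5:40003 -> 10.0.0.9:9
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) snort: \[\d+:(\d+):\d+\] ")

def split_alerts(log_text, year):
    """Move keepalives aside: return ({sensor: last keepalive time}, [other alert lines])."""
    last_seen, real_alerts = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Snort alert line
        stamp, sensor, sid = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        if int(sid) == KEEPALIVE_SID:
            last_seen[sensor] = max(when, last_seen.get(sensor, when))
        else:
            real_alerts.append(line)
    return last_seen, real_alerts

def stale_sensors(expected, last_seen, now):
    """Sensors with no keepalive within MAX_MISSED intervals, including never-seen ones."""
    limit = PROBE_INTERVAL * MAX_MISSED
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > limit)

if __name__ == "__main__":
    seen, alerts = split_alerts(SAMPLE_LOG, 2002)
    print("stale:", stale_sensors(["sensor-a", "sensor-b", "sensor-c"], seen, datetime(2002, 9, 24, 12, 20)))
    print("alerts for analysts:", len(alerts))
```

Checking against a list of expected sensors matters: a sensor that has never produced a keepalive would otherwise never appear in the log and never raise an alarm.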
Current thread:
- Monitoring Sensors Pedro Tedeschi (Sep 20)
- Re: Monitoring Sensors Bennett Todd (Sep 23)
- <Possible follow-ups>
- RE: Monitoring Sensors Hutchinson, Andrew (Sep 20)
- RE: Monitoring Sensors Chris Fox (Sep 20)
- Re: Monitoring Sensors Jon Quiros (Sep 21)
- RE: Monitoring Sensors Christopher Lyon (Sep 20)
- RE: Monitoring Sensors Gene Gomez (Sep 20)
- RE: Monitoring Sensors Christopher Lyon (Sep 20)
- Re: Monitoring Sensors quentyn (Sep 23)
- RE: Monitoring Sensors Fraser Hugh (Sep 24)