Snort mailing list archives

Re: HP SIM for monitoring snort process


From: Joe Pampel <jpampel () paladyne com>
Date: Thu, 29 Apr 2010 21:29:17 -0400

The snort daemon will syslog errors on startup (as an example) and you can use standard SNMP OIDs to call stats on 
CPU, RAM, Swap, network throughput & errors etc.

Most of these are pretty standard across the Linuxes. Solaris has some different counters.
Interface counters are universally the UCD MIB in my experience.
Using the UCD MIB extensions you can create a custom counter for the snort daemon to make sure it's up, things like 
that. You can also send a custom trap.
At the end of your snmp.conf file, just add something like this (then restart snmp):

#######################
# Added to monitor Snort via NET-SNMP extensions
proc snort 1
proc mysqld 1

(etc etc)
############## End of custom services #########


The proc name has to match the actual name of the service.

The number after the proc name is the number of processes that should be running. More or less causes an alert 
(prErrMessage).

The service instances will all get custom OIDs under .1.3.6.1.4.1.2021.2: (if using snmp v3, add this OID to your 
user's view!)

mysharona@/usr/sfw/bin: snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prIndex.2 = INTEGER: 2
UCD-SNMP-MIB::prNames.1 = STRING: snort
UCD-SNMP-MIB::prNames.2 = STRING: mysqld
UCD-SNMP-MIB::prMin.1 = INTEGER: 0
UCD-SNMP-MIB::prMin.2 = INTEGER: 0
UCD-SNMP-MIB::prMax.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.2 = INTEGER: 1
UCD-SNMP-MIB::prCount.1 = INTEGER: 2
UCD-SNMP-MIB::prCount.2 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: 0
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many snort running (# = 2)
UCD-SNMP-MIB::prErrMessage.2 = STRING:


Is this the kind of issue reporting you mean?

- Joe
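A small parser for that walk output, written here as an added example (not from Joe's post or from net-snmp): it regroups the prTable rows and re-derives the alert from prCount against prMin/prMax, so a poller can raise the condition even when it only has the raw walk. The min/max rules are my reading of net-snmp's proc check and are an assumption; the post only shows the "Too many" case.

```python
import re
from collections import defaultdict
# Constructed sample: the snmpwalk output quoted in the post above.
SAMPLE_WALK = """\
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prIndex.2 = INTEGER: 2
UCD-SNMP-MIB::prNames.1 = STRING: snort
UCD-SNMP-MIB::prNames.2 = STRING: mysqld
UCD-SNMP-MIB::prMin.1 = INTEGER: 0
UCD-SNMP-MIB::prMin.2 = INTEGER: 0
UCD-SNMP-MIB::prMax.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.2 = INTEGER: 1
UCD-SNMP-MIB::prCount.1 = INTEGER: 2
UCD-SNMP-MIB::prCount.2 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: 0
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many snort running (# = 2)
UCD-SNMP-MIB::prErrMessage.2 = STRING:
"""
# One prTable cell per line: column name, row index, type, value.
LINE_RE = re.compile(r"^UCD-SNMP-MIB::(\w+)\.(\d+) = (INTEGER|STRING): ?(.*)$")

def parse_prtable(walk_text):
    """Regroup the flat snmpwalk lines into one dict per prTable row."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, kind, value = m.groups()
            rows[int(index)][column] = int(value) if kind == "INTEGER" else value
    return dict(rows)

def evaluate(row):
    """Re-derive the alert text from prCount against prMin/prMax. Assumption:
    this mirrors net-snmp's proc check; the post only shows the 'Too many' case."""
    name, count, lo, hi = row["prNames"], row["prCount"], row["prMin"], row["prMax"]
    if lo == 0 and hi == 0 and count == 0:
        return f"No {name} process running"
    if count < lo:
        return f"Too few {name} running (# = {count})"
    if hi > 0 and count > hi:
        return f"Too many {name} running (# = {count})"
    return ""

def check(walk_text):
    """Return {name: message} for every row the agent flags or our check does."""
    alerts = {}
    for row in parse_prtable(walk_text).values():
        derived = evaluate(row)
        if row.get("prErrorFlag") == 1 or derived:
            alerts[row["prNames"]] = row.get("prErrMessage") or derived
    return alerts
```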

On Apr 29, 2010, at 8:41 PM, Joel Esler wrote:

How does the HP SIM interface with end machines?  Maybe I can give you some pointers about how to implement it.  I've 
never worked with the HP SIM myself.

Are you talking about OpenView?

On Thu, Apr 29, 2010 at 4:43 PM, Billy Marshall <Billy.Marshall () state co us> wrote:
Hi,

Is there a known way to implement HP SIM to report issues with snort?

Cheers

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



