Re: Feature wanted: Snort alert when snort service is restarted, started or stopped?

[Tony Robinson <deusexmachina667 () gmail com>]

reposting over to snort-users since it gets a bit more traffic.

Its not likely that this would become a feature since the tools you need to
determine whether or not snort has crashed, start or stopped are already
available. Snort writes to syslog like crazy.
If you are using a SIEM for system monitoring, you'll want to look for some
of these messages:
-look for any logs with snort in the string - these are snort system
messages and there are a lot of them. snort is pretty verbose and isn't
afraid to talk to syslog.
to filter down even further:
-- look for any logs with snort in the string and FATAL (all caps like
that): this will let you know that snort ran into a fatal error -- its not
running and/or failed to start. if I don't see snort in the process list
post-reboot I do the following: cat /var/log/messages | grep snort | grep
-i fatal (parse the messages file, look for lines with snort in the line
and then from those lines only show me the word fatal  with case
insensitivity)

-- look for any logs with snort in the string and the text 'Commencing
packet processing' (exactly like that, without the quotes) to indicate when
snort started up:
cat /var/log/messages | grep snort | grep -i 'commencing packet processing'
-- look for any logs with snort in the string and the text 'Snort exiting'
to know when snort was killed/stopped.
cat /var/log/messages | grep snort | grep -i 'snort exiting'

IF you are not using a SIEM for system monitoring or a syslog server of
some sort, use nagios or another system monitoring solution to see if snort
is up, and what its doing. There are tons of them and unfortunately setup
of that is outside of my scope and outside the scope of snort-devel to tell
you how to do it.

DA

On Wed, Dec 5, 2012 at 8:16 AM, Glenn Terjesen <glenn.terjesen () gmail com>wrote:

> Hi,
> is it possible to generate an alert when snort is restarted, started or
> stopped ?
>
> this should be a default feature i think
>
>
> --
> Mvh Glenn Terjesen
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!