Snort mailing list archives
RE: Monitoring Sensors
From: "Gene Gomez" <gegomez () tycoint com>
Date: Fri, 20 Sep 2002 16:20:20 -0700
Chris,

NetSaint (or Nagios) can be set up to do far more than just ping and portcheck. There are a LOT of plug-ins available for it that do a whole host of other things, including CPU, Memory, and disk metrics. It also can check for process activity. In short, it can do everything you're talking about in the below email.

If you're interested, check out nagios_statd (v3 of the statd service, requires python), or netsaint_statd (v2, requires perl).

We're currently monitoring our sensors, our servers, and all manner of neat things with NetSaint. Plus, we didn't have to buy any software. :)

Gene

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Christopher Lyon
Sent: Friday, September 20, 2002 2:38 PM
To: 'Pedro Tedeschi'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Monitoring Sensors

Pedro,

There are a couple of theories on how you should monitor your sensors. Just ping to see if the box is up or actively poll the device for up, down, and other stats.

What we found to work best is actively poll the device using SNMP. The reason for this is so that we can poll to make sure processes like snort are running. Yeah it is good to know if the box is up but what good is it if a key service has quit working. If you load ucd-snmp, assuming you are on a UNIX platform, you can monitor not only if the box is up and running but you can monitor CPU utilization and processes. So if mysql, snort or apache decided to quit for whatever reason you can be notified that they are not running. You can use any SNMP based product as a manager to poll the sensor for that information. We actively monitor about 10 sensors and we get paged if any of the critical processes stop running or if the CPU utilization is hammered.

NetSaint, from what I can tell, only pings and does a port check. I am sure there are other SNMP packages out there for little to no money; it is just a question about finding one. At our datacenter we use SNMPc for our monitoring and it works very well but it costs money and runs in Windows.

Hope that gives you some help.
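
The process and load checks discussed in this thread, written as a NetSaint/Nagios-style plugin. This is an added example, not code from the posters or from nagios_statd/netsaint_statd; the process names, the thresholds and the use of the 1-minute load average as the CPU metric are assumptions.

```python
#!/usr/bin/env python3
"""NetSaint/Nagios-style plugin: are the sensor's key processes running?"""
import os
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard plugin exit codes
REQUIRED = ("snort", "mysqld", "httpd")      # assumed process names

# Constructed sample of `ps -eo comm=` output: apache (httpd) has died.
SAMPLE_PS = "init\nsshd\nsnort\nmysqld\nsnmpd\n"


def running_counts(ps_output, names):
    """Count exact command-name matches, so 'snortsam' is not 'snort'."""
    counts = {name: 0 for name in names}
    for line in ps_output.splitlines():
        comm = line.strip().rsplit("/", 1)[-1]  # drop any leading path
        if comm in counts:
            counts[comm] += 1
    return counts


def evaluate(ps_output, load1, names=REQUIRED, warn=4.0, crit=8.0):
    """Return (exit_code, status_line) in the plugin output convention."""
    missing = sorted(n for n, c in running_counts(ps_output, names).items() if c == 0)
    perf = "load1=%.2f" % load1
    if missing:
        return CRITICAL, "CRITICAL - not running: %s | %s" % (", ".join(missing), perf)
    if load1 >= crit:
        return CRITICAL, "CRITICAL - load %.2f >= %.2f | %s" % (load1, crit, perf)
    if load1 >= warn:
        return WARNING, "WARNING - load %.2f >= %.2f | %s" % (load1, warn, perf)
    return OK, "OK - %s running | %s" % (", ".join(names), perf)


def main():
    try:
        ps = subprocess.run(["ps", "-eo", "comm="], capture_output=True,
                            text=True, check=True).stdout
        load1 = os.getloadavg()[0]
    except (OSError, subprocess.CalledProcessError) as exc:
        print("UNKNOWN - cannot collect metrics: %s" % exc)
        return UNKNOWN  # never report OK when the check itself failed
    status, line = evaluate(ps, load1)
    print(line)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

A sensor whose snort process has exited still answers ping, which is why the check keys on the process table and returns UNKNOWN rather than OK when it cannot read it.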