Snort mailing list archives
Re: Monitoring Sensors
From: Bennett Todd <bet () rahul net>
Date: Mon, 23 Sep 2002 10:43:11 -0400
Different folks have different strategies for monitoring. My own preference is for end-to-end functional monitoring. For IDS sensors, I like to arrange for a special signature that will trigger a keepalive "alarm" when I send a special probe packet past it; then I arrange a generator to send one of those packets every so often, and then process the alerts, wherever they're ultimately forwarded, to move the keepalives aside for special examination; then a periodic monitor process sets off an alarm if it doesn't see one of these keepalive alerts for too long (several "probe" intervals). Same trick as I use for other server monitoring wherever I can figure out a way to; e.g. I'll monitor an email relay server by periodically routing a keepalive message through it to a monitoring mailbox.

-Bennett
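The alert-processing and watchdog half of the scheme described in the message above, as an added example that is not code from the original post or from the Snort project. It assumes alerts arrive in Snort's "fast" alert format and that each sensor carries its own keepalive rule; the SIDs, sensor names, probe payload, interval and sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed local rule on a sensor (constructed; SID and payload are placeholders):
#   alert icmp any any -> any any (msg:"KEEPALIVE probe"; content:"ids-keepalive-probe"; sid:1000001; rev:1;)
KEEPALIVE_SIDS = {1000001: "sensor-a", 1000002: "sensor-b"}  # hypothetical SID -> sensor map
PROBE_INTERVAL = timedelta(minutes=5)   # how often the generator sends a probe (assumed)
MAX_MISSED = 3                          # "several probe intervals" before alarming

# Fast alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

def split_alerts(lines, year):
    """Move keepalives aside. Returns (newest keepalive time per sensor, real alerts)."""
    last_seen, real = {}, []
    for line in lines:
        m = ALERT_RE.match(line)
        sensor = KEEPALIVE_SIDS.get(int(m.group(3))) if m else None
        if sensor is None:
            real.append(line)           # unparseable or non-keepalive lines stay visible
            continue
        # The default fast-alert timestamp carries no year, so the caller supplies it.
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        if sensor not in last_seen or ts > last_seen[sensor]:
            last_seen[sensor] = ts
    return last_seen, real

def stale_sensors(last_seen, now):
    """Sensors with no keepalive inside MAX_MISSED intervals, including never-seen ones."""
    limit = PROBE_INTERVAL * MAX_MISSED
    return sorted(s for s in KEEPALIVE_SIDS.values()
                  if s not in last_seen or now - last_seen[s] > limit)

# Constructed sample alert log (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = [
    "09/23-10:05:00.000000  [**] [1:1000002:1] KEEPALIVE probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.30",
    "09/23-10:30:00.000000  [**] [1:1000001:1] KEEPALIVE probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "09/23-10:31:12.482113  [**] [1:1000999:1] constructed test alert [**] [Priority: 2] {TCP} 192.0.2.55:40000 -> 192.0.2.20:80",
    "09/23-10:40:00.000000  [**] [1:1000001:1] KEEPALIVE probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
]

if __name__ == "__main__":
    seen, real = split_alerts(SAMPLE, 2002)
    now = datetime(2002, 9, 23, 10, 43, 11)
    print("real alerts:", len(real))
    print("stale sensors:", stale_sensors(seen, now))
```

Because a sensor that has never produced a keepalive is reported as stale, a sensor that was dead before the watchdog started is caught as well as one that stops later.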
Current thread:
- Monitoring Sensors Pedro Tedeschi (Sep 20)
- Re: Monitoring Sensors Bennett Todd (Sep 23)
- <Possible follow-ups>
- RE: Monitoring Sensors Hutchinson, Andrew (Sep 20)
- RE: Monitoring Sensors Chris Fox (Sep 20)
- Re: Monitoring Sensors Jon Quiros (Sep 21)
- RE: Monitoring Sensors Christopher Lyon (Sep 20)
- RE: Monitoring Sensors Gene Gomez (Sep 20)
- RE: Monitoring Sensors Christopher Lyon (Sep 20)
- Re: Monitoring Sensors quentyn (Sep 23)
- RE: Monitoring Sensors Fraser Hugh (Sep 24)