Snort mailing list archives

RE: Monitoring Sensors


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Tue, 24 Sep 2002 12:22:40 -0400

As one previous poster mentioned, Netsaint/Nagios offers the tools needed to
monitor your sensors. I use it to do more than simply tell if the sensor is
alive though, since I'm also interested in the overall "health" of the
sensor. To that end, I watch load level, disk space, memory, process count
etc. putting appropriate thresholds on each of the measurements, so that I'm
notified if things are getting out of line. To add some additional
sophistication, one of the plugins will do limit checks on MRTG to alert you
to unusual network loads. Couple this with Netsaint's console page and
historical trending and you've got a good package for watching a number of
sensors. Add in the notification features and it's very powerful indeed,
providing the exception-only reporting environment I'm looking for.


-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, September 23, 2002 10:43 AM
To: Pedro Tedeschi
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Monitoring Sensors


Different folks have different strategies for monitoring.

My own preference is for end-to-end functional monitoring.

For IDS sensors, I like to arrange for a special signature that will
trigger a keepalive "alarm" when I send a special probe packet past
it; then I arrange a generator to send one of those packets every
so often, and then process the alerts, wherever they're ultimately
forwarded, to move the keepalives aside for special examination;
then a periodic monitor process sets off an alarm if it doesn't
see one of these keepalive alerts for too long (several "probe"
intervals).

Same trick as I use for other server monitoring wherever I can
figure out a way to; e.g. I'll monitor an email relay server by
periodically routing a keepalive message through it to a monitoring
mailbox.

-Bennett
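
The keepalive watchdog Bennett describes, sketched as an added example that is not part of either message: it moves keepalive alerts aside from real ones and flags the sensor when no keepalive has arrived for several probe intervals. The SID, probe interval, threshold, and sample alert lines (Snort "fast" alert format, which carries no year) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

KEEPALIVE_SID = 1000001                  # assumption: local SID of the keepalive rule
PROBE_INTERVAL = timedelta(minutes=5)    # assumption: generator sends a probe every 5 min
MAX_MISSED = 3                           # alarm after this many silent probe intervals

# Leading fields of a fast-format alert: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg ..."
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")

# Constructed sample input: two keepalives and one ordinary alert.
SAMPLE = """\
09/24-12:00:01.102938  [**] [1:1000001:1] IDS keepalive probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
09/24-12:03:44.551200  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.20
09/24-12:05:01.098113  [**] [1:1000001:1] IDS keepalive probe [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
""".splitlines()

def split_alerts(lines, year):
    """Move keepalives aside; return (keepalive timestamps, remaining alert lines)."""
    keepalives, real = [], []
    for line in lines:
        m = ALERT_RE.match(line)
        if m and int(m["sid"]) == KEEPALIVE_SID:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            keepalives.append(ts)
        elif line.strip():
            real.append(line)        # unparseable lines stay with the real alerts
    return keepalives, real

def sensor_status(keepalives, now):
    """Return (state, age of newest keepalive); state is OK, STALE or NEVER_SEEN."""
    if not keepalives:
        return "NEVER_SEEN", None
    age = now - max(keepalives)
    stale = age > PROBE_INTERVAL * MAX_MISSED
    return ("STALE" if stale else "OK"), age

if __name__ == "__main__":
    seen, real_alerts = split_alerts(SAMPLE, 2002)
    print(sensor_status(seen, datetime(2002, 9, 24, 12, 10)))   # probe seen recently
    print(sensor_status(seen, datetime(2002, 9, 24, 12, 30)))   # silent for too long
    print(len(real_alerts), "alert(s) left for normal handling")
```

Because the check consumes alerts at the point where they are finally delivered, a stale result covers the whole path (probe generator, sensor, rule set, and alert forwarding), not just the Snort process.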


