Snort mailing list archives

Re: Snort Question


From: Joe Pampel <jpampel () paladyne com>
Date: Fri, 21 Jan 2011 12:00:28 -0500

You can always use snmp to catch the process not running.  The UCD library lets you define custom counters. Add 
something like this to the end of your snmp.conf:


proc snort 1

Or whatever the number of snort processes should be if it's more than 1.

Restart SNMP and you will see the process counter OID as well as the alert OID which will indicate an issue.

This is easy to integrate into common monitoring systems and scales well if you run multiple snort instances on a box.

You can have a script poll for the value, and if it's < 1 send a syslog or an e-mail etc.


Do an snmpwalk on this oid: (using your correct version of snmp & community of course..)

snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2


and you will see any custom counter OIDs you've made.


On Jan 21, 2011, at 10:52 AM, Atkins, Dwane P wrote:

I am having an issue with the snort process stopping or going away and I am not sure how to determine why and when it 
happens.  This time it appears to have stopped reporting and existing 2 days ago.

It does not appear that our log files are filling up nor was there a recycling of power done in that timeframe in that 
area.

Is there a way to determine why the process has stopped and when?  When I do a ps -aux, there is a barnyard2 entry but 
not a snort entry.

Is there a cron job that I can run to check for the snort process and if it is not discovered, restart it?

I am sure it is me that has done something incorrectly but my configuration seems to be extremely unreliable.  How do 
I alert personnel via email if there is an issue?

Thank you all for your help.

Dwane


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
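A poller of the kind Joe describes above, added here as an example and not taken from the thread: it parses the UCD-SNMP prTable row that `proc snort 1` creates and sends a syslog message when fewer than the configured minimum are running. It assumes net-snmp's snmpwalk on the polling host and the `logger` utility for syslog; the walk output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): poll the UCD-SNMP prTable that
# "proc snort 1" creates and raise a syslog alert when too few snort processes run.
# Assumes net-snmp's snmpwalk on the poller; the sample walk below is constructed.

# Print "name min count" per prTable row read from stdin. Handles the MIB-resolved
# form (UCD-SNMP-MIB::prCount.1 = ...) and the numeric form (...2021.2.1.5.1 = ...);
# prTable columns 2/4/5 are prNames/prMin/prCount.
parse_prtable() {
    awk '{
        split($0, kv, " = "); n = split(kv[1], o, "."); idx = o[n]; col = o[n-1]
        v = kv[2]; sub(/^[A-Z]+: */, "", v); gsub(/^"|"$/, "", v)
        if (col ~ /prNames$/ || col == "2") name[idx] = v
        if (col ~ /prMin$/   || col == "4") mn[idx]   = v
        if (col ~ /prCount$/ || col == "5") cnt[idx]  = v
    }
    END { for (i in name) print name[i], mn[i] + 0, cnt[i] + 0 }'
}

# Return 0 when at least prMin copies of $1 are running, 1 (after logging to
# syslog via logger, if present) when fewer, 2 when snmpd has no row for it.
check_proc() {
    wanted=$1
    row=$(parse_prtable | awk -v p="$wanted" '$1 == p { print; exit }')
    if [ -z "$row" ]; then
        echo "no prTable row for $wanted; is 'proc $wanted' in snmpd.conf?" >&2
        return 2
    fi
    set -- $row
    if [ "$3" -lt "$2" ]; then
        msg="$1 down: $3 of $2 required process(es) running"
        command -v logger >/dev/null 2>&1 && logger -p daemon.crit -t proc-monitor "$msg"
        echo "$msg" >&2
        return 1
    fi
    return 0
}

# Constructed sample of: snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2
# on a sensor where snort has died (prErrorFlag already shows error(1)).
SAMPLE_WALK='UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: snort
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 0
UCD-SNMP-MIB::prCount.1 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: error(1)
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too few snort running (# = 0)'

# Live use from cron: snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2 | check_proc snort
if printf '%s\n' "$SAMPLE_WALK" | check_proc snort; then echo "snort: ok"; else echo "snort: alert"; fi
```

Pipe the real `snmpwalk` output into `check_proc` from cron and act on the exit status (1 means alert, 2 means the `proc` line is missing from snmpd.conf).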