[Snort-devel] Utility, might be useful to more than me.
Lamont R. Peterson
lamont at ...2434...
Tue Aug 31 13:34:41 EDT 2004
On Fri, 2004-08-27 at 15:21, Keith T. Morgan wrote:
> I'm not a member of this list so, please reply to me directly.
> I have about 12 pigs tied together and alerting to one snort/acid
> database. A big issue for us is failure to realize that a sensor has
> lost its connection to the database and is no longer sending alerts.
> I've written a (probably quite crappy) perl script that can take a
> configuration file and be run via cron to check to see the last time one
> (or all) of your sensors has alerted. If this thing would be considered
> even vaguely useful to any of the snort community, I'd love to
So, your sensors are expecting to find "Bad Things(TM)" on a regular
schedule (or at least frequently enough to make this work)?
Personally, I try to eliminate all false-positives from occurring, then
I work on eliminating (securing, locking down, whatever) the rest.
If I am successful (I know, this is a *very* tall order), then I should
only see alerts when there really *is* something to be concerned about.
In that case, I would expect your tool to show that most (or,
preferably, all) of my sensors were "offline" when, in fact, they are
running just fine.
I think it would be better to add a simple heartbeat to the sensors.
Maybe a simple daemon on the database server could poll (or collect
from, which way would people prefer?) the sensors and send you an alert
if one is down?
Better yet, include this functionality in the sensors themselves. Peer
heartbeat. Any sensors that are OK can send an alert about the downed
sensors. Obviously, we would need to have a mechanism to summarize the
multiple alerts (from several sensors).
There are other obvious needs for this idea to work that I can think of.
If there is interest in having such a heartbeat feature, I will discuss
them further and even write the code for it.
Lamont R. Peterson <lamont at ...2434...>
Guru Labs, L.C. http://www.GuruLabs.com/
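The two mechanisms discussed in this thread, a staleness check on per-sensor timestamps and a summary of peer reports about downed sensors, as an added example that is not code from the thread or from Snort. It assumes (not stated above) that each sensor writes a heartbeat timestamp to a shared store and that peers report sensors they believe are down; both are modelled with constructed in-memory data.

```python
"""Sensor heartbeat monitor (added example, not code from this thread).

Assumes (not stated in the thread) that each sensor periodically writes a
heartbeat timestamp to a shared store and that peers report sensors they
believe are down; both are modelled here with constructed in-memory data.
"""
from collections import defaultdict

STALE_AFTER = 300  # seconds without a heartbeat before a sensor counts as down

# Constructed sample data: the monitor's view at time NOW.
NOW = 1_000_000
EXPECTED = ["sensor01", "sensor02", "sensor03", "sensor04"]
HEARTBEATS = {            # sensor04 has never checked in at all
    "sensor01": NOW - 30,
    "sensor02": NOW - 900,
    "sensor03": NOW - 120,
}
PEER_REPORTS = [          # (reporting sensor, sensor it thinks is down, time)
    ("sensor01", "sensor02", NOW - 600),
    ("sensor03", "sensor02", NOW - 500),
    ("sensor01", "sensor04", NOW - 100),
]

def stale_sensors(heartbeats, now, expected, stale_after=STALE_AFTER):
    """Sensors silent for longer than stale_after, plus expected sensors
    that have never sent a heartbeat (a missing key also counts as down)."""
    down = [s for s in expected
            if s not in heartbeats or now - heartbeats[s] > stale_after]
    return sorted(down)

def summarize_peer_reports(reports):
    """Collapse many peer reports about the same downed sensor into one
    entry: which peers reported it and when it was first reported."""
    summary = defaultdict(lambda: {"reporters": set(), "first_seen": None})
    for reporter, downed, ts in reports:
        entry = summary[downed]
        entry["reporters"].add(reporter)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return {s: {"reporters": sorted(e["reporters"]), "first_seen": e["first_seen"]}
            for s, e in summary.items()}

if __name__ == "__main__":
    for s in stale_sensors(HEARTBEATS, NOW, EXPECTED):
        print(f"DOWN: {s} (no heartbeat within {STALE_AFTER}s)")
    for s, e in summarize_peer_reports(PEER_REPORTS).items():
        print(f"PEERS REPORT {s} down since {e['first_seen']}: {e['reporters']}")
```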