[Snort-devel] Re: Status alert
roesch at ...402...
Mon Feb 23 20:19:22 EST 2004
Isn't it easier to have a process just monitor the process table to
make sure Snort is running? Doesn't Big Brother fill this role? I'm
not opposed, but I think there are other programs out there that can do
this already for you.
On Feb 3, 2004, at 7:00 AM, Martin Olsson wrote:
> Hi guys.
> I got an idea...
> If you send a SIGUSR2 signal to the snort process it should generate an
> alert. This way you can test and see that your snort system is up and
> I can't generate this kind of "status alert" manually.
> * The monitoring interface is listening on a customer's internal net
> * The monitoring interface has no IP address
> * I'm not allowed to generate any kind of traffic from the sensor on
> monitored net
> I want to manually force the snort process to generate a "status alert"
> to check that the whole chain from the snort to the mysql-server and
> is working properly.
> If SIGUSR2 is already in use or is reserved, then maybe the alert could be
> sent if you send two SIGUSR1 within 0.5 seconds?
> Maybe the alert could contain a virtual packet whose payload contains the
> current statistics (dropped packets, frag stats, stream stats, etc)?
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
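The heartbeat idea from the quoted message, as an added example that is neither Snort's code nor code from either poster: a Python sketch in which SIGUSR2, or two SIGUSR1 within 0.5 seconds, makes a sensor process emit a "status alert" whose payload is its current counters, so the alert path can be exercised without the sensor putting any traffic on the monitored net. The class name, the counter names and the window constant are assumptions.

```python
import json
import os
import signal
import time

# Assumed mapping, following the proposal in the thread: SIGUSR2 requests a
# status alert directly; two SIGUSR1 within the window do the same.
SIG_STATUS = signal.SIGUSR2
SIG_TAP = signal.SIGUSR1
DOUBLE_TAP_WINDOW = 0.5  # seconds between two SIGUSR1 to count as one request


class StatusAlerter:
    def __init__(self, stats, window=DOUBLE_TAP_WINDOW):
        self.stats = stats        # live counters, e.g. {"dropped": 0, "frag": 0}
        self.window = window
        self.last_tap = None      # monotonic time of the previous SIGUSR1
        self.emitted = []         # status alerts produced so far

    def should_alert(self, signum, now):
        """Decide whether this signal delivery triggers a status alert."""
        if signum == SIG_STATUS:
            return True
        if signum == SIG_TAP:
            prev, self.last_tap = self.last_tap, now
            return prev is not None and (now - prev) <= self.window
        return False

    def build_alert(self, now):
        """Virtual-packet style alert: the payload is the current statistics."""
        return {"type": "status", "ts": now, "payload": dict(self.stats)}

    def on_signal(self, signum, now=None):
        """Handle one signal; return the alert emitted, or None."""
        now = time.monotonic() if now is None else now
        if not self.should_alert(signum, now):
            return None
        self.last_tap = None      # a pair has been consumed; start fresh
        alert = self.build_alert(now)
        self.emitted.append(alert)
        return alert


def install(alerter, sink=print):
    """Wire the alerter to real signals; sink stands in for the output plugin."""
    def handler(signum, frame):
        alert = alerter.on_signal(signum)
        if alert is not None:
            sink(json.dumps(alert))
    signal.signal(SIG_TAP, handler)
    signal.signal(SIG_STATUS, handler)


if __name__ == "__main__":
    alerter = StatusAlerter({"dropped": 0, "frag": 0, "stream": 0})
    install(alerter)
    print(f"pid {os.getpid()}: send USR2, or two USR1 quickly, for a status alert")
    while True:
        time.sleep(1)         # a real sensor would update its counters here
```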