[Snort-devel] Re: Status alert

Martin Roesch roesch at ...402...
Mon Feb 23 20:19:22 EST 2004


Isn't it easier to have a process just monitor the process table to 
make sure Snort is running?  Doesn't Big Brother fill this role?  I'm 
not opposed, but I think there are other programs out there that can do 
this already for you.

      -Marty

On Feb 3, 2004, at 7:00 AM, Martin Olsson wrote:

>
> Hi guys.
>
> I got an idea...
>
> If you send a SIGUSR2 signal to the snort process it should generate an
> alert. This way you can test and see that your snort system is up and
> running.
>
> I can't generate this kind of "status alert" manually.
> * The monitoring interface is listening on a customer's internal net
> * The monitoring interface has no IP address
> * I'm not allowed to generate any kind of traffic from the sensor on the
>   monitored net
>
> I want to manually force the snort process to generate a "status alert"
> to check that the whole chain from the snort to the mysql-server and ACID
> is working properly.
>
>
> If SIGUSR2 is already in use or is reserved, then maybe the alert could be
> sent if you send two SIGUSR1 within 0.5 seconds?
>
>
> Maybe the alert could contain a virtual packet whose payload contains the
> current statistics (dropped packets, frag stats, stream stats, etc)?
>
> /Martin
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
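The mechanism Martin Olsson proposes above, as an added example that is neither Snort's code nor from either poster: a long-running process installs handlers so that SIGUSR2, or two SIGUSR1 arrivals within 0.5 s, makes the main loop emit a status record carrying its current counters. The counters, the `STATUS_ALERT` line format and the 500 ms window constant are constructed for this example; the hand-off to output plugins is only marked with a comment.

```c
/* Added example, not Snort's code: signal-triggered "status alert". */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Constructed counters standing in for the engine's own statistics
   (dropped packets, frag stats, stream stats, as the mail suggests). */
struct sensor_stats {
    unsigned long packets_received;
    unsigned long packets_dropped;
    unsigned long frags_reassembled;
    unsigned long streams_tracked;
};

static struct sensor_stats g_stats = { 1200345UL, 17UL, 42UL, 310UL };

/* Handlers only set this flag; the main loop does the real work, so nothing
   that is not async-signal-safe runs inside a handler. */
static volatile sig_atomic_t status_requested = 0;

/* Fallback trigger from the mail: two SIGUSR1 within 0.5 s (assumed window). */
#define USR1_WINDOW_MS 500L
static long last_usr1_ms = -1;

/* Returns 1 when this arrival is within window_ms of the previous one.
   Pure function over timestamps so it can be tested without real signals. */
int double_usr1_detect(long now_ms, long *last_ms, long window_ms)
{
    int hit = (*last_ms >= 0 && now_ms - *last_ms <= window_ms);
    *last_ms = hit ? -1 : now_ms;    /* after a hit, the next signal starts a new pair */
    return hit;
}

/* Renders the status alert as one line; returns the length, as snprintf does. */
int format_status_alert(char *buf, size_t len, const struct sensor_stats *s)
{
    return snprintf(buf, len,
                    "STATUS_ALERT recv=%lu drop=%lu frags=%lu streams=%lu",
                    s->packets_received, s->packets_dropped,
                    s->frags_reassembled, s->streams_tracked);
}

static long monotonic_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);   /* async-signal-safe per POSIX.1-2008 */
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

static void on_sigusr2(int sig) { (void)sig; status_requested = 1; }

static void on_sigusr1(int sig)
{
    (void)sig;
    if (double_usr1_detect(monotonic_ms(), &last_usr1_ms, USR1_WINDOW_MS))
        status_requested = 1;
}

int main(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_sigusr2;
    sigaction(SIGUSR2, &sa, NULL);
    sa.sa_handler = on_sigusr1;
    sigaction(SIGUSR1, &sa, NULL);

    printf("pid %ld: kill -USR2 (or two kill -USR1 within %ld ms) for a status alert\n",
           (long)getpid(), USR1_WINDOW_MS);
    fflush(stdout);

    for (;;) {
        pause();                          /* sleep until a signal arrives */
        if (status_requested) {
            char line[160];
            status_requested = 0;
            format_status_alert(line, sizeof line, &g_stats);
            puts(line);   /* hand-off point: a real engine would push this into its
                             output plugins so it travels the same path as any alert */
            fflush(stdout);
        }
    }
}
```

Run it in one terminal and send `kill -USR2 <pid>` from another on the same host: the trigger is a local signal, so nothing is emitted on the monitored interface, which is the constraint the original mail describes. The work is deferred to the main loop because `snprintf` and `puts` are not async-signal-safe and must not be called from inside a handler.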