[Snort-devel] Re: Status alert

Martin Olsson elof at ...969...
Tue Feb 24 05:03:04 EST 2004


Not really. In my example you check the entire chain from the sensor to
the receiving end, not just that the process is running.
Example:
* Snort receives SIGUSR2 and generates a status alert
* The alert is sent using the prelude output plugin
* A prelude manager in country A receives the alert and retransmits it
* A prelude manager in country B receives the alert and retransmits it
* The prelude manager in my country receives the alert
* The prelude alert is mangled into a customized IDMEF alert
* The IDMEF alert is logged to our NMS

Every time such a status alert is received, it's an indication that
everything is all right.
Compare this feature with the "--MARK--" message sent by syslogd. It
is nice to have when backtracking a system failure.
A nice side effect is that if you fill the alert payload with
Snort statistics such as the number of dropped packets, you
automatically have a centralized historical archive of Snort's
performance without having to use the Monitor Performance preprocessor.

The Monitor Performance preprocessor can only log to the console or to a
file on the sensor. This is a nice feature, but in my case the sensors are
located in different countries and I don't want to build a new system that
collects files from the sensors to a central place. I already have a nice
working redundant solution (prelude).
Why not simply reuse the existing solution for sending statistics and
performance data?


/Martin
On Mon, 23 Feb 2004, Martin Roesch wrote:

> Isn't it easier to have a process just monitor the process table to
> make sure Snort is running?  Doesn't Big Brother fill this role?  I'm
> not opposed, but I think there are other programs out there that can do
> this already for you.
>
>       -Marty
>
> On Feb 3, 2004, at 7:00 AM, Martin Olsson wrote:
>
> >
> > Hi guys.
> >
> > I got an idea...
> >
> > If you send a SIGUSR2 signal to the snort process it should generate an
> > alert. This way you can test and see that your snort system is up and
> > running.
> >
> > I can't generate this kind of "status alert" manually.
> > * The monitoring interface is listening on a customer's internal net
> > * The monitoring interface has no IP address
> > * I'm not allowed to generate any kind of traffic from the sensor on the
> >   monitored net
> >
> > I want to manually force the snort process to generate a "status alert"
> > to check that the whole chain from the snort to the mysql-server and ACID
> > is working properly.
> >
> >
> > If SIGUSR2 is already in use or is reserved, then maybe the alert could be
> > sent if you send two SIGUSR1 signals within 0.5 seconds?
> >
> >
> > Maybe the alert could contain a virtual packet whose payload contains the
> > current statistics (dropped packets, frag stats, stream stats, etc)?
> >
> > /Martin
> >
> >
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
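An added example, not part of the original thread and not Snort's own code, of how a sensor process could implement the signal-triggered status alert proposed above. The struct, function names and the key=value payload format are hypothetical; the counter values are constructed. The point it shows that the thread does not spell out: the SIGUSR2 handler must only set a flag (async-signal-safe), and the actual formatting and hand-off to the output plugin happens in the packet loop, where the statistics are consistent and the plugin code is safe to call. A collector that sees the STATUS line has verified the whole chain; a collector that does not see it after a `kill -USR2` knows the break is somewhere between the sensor and itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for the sensor's real counters (example code,
 * not Snort's own structures). */
struct sensor_stats {
    unsigned long packets_received;
    unsigned long packets_dropped;
    unsigned long frags_reassembled;
    unsigned long streams_tracked;
};

/* Set by the signal handler, consumed by the packet loop.  Only
 * async-signal-safe work may happen in a handler, so it sets this flag
 * and returns; snprintf and any output-plugin call happen later in
 * normal context. */
static volatile sig_atomic_t status_requested = 0;

static void on_sigusr2(int signo)
{
    (void)signo;
    status_requested = 1;
}

/* Install the SIGUSR2 handler.  SA_RESTART makes a blocking read on the
 * capture descriptor resume after the signal instead of failing with
 * EINTR.  Returns 0 on success, -1 on failure (errno set by sigaction). */
int install_status_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr2;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGUSR2, &sa, NULL);
}

/* Format the status-alert payload as one fixed key=value line so the
 * collector at the far end of the chain can grep or parse it.  Returns
 * the number of bytes written, or -1 if buf is too small. */
int format_status_alert(const struct sensor_stats *s, time_t now,
                        char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
                     "STATUS ts=%ld received=%lu dropped=%lu frags=%lu streams=%lu",
                     (long)now, s->packets_received, s->packets_dropped,
                     s->frags_reassembled, s->streams_tracked);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Call once per iteration of the packet loop.  If SIGUSR2 arrived since
 * the last call, clear the flag and build one status alert into buf.
 * Returns 1 if an alert was produced, 0 otherwise. */
int poll_status_request(const struct sensor_stats *s, char *buf, size_t buflen)
{
    if (!status_requested)
        return 0;
    status_requested = 0;
    return format_status_alert(s, time(NULL), buf, buflen) > 0 ? 1 : 0;
}

int main(void)
{
    struct sensor_stats stats = { 123456UL, 42UL, 17UL, 9UL };  /* constructed */
    char alert[256];

    if (install_status_handler() != 0) {
        perror("sigaction");
        return 1;
    }

    /* Stand-alone demo: signal ourselves as "kill -USR2 <pid>" would, then
     * let the (simulated) packet loop pick the request up. */
    printf("pid %ld: simulating kill -USR2\n", (long)getpid());
    raise(SIGUSR2);

    if (poll_status_request(&stats, alert, sizeof alert))
        puts(alert);   /* in a real sensor this goes to the output plugin */
    return 0;
}
```

In a real sensor, poll_status_request() would be called from the packet loop and the resulting line handed to the configured output plugin instead of puts(), so the alert travels the same path as every other alert.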