[Snort-devel] Re: Status alert

Dirk Geschke Dirk_Geschke at ...802...
Tue Feb 24 05:55:06 EST 2004


Hi,

> Not really. In my example you check the entire chain from the sensor to
> the receiving end, not just that the process is running.
> Example:
> * Snort receives SIGUSR2 and generate a status alert
> * The alert is sent using the prelude output plugin
> * A prelude manager in country A receive the alert and retransmits it
> * A prelude manager in country B receive the alert and retransmits it
> * The prelude manager in my country receive the alert
> * The prelude alert is mangled into a customized idmef alert
> * The idmef alert is logged to our NMS
> 
> Every time such a status alert is received, it's an indication that
> everything is all right.
> Compare this feature with the "--MARK--" message sent by syslogd. It
> is nice to have when backtracking a system failure.
> 
> 
> 
> A nice side effect is that if you fill the alert payload with
> snort statistics such as the number of dropped packets, you
> automaticly have a centralized historical archive of the snort's
> performance without having to use the Monitor Performance preprocessor.
> 
> The Monitor Performance preprocessor can only log to the console or to a
> file on the sensor. This is a nice feature, but in my case the sensors are
> located in different countries and I don't want to build a new system that
> collects files from the sensors to a central place. I already have a nice
> working redundant solution (prelude).
> Why not simply reuse the existing solution for sending statistics and
> performance data?

why do you want to use a signal? Simply create a special rule and
trigger an alert via the network. Then you have tested the whole
chain...

It should be easy to inject a special configured network packet
which can't be send in via the "normal" traffic. All you need is
to verify that this packet raises an alert and maybe find it in
the database.

Best regards

Dirk





More information about the Snort-devel mailing list