[Snort-devel] Re: Status alert

Chris Green cmg at ...81...
Tue Feb 24 06:14:01 EST 2004


Martin Olsson <elof at ...969...> writes:

> Not really. In my example you check the entire chain from the sensor to
> the receiving end, not just that the process is running.
> Example:

One way this has been solved in several scenarios is to emit a custom
ping / udp packet at set intervals so you are testing the sniffing
interface as well with a custom rule so that you are testing the
entire sensor.

A good reason to do this is sometimes the promisc flag gets wonky and
you have a snort that's not actually sniffing.
-- 
Chris Green <cmg at ...2257...>
A watched process never cores.
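The heartbeat check described in the message above, as an added example that is not part of the original post or the Snort project's code. The sid, port, payload marker, local rule, and 5-minute interval are hypothetical, and the alert lines assume Snort's "fast" alert format.

```python
import re
import socket
from datetime import datetime, timedelta

# Hypothetical values chosen for this example; pair them with a local rule such as:
# alert udp any any -> any 39999 (msg:"SENSOR HEARTBEAT"; content:"snort-heartbeat-7f3a"; sid:1000001; rev:1;)
HEARTBEAT_SID = 1000001
HEARTBEAT_PORT = 39999
HEARTBEAT_PAYLOAD = b"snort-heartbeat-7f3a"
# Matches the timestamp and gid:sid:rev of a "fast" format alert line.
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

def send_heartbeat(dest_ip, port=HEARTBEAT_PORT):
    """Emit one UDP probe on a path that crosses the monitored interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(HEARTBEAT_PAYLOAD, (dest_ip, port))

def last_heartbeat(lines, now):
    """Return the time of the newest heartbeat alert in the log, or None."""
    newest = None
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or int(m.group(7)) != HEARTBEAT_SID:
            continue
        mon, day, hh, mm, ss = (int(g) for g in m.groups()[:5])
        for year in (now.year, now.year - 1):  # fast alerts omit the year
            try:
                ts = datetime(year, mon, day, hh, mm, ss)
            except ValueError:  # e.g. 02/29 in a non-leap year
                continue
            if ts <= now + timedelta(days=1):  # not in the future: year is right
                newest = max(newest or ts, ts)
                break
    return newest

def sensor_healthy(lines, now, interval=timedelta(minutes=5), missed=2):
    """Healthy only if a heartbeat alert arrived within `missed` intervals."""
    seen = last_heartbeat(lines, now)
    return seen is not None and now - seen <= interval * missed

# Constructed sample alert lines (not from a real sensor).
SAMPLE = [
    "02/24-06:00:01.100000  [**] [1:1000001:1] SENSOR HEARTBEAT [**] [Priority: 0] {UDP} 192.0.2.10:40000 -> 192.0.2.20:39999",
    "02/24-06:02:13.500000  [**] [1:2003:8] constructed unrelated alert [**] [Priority: 2] {TCP} 192.0.2.30:1234 -> 192.0.2.20:80",
    "02/24-06:05:01.200000  [**] [1:1000001:1] SENSOR HEARTBEAT [**] [Priority: 0] {UDP} 192.0.2.10:40000 -> 192.0.2.20:39999",
]

if __name__ == "__main__":
    print("healthy" if sensor_healthy(SAMPLE, datetime(2004, 2, 24, 6, 14, 1)) else "NO HEARTBEAT")
```

Run `send_heartbeat` from a scheduler on a host whose traffic crosses the sniffed segment, and run `sensor_healthy` against the alert file at the receiving end so a silent failure anywhere in the chain shows up as a missing heartbeat.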




