[Snort-devel] Re: Status alert

Dirk Geschke Dirk_Geschke at ...802...
Tue Feb 24 07:33:00 EST 2004


Hi Martin,

> Reasons to do it my way:
> * If we in any case periodically receive alerts just to show us that
>   everything is working fine, why not include some interesting data in the
>   alert? It shouldn't introduce any negative impact on snort.

OK, but the whole chain starts at the sniffing interface, not
with a snort process acting on a signal...

> * I have signed a contract that prevents me from sending traffic to the
>   customer's LAN. Some sensors even use an Ethernet TAP. All monitoring
>   interfaces are configured to run without an IP address.
>   To do it your way I have to create and inject my offending packet
>   directly into the interface, into the packet driver or into the kernel
>   somehow. Sounds like a lot of work. It is much easier just to send a
>   SIGUSR2 to snort. :-)

This of course is a valid point. But you can even think of a status
e-mail as a generator for alerts. You don't need to forge a packet;
this was only an idea to avoid a false-positive generator...

I don't think of generating an alert via the sensor itself. This
won't make much sense. The idea is to trigger an alert from an
external packet.

As Chris mentioned, you can see this way if the machine is really
sniffing. I remember a few systems where the promiscuous mode
was toggled off if you activated it twice...

> * You can post-process all the status alerts in a centralized manner,
>   generating graphs and reports based on the contents of the status
>   alerts.

Yes, but if you store the alerts in the database then you can even
check the whole chain from the sniffing network card to the database.

And of course you can add a preprocessor acting on your status
generating alert and inject the statistics in a pseudo payload
of the packet.

Best regards

Dirk
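An added example (not from this thread or the Snort project) of the end-to-end check the reply argues for: an external heartbeat datagram carrying a per-probe nonce, the Snort 2 rule that would match it, and a checker that confirms the matching alert reached the database within a latency budget. The UDP port, the rule, and the alert-row layout are assumptions; the alert rows in the demo are constructed.

```python
"""Liveness check for a Snort sensor chain: an external heartbeat packet must
travel sniffing NIC -> snort -> alert database, or the chain is broken.
Constructed example; port, rule text and alert-row layout are assumptions."""
import os
import socket
import time

HEARTBEAT_PORT = 9          # assumed; any port unused on the monitored segment
MARKER = b"SNORT-HEARTBEAT"  # constant string the rule matches on


def heartbeat_rule(sid=1000001):
    """Snort 2 rule that fires on the marker (sid in the local-rule range)."""
    return (f'alert udp any any -> any {HEARTBEAT_PORT} '
            f'(msg:"STATUS HEARTBEAT"; content:"{MARKER.decode()}"; '
            f'sid:{sid}; rev:1;)')


def build_heartbeat(nonce=None):
    """Payload with a fresh nonce so each probe maps to exactly one alert."""
    nonce = nonce or os.urandom(4).hex()
    return MARKER + b" " + nonce.encode(), nonce


def send_heartbeat(target, payload):
    """Send one UDP datagram towards the monitored segment; return send time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (target, HEARTBEAT_PORT))
    return time.time()


def chain_ok(nonce, alerts, sent_at, max_latency=30.0):
    """alerts: rows read back from the database as
    {"timestamp": float, "payload": bytes}.  Healthy only if the alert for
    *this* nonce was stored no later than max_latency seconds after sending,
    so a stale alert from an earlier probe does not mask a dead sensor."""
    for row in alerts:
        if nonce.encode() in row["payload"]:
            latency = row["timestamp"] - sent_at
            if 0 <= latency <= max_latency:
                return True
    return False


if __name__ == "__main__":
    payload, nonce = build_heartbeat()
    sent = send_heartbeat("127.0.0.1", payload)  # loopback stands in for the LAN
    # Constructed stand-in for "SELECT timestamp, payload FROM ... WHERE ..."
    rows = [{"timestamp": sent + 2.0, "payload": payload}]
    print(heartbeat_rule())
    print("chain OK" if chain_ok(nonce, rows, sent) else "chain BROKEN")
```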
