[Snort-devel] Feature wanted: Snort alert when snort service is restarted, started or stopped?
deusexmachina667 at ...2499...
Sat Dec 8 13:11:38 EST 2012
reposting over to snort-users since it gets a bit more traffic.
Its not likely that this would become a feature since the tools you need to
determine whether or not snort has crashed, start or stopped are already
available. Snort writes to syslog like crazy.
If you are using a SIEM for system monitoring, you'll want to look for some
of these messages:
-look for any logs with snort in the string - these are snort system
messages and there are a lot of them. snort is pretty verbose and isn't
afraid to talk to syslog.
to filter down even further:
-- look for any logs with snort in the string and FATAL (all caps like
that): this will let you know that snort ran into a fatal error -- its not
running and/or failed to start. if I don't see snort in the process list
post-reboot I do the following: cat /var/log/messages | grep snort | grep
-i fatal (parse the messages file, look for lines with snort in the line
and then from those lines only show me the word fatal with case
-- look for any logs with snort in the string and the text 'Commencing
packet processing' (exactly like that, without the quotes) to indicate when
snort started up:
cat /var/log/messages | grep snort | grep -i 'commencing packet processing'
-- look for any logs with snort in the string and the text 'Snort exiting'
to know when snort was killed/stopped.
cat /var/log/messages | grep snort | grep -i 'snort exiting'
IF you are not using a SIEM for system monitoring or a syslog server of
some sort, use nagios or another system monitoring solution to see if snort
is up, and what its doing. There are tons of them and unfortunately setup
of that is outside of my scope and outside the scope of snort-devel to tell
you how to do it.
On Wed, Dec 5, 2012 at 8:16 AM, Glenn Terjesen <glenn.terjesen at ...2499...>wrote:
> is it possible to generate an alert when snort is restarted, started or
> stopped ?
> this should be a default feature i think
> Mvh Glenn Terjesen
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> Please visit http://blog.snort.org for the latest news about Snort!
when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel