[Snort-users] Monitoring Sensors

Bennett Todd bet at ...6163...
Mon Sep 23 07:49:01 EDT 2002


Different folks have different strategies for monitoring.

My own preference is for end-to-end functional monitoring.

For IDS sensors, I like to arrange for a special signature that will
trigger a keepalive "alarm" when I send a special probe packet past
it; then I arrange a generator to send one of those packets every
so often, and then process the alerts, wherever they're ultimately
forwarded, to move the keepalives aside for special examination;
then a periodic monitor process sets off an alarm if it doesn't
see one of these keepalive alerts for too long (several "probe"
intervals).

It's the same trick I use for other server monitoring wherever I can
figure out a way to; e.g. I'll monitor an email relay server by
periodically routing a keepalive message through it to a monitoring
mailbox.

-Bennett