[Snort-users] Monitoring Sensors

Fraser Hugh hugh_fraser at ...2804...
Tue Sep 24 09:23:11 EDT 2002

As one previous poster mentioned, Netsaint/Nagios offers the tools needed to
monitor your sensors. I use it to do more than simply tell if the sensor is
alive though, since I'm also interested in the overall "health" of the
sensor. To that end, I watch load level, disk space, memory, process count,
etc., putting appropriate thresholds on each of the measurements, so that I'm
notified if things are getting out of line. To add some additional
sophistication, one of the plugins will do limit checks on MRTG to alert you
to unusual network loads. Couple this with Netsaint's console page and
historical trending and you've got a good package for watching a number of
sensors. Add in the notification features and it's very powerful indeed,
providing the exception-only reporting environment I'm looking for.

> -----Original Message-----
> From: Bennett Todd [mailto:bet at ...6163...]
> Sent: Monday, September 23, 2002 10:43 AM
> To: Pedro Tedeschi
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Monitoring Sensors
> Different folks have different strategies for monitoring.
> My own preference is for end-to-end functional monitoring.
> For IDS sensors, I like to arrange for a special signature that will
> trigger a keepalive "alarm" when I send a special probe packet past
> it; then I arrange a generator to send one of those packets every
> so often, and then process the alerts, wherever they're ultimately
> forwarded, to move the keepalives aside for special examination;
> then a periodic monitor process sets off an alarm if it doesn't
> see one of these keepalive alerts for too long (several "probe"
> intervals).
> Same trick as I use for other server monitoring wherever I can
> figure out a way to; e.g. I'll monitor an email relay server by
> periodically routing a keepalive message through it to a monitoring
> mailbox.
> -Bennett
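The keepalive scheme Bennett describes (a dedicated rule, a generator, a consumer that moves the keepalive alerts aside, and a staleness check) written out as an added example. This is not code from either poster. The rule's SID, port and marker payload are arbitrary choices for the example, the alert_fast lines are constructed samples, and the "now" used for the staleness check is fixed so the run is reproducible:

```python
"""Keepalive-based end-to-end check for Snort sensors (added example).

Pieces: a local rule that fires on a marker probe, a consumer that filters
those keepalive alerts out of the normal alert stream, and a staleness check
that alarms when a sensor has produced none for several probe intervals.
"""
import re
from datetime import datetime, timedelta

# Hypothetical local rule (chosen for this example, not from the post).
# SIDs from 1000000 up are reserved for local rules; port and marker are arbitrary.
KEEPALIVE_SID = 1000001
KEEPALIVE_RULE = (
    'alert udp any any -> any 31337 (msg:"LOCAL keepalive probe"; '
    f'content:"SNORT-KEEPALIVE"; sid:{KEEPALIVE_SID}; rev:1;)'
)

# Layout of a Snort alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# ... [Priority: n] {PROTO} src:port -> dst:port"  (IPv4 only here; ports optional).
_FAST_LINE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alert file: one sensor path probed every minute, one that
# went quiet after its first keepalive, and one ordinary alert mixed in.
SAMPLE_ALERTS = """\
09/24-09:00:00.000001  [**] [1:1000001:1] LOCAL keepalive probe [**] [Priority: 3] {UDP} 10.0.0.5:4000 -> 10.0.0.9:31337
09/24-09:00:02.500000  [**] [1:1000001:1] LOCAL keepalive probe [**] [Priority: 3] {UDP} 10.0.0.5:4000 -> 10.0.1.9:31337
09/24-09:01:00.000002  [**] [1:1000001:1] LOCAL keepalive probe [**] [Priority: 3] {UDP} 10.0.0.5:4000 -> 10.0.0.9:31337
09/24-09:02:00.000003  [**] [1:1000001:1] LOCAL keepalive probe [**] [Priority: 3] {UDP} 10.0.0.5:4000 -> 10.0.0.9:31337
09/24-09:02:10.000004  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:51234 -> 10.0.0.20:80
09/24-09:03:00.000005  [**] [1:1000001:1] LOCAL keepalive probe [**] [Priority: 3] {UDP} 10.0.0.5:4000 -> 10.0.0.9:31337
""".splitlines()
EXPECTED_SENSORS = ["10.0.0.9", "10.0.1.9", "10.0.2.9"]   # 10.0.2.9 never reports
PROBE_INTERVAL = timedelta(seconds=60)                     # how often the generator sends
EXAMPLE_NOW = datetime(2002, 9, 24, 9, 4, 0)               # fixed "now" for the sample


def parse_fast_alert(line, year):
    """Parse one alert_fast line into a dict, or return None if it is not an alert.

    alert_fast omits the year unless snort runs with -y, so the caller supplies it.
    """
    m = _FAST_LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": when, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def split_keepalives(lines, year, sid=KEEPALIVE_SID):
    """Move keepalive alerts aside: returns ({sensor: [times]}, [other alerts]).

    The probe's destination address identifies the path, and so the sensor, it crossed.
    """
    keepalives, real = {}, []
    for line in lines:
        alert = parse_fast_alert(line, year)
        if alert is None:
            continue
        if alert["sid"] == sid:
            keepalives.setdefault(alert["dst"], []).append(alert["time"])
        else:
            real.append(alert)
    return keepalives, real


def check_sensors(expected, keepalives, now, probe_interval, max_missed=3):
    """Return {sensor: seconds since last keepalive} for each expected sensor silent
    for more than max_missed probe intervals; a sensor with no keepalive at all maps
    to None. Healthy sensors are omitted, which gives exception-only reporting."""
    limit = probe_interval * max_missed
    stale = {}
    for sensor in expected:
        times = keepalives.get(sensor)
        if not times:
            stale[sensor] = None
            continue
        age = now - max(times)
        if age > limit:
            stale[sensor] = int(age.total_seconds())
    return stale


def monitor_report(lines=SAMPLE_ALERTS, now=EXAMPLE_NOW, year=2002):
    """Run the whole pipeline over an alert file; returns (stale sensors, real alerts)."""
    keepalives, real = split_keepalives(lines, year)
    return check_sensors(EXPECTED_SENSORS, keepalives, now, PROBE_INTERVAL), real


if __name__ == "__main__":
    stale, real = monitor_report()
    for sensor, age in stale.items():
        print(f"ALARM {sensor}: " + ("no keepalive ever seen" if age is None
                                     else f"last keepalive {age}s ago"))
    print(f"{len(real)} non-keepalive alert(s) passed through")
```

On the sample, 10.0.0.9 is healthy (last keepalive one interval old), 10.0.1.9 is reported stale after missing more than three probes, and 10.0.2.9 is flagged because it never produced a keepalive at all; the one nmap alert passes through to normal handling. The generator side is whatever sends a UDP datagram carrying the marker across each sensor's tap on the chosen interval (a cron job is enough); the monitor is meant to run on the central host the alerts are forwarded to, so a dead sensor, a broken tap and a broken forwarding path all show up the same way.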
