[Snort-users] Sensor 'sanity'

Paul Halliday paul.halliday at ...11827...
Thu Nov 8 20:33:24 EST 2007


I am not sure about how most people deal with this but I would love any insight.

In an overtaxed environment where I just don't have the time to coddle
each sensor, what is a common practice to make sure that the sensors
are actually still sane?
Most of my sensors are sittings on span/mirrored ports on gear that I
don't directly manage.

Is/would it be possible to construct a preprocessor that could
actually fire and tell me that the link isn't 'typical' anymore?


More information about the Snort-users mailing list