[Snort-users] Sensor 'sanity'
paul.halliday at ...11827...
Thu Nov 8 20:33:24 EST 2007
I am not sure about how most people deal with this but I would love any insight.
In an overtaxed environment where I just don't have the time to coddle
each sensor, what is a common practice to make sure that the sensors
are actually still sane?
Most of my sensors are sittings on span/mirrored ports on gear that I
don't directly manage.
Is/would it be possible to construct a preprocessor that could
actually fire and tell me that the link isn't 'typical' anymore?
More information about the Snort-users