[Snort-users] Sensor 'sanity'

Paul Halliday paul.halliday at ...11827...
Fri Nov 9 06:19:25 EST 2007


Inline..

On Nov 8, 2007 10:09 PM, Matt Jonkman <jonkman at ...4024...> wrote:
> You mean for faults like the span port was broken by the network guys,
> or started seeing only one part of a stream, or lost a chunk of its
> monitored traffic?

Exactly.

> For the basics you could just use traffic monitoring; if it drops below
> a threshold, shoot you an alert.
>
> What else did you have in mind?

I guess what I am looking for is an event generated by snort that will
appear in my console - perfmon looks like it might have the ability. I
would hate to add an extra component to every sensor just to tell me
it is frigged when snort might already have the ability to do so.

> Matt
>
>
> Paul Halliday wrote:
> > Hi,
> >
> > I am not sure about how most people deal with this but I would love any insight.
> >
> > In an overtaxed environment where I just don't have the time to coddle
> > each sensor, what is a common practice to make sure that the sensors
> > are actually still sane?
> > Most of my sensors are sitting on span/mirrored ports on gear that I
> > don't directly manage.
> >
> > Is/would it be possible to construct a preprocessor that could
> > actually fire and tell me that the link isn't 'typical' anymore?
> >
> > Thanks.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
>
> --
> --------------------------------------------
> Matthew Jonkman
> Bleeding Edge Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.bleedingthreats.net
> --------------------------------------------
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
>
>

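As an added example of the threshold approach Matt suggests, driven by the perfmonitor output Paul is considering rather than by an extra agent per sensor. This is not code from the thread or from the Snort project. It assumes the perfmonitor preprocessor is writing a comma-separated stats file whose first line is a '#'-prefixed header naming the columns, and that two of those columns are called `pkt_drop_percent` and `kpackets_per_sec.realtime`; both column names are assumptions and are passed in as parameters so they can be corrected against a real file. The sample stats block is constructed for the example, with one interval where the span goes quiet and one where the sensor starts dropping packets.

```python
"""Sanity check for a Snort sensor from its perfmonitor stats file.

Added example; not from the mailing-list thread or from Snort itself.
Assumed format: first line is a '#'-prefixed comma-separated header,
every following line is one sampling interval with the same columns.
"""
from collections import deque
from typing import Dict, List, Tuple

# Constructed sample data (not a real capture). Four normal intervals,
# then the span port goes quiet, then a burst of packet drops.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,kpackets_per_sec.realtime
1194580800,0.000,82.41,11.23
1194581100,0.000,79.88,10.97
1194581400,0.000,84.12,11.40
1194581700,0.000,80.55,11.02
1194582000,0.000,0.37,0.05
1194582300,12.500,81.02,11.10
"""


def parse_perfmon(text: str) -> List[Dict[str, float]]:
    """Parse the assumed perfmonitor CSV into one dict per interval."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("expected a '#'-prefixed header line")
    header = lines[0][1:].split(",")
    rows = []
    for line in lines[1:]:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != len(header):
            # A line still being written, or a version with a different
            # column set; skip it rather than mis-assign columns.
            continue
        rows.append({k: float(v) for k, v in zip(header, fields)})
    return rows


def check_sensor(rows: List[Dict[str, float]],
                 rate_field: str = "kpackets_per_sec.realtime",  # assumed name
                 drop_field: str = "pkt_drop_percent",           # assumed name
                 window: int = 4,
                 min_ratio: float = 0.25,
                 max_drop: float = 5.0) -> List[Tuple[int, str]]:
    """Return (time, reason) for every interval that is not 'typical'.

    'Typical' is a rolling average of the last `window` healthy intervals;
    an interval is flagged when its packet rate falls below `min_ratio`
    of that baseline (span broken / traffic gone) or when Snort reports
    more than `max_drop` percent packet loss (sensor itself overloaded).
    Flagged rate samples are kept out of the baseline so a dead span does
    not quietly become the new normal.
    """
    baseline: deque = deque(maxlen=window)
    findings: List[Tuple[int, str]] = []
    for row in rows:
        t = int(row["time"])
        rate = row[rate_field]
        rate_bad = False
        if len(baseline) == window:
            avg = sum(baseline) / window
            if avg > 0 and rate < min_ratio * avg:
                rate_bad = True
                findings.append((t, "rate %.2f kpps below %d%% of baseline %.2f kpps"
                                 % (rate, min_ratio * 100, avg)))
        if row[drop_field] > max_drop:
            findings.append((t, "drop %.1f%% exceeds %.1f%%"
                             % (row[drop_field], max_drop)))
        if not rate_bad:
            baseline.append(rate)
    return findings


if __name__ == "__main__":
    for when, why in check_sensor(parse_perfmon(SAMPLE_STATS)):
        print(when, why)
```

Run from cron on each sensor against the live stats file, or ship the file to the console host and run it there; the findings are what you would turn into console events. Using a rolling baseline instead of a fixed packets-per-second floor matters because the span ports here are on gear Paul does not manage, so the "normal" rate per sensor is whatever the network people have configured, and it differs from port to port.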