[Snort-users] HP SIM for monitoring snort process

Joe Pampel jpampel at ...14829...
Thu Apr 29 21:29:17 EDT 2010


The snort daemon will syslog errors on startup (as an example) and you can use standard SNMP OIDs to call stats on CPU, RAM, Swap, network throughput & errors etc.

Most of these are pretty standard across the Linuxes. Solaris has some different counters.
Interface counters are universally the UCD MIB in my experience.
Using the UCD MIB extensions you can create a custom counter for the snort daemon to make sure it's up, things like that. You can also send a custom trap.
At the end of your snmp.conf file, just add something like this (then restart snmp):

#######################
# Added to monitor Snort via NET-SNMP extensions
proc snort 1
proc mysqld 1

(etc etc)
############## End of custom services #########


The proc name has to match the actual name of the service.

The number after the proc name is the number of processes that should be running. More or less causes an alert. (prErrMessage)

The service instances will all get custom OIDs under .1.3.6.1.4.1.2021.2:  (if using snmp v3, add this OID to your user's view!)

mysharona@/usr/sfw/bin: snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prIndex.2 = INTEGER: 2
UCD-SNMP-MIB::prNames.1 = STRING: snort
UCD-SNMP-MIB::prNames.2 = STRING: mysqld
UCD-SNMP-MIB::prMin.1 = INTEGER: 0
UCD-SNMP-MIB::prMin.2 = INTEGER: 0
UCD-SNMP-MIB::prMax.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.2 = INTEGER: 1
UCD-SNMP-MIB::prCount.1 = INTEGER: 2
UCD-SNMP-MIB::prCount.2 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: 0
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many snort running (# = 2)
UCD-SNMP-MIB::prErrMessage.2 = STRING:


Is this the kind of issue reporting you mean?

- Joe
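A poller that turns the prTable walk above into an actual up/down check, as an added example (not code from the post, from net-snmp or from HP SIM). It parses the text snmpwalk prints for .1.3.6.1.4.1.2021.2, rebuilds one row per `proc` line, and evaluates each row. Two caveats a practitioner will want alongside the post: in stock net-snmp the file is snmpd.conf, and per snmpd.conf(5) a `proc NAME MAX` line with no MIN leaves MIN at 0 (which is exactly the prMin = 0 in the walk above), so `proc snort 1` gets the agent to flag an extra snort process but not a missing one; `proc snort 1 1` makes it flag both. The script therefore does not trust prErrorFlag alone and also treats prCount = 0 as critical. The sample walk is constructed in the shape of the one in the post; the host name, the `poll()` wrapper and the snmpwalk arguments are assumptions, and the agent's prErrMessage wording in the sample is only illustrative.

```python
"""Evaluate the UCD-SNMP prTable (.1.3.6.1.4.1.2021.2) as a process check.

Added example, not from the mailing-list post or from net-snmp. It does not
rely on prErrorFlag alone: with `proc NAME MAX` net-snmp leaves MIN at 0, so
a daemon that has died (prCount = 0) is 'within range' for the agent.
"""
import re
import subprocess
from dataclasses import dataclass

PR_TABLE_OID = ".1.3.6.1.4.1.2021.2"  # UCD-SNMP-MIB::prTable

# One walk line, e.g.:  UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many snort running (# = 2)
WALK_LINE = re.compile(r"^UCD-SNMP-MIB::(pr\w+)\.(\d+) = (\w+):\s*(.*)$")


@dataclass
class ProcRow:
    index: int
    name: str = ""
    min_count: int = 0
    max_count: int = 0
    count: int = 0
    error_flag: int = 0
    err_message: str = ""


def parse_prtable(walk_text):
    """Group the walk's columns by prIndex and return rows in index order."""
    rows = {}
    for raw in walk_text.splitlines():
        m = WALK_LINE.match(raw.strip())
        if not m:
            continue  # shell prompt, blank lines, "End of MIB", etc.
        column, index, value = m.group(1), int(m.group(2)), m.group(4).strip().strip('"')
        row = rows.setdefault(index, ProcRow(index))
        if column == "prNames":
            row.name = value
        elif column == "prMin":
            row.min_count = int(value)
        elif column == "prMax":
            row.max_count = int(value)
        elif column == "prCount":
            row.count = int(value)
        elif column == "prErrorFlag":
            row.error_flag = int(value)
        elif column == "prErrMessage":
            row.err_message = value
    return [rows[i] for i in sorted(rows)]


def assess(row):
    """Return (status, reason): CRITICAL if the agent flagged the row OR nothing is running."""
    if row.error_flag:
        return "CRITICAL", row.err_message or "prErrorFlag set for %s" % row.name
    if row.count == 0:
        # The agent stays quiet here because prMin is 0; a dead daemon must still alert.
        return "CRITICAL", "no %s process running (prMin=%d, agent did not flag it)" % (
            row.name, row.min_count)
    return "OK", "%d %s running (min %d, max %d)" % (
        row.count, row.name, row.min_count, row.max_count)


def check_walk(walk_text):
    """Map each monitored process name to its (status, reason)."""
    return {row.name: assess(row) for row in parse_prtable(walk_text)}


def poll(host, *snmp_args):
    """Walk a live agent, e.g. poll("sensor1", "-v3", "-l", "authPriv", "-u", "nms", ...).

    Hypothetical wrapper; requires snmpwalk on PATH and is not exercised offline.
    """
    out = subprocess.run(["snmpwalk", *snmp_args, host, PR_TABLE_OID],
                         capture_output=True, text=True, check=True).stdout
    return check_walk(out)


# Constructed sample in the shape of the walk in the post: snort was configured with
# `proc snort 1` and has died, so prCount is 0 but prErrorFlag is still 0; mysqld is
# healthy; sshd was configured with `proc sshd 1 1` (MIN=1) and so IS flagged when absent.
SAMPLE_WALK = """\
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prIndex.2 = INTEGER: 2
UCD-SNMP-MIB::prIndex.3 = INTEGER: 3
UCD-SNMP-MIB::prNames.1 = STRING: snort
UCD-SNMP-MIB::prNames.2 = STRING: mysqld
UCD-SNMP-MIB::prNames.3 = STRING: sshd
UCD-SNMP-MIB::prMin.1 = INTEGER: 0
UCD-SNMP-MIB::prMin.2 = INTEGER: 0
UCD-SNMP-MIB::prMin.3 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.2 = INTEGER: 1
UCD-SNMP-MIB::prMax.3 = INTEGER: 1
UCD-SNMP-MIB::prCount.1 = INTEGER: 0
UCD-SNMP-MIB::prCount.2 = INTEGER: 1
UCD-SNMP-MIB::prCount.3 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.3 = INTEGER: 1
UCD-SNMP-MIB::prErrMessage.1 = STRING:
UCD-SNMP-MIB::prErrMessage.2 = STRING:
UCD-SNMP-MIB::prErrMessage.3 = STRING: Too few sshd running (# = 0)
"""

if __name__ == "__main__":
    for name, (status, reason) in check_walk(SAMPLE_WALK).items():
        print("%-8s %s: %s" % (status, name, reason))
```

Run it as-is to see the three verdicts on the constructed walk, or call `poll()` against a sensor with your v3 credentials (the community-string v1 walk in the post is fine on a lab box, but the prTable view should be exposed only to an authPriv v3 user on a production sensor). Note that prErrorFlag on its own never sends a trap; to have the agent notify rather than be polled, pair the `proc` lines with a DisMan Event MIB `monitor` directive in snmpd.conf.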

On Apr 29, 2010, at 8:41 PM, Joel Esler wrote:

How does the HP SIM interface with end machines?  Maybe I can give you some pointers about how to implement it.  I've never worked with the HP SIM myself.

Are you talking about OpenView?

On Thu, Apr 29, 2010 at 4:43 PM, Billy Marshall <Billy.Marshall at ...9988...> wrote:
Hi,

Is there a known way to implement HP SIM to report issues with snort?

Cheers
