Network Security: Detailed info on Re: [Snort-users] Sensor 'sanity'

Subject:	Re: [Snort-users] Sensor 'sanity'
Date:	Fri, 9 Nov 2007 07:19:25 -0400

Inline..

On Nov 8, 2007 10:09 PM, Matt Jonkman <jonkman@jonkmans.com> wrote:

You mean for faults like the span port was broken by the network guys,
or started seeing only one part of a stream, or lost a chunk of it's
monitored traffic?


Exactly.

For the basics you could just use traffic monitoring, if it drops below
a threshold shoot you an alert.

What else did you have in mind?


I guess what I am looking for is an event generated by snort that will
appear in my console - perfmon looks like it might have the ability. I
would hate to add an extra component to every sensor just to tell me
it is frigged when snort might already have the ability to do so.

Matt


Paul Halliday wrote:

Hi,

I am not sure about how most people deal with this but I would love any 
insight.

In an overtaxed environment where I just don't have the time to coddle
each sensor, what is a common practice to make sure that the sensors
are actually still sane?
Most of my sensors are sittings on span/mirrored ports on gear that I
don't directly manage.

Is/would it be possible to construct a preprocessor that could
actually fire and tell me that the link isn't 'typical' anymore?

Thanks.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] Sensor 'sanity', Paul Halliday Message not available Re: [Snort-users] Sensor 'sanity', Paul Halliday <= Re: [Snort-users] Sensor 'sanity', Jason Haar [Snort-users] snort virtualization, Youngquist, Jason R. Re: [Snort-users] snort virtualization, Justin Heath

Previous by Date:	[Snort-users] HELP: Installing SnortSam with Snort-2.8.0+BASE+Barnyard installed, Rachmat Hidayat Al-Anshar
Next by Date:	[Snort-users] porn.rules, dhottinger
Previous by Thread:	[Snort-users] Sensor 'sanity', Paul Halliday
Next by Thread:	Re: [Snort-users] Sensor 'sanity', Jason Haar
Indexes:	[Date] [Thread] [Top] [All Lists]