Paul Halliday wrote:
In an overtaxed environment where I just don't have the time to coddle
each sensor, what is a common practice to make sure that the sensors
are actually still sane?
Most of my sensors are sittings on span/mirrored ports on gear that I
don't directly manage.
I created some rules to check for this.
alert tcp $HOME_NET 1 -> $HOME_NET 24 (msg:"Snort Test to ensure SPAN is
operational"; flags:S;sid:3000001;classtype:not-suspicious; rev:1;)
Then I have a daily job (running from an independent box) that "nmap -g1
-p23 " against IP addresses on the network that each IDS is meant to be
monitoring. Then I check the syslogs to ensure it was triggered. That
way, if someone changes the SPAN port setting,etc the rule doesn't fire
and you know there is a problem. I chose weird port options like that as
they are not the sort of normal thing you see - just cuts down on the noise.
BTW: Checking to see that your interface packet counter is incrementing
really isn't good enough - if the IDS gets accidentally moved onto
another operational switch, you will still see the counter go up (due to
it seeing ARPs and Broadcasts), but it wouldn't be useful. I think you
need IDS tests to confirm your IDS is working.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
