Snort mailing list archives
Re: Snort Question
From: Joe Pampel <jpampel () paladyne com>
Date: Fri, 21 Jan 2011 12:00:28 -0500
You can always use snmp to catch the process not running. The UCD library lets you define custom counters. Add something like this to the end of your snmp.conf:

    proc snort 1

Or whatever the number of snort processes should be if it's more than 1. Restart SNMP and you will see the process counter OID as well as the alert OID which will indicate an issue. This is easy to integrate into common monitoring systems and scales well if you run multiple snort instances on a box. You can have a script poll for the value, and if it's < 1 send a syslog or an e-mail etc.

Do an snmpwalk on this oid: (using your correct version of snmp & community of course..)

    snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2

and you will see any custom counter OIDs you've made.

On Jan 21, 2011, at 10:52 AM, Atkins, Dwane P wrote:

> I am having an issue with the snort process stopping or going away and I am not sure how to determine why and when it happens. This time it appears to have stopped reporting and existing 2 days ago. It does not appear that our log files are filling up nor was there a recycling of power done in that timeframe in that area.
>
> Is there a way to determine why the process has stopped and when? When I do a ps -aux, there is a barnyard2 entry but not a snort entry.
>
> Is there a cron job that I can run to check for the snort process and if it is not discovered, restart it? I am sure it is me that has done something incorrectly but my configuration seems to be extremely unreliable.
>
> How do I alert personnel via email if there is an issue?
>
> Thank you all for your help.
>
> Dwane
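The polling script suggested in the reply above, as an added example that is not part of the original thread: it parses `snmpwalk -On` output for the prTable, finds the row named snort and tests prCount directly, so the result does not depend on how the agent sets prErrorFlag. The sample walk, the barnyard2 row, the snort-watch syslog tag and the --live switch are constructed for illustration; the v1/public/localhost settings are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread). UCD-SNMP-MIB prTable columns used,
# under .1.3.6.1.4.1.2021.2.1:  .2 prNames  .5 prCount  .100 prErrorFlag
PR_TABLE=".1.3.6.1.4.1.2021.2"

# Reads `snmpwalk -On` output on stdin and prints one status line for process $1.
# Exit status: 0 running, 1 count < 1 or error flag set, 2 name not in prTable.
check_proc() {
    awk -v want="$1" -v base="$PR_TABLE.1." '
        index($1, base) == 1 {
            split(substr($1, length(base) + 1), id, ".")  # id[1] column, id[2] row
            val = $0
            sub(/^[^=]*= *[A-Za-z0-9-]*: */, "", val)     # drop "OID = TYPE: "
            gsub(/^"|"$/, "", val)                        # quotes appear without MIBs
            cell[id[1], id[2]] = val
            if (id[1] == 2 && val == want) row = id[2]
        }
        END {
            if (row == "") { print "UNKNOWN: " want " not in prTable"; exit 2 }
            count = cell[5, row] + 0
            flag = cell[100, row] + 0
            if (count < 1 || flag != 0) {
                print "CRITICAL: " want " count=" count " errflag=" flag
                exit 1
            }
            print "OK: " want " count=" count
        }'
}

# Constructed sample walk: barnyard2 up, snort gone (the state in the question).
# The barnyard2 row assumes a second, hypothetical "proc barnyard2" line.
sample_walk() {
    cat <<'EOF'
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: snort
.1.3.6.1.4.1.2021.2.1.2.2 = STRING: barnyard2
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.2 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.100.2 = INTEGER: 0
EOF
}

# Live poll for cron: an empty walk (agent down) yields UNKNOWN and is logged too.
poll_and_alert() {
    status=$(snmpwalk -v1 -c public -On localhost "$PR_TABLE" | check_proc "$1") ||
        logger -p daemon.crit -t snort-watch "$status"
}

if [ "${1:-}" = "--live" ]; then poll_and_alert snort; else sample_walk | check_proc snort || true; fi
```

Run from cron with --live; the syslog line can then be forwarded or mailed by whatever already handles daemon.crit on the sensor.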
Current thread:
- Snort Question Atkins, Dwane P (Jan 21)
- Re: Snort Question Joe Pampel (Jan 21)