Activeworx.org Forums
New Post 7/10/2007 3:14 PM
  Ray
53 posts
6th Level Poster


Check for a good restart 

After uploading a rule set to a 2.6.1.5 sensor, it ran the restart script OK but Snort did not restart due to an error. From the messages log:

/etc/snort/rules/bleeding-botcc-BLOCK.rules(5) => Unknown keywork 'fwsam' in rule!

I caught it because I manually check "pidof snort" before and after an upload.

Could the login credentials be used to check the "before" and "after" pid to make sure it is there after the script runs and that it has changed?

Thanks,

Ray

 
New Post 7/10/2007 5:57 PM
  Jeff Dell
228 posts
www.activeworx.com
1st Level Poster


Re: Check for a good restart 
The real problem is Snort is failing because of something bad in the config files. I am going to try to add a new feature in the next build that will give an option to run a test before it runs the script. A simple -T appended to the end of your start snort line is a simple way to do this. If there is an error, don't restart snort.

The problem with doing 'pidof snort' is how long after you start snort do you run this? Depending on your snort install it can take a few seconds or a few minutes to fail to start. Maybe a process within IDSPM that logs in every x minutes and checks to make sure snort is running would be cool.

Cheers,
Jeff
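
The two checks discussed above (a `snort -T` test before the restart, and a before/after `pidof snort` comparison that waits long enough to catch a late failure), combined as an added example that is not part of the original posts or of IDSPM. The config path, the init script path and the variable and function names are assumptions; adjust them to the sensor.

```shell
#!/bin/sh
# Added example, not IDSPM code. Paths and variable names are assumptions.
SNORT_TEST=${SNORT_TEST:-"snort -T -c /etc/snort/snort.conf"}  # test config, then exit
SNORT_RESTART=${SNORT_RESTART:-"/etc/init.d/snort restart"}    # sensor's restart script
SNORT_PID=${SNORT_PID:-"pidof snort"}
WAIT_SECS=${WAIT_SECS:-120}  # Snort must stay up this long to count as started
POLL_SECS=${POLL_SECS:-5}

# Returns 0 = restarted, 1 = config test failed (nothing restarted),
#         2 = Snort not running after restart, 3 = PID unchanged.
safe_restart() {
    before=$($SNORT_PID 2>/dev/null) || before=""

    # Gate: a bad rule file never reaches the restart, so the old Snort keeps running.
    if ! out=$($SNORT_TEST 2>&1); then
        echo "$out" | tail -n 3 >&2
        echo "config test failed; not restarting (pid ${before:-none})" >&2
        return 1
    fi

    $SNORT_RESTART >/dev/null 2>&1 || true

    # Snort can take seconds or minutes to fail, so poll for the whole window
    # instead of checking once right after the script returns.
    waited=0
    while :; do
        after=$($SNORT_PID 2>/dev/null) || after=""
        if [ -z "$after" ]; then
            echo "Snort not running ${waited}s after restart" >&2
            return 2
        fi
        [ "$waited" -ge "$WAIT_SECS" ] && break
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done

    if [ "$after" = "$before" ]; then
        echo "pid unchanged ($after); restart did not take effect" >&2
        return 3
    fi
    echo "Snort restarted: pid ${before:-none} -> $after"
}

# Run on the sensor as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    safe_restart
    exit $?
fi
```
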
 
New Post 7/10/2007 9:14 PM
  Ray
53 posts
6th Level Poster


Re: Check for a good restart 
Thanks for the quick reply. Maybe the place for a periodic Snort heartbeat check is in the Security Center product that could send an email when a sensor goes down. That would be a nice added value and 4.0 isn't done yet. :-)

Or perhaps an optional check at the shutdown of IDSPM Standalone, but there could be a lot of sensors needing to be checked which would slow down the program closure. Still, it would be a good warning of a problem and I'd rather not have one go down and not know about it. Maybe a check prior to installing the policy would be good as well because it would tell you that it wasn't running before the change was made.

Take care,

Ray
 
New Post 7/11/2007 1:58 AM
  Jeff Dell
228 posts
www.activeworx.com
1st Level Poster


Re: Check for a good restart 
Who says 4.0 isn't done yet? :) It is actually feature frozen and being finalized as we speak. But this sounds like a nice feature to add for a future release.

As for IDSPM standalone, maybe a good item could be to check the status of the sensors. It could be a simple screen where the user can check the status of all selected sensors, similar to the policy or sensor upgrade form... Each sensor can then have a status command to run, like to see if snort is running, or anything else the user would like to check. Barnyard is another good one to check. This form could then be run whenever a user wants to check the status. Let me see what I can do... I have some good ideas now.

Cheers,
Jeff

 
Copyright 2000-2007 by Activeworx, Inc.
All trademarks and copyrights on this page are owned by their respective owners.