Snort monitoring & trend analysis - Information Security

Subject: Snort monitoring & trend analysis
Time: 09:28 pm
I am looking at monitoring & trend analysis on the snort boxen. Thought I would take an informal poll as to what monitoring you folks are looking at (CPU load, memory, ETH throughput, number of alarms/minute, etc) and what are you using to formulate your trend (MRTG, Nagios with RRDtool, etc).


Any & all thoughts are appreciated - thanks!

x-posted


price
Time: 2007-01-24 09:46 pm (UTC)
Two things matter with Snort -- the dropped packet rate reported by libpcap, which you can get through snort's statistics preprocessor and SIGUSR1 I believe, and the amount of swap going on. An inefficient or oversized rulebase will cause the latter as packets queue up, which triggers the former.

Other metrics may apply depending on your implementation, and what exactly you're policing with snort.
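A Nagios-style check built around the two signals named in the comment above, added here as an example and not code from the thread. It assumes the Snort 2 perfmonitor CSV (snort.stats) names a pkt_drop_percent column in its header row and that swap activity is read from Linux /proc/vmstat; the stats rows and vmstat snapshots are constructed sample data.

```python
"""Check the two Snort health signals from the thread: libpcap packet drops
(perfmonitor CSV) and swap activity (/proc/vmstat), mapped to Nagios exit codes."""
import sys

# Constructed sample of a Snort 2 perfmonitor CSV. The header row names the
# columns; only pkt_drop_percent is used, located by name rather than position.
SAMPLE_STATS = """#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1169678400,0.00,41.2,3.1
1169678460,0.12,88.7,4.4
1169678520,6.80,95.3,1.2
"""

# Constructed /proc/vmstat snapshots taken 60 s apart (pswpout = pages swapped out).
VMSTAT_BEFORE = "pswpin 120\npswpout 300\n"
VMSTAT_AFTER = "pswpin 120\npswpout 3900\n"


def latest_drop_percent(stats_text):
    """Return pkt_drop_percent from the most recent row of perfmonitor output."""
    lines = [ln for ln in stats_text.splitlines() if ln.strip()]
    header = lines[0].lstrip("#").split(",")
    col = header.index("pkt_drop_percent")
    return float(lines[-1].split(",")[col])


def swap_out_pages_per_sec(before, after, interval_s):
    """Rate of pages swapped out between two /proc/vmstat snapshots."""
    def field(text, name):
        for line in text.splitlines():
            key, _, value = line.partition(" ")
            if key == name:
                return int(value)
        raise KeyError(name)
    return (field(after, "pswpout") - field(before, "pswpout")) / interval_s


def check(drop_pct, swap_rate, drop_warn=1.0, drop_crit=5.0, swap_warn=10.0):
    """Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL. Sustained swapping is a
    leading indicator of drops, so it alone is enough for a WARNING."""
    if drop_pct >= drop_crit:
        return 2, f"CRITICAL: snort dropping {drop_pct:.2f}% of packets"
    if drop_pct >= drop_warn or swap_rate >= swap_warn:
        return 1, f"WARNING: drop {drop_pct:.2f}%, swap-out {swap_rate:.1f} pages/s"
    return 0, f"OK: drop {drop_pct:.2f}%, swap-out {swap_rate:.1f} pages/s"


if __name__ == "__main__":
    code, msg = check(latest_drop_percent(SAMPLE_STATS),
                      swap_out_pages_per_sec(VMSTAT_BEFORE, VMSTAT_AFTER, 60))
    print(msg)
    sys.exit(code)
```

The same numbers can be fed to RRDtool or Nagios performance data for the trend graphs the post asks about; thresholds here are placeholders to tune per sensor.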


irishmasms
Subject: Two things matter with Snort
Time: 2007-01-26 07:20 am (UTC)
Ahh, good pointers - thanks for the info.

As for other metrics, I'm not sure how to reply regarding the implementation or what we are policing.
