This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

SensorStopsSeeingTraffic

doug edited this page Aug 27, 2019 · 8 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/SensorStopsSeeingTraffic.

Just like in everything, there's always more than one way to do it!

Here are a few options:

OSSEC

OSSEC checks your sniffing interfaces every 10 minutes. If no packets have been received on an interface within that 10-minute window, OSSEC generates an alert, which shows up in Sguil, Squert, and Kibana. If you'd also like OSSEC to email you, configure it for email as shown here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-ossec-to-send-emails
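The check OSSEC performs above (no packets on an interface within the interval) can be reproduced by hand from the kernel's receive counters, which is useful for a sensor without OSSEC or for a cron job you control. The script below is an added example written for this page, not OSSEC's own check and not anything shipped with Security Onion; it assumes a Linux sysfs layout (/sys/class/net/IFACE/statistics/rx_packets), a state directory it can write to, and the interface names eth1/eth2 in the commented invocation are placeholders.

```shell
#!/bin/sh
# Added example (not OSSEC's own check): report a sniffing interface whose
# rx_packets counter has not moved since the previous run. Run it from cron
# every 10 minutes to mirror the OSSEC interval described on this page.
# Assumptions: Linux sysfs under $SYSFS_NET and a writable $STATE_DIR.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
STATE_DIR="${STATE_DIR:-/var/tmp/iface-activity}"

# read_rx_packets IFACE -> prints the current rx_packets counter; fails if absent
read_rx_packets() {
    cat "$SYSFS_NET/$1/statistics/rx_packets" 2>/dev/null
}

# check_iface IFACE -> prints "ok", "quiet" or "missing"
# exit status: 0 = ok, 1 = quiet (no packets since last run), 2 = interface missing
check_iface() {
    iface="$1"
    now=$(read_rx_packets "$iface") || { echo "missing"; return 2; }
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$iface.rx"
    prev=$(cat "$state" 2>/dev/null || echo "")
    printf '%s\n' "$now" > "$state"
    # First run: no baseline to compare against yet, so treat as ok.
    if [ -z "$prev" ]; then echo "ok"; return 0; fi
    # Equal counter = nothing received in the window. A counter that went
    # backwards (driver reload, reboot) is a reset, not silence, so it passes.
    if [ "$now" -eq "$prev" ]; then echo "quiet"; return 1; fi
    echo "ok"; return 0
}

# check_all "eth1 eth2" -> one "IFACE STATUS" line per interface;
# exit status 1 if any interface is quiet or missing
check_all() {
    rc=0
    for i in $1; do
        status=$(check_iface "$i") || rc=1
        echo "$i $status"
    done
    return $rc
}

# Example invocation (placeholder interface names; pick your sniffing interfaces):
# check_all "eth1 eth2" || check_all "eth1 eth2" | mail -s "$(hostname) sniffing interface quiet" root
```

The state file holds the previous sample, so the first run only establishes a baseline. Keep in mind that this only proves the interface is receiving packets; it does not prove it is receiving the traffic you expect (a SPAN session that was re-pointed elsewhere still delivers packets), so pair it with a content check such as the IDS-alert script further down.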

Bro

Bro will automatically email you when it stops seeing traffic on an interface; all you have to do is configure Bro's email settings per the Email page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-bro-to-send-emails

Script to check for lack of IDS alerts

Here's another option contributed by Jerry Shenk. Rather than watching the interface, it watches the result: it counts the distinct signatures in the Sguil event table over the last three hours and emails a short report when that count is at or below LIMIT. Run it periodically (for example from cron) as root on the server that hosts securityonion_db, and tune LIMIT to your own baseline, since a genuinely quiet network will trip it just as a dead tap will:

#!/bin/sh
# Script to monitor Security Onion activity over the past few hours and alert on inactivity.
# Inactivity could be due to a connection having been removed or some process failing.
# It counts the distinct signatures seen in the last $HOURS hours; if that number is
# at or below $LIMIT it mails a report of the most frequent signatures.
MAILTO=          # recipient address (the original value was stripped from the page)
HOURS=3          # look-back window, in hours
LIMIT=5          # alert when this many distinct signatures or fewer were seen
REPORT=/root/so-lasthour.txt
SUBJECT="$(hostname) Security Onion inactivity alert $(date)"

echo "$SUBJECT" > /root/edgerouter.log

# top_signatures STATUS_CLAUSE -> "count<TAB>signature" for the 20 most frequent
# signatures matching the status clause within the look-back window
top_signatures() {
    mysql -N -B --user root --database securityonion_db -e "
        SELECT COUNT(signature) AS cnt, signature
        FROM event
        WHERE $1
          AND timestamp >= DATE_SUB(NOW(), INTERVAL $HOURS HOUR)
        GROUP BY signature
        ORDER BY cnt DESC
        LIMIT 20;"
}

# grep -c . counts the result lines, i.e. the number of distinct signatures (max 20)
if [ "$(top_signatures 'status<>1' | grep -c .)" -le "$LIMIT" ]; then
    echo "Too few events"
    {
        echo "non-URL signatures"
        top_signatures 'status<>1'
        echo ""
        echo "URL signatures"
        top_signatures 'status=1'
    } > "$REPORT"
    mail -s "$SUBJECT" "$MAILTO" < "$REPORT"
else
    echo "Acceptable number of events"
fi
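The script above counts signatures across the whole database, so on a master server with several sensors one interface that has gone dark is hidden by the others' alerts. The following is an added example for this page, not part of Jerry Shenk's script or of Security Onion: it counts recent events per sensor and flags any sensor at or below LIMIT. It assumes the Sguil schema as used by Security Onion, specifically a sensor table with sid and hostname columns and an event table with sid and timestamp; those column names, and the mysql root access, are assumptions carried over from the script above.

```shell
#!/bin/sh
# Added example (not part of the original script): flag individual sensors that
# logged $LIMIT or fewer events in the last $HOURS hours, so one quiet interface
# in a multi-sensor deployment is not masked by busy ones.
# Assumed schema: sensor(sid, hostname) and event(sid, timestamp, ...).

HOURS="${HOURS:-3}"
LIMIT="${LIMIT:-5}"

# per_sensor_counts -> one "hostname<TAB>event_count" line per sensor.
# The LEFT JOIN keeps sensors with zero events in the window, which are
# exactly the ones this check exists to find.
per_sensor_counts() {
    mysql -N -B --user root --database securityonion_db -e "
        SELECT s.hostname, COUNT(e.sid)
        FROM sensor s
        LEFT JOIN event e
          ON e.sid = s.sid
         AND e.timestamp >= DATE_SUB(NOW(), INTERVAL $HOURS HOUR)
        GROUP BY s.hostname
        ORDER BY s.hostname;"
}

# quiet_sensors < tsv -> prints "hostname count" for each sensor whose count is
# at or below LIMIT (same threshold semantics as the script above);
# exit status 1 if any sensor is quiet, 0 if all are active.
quiet_sensors() {
    awk -v limit="$LIMIT" -F '\t' '
        $2 + 0 <= limit { print $1, $2; quiet = 1 }
        END { exit quiet ? 1 : 0 }'
}

# Example invocation:
# if report=$(per_sensor_counts | quiet_sensors); then
#     echo "all sensors active"
# else
#     printf '%s\n' "$report" | mail -s "$(hostname) quiet sensor(s)" root
# fi
```

Because the query and the threshold logic are separate functions, the threshold part can be exercised on a saved copy of the query output, and the per-sensor report tells you which tap or SPAN session to go and look at instead of a database-wide number.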