Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

SensorStopsSeeingTraffic

Jump to bottom
Doug Burks edited this page Mar 25, 2015 · 8 revisions

Just like in everything, there's always more than one way to do it!

Here are a few options:

OSSEC

OSSEC checks your sniffing interfaces every 10 minutes. If no packets have been received within that 10 minute window, then OSSEC will generate an alert. This alert can be found in Sguil, Squert, and ELSA. If you'd like OSSEC to email you, then configure it for email as shown here:
[https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-ossec-to-send-emails](https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-ossec-to-send-emails)

Bro

Bro will automatically email you when it stops seeing traffic on an interface. All you have to do is configure Bro per the [Email](Email) page:
[https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-bro-to-send-emails](https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-bro-to-send-emails)

Script to check for lack of IDS alerts

Here's another option contributed by Jerry Shenk:
#!/bin/sh

#script to monitor Security Onion activity for the past hour to alert on inactivity

#Inactivity could be due to a connection having been removed or some process failing

[email protected]

DATE=`date`

SUBJECT="`hostname` Security Onion inactivity alert `date`"

LIMIT=5

REPORT=/root/so-lasthour.txt



echo $SUBJECT > /root/edgerouter.log



if test ` mysql -N -B --user root --database securityonion_db -e

"SELECT COUNT(signature)as cnt, signature FROM event WHERE status<>1

and timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature

ORDER BY cnt DESC LIMIT 20;" | grep -c .` -le $LIMIT

  then

     echo "Too few events"



     echo "non-URL signatures" > $REPORT

     mysql -N -B --user root --database securityonion_db -e "SELECT

COUNT(signature)as cnt, signature FROM event WHERE status<>1 and

timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER

BY cnt DESC LIMIT 20;" >> $REPORT

     echo "" >> $REPORT

     echo "URL signatures" >> $REPORT

     mysql -N -B --user root --database securityonion_db -e "SELECT

COUNT(signature)as cnt, signature FROM event WHERE status=1 and

timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER

BY cnt DESC LIMIT 20;" >> $REPORT

     cat $REPORT | mail -s "$SUBJECT" $MAILTO



  else

     echo "Acceptible number of events"

  fi

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Other

Scripts

Clone this wiki locally