SensorStopsSeeingTraffic

weslambert edited this page Apr 19, 2018 · 6 revisions

Just like in everything, there's always more than one way to do it!

Here are a few options:

OSSEC

OSSEC checks your sniffing interfaces every 10 minutes. If no packets have been received within that 10-minute window, OSSEC generates an alert. This alert can be found in Sguil, Squert, and Kibana. If you'd like OSSEC to email you, configure it for email as shown here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-ossec-to-send-emails
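
The same "no packets in a window means the sensor is blind" check as a stand-alone POSIX shell script, added here as an example (it is not from the Security Onion wiki and is not how OSSEC implements its check). It assumes Linux sysfs receive counters under /sys/class/net; SYSFS_NET, the interface names and the 600-second window are assumptions for illustration.

```shell
#!/bin/sh
# Added example: sniffing-interface liveness check (not from the Security Onion
# wiki or from OSSEC). Samples each interface's cumulative rx_packets counter
# from Linux sysfs twice and reports interfaces whose counter did not move.
# SYSFS_NET is an assumed override so the logic can be run against a
# constructed directory tree instead of the live /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# rx_packets IFACE -> cumulative received-packet count, or "missing" when the
# interface (or its counter) is not present, e.g. after a NIC rename or removal.
rx_packets() {
    f="$SYSFS_NET/$1/statistics/rx_packets"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# idle_interfaces WINDOW_SECONDS IFACE... -> one line per interface that saw no
# packets during the window (or has no counter). Returns 0 when every
# interface received traffic, 1 otherwise, so it can drive mail/exit status.
idle_interfaces() {
    window="$1"; shift
    snap=$(mktemp)
    for i in "$@"; do echo "$i $(rx_packets "$i")"; done > "$snap"
    sleep "$window"
    idle=0
    for i in "$@"; do
        old=$(awk -v n="$i" '$1 == n { print $2 }' "$snap")
        new=$(rx_packets "$i")
        if [ "$old" = missing ] || [ "$new" = missing ]; then
            echo "$i: counter not found (interface down, renamed or removed?)"
            idle=1
        elif [ "$new" -eq "$old" ]; then
            echo "$i: no packets received in ${window}s"
            idle=1
        fi
    done
    rm -f "$snap"
    return "$idle"
}

# Usage (assumed interface names, 10-minute window like the OSSEC interval
# described above): sh sniffcheck.sh eth1 eth2
if [ "$#" -gt 0 ]; then
    if ! report=$(idle_interfaces 600 "$@"); then
        echo "$report" | mail -s "$(hostname) sniffing interface inactivity alert" root
    fi
fi
```

Run it from cron at the interval you want the check repeated; an interface that has been renamed or removed is reported as well, since that also leaves the sensor blind.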

Bro

Bro will automatically email you when it stops seeing traffic on an interface. All you have to do is configure Bro per the Email page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-bro-to-send-emails

Script to check for lack of IDS alerts

Here's another option contributed by Jerry Shenk:

#!/bin/sh
# Script to monitor Security Onion activity and alert on inactivity.
# Inactivity could be due to a connection having been removed or some process failing.
# Note: the queries below look back 3 hours, although the report file is named so-lasthour.txt.
MAILTO=idsadmin@company.com
SUBJECT="$(hostname) Security Onion inactivity alert $(date)"
LIMIT=5                     # alert when this many or fewer distinct signatures were seen
REPORT=/root/so-lasthour.txt

echo "$SUBJECT" > /root/edgerouter.log

# Count the distinct non-URL signatures (status<>1) seen in the window.
# "grep -c ." counts the result rows returned by mysql.
if test "$(mysql -N -B --user root --database securityonion_db -e "SELECT
COUNT(signature) AS cnt, signature FROM event WHERE status<>1
AND timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature
ORDER BY cnt DESC LIMIT 20;" | grep -c .)" -le "$LIMIT"
then
    echo "Too few events"

    echo "non-URL signatures" > "$REPORT"
    mysql -N -B --user root --database securityonion_db -e "SELECT
COUNT(signature) AS cnt, signature FROM event WHERE status<>1 AND
timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER
BY cnt DESC LIMIT 20;" >> "$REPORT"
    echo "" >> "$REPORT"
    echo "URL signatures" >> "$REPORT"
    mysql -N -B --user root --database securityonion_db -e "SELECT
COUNT(signature) AS cnt, signature FROM event WHERE status=1 AND
timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER
BY cnt DESC LIMIT 20;" >> "$REPORT"
    mail -s "$SUBJECT" "$MAILTO" < "$REPORT"
else
    echo "Acceptable number of events"
fi