SensorStopsSeeingTraffic
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/SensorStopsSeeingTraffic.
Just like in everything, there's always more than one way to do it!
Here are a few options:
OSSEC checks your sniffing interfaces every 10 minutes. If no packets have been received within that 10 minute window, then OSSEC will generate an alert. This alert can be found in Sguil, Squert, and Kibana. If you'd like OSSEC to email you, then configure it for email as shown here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-ossec-to-send-emails
Bro will automatically email you when it stops seeing traffic on an interface. All you have to do is configure Bro per the Email page:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email#how-do-i-configure-bro-to-send-emails
Here's another option contributed by Jerry Shenk:
#!/bin/sh
#script to monitor Security Onion activity for the past hour to alert on inactivity
#Inactivity could be due to a connection having been removed or some process failing
MAILTO=idsadmin@copmany.com
DATE=`date`
SUBJECT="`hostname` Security Onion inactivity alert `date`"
LIMIT=5
REPORT=/root/so-lasthour.txt
echo $SUBJECT > /root/edgerouter.log
if test ` mysql -N -B --user root --database securityonion_db -e
"SELECT COUNT(signature)as cnt, signature FROM event WHERE status<>1
and timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature
ORDER BY cnt DESC LIMIT 20;" | grep -c .` -le $LIMIT
then
echo "Too few events"
echo "non-URL signatures" > $REPORT
mysql -N -B --user root --database securityonion_db -e "SELECT
COUNT(signature)as cnt, signature FROM event WHERE status<>1 and
timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER
BY cnt DESC LIMIT 20;" >> $REPORT
echo "" >> $REPORT
echo "URL signatures" >> $REPORT
mysql -N -B --user root --database securityonion_db -e "SELECT
COUNT(signature)as cnt, signature FROM event WHERE status=1 and
timestamp>=date_sub(now(), interval 3 hour) GROUP BY signature ORDER
BY cnt DESC LIMIT 20;" >> $REPORT
cat $REPORT | mail -s "$SUBJECT" $MAILTO
else
echo "Acceptible number of events"
fi
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs