Tuesday, May 23, 2006

Sguil Sensor Monitoring & Reporting

People are concerned about their network security most of the time, so monitoring network security is important; however, we rarely hear people worrying about whether their monitoring devices have gone wrong or are malfunctioning instead of working properly. Especially in a distributed sensor setup, monitoring the health and status of the sensors is an important part of the job: a sensor that has silently died or dropped its sniffing process leaves a blind spot that the alert console will not show you.

If you happen to use OpenBSD, there is a tool available in ports called symon; it has been ported to FreeBSD and Linux as well. Symon is a lightweight system monitor used to watch the health of a system either locally or remotely, with symux collecting and displaying the statistics. The beautiful part is privilege dropping, so that symon does not keep running as root, and you can download syweb, which draws the RRD graphs based on your configuration and works perfectly with a chrooted Apache as well.

With symon, you can even specify which processes to monitor, such as snort, httpd, etc. That is useful for knowing how many resources are being used by your IDS or daemon. I'm currently still testing it before deploying it in a production environment and am quite satisfied with the result. I won't be showing here how I got it done, since the documentation that you can view here is good enough to get it working.
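As an added illustration (not from the original post and not the symon project's own documentation), here is what a sensor-side symon.conf and a collector-side symux.conf could look like for watching the snort process alongside the usual host metrics. The host addresses, the interface name em0, the disk wd0 and the datadir path are hypothetical, and the directive syntax is the symon.conf(5)/symux.conf(5) form as I recall it; verify it against the man pages of the version you install.

```conf
# /etc/symon.conf on the sensor (hypothetical address 192.0.2.10).
# symon samples each listed probe and streams the values to symux on
# the collector. proc(snort) reports CPU and memory of the IDS process,
# if(em0) is the assumed sniffing interface, io(wd0) the assumed disk
# holding the packet spool, pf the packet-filter counters.
monitor { cpu(0), mem, if(em0), io(wd0), pf, proc(snort) } stream to 192.0.2.1 2100

# /etc/symux.conf on the collector (hypothetical address 192.0.2.1).
# symux listens on the mux address and writes one RRD file per accepted
# probe under datadir; syweb reads those files to draw the graphs.
mux 192.0.2.1 2100
source 192.0.2.10 {
    accept { cpu(0), mem, if(em0), io(wd0), pf, proc(snort) }
    datadir "/var/www/symon/rrds/sensor1"
}
```

The probe list on the sensor and the accept list on the collector have to match: values streamed for a probe the collector does not accept are simply discarded, so a mismatch shows up as a flat graph rather than an error. For a sensor, the proc(snort) line is the one to watch, since the IDS disappearing from the graph is exactly the failure the post is talking about.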

Symon is one fine tool that you can use to monitor the health of your sensors remotely thanks to its small footprint. I suppose people will love it for its flexibility too.

Below are four screenshots of symon:

Another application I have tried is the project developed by one of the Sguil fellows, Paulh. Squert is a so-called Simple Query And Report Tool for Sguil. It is useful because it connects directly to the MySQL DB, allowing you to run queries against the Sguil DB and generate reports from them; Paulh claims it is very useful in a mass-sensor environment :P.

Below are two screenshots of Squert:

Symon and Squert are both incredible tools for people who are deploying distributed mass sensors: one for health monitoring and the other for reporting. I do wish that Squert could generate graphical reports in the future, which is something the NSM suite lacks.

That's all for now, cheers :]


Anonymous said...

Have you tried using snmp?

Anonymous said...

Do you know of some way to monitor the traffic by port?
Like a way to plot a graph which shows the top 10 ports used, bandwidth, percentage, etc.

I think it is something useful to know, like: how is your net link being used?

C.S.Lee said...

Though SNMP is widely used, I haven't tried it for the purpose of monitoring my sensors.

To Felipe, I suppose you want to collect network flow data, so that should be done using either NetFlow, ipaudit or Argus; I'm actually blogging about monitoring of the devices rather than that in this blog post. :)