From: Eli Stair (estair_at_tardis.ath.cx)
Date: Fri Jan 31 2003 - 13:20:15 CST

    Lars, that sounds (to me) like it belongs in a NM package like Nagios or OpenNMS,
    snort doesn't sound like the right place to be doing it (IMO). Although your net
    management software has no business (IMO) listening to the wire to check for
    damaged frames, etc. And hardware errors like that would be unlikely to make it
    above the data link layer, and thus not be detected by snort anyhow. Feel free
    to correct me if I'm wrong, anyone :)

    /eli

    On Fri, 31 Jan 2003 10:37:47 -0800
    "Lars Borland" <lborlandTriadAssoc.com> wrote:

    > Does anyone have an answer to my 2nd question?
    >
    > Has anyone written a rule for, or been able to use Snort to detect signs
    > of a failing NIC? I don't know the terminology off-hand but a dying NIC
    > may start to "yell" at the network, causing the surrounding NICs to
    > spend a lot of time dropping packets not specifically destined for them
    > (they still have to look at the packets to know to drop them). The NIC
    > on the offending machine still appears to work somewhat but performance
    > on the machine is very poor. Also, the surrounding network (whatever is
    > in the same collision domain) will suffer. Incoming tech calls will be
    > something like "Are things running kind of slow today?". I've dealt
    > with this sort of thing in the past and have luckily come across the
    > failing NIC by chance. I'd like to be able to pinpoint this sort of
    > thing more easily using Snort if at all possible. Please let me know if
    > you're aware of any such rule.
     

    -- 
    CAUTION: Repeated use of finger can cause a system to become overloaded, which can cause it to stop responding.
    --Infinite wisdom from the font that is ISS 6.2.1
    

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users