Take snapshots of system load at regular intervals (spaced a few seconds apart) to trend and watch for spikes. This includes snapshots of CPU performance such as what you can see with uptime, procinfo, or w:

[mnystrom@blanco-rich-1 ~]$ uptime
 07:25:11 up 32 days, 17:04,  1 user,  load average: 0.01, 0.02, 0.00

It turns out that different types of systems compute this number differently. Linux does not take into account the number of processes waiting for the CPU, whereas HP does. Therefore, you’ll want to understand how the number is calculated before you set alerting thresholds. However, it’s fair to say that if the system is running normally when the load is less than 1, seeing it spike to 4 or 5 indicates that something has drastically changed, and you’ll want to look into what’s causing the spike.

Watch memory to ensure that you aren’t exhausting all of your free or swap memory. It’s good to check memory utilization against what’s “normal,” but some processes grow over time. At the very least, check to make sure you don’t run out of physical or swap memory. On a Unix machine, you can check this with commands such as top, free, and meminfo.

Watch available disk space to ensure that there’s adequate room to store collected events. Keep an eye on space utilization in the partition where you’re collecting data, and where the system must keep disk space available to function properly. You can check available disk space on a Unix server with the command df. Beyond just having disk space available, you’ll also want to ensure that the space is writable.

Check network performance and throughput to ensure that security events aren’t overwhelming your network interface. You can check this on Unix (as root), with the ifconfig command:

bash-3.00$ sudo ifconfig
Password:
eth0      Link encap:Ethernet  HWaddr 00:1E:0B:34:9F:D7  
          inet addr:10.83.4.102  Bcast:10.83.4.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:bff:fe34:9ee7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20892745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12713946 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2754879057 (2.5 GiB)  TX bytes:1151366228 (1.0 GiB)
          Interrupt:209

Verify that you’re not seeing errors on the interface by inspecting the errors section of the output.

To continually monitor your systems, you should program these commands to run at frequent intervals, benchmarking them against normal values. We’ll describe an approach for accomplishing this later in Automated System Monitoring.

Now that we’ve discussed how to monitor the health of your systems, we’ll address how you should monitor each type of device to ensure a continual stream of events.

To ensure that you’re getting traffic to your NIDS, watch the ports feeding into it. If your NIDS is configured to receive traffic via a SPAN port, watch the SPANs to ensure that they’re still pointed to your NIDS. (Occasionally a network engineer will “steal” the SPAN port to troubleshoot other problems. She may forget to reset the configuration for your NIDS.) Alternatively, if you’ve deployed your NIDS in the line of traffic (inline), watch the traffic rates to ensure that nothing has been interrupted. It will be obvious if your NIDS is no longer receiving traffic, as all downstream traffic will also be interrupted.

To ensure that your routers are still configured to send traffic to your NIDS, you must watch the SPAN configuration on the routers themselves. If you analyze the configuration of the monitor sessions on the router, you should see that it remains configured to mirror traffic to your NIDS. The best way to ensure that it’s working properly is to document the output of the working configuration, and compare it to the running configuration at regular intervals. For example, here’s the output of show monitor on an IOS 12.2 router:

blanco-dc-gw1>show monitor
Session 1
- ---------
Type                   : Local Session
Source Ports           :
   Both                : Gi1/1
Destination Ports      : Gi3/11


Session 2
- ---------
Type                   : Local Session
Source Ports           :
   Both                : Gi1/2
Destination Ports      : Gi3/12

In this example, a NIDS is connected to port Gi3/11 on Session 1 and Gi3/12 on Session 2.

Even if traffic is reaching your NIDS, you must be sure it can process the events. The NIDS will have some processes responsible for receiving and analyzing events, which must be kept running to continue analyzing traffic and raising alerts. You should watch the sensor processes to be sure they’re running normally. For example, on a Cisco NIDS, the Analysis Engine must be running for the sensor to process events. In a Snort deployment, it’s the snort process that’s critical. You may wish to add further checks to ensure that the required processes are not in a “zombie” state, and that they’re getting sufficient CPU time.

If your router is sending traffic to the NIDS, and the processes are running normally, everything is probably working fine. One further check that you can add is to ensure that alerts are being generated. To do so, watch the alerts coming from the NIDS to ensure that you’ve received at least one alert within the past few minutes. On many networks, a properly tuned device will still generate events very frequently, so if you’ve not seen a single event within the past 30 minutes, something is definitely wrong.

Most importantly, the network flow collector must itself be watched to ensure that it can receive, store, and relay flows properly. This requires “health monitoring,” as we expounded earlier in this section. Health monitoring checks that the collector can keep up with incoming data, and that the disk space and permissions are properly configured so that captured flows can be properly stored.

There’s more than one way to monitor for flows coming in from each router you’re expecting. It’s most important to watch that the sending routers are configured to send flows to your collector. On each router, verify that the ip flow export command is properly configured. For example, here’s the NetFlow configuration on a Cisco IOS 12.2 router. It’s configured to export NetFlow v5 to our collector at 10.83.4.99 on port 2055.

blanco-dc-gw1>show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.83.4.99 (2055)
  Exporting using source interface Loopback0
  Version 5 flow records, peer-as
  327844689 flows exported in 10928453 udp datagrams
  -- output clipped for brevity --

You should also confirm that NetFlow is being exported from the proper interface (in the preceding example, it’s exporting via the Loopback0 interface). If you check this again in a few seconds, you should see the number of exported flows increasing, indicating that it’s still exporting properly.

Now that you’ve checked the configuration from the routers, you should also check the collector to be sure it’s listening to receive flows, and that they’re being received. Assuming the collector is running Unix, simply use netstat to check that the collector is listening for NetFlow traffic on the proper port by “grepping” for the correct listening port:

[mnystrom@blanco-dc-nfc-1 ~]$ netstat -l | grep 2055
udp        0      0 *:2055                      *:* 

You’ll also want to see whether you’re receiving traffic from each router. One technique is to create iptables rules on the collector itself, adding an entry for each router from which you expect to receive NetFlow. For example, if you want to monitor the amount of traffic you’ve received from two gateway routers, add ACCEPT rules for each router to the iptables INPUT chain:

[root@blanco-dc-nfc-1 ~]# iptables -vL INPUT
Chain INPUT (policy ACCEPT 9875 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source      destination
-A INPUT -s 10.83.4.1 -p udp -m udp --dport 2055 -j ACCEPT 
-A INPUT -s 10.83.4.2 -p udp -m udp --dport 2055 -j ACCEPT 
ACCEPT 
COMMIT

The iptables chain in the preceding code is “accepting” connections from gateways 10.83.4.1 and .2 (corresponding to blanco-dc-gw1 and gw2, respectively). You can periodically run iptables -VL INPUT, to see how many bytes and packets have arrived from each accepted host in the chain. Simply compare those numbers with the ones from a few minutes ago to prove that you’re getting traffic from each source:

[root@blanco-dc-nfc-1 ~]# iptables -vL INPUT
Chain INPUT (policy ACCEPT 9875 packets, 14M bytes)
 pkts bytes target prot opt in  out  source        destination
  159  230K  ACCEPT udp  --  any any  blanco-dc-gw1 anywhere udp dpt:2055 
 4692 6776K  ACCEPT udp  --  any any  blanco-dc-gw2 anywhere udp dpt:2055

The preceding output proves that you’ve received 159 packets and 230,000 bytes since the last flush of the counters. Once you’ve checked these numbers, flush the counters so that you can see whether you’re accumulating flows at the next read. You can do this easily with the “zero counters” option on the iptables command (indicated in the following code by the –Z option):

[root@blanco-dc-nfc-1 ~]# iptables -vxL -Z INPUT
Chain INPUT (policy ACCEPT 273 packets, 130896 bytes)
 pkts bytes target  prot opt in  out  source         destination
  43 64156  ACCEPT  udp  --  any any  blanco-dc-gw1  anywhere udp dpt:2055
  11 16412  ACCEPT  udp  --  any any  blanco-dc-gw2  anywhere udp dpt:2055
Zeroing chain 'INPUT'

To prevent a problem where routers are sending NetFlow but you’re not able to store it, check the directories where NetFlow is stored to be sure permissions are set properly. For example, to check the /apps/netflow directory on a Unix box, check that the write bit is properly set for the user writing the flows:

[mnystrom@blanco-dc-nfc-1 data]$ ls -l /apps/netflow
total 12
drwxr-xr-x  243 netflow infosec 12288 Jul 28 09:41 data

In the preceding example, you can see that the netflow user (the owner of the file) has full permissions on the data file, so the file system is properly configured. This is a good place to verify that datafiles have been written to the collection directory within the past few minutes.

Once you’ve verified that the system can receive flows and that data is coming from the routers, you should ensure that the processes used for collecting and storing (and, if applicable, relaying) NetFlow are running, and that they haven’t failed or gone into a zombie state. To check processes, run a command on the operating system to see whether all the correct processes are running. Of course, you’ll first need to know which processes should be running, and how many of them.

[mnystrom@blanco-dc-nfc-1 ~]$ ps -ef | grep netflow
netflow  29982     1  0  2007 ?        1-09:34:16 /usr/local/netflow/bin/flow-
capture -w /apps/netflow/data -E54G -V5 0/0/2056 -S5 -p /var/run/netflow/flow-
capture.pid -N-1 -n288
netflow  29999     1  0  2007 ?        05:32:35 /usr/local/netflow/bin/flow-fanout
0/0/2055 0/0/2056 10.71.18.5/10.71.18.6/2055

In the preceding example, one flow-capture and one flow-fanout process is running. With OSU flow-tools, these processes are used to receive and store data to the local system, and relay them out to other systems.

Many collection tools provide a means for keeping storage within the bounds of available disk space by rotating out older data. With OSU flow-tools, the flow-capture process allows you to set the expire size or expire count for flows. These settings allow you to set a limit on how many flows you want to keep, or how much space you want to use for storing flows. Assuming, for example, that you want to keep as much data as possible within 1 TB of disk space, you could use the option -E 1024G on flow-capture. This option tells flow-capture to throw away the oldest flows in order to keep within the 1 TB (1,024 GB) disk space limit.

The knowledge that you have a full tool chest is useless without the accompanying knowledge of which tools are contained within. Likewise, you’ll want to know just how far back your NetFlow records go, so you can support necessary investigations and monitoring. If your collection directories are named by date, your job is an easy query against directory names. If not, simply finding the date of the oldest directory in your collection should show you how far back you can query NetFlow records.

thor$ nmap -sP 10.3.1.0/24

Starting Nmap 4.50 ( http://insecure.org ) at 2008-08-09
17:07 EDT
Host corp-dc-gw1.blanco.com (10.3.1.1) appears to be up.
Host webserver (10.3.1.18) appears to be up.
Host webserver-bkup (10.3.1.19) appears to be up.
Host new-webserver (10.3.1.20) appears to be up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.589
seconds

Monitor system health using the same approach used for NetFlow collectors. Verify that the collector is functioning properly and has enough memory, that load is sufficient for processing, and that the disk can handle more incoming data.

For event collection to work properly, the system processes used for receiving and storing events must run constantly, listening for relayed events. For example, when using syslog-ng for collecting event logs, the syslog-ng process must be listening for relayed syslog, normally via the standard syslog port of UDP/514. To check whether the process is running and listening on the correct port, use netstat to check for running UDP listeners and what processes are bound to those ports. You can do this with the -a option to show all connections, along with the -p option to show programs bound to ports:

[mnystrom@syslog-blanco-1 ~]$ sudo netstat -ap | grep syslog
tcp 0   0 0.0.0.0:514        0.0.0.0:*        LISTEN      1813/syslog-ng
udp 0   0 0.0.0.0:514        0.0.0.0:*                    1813/syslog-ng 
udp 0   0 10.83.4.102:32851 10.71.180.220:514 ESTABLISHED 1813/syslog-ng 
udp 0   0 10.83.4.102:32873 10.70.149.28:516  ESTABLISHED 1813/syslog-ng
unix  10  [ ]  DGRAM           4663   1800/syslogd        /dev/log

Based on the output from the preceding netstat -ap command, we can see that syslog-ng is listening for syslog, as we expect.

syslog-ng can handle listening for incoming syslog as well as storing it and relaying it to other servers. This is accomplished within one process, so there’s no need to monitor other processes on this host. Alternative event collection systems may use more processes in collecting and storing events. For example, Splunk, a commercial flexible analysis tool for events, requires processes for receiving events, helper processes, a watchdog process, and a web server.

You must watch the systems that are originating events to the log collector to ensure that they’re still sending data. There are a number of ways to oversee these event streams to ensure that they’re still flowing, but the most painless method is to watch the growing logfiles, checking for recent events from each system.

Begin with a list of hostnames from which you’re expecting events, and then check the event logs for recent events from such systems. Count any recent event as a “heartbeat” from the source system, indicating that it’s still sending events. There’s no need to evaluate the type of message that arrived from the source system; its recent timestamp is enough to indicate that the event feed is functioning. To check for a recent message from a source, search through the directory of collected logs. This may be a simple exercise if the directory is organized by event source, but if you’re using syslog-ng, you’ll have to slog through the mass of data to find the recent messages.

Let’s say it’s August 9 at 2:59 p.m., and you want to check for a message from the webserver-1 server within the past hour. Using egrep (extended grep) on a Unix system, you can construct this search to find something within the hour of 14:00, across all logfiles in the current directory:

egrep "Aug  9 14:.*webserver-1" /apps/logs/all-*

The egrep command tells the Unix server to run a regular expression match against the files. The .* between the date and the server name is a regular expression telling egrep to ignore everything between the date format and the server name. Even a single message within the past hour is an indicator that the server is running and sending events to the collector, as we expect.

Watch the network interface card (NIC) for messages arriving from the source system. The setup works as we described in Monitor Network Flow Collection. Create an iptables configuration with an ACCEPT rule for each source server. Monitor the accumulated packets for each rule in iptables, flushing each time you check the table.

Technically, auditing isn’t active monitoring, but the servers originating events to your collector require a configuration that will capture the correct events and relay them to the proper collector. To maintain the correct configuration on systems, deploy an auditing solution that can check its logging configuration against a reference template. Check for the following two configuration directives in the system’s log configuration:

A simple script to access the source server and grep the syslog.conf might include a check such as this:

$ ssh webserver-1 grep 10.83.4.102 /etc/syslog.conf
*.*                            @10.83.4.102

This checks the webserver-1 server for the presence of the 10.83.4.102 collection server in the syslog.conf file, and finds it in the response.

Just as we described in Monitor Network Flow Collection, it’s vital to make sure your event collection doesn’t overrun the available disk space. You can monitor this by watching available disk space (covered in “Monitor system health”), but you’ll need to proactively rotate your collected logs, expiring the oldest content to make room for new events. This feature is not native to syslog-ng, so you’ll need complementary tools to accomplish it. The most common pairing is logrotate, a freely available Unix utility authored by Erik Troan of Red Hat. This utility is scheduled to run as a daily cron, archiving logfiles by rotating, compressing, and deleting them.^[57]

To enable event logging in Oracle (Oracle calls it “auditing”), you must set the audit_trail parameter in the init.ora file. The database references this core configuration file at startup, and specifies whether to log events to the Oracle database (audit_trail = db or audit_trail = true) or to a logfile (audit_trail = os) on the host file system.

As an added step, routinely check the configuration files to be sure the Oracle database remains properly configured for logging. From the database, you can ensure that systemwide auditing is turned on by checking the v$parameter table:

select NAME, VALUE from V$PARAMETER where NAME like 'audit%';

NAME                           VALUE
------------------------------ 
audit_trail                    DB
audit_file_dest                ?/rdbms/audit

Here you can see that the administrator has configured init.ora with audit_trail = db, and that audit data will be written to the database’s audit area (SYS.AUD$).

Should you decide to collect events to the file system, it’s easy to relay those logs into your event log collection server. However, if you want Oracle to record events to the SYS.AUD$ table, you must keep watch over that table to confirm that new events are arriving regularly. For example, here’s a simple query to check for new events arriving every five minutes:

select count(*) from SYS.AUD$ 
where (current_timestamp - aud$.timestamp#) > 5*1/24/60

If the query returns a count greater than zero, you’ve confirmed that some events have been received within the past five minutes. To be sure you’ve received audit events of a certain type (for a specific table, column, user, etc.), simply add criteria to the where clause in the preceding query.

If events are captured in the SYS.AUD$ table (or the file system, depending on how Oracle is configured), you can have confidence that the system is configured to properly log events. However, because configuration changes can disrupt the flow of events, it’s useful to monitor Oracle’s audit settings to be sure you’re capturing audit events.

When you configure auditing on a table, Oracle stores the setting in metadata. The DBA_OBJ_AUDIT_OPTS view lists these settings, cross-referencing all objects with audit settings for every possible statement. You should regularly query this view to verify that audit settings are correct. For example, to ensure that auditing is still enabled for successful and unsuccessful queries against the CUSTOMERS table (where Social Security numbers are stored), issue the query:

select SEL from dba_obj_audit_opts
where object_name = 'CUSTOMERS';

If it’s properly configured for auditing, it should return:

SEL
---
A/A

This shows that auditing is enabled for both successful and unsuccessful SELECT statements against that table.

It’s considered a best practice to ensure that event logs are immutable so that a malicious user cannot cover her tracks by modifying them. Because a DBA has superuser privileges, she will always be able to modify the SYS.AUD$ table. Two simple configuration directives will record DBA activity and provide a record of any attempt to remove data from the auditing table.

First, set a directive to capture all changes to the SYS.AUD$ table. Connect as SYSDBA and modify the SYS.AUD$ table with this statement:^[58]

audit ALL on SYS.AUD$ by access;

This will ensure that every operation against the SYS.AUD$ table—including delete and truncate—are inserted into the SYS.AUD$ table as audit entries. If a DBA tries to cover her tracks by deleting entries from the table, those actions will be logged into the table itself!

You should also provide an off-database log of DBA activity. To do so, turn on file-based auditing of DBA actions by adding this configuration directive to init.ora:^[59]

AUDIT_SYS_OPERATIONS = TRUE

This will configure Oracle to log all SYS operations (including SYSDBA and SYSOPER) to the operating system logfile, which, if the system is configured correctly, is off-limits to the DBAs.

System monitoring solutions maintain a dashboard that allows an “at-a-glance” view of device status. They track the health and event status of each system using a variety of inputs, and contain the following elements:

Agents can run on the monitored device, such as an SNMP agent reporting to a system monitor or an installed agent. Alternatively, the central monitoring server can probe the device to evaluate output and record the health of the component. Figure 7-2 depicts a traditional network monitoring system.

Figure 7-2. A traditional network monitoring system showing a dashboard representing the availability of each device

The agents that run in a system monitoring solution check the health of a component or end station. They typically run a script containing commands much like the ones we’ve described in this chapter. For example, an agent could SSH into a server and run a command, evaluating the output to determine whether the system is performing within prespecified boundaries. Alternatively, the agent may run on the monitored device itself, triggering an SNMP trap when CPU utilization crosses an upper threshold.

To leverage such a system for your targeted monitoring event sources, you should configure it to monitor the following:

The status of each item should be represented on the network monitor dashboard, allowing you to observe “at a glance” those areas that require administrative attention.

Check to be sure there’s adequate disk space by running the check_disk plug-in to watch the collection directory (/apps/netflow/data), warning if less than 10% is available and sending a critical alert if less than 5% is available:

check_disk -w 10 -c 5 -p /apps/netflow/data

Ensure that the directory storing flows remains writable for incoming flows:

check_diskrw /apps/netflow/data

Evaluate whether the system load is excessive. Warn if the load exceeds 5, 10, or 15, and raise a critical alert if it exceeds 20, 25, or 30:

check_load -w 15,10,5 -c 30,25,20

Verify that a reasonable amount of physical memory is still available on the system. Warn if there’s less than 5% free memory, and raise a critical alert if there’s less than 1%:

check_mem -w 5 -c 1

Ensure that there’s a reasonable amount of swap space on the box, warning if there’s less than 90%, and raising a critical alert when it dips below 80%:

check_swap -w 90%% -c 80%%

Configure the Nagios check_latestfile plug-in to watch the /apps/netflow/data collection directory. Set the script to warn if the most recent file is more than 30 minutes old. This script does not accept parameters via the command line, so you must edit the script to set the required parameters.

Ensure that the correct number of collection and relay processes is running. First, make sure the flow-capture process is running, and that it raises a critical alert if there isn’t at least one, or if there is more than five running:

check_procs -c 1:5 -C flow-capture

The parameters described here specify only an upper limit because the syntax requires us to do so. If you’re running flow-fanout, add another check_procs to watch that process.

Blanco will use the same techniques for monitoring collector health that it used for monitoring the NetFlow collector. This will involve watching load, memory, and disk to ensure that the system is functioning normally and can receive and store event logs. Configuration for checking load, memory, and swap will remain exactly the same, but we’ll need to monitor the specific file system directories for syslog collection on this system.

Check to verify that there’s adequate disk space by running the check_disk plug-in and watching the collection directory (/apps/logs). Warn if there’s less than 20% available, and send a critical alert if there’s less than 10%:

check_disk -w 20 -c 10 -p /apps/logs

Ensure that the directory storing logs remains writable so that the events can be stored as they arrive:

check_diskrw /apps/logs

Make sure the syslog-ng process is running, raising a critical alert if there isn’t exactly one process running:

check_procs -c 1:1 -C syslog-ng

Configure the Nagios check_latestfile plug-in to watch the /apps/logs collection directory. Set the script to warn if the most recent file is more than 30 minutes old.

When storing logs to the file system, syslog-ng collates the logs from all sources into a single file during collection. This makes it difficult to discern whether a recently written file contains events from every source. To monitor for events from each of Blanco’s monitored servers, Blanco used the same approach taken with NetFlow monitoring: using iptables to watch for traffic volume.

The iptables configuration file will look similar to the one used to watch for NetFlow:

-A INPUT -s webserver-1 -p udp -m udp --dport 514 -j ACCEPT 
-A INPUT -s webserver-2 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s appserver-1 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s appserver-2 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s dbserver -p udp -m udp --dport 514 -j ACCEPT

A custom script regularly checks the accumulated data from each server via the iptables command, subsequently zeroing the counters in preparation for the next check.

Blanco monitors the health of its sensors using SNMP and Expect scripts executed via SSH. To monitor the CPU, Blanco uses a built-in Nagios plug-in called check_snmp, which queries the sensor via SNMP, sending a warning if CPU usage is above 75%. The -H parameter specifies the sensor name (ids-1), and the -o parameter requires the SNMP object identifier corresponding to a check for the CPU value of the sensor:

check_snmp -H ids-1 -o "1.3.6.1.4.1.9.9.109.1.1.1.1.8.1" -w 75

To monitor available memory and disk space, Blanco executes an Expect script via SSH. The script connects to the sensor and parses the output of the show version command:

ids-1# show version
Application Partition:

Cisco Intrusion Prevention System, Version 6.1(1)E2

-- output clipped for brevity --

Using 1901985792 out of 4100345856 bytes of available memory (46% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
boot is using 40.6M out of 69.5M bytes of available disk space (62% usage)

-- output clipped for brevity --

The script parses the output, raising a critical alert to Nagios if memory or disk space is consumed beyond 90%. In the preceding output, all values are safely below this threshold.

Because Blanco’s sensors are receiving feeds directly from gateway routers, scripts are used to periodically verify that SPANs are properly configured. This confirms that the routers are properly enabled to mirror traffic to the sensor. Using Expect, Blanco scripted a regular comparison of the show monitor session all command with a stored baseline. This is best accomplished by storing an MD5 hash of the command output and subsequently comparing it to the new value upon each connect. The script raises a Nagios alert if the hashes don’t match.

Blanco also monitors the percentage of missed packets. If the value is higher than 10%, it can indicate that the network has grown beyond the sensor’s capacity to monitor traffic. Using the show interface command, the script parses the percentage of missed packets from the output:

ids-1# show interface
Interface Statistics
   Total Packets Received = 109049288548
   Total Bytes Received = 67536504907892
   Missed Packet Percentage = 2
   Current Bypass Mode = Auto_off
-- output clipped for brevity --

Note the value Missed Packet Percentage = 2. Because this value is less than 10, the script will not raise an alert to Nagios (recall that the script should alert only if the percentage missed is greater than 10%).

Most critically, Blanco wants to ensure that the AnalysisEngine and MainApp processes are running on its CS-IPS 6.1 sensor. If they’re not running, the script raises a critical alert to Nagios. Using the show version command, the result is parsed to find an indication that these processes are running:

ids-1# show version
Application Partition:

Cisco Intrusion Prevention System, Version 6.1(1)E2

-- output clipped for brevity --

MainApp         M-2008_APR_24_19_16  (Release) 2008-04-24T19:49:05-0500   Running   
AnalysisEngine  ME-2008_JUN_05_18_26 (Release) 2008-06-05T18:55:02-0500   Running   
CLI             M-2008_APR_24_19_16  (Release) 2008-04-24T19:49:05-0500             
-- output clipped for brevity --

The preceding output shows the Running keyword on the line with each of the two critical processes: MainApp and AnalysisEngine. If the Running keyword is not present, the script raises a critical alert in Nagios.

Lastly, Blanco wants to monitor the sensors to ensure that they are still generating alerts. To check for recent alerts, the script checks the alert destination—the Security Information Manager (SIM), where alerts are reviewed by the monitoring staff. Blanco’s SIM uses an Oracle database to store the alerts for processing, so the company uses a script to query the pertinent table looking for alerts generated within the past five minutes. If no alerts have been logged within the past five minutes, the script raises a critical alert to Nagios via the NSCA framework.