check_snort

check_snort.sh

check_snort.sh -> plugins to check snort (alerts/hosts*)

    check_snort is a nagios-plugin to check the functions of a running
    snort-sensor* or the events in snort_alert_databases against given
    thresholds. the plugin is designed to collect snort_statistics and
    display them via pnp graphs; i wouldn't count on the nagios-alerts, but
    it's nice to check your 5min-alert-count or 24hrs-alert-count
    with time-based

    both checks are designed to run via nrpe.

    * not yet ready and to be done

Installation:

    download from http://exchange.icinga.org and put check_snort.sh into
    your $PLUGINS_REPOSITORY at your snort_sensors (for check_snort.sh -m host)
    or at your snort_alert_db_server (for check_snort.sh -m alerts)

    edit check_snort.sh and change the variables as needed

    create $SPOOL_DATA_DIR with write_permissions for user nagios; this
    directory will be used for check-data and logfiles

    check out check_snort.cfg.template for nagios command/service-definitions
    and a pnp-template

    run a test from the nagios-host; you might turn on debugging_output (output
    appears in the logs @ $SPOOL_DATA_DIR)

    enjoy your graphs ;-)

Plugin-Modi

    the plugin works in two different modi:

  Alert-Modus

    check_snort.sh -m alerts checks the actual alerts against an average
    alert_count; the selection can be made with the -i switch

    -i [INTERVAL] set check_interval (actual_alert vs avg_alert):
                  1 -> 5min vs 60min
                  2 -> 1hour vs 24hour [default]
                  3 -> 24hour vs 7day
                  4 -> 7 day vs 30 day (DO NOT USE)
                  5 -> 7 day vs 90 day (DO NOT USE)
                  6 -> display total number (no warning/critical) [nyr]

    furthermore you can choose a priority-level with the -p switch, given a range
    from 1 (lowest prio, all alerts) to 4 (highest prio, only successful-[user|admin]
    and successful exploits); -p 3 is always a good start

    -p [PRIORITY] set the snort_sig_priority_level to check against;
                  default: 3

  Host-Modus *

    tbd ...


Running the plugin

    depending on the amount of alerts it's wise to start just
    with a few checks, maybe interval 2 for prio 2/3
    (check_snort.sh -m alerts -i 2 -p 2), being checked
    every five minutes.

    alerting is best done with interval 1 or 2, but you'll need to adjust
    the warning/critical thresholds, since the default values and the values
    in the cfg.templates are taken from a webserver-environment.

    if you implement checks with -i > 2 you should run these checks
    just once every hour or less frequently, since this interval
    is more for statistical reasons and not for alerting, and might cause some
    load on the database.


Output:

    log_output is placed into $SPOOL_DATA_DIR (default) and might be made verbose using
    the -d switch

    if the check was able to execute, the plugin returns OK/WARNING/CRITICAL, otherwise UNKNOWN,
    in good nagios-plugin-tradition; beside this some values are displayed.
    the following line shows the output for: check_snort.sh -m alerts -p 1 -i 1 -w 1000 -c 10000

    SNORT_CHECK OK - [alerts] p-1 :: 5min-1hr :: last: 151 - avg: 20 / thresh: 220/2020 [1000%/10000%]

    the output displays modus, prio, interval, last_alerts, avg_alerts and the thresholds in values and
    percent. beside this, the plugin also returns actual_alert_count, avg_alert_count and total_alert_count
    for the avg_interval; in this case, the perfdata would be 5min=151;220;2020; 1hr=244; 1hr-avg=20.

    for displaying the graphs via pnp there is a little pnp_template in check_snort.cfg.template;
    check the plugin_homepage for examples


Usage:

check_snort.sh
            - nagios_plugin to check snort_hosts or
              check snort_alerts in snort_databases
              and alert on given thresholds;
              to be used @ snort_db_hosts via check_nrpe
              see check_snort.README for more details

  [nyr]  ->  use with caution: function not yet fully implemented and tested

  USAGE:
    check_snort.sh [options]

  CONFIG:
    values for db_access, defaults etc might be configured
    within this file -> /path/to/plugins/check_snort.sh

  OPTIONS
    this script uses 2 modes:
    -m [modus]    set the working-modus
                  MODI:
                    host   - check snort_host specific details (running, dropped packets)
                             [nyr]
                    alerts - check snort_alerts against a given database (only mysql supported
                             at the moment)

    -c [percent]  set critical_threshold; if actual_alert
                  is [percent] higher than avg_alert, CRITICAL is returned;
                  if the alertcount is [percent] lower, an
                  anormal_report is generated and displayed
                  default: 100

    -w [percent]  set warning_threshold; if actual_alert
                  is [percent] higher than avg_alert, WARNING is displayed;
                  if the alertcount is [percent] lower, an
                  anormal_report is generated and displayed
                  default: 500

    -i [INTERVAL] set check_interval (actual_alert vs avg_alert):
                  1 -> 5min vs 60min
                  2 -> 1hour vs 24hour [default]
                  3 -> 24hour vs 7day
                  4 -> 7 day vs 30 day (DO NOT USE)
                  5 -> 7 day vs 90 day (DO NOT USE)
                  6 -> display total number (no warning/critical) [nyr]

    -p [PRIORITY] set the snort_sig_priority_level to check against;
                  default: 3

    -s [sid]      set a special sid to check instead of a priority
                  [nyr]

    -d            debug_output > logfile

    -l [logfile]  alternate log_file
                  default: SPOOL_DATA_DIR/check_snort.log

    -o [out_dir]  give a separate spool_data_dir
                  default: /var/log/nagios
                  may be changed within the script itself via default_VAR

    -z            create csv_output in SPOOL_DATA_DIR [nyr]

  EXAMPLE
    check_snort.sh -m alerts -i 3 -w 100 -c 200

check_snort.cfg.templates

 #
 # nagios/pnp config_templates for check_snort.sh
 #
 # 2009-10-20
 #
 # local-nrpe.cfg
 # dont_blame_nrpe=1
 command[check_snort_alerts]=/etc/nagios/plugins/check_snort.sh -m alerts -i $ARG1$ -p $ARG2$ -w $ARG3$ -c $ARG4$

 # nagios_conf
 ### command_definition w/ values ###################################
 # the services below pass "interval prio warn crit" as one argument ($ARG1$);
 # left unquoted, check_nrpe hands them on as the four NRPE $ARGn$ values used above
 define  command {
    command_name    check_snort_alerts
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_snort_alerts -a $ARG1$
    }

 ##### prio 4 templates #####################################
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p4-1 5min
        check_command           check_snort_alerts!1 4 1000 10000
        use                     generic-service
        check_period            24x7
        normal_check_interval   5
        retry_check_interval    5
        max_check_attempts      3
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p4-2 1hr
        check_command           check_snort_alerts!2 4 500 5000
        use                     generic-service
        check_period            24x7
        normal_check_interval   30
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p4-3 24hr
        check_command           check_snort_alerts!3 4 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   60
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p4-4 7d
        check_command           check_snort_alerts!4 4 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p4-5 7d
        check_command           check_snort_alerts!5 4 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }

 ##### prio 3 templates #####################################
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p3-1 5min
        check_command           check_snort_alerts!1 3 1000 10000
        use                     generic-service
        check_period            24x7
        normal_check_interval   5
        retry_check_interval    2
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p3-2 1hr
        check_command           check_snort_alerts!2 3 500 5000
        use                     generic-service
        check_period            24x7
        normal_check_interval   30
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p3-3 24hr
        check_command           check_snort_alerts!3 3 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   60
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p3-4 7d
        check_command           check_snort_alerts!4 3 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p3-5 7d
        check_command           check_snort_alerts!5 3 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }

 ##### prio 2 templates #####################################
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p2-1 5min
        check_command           check_snort_alerts!1 2 1000 10000
        use                     generic-service
        check_period            24x7
        normal_check_interval   5
        retry_check_interval    2
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p2-2 1hr
        check_command           check_snort_alerts!2 2 400 5000
        use                     generic-service
        check_period            24x7
        normal_check_interval   30
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p2-3 24hr
        check_command           check_snort_alerts!3 2 300 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   60
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p2-4 7d
        check_command           check_snort_alerts!4 2 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p2-5 7d
        check_command           check_snort_alerts!5 2 500 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      2
        register                0
 }

 ##### prio 1 templates #####################################
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p1-1 5min
        check_command           check_snort_alerts!1 1 1000 10000
        use                     generic-service
        check_period            24x7
        normal_check_interval   5
        retry_check_interval    2
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p1-2 1hr
        check_command           check_snort_alerts!2 1 400 5000
        use                     generic-service
        check_period            24x7
        normal_check_interval   30
        retry_check_interval    5
        max_check_attempts      2
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p1-3 24hr
        check_command           check_snort_alerts!3 1 300 1000
        use                     generic-service
        check_period            24x7
        normal_check_interval   60
        retry_check_interval    10
        max_check_attempts      3
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p1-4 7d
        check_command           check_snort_alerts!4 1 500 1000
        use                     generic-service
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      3
        register                0
 }
 define  service {
        host_name               snort_db_host
        service_description     snort_alerts p1-5 7d
        check_command           check_snort_alerts!5 1 500 1000
        use                     generic-service
        normal_check_interval   720
        retry_check_interval    10
        max_check_attempts      3
        register                0
 }

 <?php
 # pnp_template => nagios3/htdocs/pnp/templates/check_snort.pnp
 #
 # Copyright (c) 2006-2008 Joerg Linge (http://www.pnp4nagios.org)
 #
 # modified for check_snort_alerts /
 #
 # 2009-09-30
 #
 #
 # graph 1: last alerts of the check interval against the average of the base interval
 $opt[1] = "--title \"AVG_ALERTS / $servicedesc\" ";
 #
 $def[1] =  "DEF:var1=$rrdfile:$DS[1]:AVERAGE " ;
 $def[1] .= "DEF:var2=$rrdfile:$DS[3]:AVERAGE " ;
 $def[1] .= "AREA:0 " ;
 $def[1] .= "AREA:var2#00FF00:\"Avg Alerts $NAME[2] \":STACK " ;
 $def[1] .= "LINE1:var2#000000 " ;
 $def[1] .= "LINE2:var1#FF0000:\"Last Alerts $NAME[1] \" " ;
 $def[1] .= "VDEF:var3=var1,MAXIMUM " ;
 $def[1] .= "LINE1:var3#F020F7:MAX " ;
 $def[1] .= "COMMENT:\"              \" " ;
 $def[1] .= "COMMENT:\"-----------------------------------------------\" " ;
 $def[1] .= "COMMENT:\"last alerts count-interval  $NAME[1]                 \" " ;
 $def[1] .= "COMMENT:\"avg  alerts count-interval  $NAME[3]                 \" " ;
 $def[1] .= "COMMENT:\"-----------------------------------------------            \" " ;
 $def[1] .= "GPRINT:var1:LAST:\"last alerts %6.0lf                \" ";
 $def[1] .= "COMMENT:\"                       \" " ;
 $def[1] .= "GPRINT:var2:LAST:\"avg-alerts  %6.0lf   \" ";
 $def[1] .= "COMMENT:\"                                 \" " ;
 $def[1] .= "GPRINT:var1:MAX:\"max-alerts  %6.0lf   \" ";
 $def[1] .= "COMMENT:\"                                 \" " ;
 $def[1] .= "COMMENT:\"-----------------------------------------------\" " ;
 $def[1] .= "COMMENT:\"limits -> w $WARN[1] | c $CRIT[1]                  \" " ;
 $def[1] .= "COMMENT:\"-----------------------------------------------            \" " ;
 $def[1] .= "COMMENT:\"host   -> $hostname     \" " ;
 #$def[1] .= "GPRINT:var1:AVERAGE:\"%3.4lg %s$UNIT[1] AVERAGE \" ";
 #
 # graph 2: total alert count of the base interval
 $opt[2] = "--title \"TOTAL_ALERTS / $servicedesc\" ";
 $def[2] =  "DEF:var1=$rrdfile:$DS[2]:AVERAGE " ;
 $def[2] .= "AREA:0 " ;
 $def[2] .= "AREA:var1#00FF00:\"total_count $NAME[3] - $servicedesc \":STACK " ;
 $def[2] .= "LINE1:var1#000000 " ;
 $def[2] .= "COMMENT:\"                 \" " ;
 $def[2] .= "COMMENT:\"-----------------------------------------------\" " ;
 $def[2] .= "COMMENT:\"total counts  $NAME[3]                 \" " ;
 $def[2] .= "COMMENT:\"-----------------------------------------------            \" " ;
 $def[2] .= "GPRINT:var1:LAST:\"$NAME[3] total_count %6.0lf    \" ";
 $def[2] .= "COMMENT:\"                                 \" " ;
 $def[2] .= "COMMENT:\"-----------------------------------------------            \" " ;
 $def[2] .= "COMMENT:\"host        $hostname     \" " ;
 ?>