What does the application monitoring feature monitor for Sourcefire?

Article ID: 167978

Products

XOS

Issue/Introduction

This article explains what the XOS application monitoring feature checks for Sourcefire-based applications.
  • What does the application monitoring feature monitor for Sourcefire deployments on X-Series?

Symptoms:
  • Sourcefire application does not become active until placed in hardware bypass
  • Errors seen: Feb 17 21:21:18 rna_1 kernel: XVNIM error: Reader wanted to add unknown or removed device 'core2' (int=0 in irqs=0 irqs off=0)

Cause

The app_status script for Sourcefire is located in the /crossbeam/apps directory.
The application monitoring script (app_status) for Sourcefire checks the DE (Detection Engine) status. The script calls pmtool with checkDEStatus as an argument. If the result is '0', the check is successful; if '1' is returned, it is unsuccessful and the app is marked down (see below).
 
If the DE is running as expected, pmtool returns the interface sets, as shown below:
 
Received status (0): Interface Sets 2003cb8e-942e-11e1-93fd-8911cfca24c7 Frame size 1518 Interfaces udep.190 udep.40 udep.45 udep.60 udep.80 udep.81 9a7e4002-6d18-11e1-883d-39720c0377c9 Frame size 1518 Interfaces tr1.190 tr1.1006 tr1.1001 tr1.981 tr1.980 tr1.940 tr1.921 tr1.920 tr1.915 tr1.912 tr1.908 tr1.907 tr1.906 tr1.904 tr1.858 tr1.857 tr1.856 tr1.855 tr1.854 tr1.853 tr1.852 tr1.851 tr1.820 tr1.810 tr1.790 tr1.787 tr1.786 tr1.785 tr1.784 tr1.783 tr1.781 tr1.780 tr1.770 tr1.760 tr1.750 tr1.743 tr1.741 tr1.740 tr1.730 tr1.721 tr1.720 tr1.710 tr1.692 tr1.691 tr1.690 tr1.651 tr1.641 tr1.631 tr1.621 tr1.611 tr1.601 tr1.591 tr1.581 tr1.571 tr1.561 tr1.551 tr1.541 tr1.531 tr1.512 tr1.509 tr1.508 tr1.507 tr1.503 tr1.501 tr1.500 tr1.484 tr1.481 tr1.480 tr1.479 tr1.478 tr1.423 tr1.422 tr1.421 tr1.420 tr1.418 tr1.404 tr1.403 tr1.401 tr1.391 tr1.361 tr1.360 tr1.335 tr1.334 tr1.332 tr1.331 tr1.330 tr1.329 tr1.328 tr1.327 tr1.326 tr1.325 tr1.324 tr1.323 tr1.321 tr1.320 tr1.319 tr1.317 tr1.315 tr1.313 tr1.312 tr1.311 tr1.290 tr1.281 tr1.280 tr1.275 tr1.271 tr1.270 tr1.251 tr1.250 tr1.249 tr1.248 tr1.241 tr1.239 tr1.234 tr1.212 tr1.200 DEs f869f248-6dbc-11e1-af13-97ad0c0377c9 rna 2 instances (mask 0) c67b1bbc-6d18-11e1-9d9e-ea720c0377c9 ids 4 instances (mask 0)

______________________________________________________________________
 
ips_pod13_1 (Pod13): apps# ./app_status
ips_pod13_1 (Pod13): apps# echo $?            ! type "echo $?" to display the exit status of the preceding "app_status" command
0


Note: A return value of 0 means the check was successful.

ips_pod13_1 (Pod13): apps# /opt/sf/usr/local/sf/bin/pmtool DEstatus
Received status (0):
Interface Sets
 
0154145e-6fcb-11e2-bb4a-00ebc6d2fdf3
  Inline
  Frame size 1518
  Interfaces inside:ser
  DEs
    235f5ca2-6fcb-11e2-882d-bbebc6d2fdf3 ids 1 instances (mask 0)
 
ips_pod13_1 (Pod13): apps# /opt/sf/usr/local/sf/bin/pmtool checkDEstatus
ips_pod13_1 (Pod13): apps# echo $?
0

 
Note: A return value of 0 means the check was successful.
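When app_status marks the application down, it helps to see which detection engines pmtool actually reports. The following is an added example, not the vendor's app_status script or anything from the original article: it parses text in the `pmtool DEstatus` format shown above (both the multi-line and the one-line form) and mirrors the 0/1 convention. The function names, the sample UUIDs and the health rule in `de_check` are assumptions made for illustration.

```shell
# Added example, not the vendor app_status script. de_summary reads DEstatus text on
# stdin and prints per DE: <interface-set-uuid> <de-uuid> <type> <instances>.
de_summary() {
    awk '
    function is_uuid(s) {
        return length(s) == 36 && s ~ /^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$/
    }
    BEGIN { set = "-" }
    { for (i = 1; i <= NF; i++) tok[++n] = $i }  # tokenise, so one-line output parses too
    END {
        for (i = 1; i <= n; i++) {
            if (!is_uuid(tok[i])) continue
            if (tok[i + 3] == "instances")       # <uuid> <type> <count> instances
                print set, tok[i], tok[i + 1], tok[i + 2]
            else
                set = tok[i]                     # any other UUID names an interface set
        }
    }'
}

# de_check: returns 0 when the header reads "Received status (0)" and every
# listed DE has at least one instance, 1 otherwise. This rule is an assumption
# for illustration; the page does not show how checkDEstatus decides.
de_check() {
    input=$(cat)
    printf '%s\n' "$input" | grep -q 'Received status (0)' || return 1
    summary=$(printf '%s\n' "$input" | de_summary)
    [ -n "$summary" ] || return 1
    printf '%s\n' "$summary" | awk '$4 + 0 < 1 { bad = 1 } END { exit bad }'
}

# Constructed sample in the format shown above (UUIDs are made up); $1 sets the instance count.
sample() {
    cat <<EOF
Received status (0):
Interface Sets
11111111-2222-3333-4444-555555555555
  Inline
  Frame size 1518
  Interfaces inside:ser
  DEs
    aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee ids $1 instances (mask 0)
EOF
}

sample 1 | de_summary
for n in 1 0; do
    if sample "$n" | de_check; then echo "instances=$n: 0 (up)"; else echo "instances=$n: 1 (down)"; fi
done
```

On a live system the same functions can be fed from saved output of the `pmtool DEstatus` command shown above.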