This article explains what the XOS application monitoring feature checks for Sourcefire-based applications.
What does the application monitoring feature monitor for Sourcefire deployments on X-Series?
Sourcefire application does not become active until placed in hardware bypass
Errors seen:
Feb 17 21:21:18 rna_1 kernel: XVNIM error: Reader wanted to add unknown or removed device 'core2' (int=0 in irqs=0 irqs off=0)
The app_status script for Sourcefire is located under the /crossbeam/apps directory. The application monitoring script (app_status) for Sourcefire checks the DE (Detection Engine) status. The script calls pmtool with checkDEStatus as an argument. If the result is '0', the check is successful; if '1' is returned, the check is unsuccessful and the app is marked down. (see below)
If the DE is running as expected, it returns interface sets as shown below: