Snort mailing list archives

Re: Snort and SNMP


From: Chris Green <cmg () uab edu>
Date: 31 Jul 2001 00:07:38 -0500

"Wiley, Rob" <WileyR () autonation com> writes:

Can SNMP trapping be configured for Snort?  I would like to forward alerts
to a central NMS console (HP Openview) via SNMP in lieu of the syslog
service.

Why yes, yes it can!   A feature newly checked into CVS (through
the work of Glenn Mansfield Keeni and K. Jayanthi) allows one to use
either TRAPS or INFORMS.

Logging via SNMP isn't something I have done so this documentation
might be wrong.  I would appreciate any feedback.

Clip from the new ( 1.8.1 ) writing snort rules ( basically yanked from the
source )

------------

The SNMP trap output module allows Snort to direct alerts to a network
management station (NMS). The MIB format is listed in the MIBS
directory of the Snort distribution. SNMP allows Snort to integrate
with many third party tools in a standard manner.

Glenn Mansfield Keeni contributed this plugin and established an SNMP
enterprise id for Snort (10234). This plugin contains code licensed
under a BSD license and its copyright notice is listed in Appendix A.

Format

trap_snmp: alert, <sensorID>, {trap | inform}, \
             [SnmpOptions] , <snmptrapdAddress>, <community>

 alert: specifies what type of events to relay to the NMS

 sensorID: sensor name to differentiate multiple sensors

 trap: use SNMP v2 traps

 inform: use SNMP v2 informs ( the difference being that informs use
 acknowledgement from the NMS )

 SnmpOptions:

   -v 2c: SNMPv2c community

   -p: remote port number for trap recipient

 snmptrapdAddress: Network address of SNMP receiver

 community: SNMP community string

Example:
trap_snmp: alert, internal, trap, 192.168.1.10, private


Using generic trapping is fine, I haven't quite figured out how to do it
yet.

-- 
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.
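
Added example, not part of the original post and not Snort's own option parser: a small Python lint that splits a trap_snmp line according to the format quoted above and flags a default community string and the use of unacknowledged traps. The function name, the finding texts, the second sample line and the fallback to port 162 when -p is absent are assumptions made for illustration.

```python
# Added example: a lint for trap_snmp lines, not Snort's own option parser.
DEFAULT_COMMUNITIES = {"public", "private"}   # widely known default strings
TRAP_PORT = 162   # standard SNMP trap port; assumed default when -p is absent

def check_trap_snmp(line):
    """Return (config, findings) for one trap_snmp line in the quoted format."""
    name, sep, rest = line.partition(":")
    if not sep or name.strip() != "trap_snmp":
        raise ValueError("not a trap_snmp directive")
    fields = [f.strip() for f in rest.split(",")]
    if len(fields) == 5:       # [SnmpOptions] omitted, as in the page's example
        fields.insert(3, "")
    if len(fields) != 6:
        raise ValueError("expected 5 or 6 comma-separated fields")
    event, sensor, mode, options, address, community = fields
    if mode not in ("trap", "inform"):
        raise ValueError("third field must be 'trap' or 'inform'")
    cfg = {"event": event, "sensor": sensor, "mode": mode, "version": None,
           "port": TRAP_PORT, "address": address, "community": community}
    tokens = options.split()
    if len(tokens) % 2:
        raise ValueError("SnmpOptions must be flag/value pairs")
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag == "-v":
            cfg["version"] = value
        elif flag == "-p" and value.isdigit() and 0 < int(value) < 65536:
            cfg["port"] = int(value)
        else:
            raise ValueError("bad SnmpOptions entry: %s %s" % (flag, value))
    findings = []
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append("community string is a well-known default")
    if mode == "trap":
        findings.append("traps are unacknowledged; lost alerts go unnoticed")
    return cfg, findings

PAGE_EXAMPLE = "trap_snmp: alert, internal, trap, 192.168.1.10, private"
# Constructed sample (sensor name, address and community are made up):
CONSTRUCTED = "trap_snmp: alert, dmz-1, inform, -v 2c -p 1162, 192.0.2.10, s3nsor-Feed"

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED):
        cfg, findings = check_trap_snmp(sample)
        print(cfg["sensor"], cfg["mode"], cfg["port"], findings or "no findings")
```

SNMPv2c carries the community string unencrypted, so the default-string finding matters most when the path between the sensor and the NMS is shared with other hosts.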
