Snort mailing list archives
Re: trap to two destinations
From: "Mark D. Nagel" <mnagel () willingminds com>
Date: Tue, 26 Mar 2002 12:19:14 -0800
----- Original Message -----
From: "Andrew R. Baker" <andrewb () snort org>
To: <rnoonan () interops com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, March 26, 2002 11:54 AM
Subject: Re: [Snort-users] trap to two destinations

> Richard Noonan wrote:
> > I am attempting to trap to two hosts from a single snort config. I've
> > defined the ruletype below:
> >
> > ruletype dsnmp {
> >   type alert
> >   output trap_snmp: alert, 7, trap -v 2c -p 163 10.2.1.3 public
> >   output trap_snmp: alert, 7, trap -v 2c -p 162 10.2.1.4 public
> >   output alert_syslog: LOG_AUTH LOG_ALERT
> > }
> >
> > And what happens is whichever trap_snmp appears 2nd gets the traps.
> > Whichever one appears first gets nothing. Syslog seems to work always.
> >
> > Is this in fact an unsupported config?
>
> The SnmpTrap output plugin does not currently support multiple instances
> of itself. We may be able to add this functionality in Snort 1.9.

Another alternative might be looper -- see http://edgesolutions.ca/article.php?sid=7. Looper can forward traps sent to it via multiple destinations or transform them to different output formats as well. Looks pretty useful, though I have not tried it in production...

Mark
Current thread:
- trap to two destinations Richard Noonan (Mar 25)
- Re: trap to two destinations Andrew R. Baker (Mar 26)
- Re: trap to two destinations Mark D. Nagel (Mar 26)
- Re: trap to two destinations Andrew R. Baker (Mar 26)