Snort mailing list archives
RE: Snort SNMP Variables are not consistent?
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 1 May 2002 14:57:43 -0400
Yep, this is still a problem. I have a half a$$ workaround with netcool because it does not use mibs. You have to write your own receiver code to break up the traps into variables, but since I upgraded from 1.8.5 to 1.8.6 the variables have yet again shifted around on me. I am just finishing up my netcool code cleanup now. It would be very nice if the SNMP trap code would be consistent when sending traps so we knew what would be in which var each time traps were sent.

vjl

-----Original Message-----
From: Metz, Tim [mailto:TMetz () PanAmSat com]
Sent: Wednesday, May 01, 2002 8:21 AM
To: Martin Roesch; Vjay LaRosa; snort-users () lists sourceforge net; snortsnmp () cysols com
Subject: RE: [Snort-users] Snort SNMP Variables are not consistent?

Searching through the archives I came across this thread and I am having the same problem. It seems that if a variable is empty all the string numbers decrement - poor description but I think you know what I mean. For example, if $8 is supposed to be src ip but $7 is empty then $7 becomes src ip. I'm still confirming this is the pattern. I use snort 1.8.7 build 108 and am sending v2c traps (alerts not informs) to HP Openview.

Marty: not trying to suck a$$ but your portion was definitely the best at SANS in Orlando.

Thanks,
Tim Metz
PanAmSat
Atlanta
+1-404-381-2828

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, March 15, 2002 7:09 PM
To: Vjay LaRosa; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort SNMP Variables are not consistent?

Geez man, give us a chance! I don't normally run SNMP alerting and I have to setup a test environment here to check it out, gimme a little time and I'll get on it.

-Marty

On 3/15/02 4:18 PM, "Vjay LaRosa" <vjayl () emc com> wrote:

O.Kay, I give up. I guess nobody else that sends SNMP traps with snort has noticed this. If anyone knows why it is doing this I would appreciate it. Or at least if someone else sees the same thing let me know.

vjl

Vjay LaRosa wrote:

Hello,

Is anyone else using snort 1.8.4 Beta-4 to send SNMP traps? I have snort configured to trap to our Netcool Omnibus server. Originally snort 1.8.4 Beta-1 was sending the following information in these variables.

$8 Src IP
$10 Dst IP
$11 Src Port
$12 Dst Port

But now that I upgraded I noticed that some alerts use this as their variable mappings,

$7 Src IP
$9 Dst IP
$10 Src Port
$11 Dst Port

but some alerts are still sent using the old format. What's up with this? Am I crazy or is something not right?

vjl

--
V.Jay LaRosa
EMC Corporation
Systems Administrator
171 South Street
(508)435-1000 ext 14957
Hopkinton, MA 01748
(508)497-8082 fax
www.emc.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
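The pattern described in the thread (an empty variable is dropped and every later $N moves down by one) can be modelled on the receiver side as follows. This is an added example, not code from the thread, Snort, or Netcool: the OIDs are constructed placeholders under enterprise arc 32473 (reserved for documentation), every slot other than the four address fields is hypothetical, and it assumes the receiver can see each varbind's OID.

```python
import ipaddress

# Constructed data: NOT the real Snort MIB. OIDs use enterprise arc 32473,
# reserved for documentation (RFC 5612); slots 1-7 and 9 are hypothetical.
BASE = "1.3.6.1.4.1.32473.1."
OID_FIELD = {BASE + "8": "src_ip", BASE + "10": "dst_ip",
             BASE + "11": "src_port", BASE + "12": "dst_port"}
POSITIONAL = {8: "src_ip", 10: "dst_ip", 11: "src_port", 12: "dst_port"}

def make_trap(slot7="extra"):
    """Build an ordered varbind list; an empty slot 7 is omitted entirely."""
    values = {1: "sensor-a", 2: "1020279463", 3: "sig-text", 4: "1", 5: "0",
              6: "eth0", 7: slot7, 8: "192.0.2.10", 9: "tcp",
              10: "198.51.100.7", 11: "40000", 12: "80"}
    return [(BASE + str(n), v) for n, v in sorted(values.items()) if v]

def by_position(varbinds):
    """Fragile: what a rule keyed on $8/$10/$11/$12 effectively does."""
    return {name: varbinds[pos - 1][1]
            for pos, name in POSITIONAL.items() if pos <= len(varbinds)}

def by_oid(varbinds):
    """Stable: look each field up by the OID that arrived with the value."""
    return {OID_FIELD[oid]: val for oid, val in varbinds if oid in OID_FIELD}

def problems(event):
    """Sanity-check a parsed event so a shifted layout is flagged, not stored."""
    bad = {f for f in POSITIONAL.values() if f not in event}
    for f in ("src_ip", "dst_ip"):
        try:
            ipaddress.ip_address(event.get(f, ""))
        except ValueError:
            bad.add(f)
    for f in ("src_port", "dst_port"):
        v = event.get(f, "")
        if not (v.isdigit() and 0 <= int(v) <= 65535):
            bad.add(f)
    return sorted(bad)

if __name__ == "__main__":
    short = make_trap(slot7="")           # slot 7 empty -> 11 varbinds
    print(by_position(short), problems(by_position(short)))
    print(by_oid(short), problems(by_oid(short)))
```

Running `problems()` on every parsed trap before it reaches the event store turns a silent field shift into a visible parse error.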