Snort mailing list archives

RE: SNMP Output question.


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 5 Sep 2001 09:31:28 -0400

There are two scenarios, and the solution depends upon what you want to do.
The first is where Omnibus is the repository, and you want Snort to only
detect certain events (i.e. the .ida attempts). To do this, create a
local.rules file that contains only the rules you're interested in, and
comment out all the other include statements in snort.conf. Snort will then
only detect the signatures in local.rules, and send them all to Omnibus via
SNMP traps.

The second scenario is to have Snort keep all events locally, and send
certain ones to Omnibus. In snort.conf, create a ruletype that sends events
to Omnibus as well as whatever you're doing to store events
locally (there are examples in the file for doing this), and change the
".ida" rules in the .rules files to use this logging ruletype instead of
"alert".

-----Original Message-----
From: Vjay LaRosa [SMTP:vjayl () emc com]
Sent: Tuesday, September 04, 2001 5:50 PM
To:   snort-users () lists sourceforge net
Subject:      [Snort-users] SNMP Output question.

Hello,

I have a quick question. I am a newbie to snort. I have only had it
running for a few days.
I am integrating snort into my SNMP management framework (Netcool
Omnibus). At this point every alert is being sent to the management
station. I am only interested in sending a few alerts in particular
(.ida attempts in particular). I am struggling to figure out how to
accomplish this. Any help would be appreciated. Thanks!

vjl 

P.S. These are my output lines in my rules file.

output trap_snmp: alert, 10, trap -v 2c -p 162 X.X.X.X public
output trap_snmp: alert, 8, trap -v 2c -p 162 X.X.X.X public
output trap_snmp: alert, 3, trap -v 2c -p 162 X.X.X.X public

-- 
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com
 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
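The two configurations described in the reply above, written out as an added example; this is not configuration from the thread or from the Snort distribution. It assumes Snort 1.8-era syntax (the `ruletype` block and the `output trap_snmp:` line in the form the original poster used), `alert_fast` for local logging, a placeholder trap receiver address (192.0.2.10), and a simplified illustrative .ida rule with a placeholder sid in the local range rather than the rule shipped in web-iis.rules. Pick one scenario; the two are alternatives, not meant to be active at the same time.

```snort
# --- Scenario 1: Snort detects only what is in local.rules and traps all of it ---
# In snort.conf, comment out every include except local.rules, for example:
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/scan.rules
include $RULE_PATH/local.rules

# Every alert that fires goes to the Netcool/Omnibus trap receiver.
# 192.0.2.10 is a placeholder for the management station's address.
output trap_snmp: alert, 10, trap -v 2c -p 162 192.0.2.10 public

# --- Scenario 2: keep every event locally, trap only the .ida matches ---
# A ruletype's output plugins replace the default outputs for the rules that
# use it: one copy of the event goes to a local alert file, one copy to Omnibus.
# Plain "alert" rules keep using the default output lines in snort.conf.
ruletype alert_and_trap
{
    type alert
    output alert_fast: alert_ida.ids
    output trap_snmp: alert, 10, trap -v 2c -p 162 192.0.2.10 public
}

# In the .rules file, change the action keyword on the .ida rule from "alert"
# to the new ruletype. Illustrative rule only; sid 1000001 is a placeholder in
# the local sid range, not the distributed rule's sid.
alert_and_trap tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida"; nocase; flags:A+; sid:1000001; rev:1;)
```

One caveat for scenario 2: the default `output trap_snmp:` lines in snort.conf (like the three the original poster listed) still apply to every ordinary `alert` rule, so they have to be removed there, otherwise every alert keeps going to the management station regardless of the ruletype. After editing, a syntax check with `snort -T -c snort.conf` before restarting the sensor confirms the ruletype and the rewritten rule parse.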
