Snort mailing list archives

Re: Snort and SNMP


From: Dragos Ruiu <dr () kyx net>
Date: Sun, 29 Jul 2001 21:30:03 -0700

On Sun, 29 Jul 2001, Wiley, Rob wrote:
Can SNMP trapping be configured for Snort?  I would like to forward alerts
to a central NMS console (HP Openview) via SNMP in lieu of the syslog
service.

Using generic trapping is fine, I haven't quite figured out how to do it
yet.

SNORT is running on a Linux box, Openview on HPUX.

thanks,
Rob 

Right now no.... Though I have heard rumors of people working
on this.

But that said the code to do it would be dead simple.
The only catch is designing the MIB.... Is there a generic IDS
MIB anywhere?  If someone can either draft up a MIB or point
me to one, there is some good probability you can get this in 
the near future...  certainly enough people have asked for it...

Implementing this kind of thing will also be simpler when Marty
finishes his Barnyard output api too...

If you're going to draft a MIB, I would suggest basing the nodes
on Snort rule IDs and having branches for the alert addresses,
time-stamp and packet bytes to start.

<soapbox>
IMHO SNMP seriously sucks, even v3, and I'm still not
sure you want to turn your IDS into a local DoS generator
by having it blast out an alert packet for every alert. I've spent
some time working with OpenView apps. (I worked at HP for 
more than 7 years, and you couldn't go anywhere there without 
tripping over it), and with all deference to the hordes of 
OpenView developers at HP and IBM, I'm still of the opinion 
that it's primarily an excuse to sell beefier hardware/networks
for management apps.  (Though a disturbingly large number
of "really_important_things"(tm) rely on it...) OpenView represents
a low-effort method of developing that management app GUI 
but it invokes a lot of penalties (mostly snmp related) on your
network traffic and data analysis/presentation... 
</soapbox>

That said I can totally understand your request and would still
work on an SNMP alerter if someone else will take care of the 
dirty work of designing the MIB...

cheers,
--dr

P.s. A nicer architecture for IDS/OpenView integration might 
be to have a separate app that integrates the alerts from multiple
IDS nodes and only forwards via SNMP certain configured alerts
(like based on severity level) that you really want to see on 
your OpenView management screen.  Otherwise that IDS 
icon will just be permanently red... thereby being 
permanently ignored. 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
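The forwarder sketched in the P.S. above (a separate process that takes alerts from the sensors, keeps only the ones above a configured severity, and sends just those as SNMP traps), written out as an added example. This is editorial code, not from the original post and not part of Snort or Barnyard. Everything specific to it is assumed: the MIB layout under enterprises.99999.1.<sid>.<leaf> is invented and unregistered, the input is Snort "fast" alert lines (constructed samples, RFC 5737 addresses), and since those lines carry no packet bytes, the packet-bytes branch suggested for the MIB is not populated. The trap is an SNMPv2c TRAP PDU encoded by hand in BER and returned as bytes; nothing is put on the wire, so it runs offline.

```python
"""Added example: severity-filtered SNMP trap forwarder for Snort fast alerts.

Hypothetical throughout: the MIB under enterprises.99999.1.<sid>.<leaf> is
invented, the alert lines are constructed, and no packets are sent.
"""
import re
from collections import Counter

ENTERPRISE_OID = (1, 3, 6, 1, 4, 1, 99999, 1)        # hypothetical, unregistered
LEAF_SRC, LEAF_DST, LEAF_TIME, LEAF_MSG, LEAF_COUNT = 1, 2, 3, 4, 5
SYS_UPTIME_OID = (1, 3, 6, 1, 2, 1, 1, 3, 0)         # sysUpTime.0
SNMP_TRAP_OID = (1, 3, 6, 1, 6, 3, 1, 1, 4, 1, 0)    # snmpTrapOID.0

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*(?:\[Classification:[^\]]*\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alert lines (not captured traffic).
SAMPLE_ALERTS = [
    "07/29-21:30:03.123456  [**] [1:1000001:1] TEST exploit attempt [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.10:4431 -> 198.51.100.5:80",
    "07/29-21:30:03.223456  [**] [1:1000001:1] TEST exploit attempt [**] "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.10:4432 -> 198.51.100.5:80",
    "07/29-21:30:04.001234  [**] [1:1000002:1] TEST noisy scan [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5",
    "07/29-21:30:05.000001  [**] [1:1000003:1] TEST suspicious login [**] "
    "[Priority: 2] {TCP} 203.0.113.4:51000 -> 198.51.100.9:22",
]


def parse_alert(line):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"]) if a["prio"] else 3   # Snort priority: 1 = most severe
    return a


def select_for_snmp(alerts, max_priority=1):
    """Keep alerts at or above the severity threshold and collapse repeats of the
    same (sid, source host, destination host) into one alert carrying a count,
    so a flood of identical alerts does not turn into a flood of traps."""
    counts = Counter()
    chosen = []
    for a in alerts:
        if a["prio"] > max_priority:
            continue
        key = (a["sid"], a["src"].rsplit(":", 1)[0], a["dst"].rsplit(":", 1)[0])
        counts[key] += 1
        if counts[key] == 1:
            chosen.append((key, dict(a)))
    for key, a in chosen:
        a["count"] = counts[key]
    return [a for _, a in chosen]


def ber(tag, payload):
    """TLV with definite length (short form below 128, long form above)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload


def ber_int(v, tag=0x02):
    """Non-negative INTEGER (or TimeTicks with tag 0x43) in minimal two's complement."""
    return ber(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    out = bytearray()
    for arc in (40 * oid[0] + oid[1],) + tuple(oid[2:]):
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return ber(0x06, bytes(out))


def octets(s):
    return ber(0x04, s.encode())


def varbind(oid, value):
    return ber(0x30, ber_oid(oid) + value)


def build_trap(alert, community=b"public", request_id=1, uptime_ticks=0):
    """Encode one SNMPv2c TRAP (PDU tag 0xA7) whose trap OID is the rule's node."""
    base = ENTERPRISE_OID + (alert["sid"],)
    vbs = b"".join([
        varbind(SYS_UPTIME_OID, ber_int(uptime_ticks, tag=0x43)),
        varbind(SNMP_TRAP_OID, ber_oid(base)),
        varbind(base + (LEAF_SRC,), octets(alert["src"])),
        varbind(base + (LEAF_DST,), octets(alert["dst"])),
        varbind(base + (LEAF_TIME,), octets(alert["ts"])),
        varbind(base + (LEAF_MSG,), octets(alert["msg"])),
        varbind(base + (LEAF_COUNT,), ber_int(alert["count"])),
    ])
    pdu = ber(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, vbs))
    return ber(0x30, ber_int(1) + ber(0x04, community) + pdu)   # version 1 = v2c


if __name__ == "__main__":
    alerts = [a for a in map(parse_alert, SAMPLE_ALERTS) if a]
    for a in select_for_snmp(alerts, max_priority=2):
        print(a["sid"], "x", a["count"], "->", len(build_trap(a)), "trap bytes")
```

With the threshold at priority 2, the two identical priority-1 alerts collapse into one trap with a count of 2, the priority-2 login alert gets its own trap, and the priority-3 scan never reaches the NMS; the bytes returned by `build_trap` would be handed to a UDP socket aimed at port 162 in a real forwarder.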