Snort mailing list archives
Re: Snort and SNMP
From: Dragos Ruiu <dr () kyx net>
Date: Sun, 29 Jul 2001 21:30:03 -0700
On Sun, 29 Jul 2001, Wiley, Rob wrote:
Can SNMP trapping be configured for Snort? I would like to forward alerts to a central NMS console (HP OpenView) via SNMP in lieu of the syslog service. Using generic trapping is fine; I haven't quite figured out how to do it yet. Snort is running on a Linux box, OpenView on HP-UX. Thanks, Rob
Right now no.... Though I have heard rumors of people working on this. But that said, the code to do it would be dead simple. The only catch is designing the MIB.... Is there a generic IDS MIB anywhere? If someone can either draft up a MIB or point me to one, there is some good probability you can get this in the near future... certainly enough people have asked for it... Implementing this kind of thing will also be simpler when Marty finishes his Barnyard output API too...

If you're going to draft a MIB, I would suggest basing the nodes on Snort rule IDs and having branches for the alert addresses, time-stamp and packet bytes to start.

<soapbox> IMHO SNMP seriously sucks, even v3, and I'm still not sure you want to turn your IDS into a local DoS generator by having it blast out an alert packet for every alert. I've spent some time working with OpenView apps (I worked at HP for more than 7 years, and you couldn't go anywhere there without tripping over it), and with all deference to the hordes of OpenView developers at HP and IBM, I'm still of the opinion that it's primarily an excuse to sell beefier hardware/networks for management apps. (Though a disturbingly large number of "really_important_things"(tm) rely on it...) OpenView represents a low-effort method of developing that management app GUI, but it invokes a lot of penalties (mostly SNMP related) on your network traffic and data analysis/presentation... </soapbox>

That said, I can totally understand your request and would still work on an SNMP alerter if someone else will take care of the dirty work of designing the MIB...

cheers,
--dr

P.S. A nicer architecture for IDS/OpenView integration might be to have a separate app that integrates the alerts from multiple IDS nodes and only forwards via SNMP certain configured alerts (like based on severity level) that you really want to see on your OpenView management screen. Otherwise that IDS icon will just be permanently red... thereby being permanently ignored.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
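The reply above sketches two things: a MIB keyed on Snort rule IDs with branches for addresses, time stamp and packet data, and a separate aggregator that forwards only the alerts you actually want on the OpenView screen so the IDS icon is not permanently red. The following is an added example written for this archive page, not code from Snort, Barnyard or any of the thread's authors. It parses constructed Snort "-A fast"-style alert lines, keeps only alerts at or above a priority threshold, collapses repeats of the same (rule, source, destination) within a time window, and renders each surviving alert as a net-snmp `snmptrap` command. The enterprise subtree `1.3.6.1.4.1.99999.1` and the per-field OIDs under it are hypothetical placeholders, as are the sample alert lines and the NMS host name.

```python
"""Snort alert -> filtered SNMP trap aggregator (added example, hypothetical MIB)."""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# ASSUMED hypothetical MIB layout. 99999 is a placeholder, not a registered
# IANA enterprise number; a real deployment needs its own enterprise arc.
IDS_BASE = "1.3.6.1.4.1.99999.1"
TRAP_OID = IDS_BASE + ".0.1"   # notification: "snort alert"
OID_SID = IDS_BASE + ".1.1"    # rule id as "gid:sid:rev"
OID_TIME = IDS_BASE + ".1.2"   # alert time stamp
OID_SRC = IDS_BASE + ".1.3"    # source address
OID_DST = IDS_BASE + ".1.4"    # destination address
OID_MSG = IDS_BASE + ".1.5"    # rule message
OID_PRIO = IDS_BASE + ".1.6"   # Snort priority (1 = most severe)

# One "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    prio: int
    proto: str
    src: str
    dst: str


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a fast-format line, or None for anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]),
                 m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


def _ts_seconds(ts: str) -> float:
    # Fast-format stamps carry no year; pin to a leap year so Feb 29 parses.
    dt = datetime.strptime("2000/" + ts, "%Y/%m/%d-%H:%M:%S.%f")
    return (dt - datetime(2000, 1, 1)).total_seconds()


class TrapForwarder:
    """Decide which alerts reach the NMS: drop anything less severe than
    max_priority and suppress repeats of one (gid, sid, src, dst) inside the window,
    so a noisy rule cannot turn the sensor into a trap flood."""

    def __init__(self, max_priority: int = 1, window_seconds: int = 300):
        self.max_priority = max_priority
        self.window = window_seconds
        self._last_sent = {}
        self.suppressed = 0

    def should_forward(self, a: Alert) -> bool:
        if a.prio > self.max_priority:
            self.suppressed += 1
            return False
        key = (a.gid, a.sid, a.src, a.dst)
        now = _ts_seconds(a.ts)
        last = self._last_sent.get(key)
        if last is not None and 0 <= now - last < self.window:
            self.suppressed += 1
            return False
        self._last_sent[key] = now
        return True


def varbinds(a: Alert) -> List[Tuple[str, str, str]]:
    """Variable bindings (OID, net-snmp type letter, value) for one alert."""
    return [(OID_SID, "s", f"{a.gid}:{a.sid}:{a.rev}"), (OID_TIME, "s", a.ts),
            (OID_SRC, "a", a.src), (OID_DST, "a", a.dst),
            (OID_MSG, "s", a.msg), (OID_PRIO, "i", str(a.prio))]


def snmptrap_argv(a: Alert, host: str, community: str = "public") -> List[str]:
    """argv for net-snmp's snmptrap: v2c trap, '' = use agent uptime."""
    argv = ["snmptrap", "-v", "2c", "-c", community, host, "", TRAP_OID]
    for oid, typ, val in varbinds(a):
        argv += [oid, typ, val]
    return argv


def process(lines, host: str, max_priority: int = 1, window_seconds: int = 300):
    """Return (list of snmptrap argv for forwarded alerts, number suppressed)."""
    fwd = TrapForwarder(max_priority, window_seconds)
    cmds = [snmptrap_argv(a, host) for a in map(parse_fast_alert, lines)
            if a is not None and fwd.should_forward(a)]
    return cmds, fwd.suppressed


# Constructed sample input (not real traffic): a repeat inside the window,
# a priority-2 alert, a repeat after the window, and a non-alert line.
SAMPLE_ALERTS = [
    "07/29-21:30:03.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:3312 -> 192.168.10.20:80",
    "07/29-21:30:04.004512  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:3313 -> 192.168.10.20:80",
    "07/29-21:30:09.771000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 192.168.10.20",
    "07/29-21:36:10.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:3400 -> 192.168.10.20:80",
    "Jul 29 21:36:11 sensor snort[1234]: not an alert line",
]

if __name__ == "__main__":
    cmds, dropped = process(SAMPLE_ALERTS, "nms.example.net")
    for c in cmds:
        print(shlex.join(c))
    print(f"# suppressed {dropped} alert(s)")
```

Run it to see the two `snmptrap` invocations that survive; replace `print` with `subprocess.run` to actually send, and tune `max_priority` and `window_seconds` per rule class. Swap a real, registered enterprise OID in for the placeholder subtree before loading anything into OpenView.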
Current thread:
- Snort and SNMP Wiley, Rob (Jul 29)
- Re: Snort and SNMP Dragos Ruiu (Jul 29)
- Re: Snort and SNMP Chris Green (Jul 30)
- Re: Snort and SNMP Dragos Ruiu (Jul 31)
- Re: Snort and SNMP Glenn Mansfield Keeni (Jul 31)
- Re: Snort and SNMP Dragos Ruiu (Jul 31)
- <Possible follow-ups>
- RE: Snort and SNMP Wiley, Rob (Jul 31)