Snort mailing list archives

Specifying SNMP Traps.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Mon, 6 May 2002 18:06:22 -0400

Hello,

I am not sure (testing it tonight), but is it possible to select individual
rules to send SNMP traps from?
In some cases there is no sense in sending a trap for every single event
Snort flags. I am only interested in
approximately 10 to 15 at this point. Can anyone tell me if this will work?


Add this to the snort.conf,

snip---------------------
        ruletype trap-db
        {
            type alert
            output trap_snmp: alert, 1, trap -v 2c -p 162 10.10.10.15 public
            output database: log, mysql, user=snort dbname=snort host=localhost
        }
snip--------------------------

then substitute trap-db for alert in the rules I want to send SNMP traps from and
log to the DB:

trap-db tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"/cmd.exe?"; nocase; classtype:web-application-attack; sid:1002; rev:3;)


This could alleviate some overhead by selecting specific events to send SNMP
traps for.

Thanks!

vjl
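To carry out the substitution step the post describes (swapping `alert` for the custom ruletype on only the chosen rules), here is an added example that is not from the post or from the Snort project. It folds Snort's backslash line continuations, rewrites the action on rules whose `sid` is in a hypothetical SID set, and reports which requested SIDs were not found; the SID list and sample rules are constructed.

```python
import re

# Hypothetical SIDs chosen for the custom ruletype; the post only says
# "approximately 10 to 15", so this set is a constructed placeholder.
TRAP_SIDS = {1002, 99001}
TRAP_ACTION = "trap-db"   # must be declared with `ruletype trap-db { ... }` in snort.conf

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(\s*)alert(\s+)")   # only the leading action keyword

# Constructed sample rules file: the post's rule plus two unrelated ones,
# one of them wrapped with Snort's trailing-backslash line continuation.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"/cmd.exe?"; nocase; classtype:web-application-attack; sid:1002; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:384; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \\
    (msg:"FTP USER"; content:"USER"; nocase; sid:99001; rev:1;)
"""


def join_continuations(text):
    """Fold Snort's trailing-backslash line continuations into single lines."""
    return text.replace("\\\n", " ")


def retarget_rule(rule, sids, action=TRAP_ACTION):
    """Swap the leading 'alert' action for `action` if the rule's sid is in `sids`."""
    m = SID_RE.search(rule)
    if m is None or int(m.group(1)) not in sids:
        return rule
    return ACTION_RE.sub(lambda a: a.group(1) + action + a.group(2), rule, count=1)


def retarget_rules(text, sids, action=TRAP_ACTION):
    """Rewrite every matching rule; return (new_text, set_of_sids_rewritten).
    Compare the returned set with `sids` to spot requested SIDs absent from the file."""
    out, found = [], set()
    for line in join_continuations(text).splitlines():
        new = line
        if line.strip() and not line.lstrip().startswith("#"):
            new = retarget_rule(line, sids, action)
        if new != line:
            found.add(int(SID_RE.search(new).group(1)))
        out.append(new)
    return "\n".join(out), found


if __name__ == "__main__":
    new_text, found = retarget_rules(SAMPLE_RULES, TRAP_SIDS)
    print(new_text)
    print("rewritten:", sorted(found), "missing:", sorted(TRAP_SIDS - found))
```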




