Snort mailing list archives

Re: How to capture the Snort sensor ID using SnMP traps

From: Glenn Mansfield Keeni <glenn () cysols com>
Date: Thu, 10 Oct 2002 23:41:32 +0900

Jose,
    The alert objects are indexed by the sensorID and AlertID.
So if you running snorts on several interfaces - you should
use different sensorID for each interface. That should give
you the interface.
    There is a sidaSensorTable which gives the sidaSensor-
InterfaceIndex for sensor. But this field is not included in
the alert. To read this field you will need to have an SNMP
agent that implements the SnortIDAlertMIB. {Such a creature
does not exist now but will appear "soon" :-)
    Does that answer your question. Or have I missed something?

    Glenn

Jose Vicente Nunez Zuleta wrote:

Greetings,

I set up Snort and is working fine; I managed to generate some events using NMAP but i'm not able to get the following 
information:

1) Interface where the event was captured (important if you are running several Snort instances on the same machine on 
different NICs). I'm running Snort on my Stelath and administrative NIC.
2) The Snort ID (I set it up to 6720615032)

Here is my snort config:

output trap_snmp: alert, 16720615032, trap -v 2c -p 162  <MYNMS> <MY_COMMUNITY>

And here is what i get (this is a sample so i'm suing snmptrapd on a test box):
system.sysUpTime.0 = Timeticks: (58509321) 6 days, 18:31:33.21 .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.10234.2.1.3.1 enterprises.10234.2.1.1.1.3.1 = "Snort! <*-.Version 1.8.7 (Build 128)" enterprises.10234.2.1.2.1.2.1.19 = "1033569387. 22740" enterprises.10234.2.1.2.1.4.1.19 = "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection" enterprises.10234.2.1.2.1.6.1.19 = 1 enterprises.10234.2.1.2.1.7.1.19 = "OFENDERIP" enterprises.10234.2.1.2.1.8.1.19 = 1 enterprises.10234.2.1.2.1.9.1.19 = "VICTIMIP" enterprises.10234.2.1.2.1.10.1.19 = 62583 enterprises.10234.2.1.2.1.11.1.19 = 1 enterprises.10234.2.1.2.1.26.1.19 = Hex: 00 02 4B DD AD 60 enterprises.10234.2.1.2.1.27.1.19 = Hex: 08 00 20 9A CE 152002-10-02 10:36:27 SNORTSENSOR [SNORTSENSORIP]:
So far i'm not able to see the info i want anywhere on the trap message...

Any ideas?

Thanks in advance,

JV.







-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

How to capture the Snort sensor ID using SnMP traps Jose Vicente Nunez Zuleta (Oct 02)
- Use Snort to measure HTTP transfer ? Juan José Sánchez Mesa (Oct 03)
- Re: How to capture the Snort sensor ID using SnMP traps Glenn Mansfield Keeni (Oct 10)