Snort mailing list archives
Re: How to capture the Snort sensor ID using SnMP traps
From: Glenn Mansfield Keeni <glenn () cysols com>
Date: Thu, 10 Oct 2002 23:41:32 +0900
Jose,

The alert objects are indexed by the sensorID and AlertID. So if you are running snorts on several interfaces, you should use a different sensorID for each interface. That should give you the interface.

There is a sidaSensorTable which gives the sidaSensorInterfaceIndex for a sensor. But this field is not included in the alert. To read this field you will need to have an SNMP agent that implements the SnortIDAlertMIB. {Such a creature does not exist now but will appear "soon" :-)

Does that answer your question? Or have I missed something?

Glenn

Jose Vicente Nunez Zuleta wrote:
Greetings,

I set up Snort and it is working fine; I managed to generate some events using NMAP but I'm not able to get the following information:

1) Interface where the event was captured (important if you are running several Snort instances on the same machine on different NICs). I'm running Snort on my Stealth and administrative NIC.

2) The Snort ID (I set it up to 6720615032)

Here is my snort config:

output trap_snmp: alert, 16720615032, trap -v 2c -p 162 <MYNMS> <MY_COMMUNITY>

And here is what I get (this is a sample, so I'm using snmptrapd on a test box):

system.sysUpTime.0 = Timeticks: (58509321) 6 days, 18:31:33.21
.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.10234.2.1.3.1
enterprises.10234.2.1.1.1.3.1 = "Snort! <*-.Version 1.8.7 (Build 128)"
enterprises.10234.2.1.2.1.2.1.19 = "1033569387. 22740"
enterprises.10234.2.1.2.1.4.1.19 = "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection"
enterprises.10234.2.1.2.1.6.1.19 = 1
enterprises.10234.2.1.2.1.7.1.19 = "OFENDERIP"
enterprises.10234.2.1.2.1.8.1.19 = 1
enterprises.10234.2.1.2.1.9.1.19 = "VICTIMIP"
enterprises.10234.2.1.2.1.10.1.19 = 62583
enterprises.10234.2.1.2.1.11.1.19 = 1
enterprises.10234.2.1.2.1.26.1.19 = Hex: 00 02 4B DD AD 60
enterprises.10234.2.1.2.1.27.1.19 = Hex: 08 00 20 9A CE 15
2002-10-02 10:36:27 SNORTSENSOR [SNORTSENSORIP]:

So far I'm not able to see the info I want anywhere on the trap message... Any ideas?

Thanks in advance,

JV.
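Added example, not code from the thread: a small Python parser that pulls sensorID and alertID out of the varbind OIDs, since Glenn's point is that the alert objects are indexed by those two values rather than carrying them as varbind values. The entry arcs and the <column>.<sensorID>.<alertID> instance layout are assumptions read off the OIDs in the quoted trap, and the sample varbinds below are constructed from that trap.

```python
import re

# Constructed sample, modelled on the snmptrapd output quoted in the thread
# (enterprise arc 10234 as it appears there; IPs are the original placeholders).
SAMPLE_TRAP = """\
enterprises.10234.2.1.1.1.3.1 = "Snort! <*-.Version 1.8.7 (Build 128)"
enterprises.10234.2.1.2.1.2.1.19 = "1033569387. 22740"
enterprises.10234.2.1.2.1.4.1.19 = "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection"
enterprises.10234.2.1.2.1.6.1.19 = 1
enterprises.10234.2.1.2.1.7.1.19 = "OFENDERIP"
enterprises.10234.2.1.2.1.9.1.19 = "VICTIMIP"
enterprises.10234.2.1.2.1.10.1.19 = 62583
"""
# Assumed entry arcs and instance layouts, read off the OIDs in the quoted trap.
SENSOR_ENTRY = "enterprises.10234.2.1.1.1"   # <column>.<sensorID>
ALERT_ENTRY = "enterprises.10234.2.1.2.1"    # <column>.<sensorID>.<alertID>
VARBIND_RE = re.compile(r'^(?P<oid>[\w.]+) = (?:"(?P<q>[^"]*)"|(?P<raw>.*))$')

def varbinds(text):
    """Yield (oid, value) pairs from snmptrapd-style 'oid = value' lines."""
    for line in text.splitlines():
        m = VARBIND_RE.match(line.strip())
        if m:
            yield m.group("oid"), (m.group("q") if m.group("q") is not None else m.group("raw"))

def instance(oid, entry, n):
    """Return (column, index1, ..., indexN) for an OID under entry, else None."""
    if not oid.startswith(entry + "."):
        return None
    parts = oid[len(entry) + 1:].split(".")
    if len(parts) != n + 1 or not all(p.isdigit() for p in parts):
        return None  # not an instance of this table that we understand
    return tuple(int(p) for p in parts)

def parse_alerts(text):
    """Return {(sensorID, alertID): {column: value}} for alert-table varbinds.
    sensorID and alertID, the two indexes Glenn names, come from the OID
    instance suffix rather than from any varbind value."""
    alerts = {}
    for oid, value in varbinds(text):
        idx = instance(oid, ALERT_ENTRY, 2)
        if idx:
            column, sensor_id, alert_id = idx
            alerts.setdefault((sensor_id, alert_id), {})[column] = value
    return alerts

def sensor_ids(text):  # sensorIDs seen as sensor-table instance indexes
    return {instance(oid, SENSOR_ENTRY, 1)[1]
            for oid, _ in varbinds(text) if instance(oid, SENSOR_ENTRY, 1)}
```

On the quoted trap this yields sensorID 1 and alertID 19 for every alert varbind, which is the index pair to key on when several Snort instances report to one trap receiver.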