Snort mailing list archives

snmp traps going to 161, snmp plugin syntax?


From: twig les <twigles () yahoo com>
Date: Tue, 14 Jan 2003 15:50:25 -0800 (PST)

Hey *, having a bit of a pain in me gulliver here with
snort 1.90 (build 209) and net-snmp 5.06.  I have two
boxes, both running FreeBSD 4.7 Release, one is
running "snmptrapd -Os -P" to listen for traps, which
works fine since I see link up/down traps from my
switch all the time.  The other is running snort with
this in the snort.conf:

output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms

Now snort starts fine like this, but the traps never
show up at the nms box.  I tossed in a sniffer to see
what was happening and saw this when I wrote a quick
ICMP rule and triggered it:

L# tcpdump -ln host 192.168.1.4 and host 192.168.1.10
tcpdump: listening on ep0
15:29:19.753301 192.168.1.4.4978 > 192.168.1.10.161: C=myCommunity V2Trap(30)  .1.3.6.1.2.1.1.3.0=0
15:29:20.751553 192.168.1.4.4979 > 192.168.1.10.161: C=myCommunity V2Trap(30)  .1.3.6.1.2.1.1.3.0=0

From what tcpdump is telling me my traps are all going
to UDP 161 instead of 162.  And I mean all of them,
not a single packet went to 162.  I have explicitly
told net-snmp to use 162, although that should not be
necessary.  My only idea now is that the snort plugin
is telling net-snmp to use 161 for some reason.

I have thus tried to force snort to specify the port
with the following lines in snort.conf, which got me
the corresponding results:

output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms -p 162
Snort starts, no effect.

output trap_snmp: alert, 7, trap -v 2c -p 162 -c myCommunity nms
"Warning: -p option is no longer used - specify the remote host as HOST:PORT
SnmpTrapPlugin:  Insufficient SnmpTrap parameters"

output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms:162
"SnmpTrapPlugin: Unresolvable Trap destination : nms:162"


Ack!  Anyone have this working and can maybe give me a
clue as to the problem?  Even a lead to the correct
doc would be nice as I've been reading a lot since I
started this last week.

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
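
An added example (not part of the original post): a small Python check that reads tcpdump text output in the format quoted in the message above, rejoins records that wrapped onto a second line, and reports trap PDUs sent to any port other than 162. The sample capture is constructed; its third and fourth records and the function names are assumptions for illustration.

```python
import re

# Constructed sample in the tcpdump text format quoted in the post.
# The first record is wrapped onto two lines, as in the mail; the last two
# records are made up for contrast (a trap to 162 and a normal poll to 161).
SAMPLE = """\
15:29:19.753301 192.168.1.4.4978 > 192.168.1.10.161:
C=myCommunity V2Trap(30)  .1.3.6.1.2.1.1.3.0=0
15:29:20.751553 192.168.1.4.4979 > 192.168.1.10.161: C=myCommunity V2Trap(30)  .1.3.6.1.2.1.1.3.0=0
15:31:02.100200 192.168.1.7.1030 > 192.168.1.10.162: C=myCommunity V2Trap(30)  .1.3.6.1.2.1.1.3.0=0
15:31:05.000000 192.168.1.10.1045 > 192.168.1.4.161: C=myCommunity GetRequest(28)  .1.3.6.1.2.1.1.3.0
"""

TRAP_PORT = 162  # snmptrap listener port; 161 is the agent (request) port

# time, src addr, src port, dst addr, dst port, rest of line
HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):\s*(.*)$")
# community string and PDU type, e.g. "C=myCommunity V2Trap(30)"
PDU = re.compile(r"C=(\S+)\s+(\w+)\(\d+\)")


def parse(text):
    """Yield one dict per SNMP packet, rejoining wrapped records."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = list(m.groups())
            records.append(current)
        elif current is not None:
            current[5] += " " + line.strip()  # continuation of previous packet
    for ts, src, _sport, dst, dport, body in records:
        pdu = PDU.search(body)
        if pdu:
            yield {"time": ts, "src": src, "dst": dst, "dport": int(dport),
                   "community": pdu.group(1), "pdu": pdu.group(2)}


def misdirected_traps(text, trap_port=TRAP_PORT):
    """Return trap PDUs addressed to a port other than the trap listener's."""
    return [p for p in parse(text)
            if p["pdu"].endswith("Trap") and p["dport"] != trap_port]


if __name__ == "__main__":
    for p in misdirected_traps(SAMPLE):
        print(f'{p["time"]} {p["pdu"]} from {p["src"]} sent to '
              f'{p["dst"]}:{p["dport"]}, expected port {TRAP_PORT}')
```
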
