Snort mailing list archives
snmp traps going to 161, snmp plugin syntax?
From: twig les <twigles () yahoo com>
Date: Tue, 14 Jan 2003 15:50:25 -0800 (PST)
Hey *, having a bit of a pain in me gulliver here with snort 1.90 (build 209) and net-snmp 5.06. I have two boxes, both running FreeBSD 4.7 Release, one is running "snmptrapd -Os -P" to listen for traps, which works fine since I see link up/down traps from my switch all the time. The other is running snort with this in the snort.conf:

    output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms

Now snort starts fine like this, but the traps never show up at the nms box. I tossed in a sniffer to see what was happening and saw this when I wrote a quick ICMP rule and triggered it:

    L# tcpdump -ln host 192.168.1.4 and host 192.168.1.10
    tcpdump: listening on ep0
    15:29:19.753301 192.168.1.4.4978 > 192.168.1.10.161: C=myCommunity V2Trap(30) .1.3.6.1.2.1.1.3.0=0
    15:29:20.751553 192.168.1.4.4979 > 192.168.1.10.161: C=myCommunity V2Trap(30) .1.3.6.1.2.1.1.3.0=0

From what tcpdump is telling me my traps are all going to UDP 161 instead of 162. And I mean all of them, not a single packet went to 162. I have explicitly told net-snmp to use 162, although that should not be necessary. My only idea now is that the snort plugin is telling net-snmp to use 161 for some reason. I have thus tried to force snort to specify the port with the following lines in snort.conf, which got me the corresponding results:

    output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms -p 162

Snort starts, no effect.

    output trap_snmp: alert, 7, trap -v 2c -p 162 -c myCommunity nms

"Warning: -p option is no longer used - specify the remote host as HOST:PORT
SnmpTrapPlugin: Insufficient SnmpTrap parameters"

    output trap_snmp: alert, 7, trap -v 2c -c myCommunity nms:162

"SnmpTrapPlugin: Unresolvable Trap destination : nms:162"

Ack! Anyone have this working and can maybe give me a clue as to the problem? Even a lead to the correct doc would be nice as I've been reading a lot since I started this last week.

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
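Added example (not part of the original post, and not Snort or net-snmp code): a small Python check that reads "tcpdump -n" text output like the capture above and reports SNMP notifications sent to any UDP port other than 162, which is the symptom described in the post. The function name and the two sample lines marked as constructed are assumptions made for illustration; only numeric ports (the -n form used in the post) are handled.

```python
import re
from collections import Counter

TRAP_PORT = 162  # standard snmptrap port; 161 is the agent (query) port

# tcpdump -n text line, e.g.
# 15:29:19.753301 192.168.1.4.4978 > 192.168.1.10.161: C=myCommunity V2Trap(30) ...
# Newer tcpdump prints "IP " after the timestamp, so that token is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?:C=(?P<community>\S+)\s+)?(?P<pdu>[A-Za-z0-9]+)\("
)

# PDU names tcpdump prints for notifications (v1 trap, v2c trap, inform)
NOTIFICATION_PDUS = {"Trap", "V2Trap", "Inform"}


def misdirected_traps(lines, trap_port=TRAP_PORT):
    """Return (notifications not sent to trap_port, notification count per dst port)."""
    bad, by_port = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["pdu"] not in NOTIFICATION_PDUS:
            continue  # not SNMP, or a request/response rather than a notification
        dport = int(m["dport"])
        by_port[dport] += 1
        if dport != trap_port:
            bad.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                        "dport": dport, "pdu": m["pdu"]})
    return bad, by_port


SAMPLE = [
    # the two capture lines quoted in the post
    "15:29:19.753301 192.168.1.4.4978 > 192.168.1.10.161: C=myCommunity V2Trap(30) .1.3.6.1.2.1.1.3.0=0",
    "15:29:20.751553 192.168.1.4.4979 > 192.168.1.10.161: C=myCommunity V2Trap(30) .1.3.6.1.2.1.1.3.0=0",
    # constructed: a trap that reaches the expected port
    "15:31:00.000001 192.168.1.7.1025 > 192.168.1.10.162: C=myCommunity V2Trap(30) .1.3.6.1.2.1.1.3.0=0",
    # constructed: an ordinary poll to 161, which is not a notification
    "15:31:05.000001 192.168.1.10.1040 > 192.168.1.4.161: C=myCommunity GetRequest(28) .1.3.6.1.2.1.1.3.0",
]

if __name__ == "__main__":
    bad, by_port = misdirected_traps(SAMPLE)
    for rec in bad:
        print("%(ts)s %(pdu)s from %(src)s sent to %(dst)s port %(dport)d" % rec)
    print("notifications per destination port:", dict(by_port))
```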