Snort mailing list archives

Re: SNMP bug for SNORT v 1.9 ???


From: Erek Adams <erek () snort org>
Date: Fri, 24 Jan 2003 09:19:36 -0500 (EST)

On Fri, 24 Jan 2003, Doan Nguyen wrote:

> My original purpose was to have SNORT send traps to my network manager
> for any rules that SNORT detects.  The problem here is that I think
> SNORT is supposed to send only 1 trap per incident; instead it is
> continuously sending the same traps for that 1 incident, which I do not
> think is correct.

Two things:

        * Snort sends an alert for each and every packet that causes an
          alert.  If Snort sees 10,000,000 packets that match a rule, you
          get 10,000,000 alerts.  Since you're sending SNMP traps on each
          alert, you'll get 10,000,000 traps.

        * What alert are you getting?  You might actually be causing an
          'endless loop' with the alerts.  If the rule has its trigger
          value in the alert that gets sent in cleartext, unless you're
          taking precautions you'll get that rule to trigger on the alert,
          and then to trigger on that alert, and so on...  I think that's
          what twig was pointing to.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

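A toy model of the two points in the reply above, added here as an illustration; it is not part of the original message and is not Snort code. The addresses, the rule and the run_sensor function are constructed for the example, and the "precaution" it models (not inspecting the sensor's own trap traffic) is an assumption about what such a precaution could be.

```python
from collections import deque

# Constructed addresses (documentation ranges) and the standard SNMP trap port.
SENSOR, MANAGER, TRAP_PORT = "192.0.2.5", "192.0.2.9", 162

# Simplified stand-in rule: the alert message repeats the trigger string.
RULE = {"msg": "EXAMPLE cmd.exe access", "content": b"cmd.exe"}

# One constructed "incident": a single packet that matches the rule.
INCIDENT = [("198.51.100.7", "192.0.2.80", 80, b"GET /scripts/cmd.exe HTTP/1.0")]


def run_sensor(packets, rule=RULE, ignore_own_traps=False, max_traps=25):
    """Return how many traps the modelled sensor sends for the given traffic.

    Each packet is (src, dst, dport, payload).  Every matching packet raises
    one alert and therefore one trap.  The trap is itself a cleartext packet
    that crosses the monitored segment and is inspected like any other.
    """
    queue, traps = deque(packets), 0
    while queue and traps < max_traps:  # cap so the looping case terminates
        src, dst, dport, payload = queue.popleft()
        if ignore_own_traps and (src, dst, dport) == (SENSOR, MANAGER, TRAP_PORT):
            continue  # precaution: the sensor's own traps are not inspected
        if rule["content"] in payload:
            traps += 1
            # The trap carries the alert message text in cleartext.
            queue.append((SENSOR, MANAGER, TRAP_PORT, rule["msg"].encode()))
    return traps


if __name__ == "__main__":
    print("one packet, traps inspected:   ", run_sensor(INCIDENT))
    print("one packet, traps not inspected:", run_sensor(INCIDENT, ignore_own_traps=True))
    print("five packets, traps not inspected:",
          run_sensor(INCIDENT * 5, ignore_own_traps=True))
```

With the traps inspected, the single packet keeps producing traps until the cap is reached; with them excluded, the count equals the number of matching packets, which is the per-packet behaviour described in the first point.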
