[Snort-devel] Trying to get SNMP traps from Snort

Glenn Mansfield Keeni glenn at ...486...
Tue Oct 2 05:23:03 EDT 2001


Rob,
     In your configuration you have 
    # For SNMPv2c traps 
    #
       output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string

 The SensorID is expected to be numeric. Replace
"snortbox" by a number - anything numeric will do.
[An error should have been printed on the console or
the log - I will be surprised if there wasn't one.]
Otherwise the configuration is perfect. 

Cheers

Glenn
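As an added example (not code from Snort or from anyone in this thread), a small Python lint that parses "output trap_snmp:" lines according to the field layout given in the snort.conf comments (alert, <sensorID>, {trap|inform} -v <version> -p <port> ... <host> [<community>]) and flags the non-numeric SensorID Glenn points out. The sample config lines are constructed from this thread; the option set and the positional-argument rule for v3 versus v1/v2c are assumptions taken from the commented examples in that file.

```python
# Constructed sample: the broken line from this thread, a corrected v2c line,
# and the v3 line. Added here as an example; not Snort's own parser.
SAMPLE_CONF = """\
output log_tcpdump: /var/log/snort/snort.log
output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string
output trap_snmp: alert, 7, trap -v 2c -p 162 nnmbox ro-community-string
#output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity
output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv \
-a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
"""

# Options that take a value in the snmptrap-style part of the spec (assumed).
VALUE_OPTS = {"-v", "-p", "-u", "-l", "-a", "-A", "-x", "-X"}

def check_trap_snmp(line):
    """Return the problems found in one 'output trap_snmp:' line."""
    parts = [p.strip() for p in line.split(":", 1)[1].split(",", 2)]
    if len(parts) != 3 or parts[0] != "alert":
        return ["expected 'alert, <sensorID>, <trap spec>'"]
    _, sensor_id, spec = parts
    problems = []
    if not sensor_id.isdigit():  # the misconfiguration in this thread
        problems.append(f"sensorID must be numeric, got {sensor_id!r}")
    tokens = spec.split()
    if not tokens or tokens[0] not in ("trap", "inform"):
        return problems + ["notification type must be 'trap' or 'inform'"]
    opts, positional, i = {}, [], 1
    while i < len(tokens):
        if tokens[i] in VALUE_OPTS and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            positional.append(tokens[i])
            i += 1
    version = opts.get("-v")
    if version not in ("1", "2c", "3"):
        problems.append(f"-v must be 1, 2c or 3, got {version!r}")
    if version == "3" and "-u" not in opts:
        problems.append("SNMPv3 needs a security name (-u)")
    want = 1 if version == "3" else 2  # v3: <host>; v1/v2c: <host> <community>
    if len(positional) != want:
        problems.append(f"expected {want} positional argument(s), got {positional}")
    return problems

def lint_conf(text):
    """Map each active (uncommented) trap_snmp line to its list of problems."""
    return {ln: check_trap_snmp(ln) for ln in text.splitlines()
            if ln.startswith("output trap_snmp:")}
```

Run lint_conf(SAMPLE_CONF) and only the "snortbox" line is reported; commented-out lines are skipped, as Snort would skip them.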

From: "Robert D. Hughes" <rob at ...825...>
To: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, October 02, 2001 1:16 PM
Subject: RE: [Snort-devel] Trying to get SNMP traps from Snort


Chris,
 
Thanks. I've been able to send traps from the command line to my
management console, but have not been able to get traps to the
management console from snort. This was a basic test to make sure
snmptrap functioned and that nothing was blocking the port. Here's the
script I use to start snort (it's mainly unedited to avoid removing
something important, so I apologize for its length):
 
if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi
 
case "$1" in
start)
        # Start snort in daemon mode on dc0, logging full alerts
        [ -x ${PREFIX}/bin/snort ] && ${PREFIX}/bin/snort -A FULL \
            -c /usr/local/etc/snort/snort.conf -dDeX -i dc0 -z all && echo -n ' snort'
        ;;
stop)
        killall snort && echo -n ' snort'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac
 
exit 0
 
and my snort.conf
 
#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.1 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.64 2001/09/01 12:06:48 fygrave Exp $
#
###################################################
 
var HOME_NET [x.x.x.mynetworks]
 
 
var EXTERNAL_NET any
 
 
var SMTP [x.x.x.mymailservers]
 
 
var HTTP_SERVERS [x.x.x.mywebboxes]
 
 
var SQL_SERVERS [x.x.x.mysqlboxes]
 
 
var DNS_SERVERS [x.x.x.mydnsservers]
 
preprocessor frag2
 
 
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
 
 
preprocessor stream4: detect_scans
 
 
preprocessor stream4_reassemble
 
 
preprocessor http_decode: 80 -unicode -cginull
 
 
 
preprocessor rpc_decode: 111 
 
 
preprocessor bo: -nobrute
 
preprocessor telnet_decode
 
preprocessor portscan: $HOME_NET 4 3 portscan.log
 
preprocessor portscan-ignorehosts: $DNS_SERVERS
 
 
preprocessor arpspoof
 
 
output log_tcpdump: /var/log/snort/snort.log
 
 
 
# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README-SNMP file for more information on enabling and using this
# plug-in.
#
#
# The SnmpTrapGenerator outputplugin requires several parameters
# The parameters depend on the Snmpversion that is used (specified)
# For the SNMPv2c case the parameters will be as follows
#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
#         <hostName> <community>
#
# For SNMPv2c traps 
#
output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string
#
# For SNMPv2c informs 
#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
#
# For SNMPv3 traps with 
# security name = snortUser 
# security level = authentication and privacy
# authentication parameters :
#           authentication protocol = SHA , 
#           authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters 
#           privacy protocol = DES, 
#           privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
 
#=========================================
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules


-----Original Message-----
From: Chris Green [mailto:cmg at ...81...]
Sent: Monday, October 01, 2001 10:42 PM
To: Robert D. Hughes
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Trying to get SNMP traps from Snort



"Robert D. Hughes" <rob at ...825...> writes:

> I've been trying to get an snmp trap out of snort for about a month now,
> but don't fully understand the criteria snort looks for before sending
> the trap. I have verified that snmp is correctly installed on the snort
> machine and that it is capable of at least sending a v1 trap to the NNM

snmptrap from command line or from snort?

> management console. I also have the mibs distributed with build 81 of
> snort loaded on the console and have built from source using the
> --with-snmp configure option. Tcpdump set to listen for all traffic on
> port 162 does not see any traps going to or coming from 162 on the snort
> box. I've tried net-snmp 4.2, 4.2.1 and 4.2-pre2 on FreeBSD 4.4-STABLE.
> What am I doing wrong, or can someone at least point me to some more
> documentation?

Hard to say without a config file and the command line you are running
snort with.  I'll be glad to take a look w/ you if you share.

--
Chris Green <cmg at ...81...>
Don't use a big word where a diminutive one will suffice.