[Snort-devel] Trying to get SNMP traps from Snort

Robert D. Hughes rob at ...825...
Tue Oct 2 05:42:03 EDT 2001


Glenn,
 
Thanks. I actually had that set as a number originally, but changed it
to the host name to see if that made any difference. I'll change it
back.
 
Rob

-----Original Message-----
From: Glenn Mansfield Keeni [mailto:glenn at ...486...]
Sent: Tuesday, October 02, 2001 7:12 AM
To: Robert D. Hughes; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Trying to get SNMP traps from Snort



Rob,
     In your configuration you have
    # For SNMPv2c traps
    #
       output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string

 The SensorID is expected to be numeric. Replace
"snortbox" by a number - anything numeric will do.
[An error should have been printed on the console or
the log - I will be surprised if there wasn't one]
Otherwise the configuration is perfect.

Cheers

Glenn
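A small checker for the "output trap_snmp:" line, added here as an illustration; it is not part of the thread and not Snort's own code. It applies the grammar from the comment block in Rob's snort.conf (alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber> <hostName> [<community>]) together with Glenn's rule that the SensorID is numeric, so the failing line above is reported and the documented v2c and v3 forms pass. The sample lines are constructed from the thread and assumed to sit on one line each (the wrapping in the mail is not how snort.conf stores them); the restriction to versions 2c and 3, and the options each SNMPv3 security level requires, are assumptions read off that comment block, not taken from the plugin's source.

```python
import re
import shlex

# Constructed sample lines taken from the thread: the first is Rob's failing
# line (a host name where the numeric SensorID belongs); the others follow
# the v2c inform and v3 trap forms from the snort.conf comment block.
# Host names and pass phrases are the placeholders from that block.
SAMPLE_LINES = [
    "output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string",
    "output trap_snmp: alert, 7, inform -v 2c -p 162 myTrapListener myCommunity",
    "output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv "
    "-a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener",
]

# Options that take a value, as they appear in the comment block (-v -p for
# every version, -u -l -a -A -x -X for SNMPv3).
OPTS_WITH_VALUE = set("vpulaAxX")

# Options each SNMPv3 security level needs; assumed from the comment block's
# authPriv example, not from the plugin source.
V3_REQUIRED = {"noAuthNoPriv": "", "authNoPriv": "aA", "authPriv": "aAxX"}


def _split_args(rest):
    """Split the transport part into {option: value} and positional words."""
    opts, positional = {}, []
    toks = shlex.split(rest)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if len(tok) == 2 and tok[0] == "-" and tok[1] in OPTS_WITH_VALUE:
            if i + 1 >= len(toks):
                raise ValueError("option %s has no value" % tok)
            opts[tok[1]] = toks[i + 1]
            i += 2
        elif tok.startswith("-"):
            raise ValueError("unknown option %s" % tok)
        else:
            positional.append(tok)
            i += 1
    return opts, positional


def parse_trap_snmp(line):
    """Parse one 'output trap_snmp:' line into a dict; raise ValueError on
    anything the documented grammar does not allow."""
    m = re.match(r"^\s*output\s+trap_snmp\s*:\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("not an 'output trap_snmp:' line")
    fields = [f.strip() for f in m.group(1).split(",", 2)]
    if len(fields) != 3 or fields[0] != "alert":
        raise ValueError("expected: alert, <sensorID>, {trap|inform} ...")
    sensor_id, rest = fields[1], fields[2]
    # Glenn's point in the thread: the SensorID is numeric, never a host name.
    if not sensor_id.isdigit():
        raise ValueError("SensorID %r must be numeric" % sensor_id)
    opts, positional = _split_args(rest)
    if not positional or positional[0] not in ("trap", "inform"):
        raise ValueError("expected 'trap' or 'inform' after the SensorID")
    kind, positional = positional[0], positional[1:]
    for needed in ("v", "p"):
        if needed not in opts:
            raise ValueError("missing -%s" % needed)
    port = opts["p"]
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("-p %r is not a valid UDP port" % port)
    cfg = {"sensor_id": int(sensor_id), "kind": kind,
           "version": opts["v"], "port": int(port)}
    if opts["v"] == "2c":
        if len(positional) != 2:
            raise ValueError("SNMPv2c form needs <hostName> <community>")
        cfg["host"], cfg["community"] = positional
    elif opts["v"] == "3":
        if len(positional) != 1:
            raise ValueError("SNMPv3 form needs exactly <hostName>")
        cfg["host"] = positional[0]
        for needed in ("u", "l"):
            if needed not in opts:
                raise ValueError("SNMPv3 form needs -%s" % needed)
        level = opts["l"]
        if level not in V3_REQUIRED:
            raise ValueError("unknown security level %r" % level)
        missing = [o for o in V3_REQUIRED[level] if o not in opts]
        if missing:
            raise ValueError("level %s needs -%s" % (level, " -".join(missing)))
        cfg["user"], cfg["level"] = opts["u"], level
    else:
        raise ValueError("-v must be 2c or 3 (the forms the comment block documents)")
    return cfg


def check_lines(lines):
    """Return [(line, error_or_None)] for every trap_snmp line in a config."""
    report = []
    for line in lines:
        if not re.match(r"^\s*output\s+trap_snmp\b", line):
            continue
        try:
            parse_trap_snmp(line)
            report.append((line, None))
        except ValueError as exc:
            report.append((line, str(exc)))
    return report


if __name__ == "__main__":
    for line, err in check_lines(SAMPLE_LINES):
        print("%s  %s" % ("BAD " if err else "OK  ", err or line))
```

Running it on the constructed lines flags the first one with "SensorID 'snortbox' must be numeric" and accepts the other two; feeding it a whole snort.conf (one line per directive) reports only the trap_snmp lines, which is the quick check Glenn's note suggests before looking anywhere else.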

From: "Robert D. Hughes" <rob at ...825...>
To: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, October 02, 2001 1:16 PM
Subject: RE: [Snort-devel] Trying to get SNMP traps from Snort


Chris,

Thanks. I've been able to send traps from the command line to my
management console, but have not been able to get traps to the
management console from snort. This was a basic test to make sure
snmptrap functioned and that nothing was blocking the port. Here's the
script I use to start snort (it's mainly unedited to avoid removing
something important, so I apologize for its length):

# FreeBSD rc.d-style script: PREFIX is derived from the script's own path.
if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi

case "$1" in
start)
        # -A FULL: full alerts, -c: config file, -d: dump application data,
        # -D: daemonize, -e: link-layer headers, -X: hex dump, -i dc0: interface
        [ -x ${PREFIX}/bin/snort ] && ${PREFIX}/bin/snort -A FULL -c /usr/local/etc/snort/snort.conf -dDeX -i dc0 -z all && echo -n ' snort'
        ;;
stop)
        killall snort && echo -n ' snort'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac

exit 0

and my snort.conf

#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.1 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.64 2001/09/01 12:06:48 fygrave Exp $
#
###################################################

var HOME_NET [x.x.x.mynetworks]


var EXTERNAL_NET any


var SMTP [x.x.x.mymailservers]


var HTTP_SERVERS [x.x.x.mywebboxes]


var SQL_SERVERS [x.x.x.mysqlboxes]


var DNS_SERVERS [x.x.x.mydnsservers]

preprocessor frag2


preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384


preprocessor stream4: detect_scans


preprocessor stream4_reassemble


preprocessor http_decode: 80 -unicode -cginull



preprocessor rpc_decode: 111


preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

preprocessor portscan-ignorehosts: $DNS_SERVERS


preprocessor arpspoof


output log_tcpdump: /var/log/snort/snort.log



# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README-SNMP file for more information on enabling and using this
# plug-in.
#
#
# The SnmpTrapGenerator output plugin requires several parameters.
# The parameters depend on the SNMP version that is used (specified).
# For the SNMPv2c case the parameters will be as follows:
#  alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
#         <hostName> <community>
#
# For SNMPv2c traps
#
output trap_snmp: alert, snortbox, trap -v 2c -p 162 nnmbox ro-community-string
#
# For SNMPv2c informs
#
#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
#           authentication protocol = SHA ,
#           authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
#           privacy protocol = DES,
#           privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

#=========================================
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules


-----Original Message-----
From: Chris Green [ mailto:cmg at ...81...]
Sent: Monday, October 01, 2001 10:42 PM
To: Robert D. Hughes
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Trying to get SNMP traps from Snort



"Robert D. Hughes" <rob at ...825...> writes:

> I've been trying to get an snmp trap out of snort for about a month now,
> but don't fully understand the criteria snort looks for before sending
> the trap. I have verified that snmp is correctly installed on the snort
> machine and that it is capable of at least sending a v1 trap to the NNM

snmptrap from command line or from snort?

> management console. I also have the mibs distributed with build 81 of
> snort loaded on the console and have built from source using the
> --with-snmp configure option. Tcpdump set to listen for all traffic on
> port 162 does not see any traps going to or coming from 162 on the snort
> box. I've tried net-snmp 4.2, 4.2.1 and 4.2-pre2 on FreeBSD 4.4-STABLE.
> What am I doing wrong, or can someone at least point me to some more
> documentation?

Hard to say without a config file and the command line you are running
snort with.  I'll be glad to take a look w/ you if you share.

--
Chris Green <cmg at ...81...>
Don't use a big word where a diminutive one will suffice.
