[Snort-devel] snort and snmp

Mariusz Woloszyn emsi at ...821...
Tue Sep 18 10:02:10 EDT 2001


Hi! I developed a patch for the snmp_alert output plugin that solves the Null
packet problem (for example, preprocessors like portscan produce null
packets which were not logged via snmp) and added minimum snmp v1
support.

patch attached.

p.s. I'm not on the list.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
-------------- next part --------------
--- snort-1.8.1-RELEASE/spo_SnmpTrap.c	Sun Aug 12 06:28:54 2001
+++ spo_SnmpTrap.c	Tue Sep 18 18:28:10 2001
@@ -596,12 +596,13 @@
 
 void   startIDWS(Packet *p, char *msg) 
 {
-  if    (!p)
+/*  if    (!p)
   {
           ErrorMessage("SnortSnmp: Null packet with msg %s \n", 
                                                msg?msg:"NULL");       
           return;
   }
+*/
   alertID ++;
   sendSNMPInform(p, msg, alertID, &SnmpData);
   return ;
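Review bot: The NULL-packet rejection in startIDWS is commented out rather than removed, so the dead block stays in the file and `sendSNMPInform(p, msg, alertID, &SnmpData)` is now called with a NULL `p`, relying on the `if (p)` guard the later hunks add around the AlertMoreInfo section. Any other dereference of `p` inside sendSNMPInform that lies outside that guard would still fault on preprocessor alerts; the body of sendSNMPInform is mostly outside the visible hunks, so that cannot be confirmed here and should be checked. Delete the commented-out lines and state the new contract at the call site instead, e.g. `/* p is NULL for preprocessor alerts (portscan etc.); sendSNMPInform must tolerate it */`.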
@@ -658,7 +659,12 @@
     char  *trap = NULL;
     char   timeNtpStamp [32];
     struct timeval unixStamp;
-    
+    int     name_length;
+    oid name[MAX_OID_LEN];
+
+
+    name_length = MAX_OID_LEN;
+
     sensorID = SnmpData->sensorID;
     gettimeofday(&unixStamp, NULL);
     sprintf (timeNtpStamp, "%ld.%6ld", unixStamp.tv_sec, unixStamp.tv_usec);
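Review bot: `name_length` is declared `int` but is later passed as `&name_length` to `snmp_parse_oid`, which in the ucd-snmp/net-snmp headers I know takes the length as a `size_t *`; that is a pointer-type mismatch the compiler should warn about, and on platforms where `int` and `size_t` differ in width the library writes past the variable. Declare it with its initializer as `size_t name_length = MAX_OID_LEN;` and drop the separate assignment; please confirm the exact prototype in the library version the plugin builds against. The enclosing function sendSNMPInform starts before this hunk.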
@@ -676,15 +682,45 @@
     }
     arg = 0;
     if (session->version == SNMP_VERSION_1) {
-        ErrorMessage ("Sorry! Version 1 traps are not supported now \n");
-        return (1);
+
+    pdu = snmp_pdu_create(SNMP_MSG_TRAP);
+
+    /*
+     * SNMPv1 trap 
+     */
+    if (!snmp_parse_oid(_OID_sidaAlertGenericOID, name, &name_length)) {
+	    snmp_perror(_OID_sidaAlertGenericOID);
+	    SOCK_CLEANUP;
+	    return(1);
+    }
+    pdu->enterprise = (oid *)malloc(name_length * sizeof(oid));
+    memcpy(pdu->enterprise, name, name_length * sizeof(oid));
+    pdu->enterprise_length = name_length;
+
+
+    pdu->trap_type =0; // Cold Reboot
+    pdu->specific_type=0;
+
+    // Other parts skipped!!!
+
+
+    // AlertMSG
+    Result = ParseOidAndAddToPdu( ALERTMSG, sensorID, AlertID, msg, pdu);
+    if (Result) {
+	    SOCK_CLEANUP;
+	    return (Result);
     }
+    
+    pdu->time = get_uptime();
+
+    } else {
+
+    pdu = snmp_pdu_create(inform ? SNMP_MSG_INFORM : SNMP_MSG_TRAP2);
 
    /*
     * The SysUpTime
     */
 
-    pdu = snmp_pdu_create(inform ? SNMP_MSG_INFORM : SNMP_MSG_TRAP2);
     sysuptime = get_uptime ();
     sprintf (csysuptime, "%ld", sysuptime);
     trap = csysuptime;
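Review bot: In the new SNMPv1 branch the `malloc` for `pdu->enterprise` is not checked before `memcpy` writes through it, and the two error returns after `snmp_pdu_create` (the failed `snmp_parse_oid` and the failed `ParseOidAndAddToPdu`) return without releasing the PDU, so each failure leaks it; `snmp_pdu_create` itself can also return NULL. `pdu->trap_type = 0` is the generic trap coldStart per RFC 1157, which misreports an IDS alert as an agent restart — an alert should be `SNMP_TRAP_ENTERPRISESPECIFIC` (6) with `specific_type` identifying the event. As a point of style, the v1 body is written at the indentation of the enclosing `if` rather than one level inside it, and `//` comments are mixed into a file that otherwise uses `/* */`. The rewrite below adds the missing checks and frees the PDU on every error path; whether `snmp_free_pdu` also releases the `enterprise` buffer in this library version should be confirmed.
```c
        pdu = snmp_pdu_create(SNMP_MSG_TRAP);
        if (!pdu) {
            SOCK_CLEANUP;
            return (1);
        }
        if (!snmp_parse_oid(_OID_sidaAlertGenericOID, name, &name_length)) {
            snmp_perror(_OID_sidaAlertGenericOID);
            snmp_free_pdu(pdu);
            SOCK_CLEANUP;
            return (1);
        }
        pdu->enterprise = malloc(name_length * sizeof(oid));
        if (!pdu->enterprise) {
            snmp_free_pdu(pdu);
            SOCK_CLEANUP;
            return (1);
        }
        memcpy(pdu->enterprise, name, name_length * sizeof(oid));
        pdu->enterprise_length = name_length;

        /* An IDS alert is an enterprise-specific event, not a coldStart. */
        pdu->trap_type = SNMP_TRAP_ENTERPRISESPECIFIC;
        pdu->specific_type = 0;

        /* … unchanged: AlertMSG varbind via ParseOidAndAddToPdu … */
        if (Result) {
            snmp_free_pdu(pdu);
            SOCK_CLEANUP;
            return (Result);
        }
        pdu->time = get_uptime();
```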
@@ -784,8 +820,8 @@
          SOCK_CLEANUP;
          return (Result);
      }
-
-
+} // #else SNMP v1
+if (p) {
    /*
     * The AlertMoreInfo
     */
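Review bot: The brace comments `} // #else SNMP v1` here and `} // #if (p)` in the next hunk describe runtime braces using preprocessor-directive syntax, which reads as if a `#if`/`#else` were in play; they are also `//` comments in a file that otherwise uses `/* */`. The `if (p)` block opened here is closed in the following hunk, so the guarded section spans code outside the visible hunks and its extent should be checked against every remaining use of `p` in sendSNMPInform. Suggested wording: `} /* end SNMPv2c/inform PDU setup */` and `if (p) { /* packet-derived varbinds; p is NULL for preprocessor alerts */`, with the matching close `} /* end if (p) */`.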
@@ -915,6 +951,7 @@
          SOCK_CLEANUP;
          return (Result);
      }
+} // #if (p)
 
      if (inform) 
      {  

