[Snort-devel] MIB/SMNP Issue
rob at ...825...
Sat May 11 09:45:01 EDT 2002
I'm currently integrating Snort into OpenView NNM 6.1 and Operations
6.11. As usual, the integration into NNM went without a hitch, but I had
a great deal of trouble getting the alerts passed into Operations via a
template match condition. I started looking at the MIB files distributed
with Snort and the code, and finally figured it out. The issue is that
Snort sends a generic type 3 (link up) trap of sub-types 1 and 2 for
sidaAlertGeneric and sidaAlertScanStatus. I'm not sure if this is RFC
compliant (NNM appears to allow sub-types for all generic traps),
but Operations doesn't like it a bit. There is absolutely no provision
to accept a sub-type of a generic trap other than enterprise-specific.
So, what I did was to change the spo_Snmp.c as follows (I apologize that
this isn't a true diff patch, but I don't know how to make one):
diff spo_SnmpTrap.c spo_SnmpTrap.c.orig
< #define _OID_sidaAlertGenericOID ".184.108.40.206.4.1.10220.127.116.11.1"
< #define _OID_sidaAlertScanStatus ".18.104.22.168.4.1.1022.214.171.124.2"
> #define _OID_sidaAlertGenericOID ".126.96.36.199.4.1.10188.8.131.52.1"
> #define _OID_sidaAlertScanStatus ".184.108.40.206.4.1.10220.127.116.11.2"
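Review bot: the diff was produced as `diff spo_SnmpTrap.c spo_SnmpTrap.c.orig`, so the `<` lines are the modified file and the `>` lines are the original, the reverse of the usual orig-then-new order; anyone applying this by hand should keep the `<` defines. The enterprise prefixes in the four lines also disagree with one another (`.4.1.10220`, `.4.1.1022`, `.4.1.10188`) even though the text says only the generic-versus-enterprise-specific trap part changed, so the OIDs should be checked against the MIB before use. Finally, the text names `spo_Snmp.c` while the diff header names `spo_SnmpTrap.c`; the file name in the text should match.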
This changes the traps to be enterprise-specific, subtype 1 and 2 and
allows for OVO integration. No other changes were needed, other than
copying the events in NNM to match. I'm still looking at the MIB files
to try to determine where the generic type link-up trap is coming from
so that I can edit that as well.
I don't know that anyone else cares except me, but I wanted to publish
what I ran into so it can at least go into the knowledge base.
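To make the trap-shape problem described above concrete, here is an added example (not code from the post or from Snort) that BER-encodes a minimal SNMPv1 Trap-PDU and classifies it the way a receiver like Operations would: a generic-trap of 6 is enterprise-specific and may carry a specific-trap sub-type, while a generic-trap such as 3 (linkUp) with a nonzero specific-trap is the shape the post says is rejected. The enterprise OID and agent address are constructed placeholders, not Snort's real values.

```python
def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form BER length is sufficient for the small PDUs built here.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _int(v: int) -> bytes:
    # Minimal two's-complement encoding of a non-negative INTEGER.
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted: str) -> bytes:
    # OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128.
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(enc)
    return _tlv(0x06, bytes(out))

def build_trap_pdu(enterprise: str, generic: int, specific: int) -> bytes:
    # SNMPv1 Trap-PDU ([4] IMPLICIT SEQUENCE): enterprise, agent-addr,
    # generic-trap, specific-trap, time-stamp, empty variable-bindings.
    body = (_oid(enterprise)
            + _tlv(0x40, bytes([127, 0, 0, 1]))   # IpAddress (constructed)
            + _int(generic) + _int(specific)
            + _tlv(0x43, b"\x00")                  # TimeTicks = 0
            + _tlv(0x30, b""))
    return _tlv(0xA4, body)

def _read_tlv(buf: bytes, pos: int):
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def classify_trap(pdu: bytes) -> str:
    # Decode the first four fields and report whether the sub-type is legal
    # for the generic-trap value (only 6 = enterpriseSpecific carries one).
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0xA4:
        return "not an SNMPv1 Trap-PDU"
    pos, fields = 0, []
    for _ in range(4):  # enterprise, agent-addr, generic-trap, specific-trap
        t, v, pos = _read_tlv(body, pos)
        fields.append(v)
    generic = int.from_bytes(fields[2], "big", signed=True)
    specific = int.from_bytes(fields[3], "big", signed=True)
    if generic == 6:
        return f"enterprise-specific trap, specific-trap={specific}"
    if specific != 0:
        return f"generic trap {generic} with nonzero specific-trap={specific}"
    return f"generic trap {generic}"
```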