[Snort-devel] MIB/SMNP Issue

Rob Hughes rob at ...825...
Sat May 11 09:45:01 EDT 2002


All,

I'm currently integrating Snort into OpenView NNM 6.1 and Operations
6.11. As usual, the integration into NNM went without a hitch, but I had
a great deal of trouble getting the alerts passed into Operations via a
template match condition. I started looking at the MIB files distributed
with Snort and the code, and finally figured it out. The issue is that
Snort sends a generic type 3 (link up) trap of sub-types 1 and 2 for
sidaAlertGeneric and sidaAlertScanStatus. I'm not sure if this is RFC
compliant (NNM appears to allow sub-types for all generic traps),
but Operations doesn't like it a bit. There is absolutely no provision
to accept a sub-type of a generic trap other than enterprise-specific.
So, what I did was to change the spo_Snmp.c as follows (I apologize that
this isn't a true diff patch, but I don't know how to make one):

 diff spo_SnmpTrap.c spo_SnmpTrap.c.orig
83,84c83,84
< #define   _OID_sidaAlertGenericOID       ".1.3.6.1.4.1.10234.2.1.0.1"
< #define   _OID_sidaAlertScanStatus       ".1.3.6.1.4.1.10234.2.1.0.2"
---
> #define   _OID_sidaAlertGenericOID       ".1.3.6.1.4.1.10234.2.1.3.1"
> #define   _OID_sidaAlertScanStatus       ".1.3.6.1.4.1.10234.2.1.3.2"
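Review bot: the argument order `diff spo_SnmpTrap.c spo_SnmpTrap.c.orig` puts the modified file first, so the `<` lines (`.0.1`, `.0.2`) are the new values and the `>` lines are the originals; fed to `patch` as-is this hunk would revert the change rather than apply it. Regenerate it as `diff -u spo_SnmpTrap.c.orig spo_SnmpTrap.c` so it applies forward, and change the sidaAlertGeneric and sidaAlertScanStatus definitions in the MIB files shipped with Snort to the same OIDs, so that a manager loading the MIB resolves the traps the patched code actually sends.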

This changes the traps to be enterprise-specific, subtype 1 and 2 and
allows for OVO integration. No other changes were needed, other than
copying the events in NNM to match. I'm still looking at the MIB files
to try to determine where the generic type link-up trap is coming from
so that I can edit that as well.

I don't know that anyone else cares except me, but I wanted to publish
what I ran into so it can at least go into the knowledge base.

Regards,
Rob
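As an added illustration (not part of the post or of Snort's code), the standard RFC 2576 section 3.2 mapping from an SNMPv2 notification OID to SNMPv1 trap fields, run over the two OID forms quoted above; under that mapping the `enterprise.0.N` form resolves back to the sida enterprise while `enterprise.3.N` does not, which is what a manager-side template keyed on the enterprise OID sees. Snort's own conversion at the time evidently differed (the post reports generic-trap 3), so this shows only the standard mapping; the function names and the template check are this example's own, and the snmpTrapEnterprise.0 varbind case is not modelled.

```python
# RFC 2576 section 3.2: map an SNMPv2 snmpTrapOID to the SNMPv1 trap fields
# (enterprise, generic-trap, specific-trap). Constructed example: the two sida
# trap OIDs are the ones quoted from spo_SnmpTrap.c, every name here is this
# example's own. The snmpTrapEnterprise.0 varbind case is not modelled.

SNMP_TRAPS = (1, 3, 6, 1, 6, 3, 1, 1, 5)  # snmpTraps: coldStart=.1 .. egpNeighborLoss=.6
GENERIC_NAMES = ("coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific")

SIDA_ENTERPRISE = (1, 3, 6, 1, 4, 1, 10234, 2, 1)  # the sida branch from the post

def parse_oid(dotted):
    """'.1.3.6' -> (1, 3, 6); the leading dot is optional."""
    return tuple(int(arc) for arc in dotted.strip(".").split("."))

def v2_trap_oid_to_v1(dotted):
    """Return {'enterprise', 'generic', 'specific', 'name'} per RFC 2576 3.2."""
    oid = parse_oid(dotted)
    if oid[:-1] == SNMP_TRAPS and 1 <= oid[-1] <= 6:
        generic = oid[-1] - 1              # standard trap: snmpTraps.N -> generic N-1
        return {"enterprise": SNMP_TRAPS, "generic": generic, "specific": 0,
                "name": GENERIC_NAMES[generic]}
    # Anything else is enterprise-specific (generic-trap 6). The canonical form is
    # enterprise.0.specific: a zero next-to-last arc is dropped together with the
    # specific-trap arc; otherwise only the last arc is removed, so a form like
    # enterprise.3.1 yields a *different* enterprise value (enterprise.3).
    enterprise = oid[:-2] if oid[-2] == 0 else oid[:-1]
    return {"enterprise": enterprise, "generic": 6, "specific": oid[-1],
            "name": GENERIC_NAMES[6]}

def matches_template(dotted, enterprise, specific):
    """Manager-side match condition: enterprise-specific trap under one enterprise."""
    t = v2_trap_oid_to_v1(dotted)
    return t["generic"] == 6 and t["enterprise"] == enterprise and t["specific"] == specific

if __name__ == "__main__":
    for label, oid in (("new generic", ".1.3.6.1.4.1.10234.2.1.0.1"),
                       ("new scan   ", ".1.3.6.1.4.1.10234.2.1.0.2"),
                       ("old generic", ".1.3.6.1.4.1.10234.2.1.3.1"),
                       ("old scan   ", ".1.3.6.1.4.1.10234.2.1.3.2")):
        t = v2_trap_oid_to_v1(oid)
        print(f"{label}: enterprise={'.'.join(map(str, t['enterprise']))} "
              f"generic={t['generic']} specific={t['specific']} "
              f"sida-template-match={matches_template(oid, SIDA_ENTERPRISE, t['specific'])}")
```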
