[Snort-devel] Re: MIB/SMNP Issue

Glenn Mansfield Keeni glenn at ...1085...
Sat May 11 17:56:02 EDT 2002


Rob,

Rob Hughes wrote:

> All,
> 
> I'm currently integrating Snort into OpenView NNM 6.1 and Operations
> 6.11. As usual, the integration into NNM went without a hitch, but I had
> a great deal of trouble getting the alerts passed into Operations via a
> template match condition. I started looking at the MIB files distributed
> with Snort and the code, and finally figured it out. The issue is that
> Snort sends a generic type 3 (link up) trap of sub-types 1 and 2 for
> sidaAlertGeneric and sidaAlertScanStatus. I'm not sure if this is RFC

This is not correct. Please note: Snort is not sending SNMPv1 traps.
There are no sub-types.
The notification OID identifies the type of the notification being sent. At
present there are two types of notifications: the Generic notification
and the scan status notification. Depending on the type of the
notification the contents of the alert may change. [ You will probably
switch the template depending on the OID].


> compliant (NNM appears to allow sub-types for all generic traps),
> but Operations doesn't like it a bit. There is absolutely no provision
> to accept a sub-type of a generic trap other than enterprise-specific.
> So, what I did was to change the spo_Snmp.c as follows (I apologize that
> this isn't a true diff patch, but I don't know how to make one):
> 
>  diff spo_SnmpTrap.c spo_SnmpTrap.c.orig
> 83,84c83,84
> < #define   _OID_sidaAlertGenericOID       ".1.3.6.1.4.1.10234.2.1.0.1"
> < #define   _OID_sidaAlertScanStatus       ".1.3.6.1.4.1.10234.2.1.0.2"
> ---
> 
>>#define   _OID_sidaAlertGenericOID       ".1.3.6.1.4.1.10234.2.1.3.1"
>>#define   _OID_sidaAlertScanStatus       ".1.3.6.1.4.1.10234.2.1.3.2"
>>
>
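
Review bot: the file order on the diff command line is reversed (modified file first, .orig second), so the "<" lines with .2.1.0.1 and .2.1.0.2 are the new values and the ">" lines with .2.1.3.1 and .2.1.3.2 are the originals, and the patch reads as the opposite of the change described. Regenerate it with the original first, for example: diff -u spo_SnmpTrap.c.orig spo_SnmpTrap.c. The surrounding text names the file spo_Snmp.c while the diff is against spo_SnmpTrap.c, so say which one is meant. The two _OID_sidaAlert* defines should also carry a comment tying them to the notification definitions in the MIB files distributed with Snort, since changing the OIDs here alone leaves the source and the MIB disagreeing.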

 
> This changes the traps to be enterprise-specific, subtype 1 and 2 and
> allows for OVO integration. No other changes were needed, other than
> copying the events in NNM to match. I'm still looking at the MIB files
> to try to determine where the generic type link-up trap is coming from
> so that I can edit that as well.

This does not seem to be the correct direction. If you will let me know
what the problem with the integration is, I can try to help.


> 
> I don't know that anyone else cares except me, but I wanted to publish
> what I ran into so it can at least go into the knowledge base.



Glenn
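
Added example, not part of the original message or of Snort's code: how a manager that works in SNMPv1 terms derives enterprise, generic-trap and specific-trap from an SNMPv2 notification OID under the coexistence rules (RFC 3584, section 3.2), applied to the two OID forms in the diff above. The struct and function names are hypothetical, and the code assumes no snmpTrapEnterprise.0 varbind is present.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNMP_TRAPS ".1.3.6.1.6.3.1.1.5"   /* snmpTraps: coldStart(1)..egpNeighborLoss(6) */

struct v1_trap {              /* hypothetical holder for the SNMPv1 trap header fields */
    char enterprise[128];
    int  generic;             /* 0..5 = standard traps, 6 = enterpriseSpecific */
    long specific;
};

/* Map a dotted SNMPv2 notification OID to SNMPv1 fields. Returns 0, or -1 on bad input. */
int v2_oid_to_v1(const char *oid, struct v1_trap *out)
{
    char buf[128], *last, *prev, *end;

    if (oid[0] != '.' || strlen(oid) >= sizeof buf) return -1;
    strcpy(buf, oid);
    last = strrchr(buf, '.');
    if (last == buf) return -1;               /* need at least two sub-identifiers */
    *last++ = '\0';                           /* buf = OID without last sub-id */
    out->specific = strtol(last, &end, 10);
    if (end == last || *end != '\0') return -1;

    if (strcmp(buf, SNMP_TRAPS) == 0 && out->specific >= 1 && out->specific <= 6) {
        out->generic = (int)out->specific - 1; /* e.g. linkUp .5.4 -> generic 3 */
        out->specific = 0;
    } else {
        out->generic = 6;                      /* anything else is enterpriseSpecific */
        prev = strrchr(buf, '.');
        if (prev != NULL && prev != buf && strcmp(prev, ".0") == 0)
            *prev = '\0';                      /* next-to-last sub-id 0 is dropped too */
    }
    strcpy(out->enterprise, buf);
    return 0;
}

int main(void)
{
    /* The two OID forms for sidaAlertGeneric that appear in the quoted diff. */
    const char *oids[] = { ".1.3.6.1.4.1.10234.2.1.3.1", ".1.3.6.1.4.1.10234.2.1.0.1" };
    struct v1_trap t;
    for (int i = 0; i < 2; i++)
        if (v2_oid_to_v1(oids[i], &t) == 0)
            printf("%s -> enterprise %s generic %d specific %ld\n",
                   oids[i], t.enterprise, t.generic, t.specific);
    return 0;
}
```

Under this mapping both forms come out as generic-trap 6; what differs is the enterprise OID the manager has to match on.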






