[Snort-devel] Re: MIB/SMNP Issue

Rob Hughes rob at ...825...
Sat May 11 18:43:01 EDT 2002


On Sat, 2002-05-11 at 19:54, Glenn Mansfield Keeni wrote:
> Rob,
> 
> This is not correct. Please note: Snort is not sending SNMPv1 traps.
> There are no sub-types.
> The notification OID identifies the type of the notification being sent. At
> present there are two types of notifications: the Generic notification
> and the scan status notification. Depending on the type of the
> notification the contents of the alert may change. [ You will probably
> switch the template depending on the OID].
> 
As I explained, the traps from snort look like generic type 3 traps to
Operations when they come in from NNM, as operations does not understand
v2 traps. Therefore, there is no way to designate a sub-type for
anything except enterprise. If I could show you a template for an snmp
trap condition, things would be clearer. At any rate, I can tell
operations not to care about the generic type and specify the full OID,
but then it doesn't format correctly in the events browser (comes in as
a generic trap listing the enterprise OID with all the variables tacked
on like an afterthought).

Well, if you say this isn't correct, I'll take your word. What I've
observed, however, is that by making the single change to
spo_Snmptrap.c, I can accomplish the integration in the same fashion I
do all my other templates. I'll change it back and work with it some
more, though I've spent a couple of days trying all sorts of
permutations of template match conditions with very little in the way of
results until I made that change.

I do appreciate your help, too. I've only got a year or so with
Operations, and still have a lot to learn about the beast.

Thanks,
Rob




