[Snort-devel] Re: MIB/SMNP Issue

Rob Hughes rob at ...825...
Sat May 11 22:57:01 EDT 2002


On Sat, 2002-05-11 at 19:54, Glenn Mansfield Keeni wrote:
> Rob,
> 
> Rob Hughes wrote:
> 
> This does not seem to be the correct direction. If you will let me know
> what is the problem with the intergration.  I can try to help.

Here's a dump of an event as NNM sees it.

1021179664 7 Sun May 12 00:01:04 2002 ns2.robhughes.com - (Snort! <*-\nVersion 1.8.7beta2 (Build 114)) (ipv4) (12.237.138.77) (1021179667.499348) (SMTP RCPT TO overflow) (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260, http://www.securityfocus.com/bid/2283, ) (ipv4) (216.136.204.119) (ipv4) (12.237.138.77) (26784) (25) (0x00 02 fc 86 80 8c) (0x00 c0 f0 3c 2f 3e) (1) ((UNAVAILABLE EVENT PARAMETER $17));2 .1.3.6.1.4.1.10234.2.1.3.1 0

Each field is enclosed within () for easier deciphering. I find it 
interesting that if I click an event, then choose "configure" from the menu, 
NNM complains that the event does not exist for the enterprise .1.3.6.1.4.1.10234.2.1.3 and 
asks if I'd like to add it. So, as far as NNM compatibility, while it works, 
the snort snmp implementation isn't standard, else NNM would most likely be able 
to correctly identify the enterprise for the trap. I say this as someone who's 
been working with NNM for the last 7 years, and unless there's a problem with the 
MIB or trap format, I never see this when configuring events via the event 
viewer.

FYI, I've restored the original spo_Snmptrap.c file and rebuilt.

Having done so, I switched back to "don't care" option in the template and am actually 
getting messages.This is progress, but NNM not recognizing the enterprise is troubling. 
NNM, at least as far as it's name service requirements, it widely recognized to be very 
RFC compliant. I also know from experience that unless the MIB exactly follows the 
correct syntax, the mib file won't load. This means that many vendor's files, including 
the UCD files, won't load without modifications. Snort's at least load. I also noticed that
of all the MIB files I have loaded on my OVO server (around 40-50), with the exception of 
the generic traps, Snort's are the only one's that *do not* follow the format of 

iso.org.dod.internet.private.enterprises.<enterprise number>.sub-type1.<...>.0.<specific trap number>

I'm not quite sure what to make of that, other than to say "it's different than the way everyone else
does it". Obviously, this doesn't make it "wrong" per se, just non-standard.

If you don't have access to an OpenView implementation, I can set *one* person up with an account
on this box for ssh access, and you can run NNM or OVO via X over ssh tunnels.

Thanks again for the help,
Rob





More information about the Snort-devel mailing list