[Snort-devel] Re: MIB/SMNP Issue

Rob Hughes rob at ...825...
Sun May 12 00:30:02 EDT 2002


On Sat, 2002-05-11 at 19:54, Glenn Mansfield Keeni wrote:
> Rob,
> 
> Rob Hughes wrote:
> 
> This does not seem to be the correct direction. If you will let me know
> what the problem with the integration is, I can try to help.

Still digging, and still finding weirdness. Attached is a text file of a few events 
dumped from OVO for comparison. Notice that some of the variables are not passed 
consistently in the traps. In particular, the src/dst mac, port and address seem to 
be passed differently in some of the traps. Why is this?
-------------- next part --------------
#                        ITO Report
#                        --- ------
#
# Report Date: 05/12/02                                  Report Time: 02:15:37
#
# Report Definition:
#
#        Report Name    : Selected active detailed
#        Report Script  : 
#

Legend of used head lines:
   Auto St.:      Status of a automatic action which belongs to the message
   Oper St.:      Status of a operator initiated action
   Sev.:          Severity of the Message
   Message Group: Message Group of the Message
   Node Name:     The Node that message comes from
   Message Text:  Message text of the message
   Source Type:   Source, where the message comes from (e.g. logfile, SnmpTrap)
   Original Text: Original Message Text, text which was reformatted through
                  a message condition to get the message text
   Msg.Gen.Node:  Node where the message has been generated.
   Service Name:  The service this message maps to.
   Last Received: Last time a duplicate for this message has been received


Selected active detailed                                          Page:      1

Dup.  Date/Time         Auto St. Oper St. Sev. Message Group    Node Name
----- ----------------- -------- -------- ---- ---------------- -------------------

      05/12/02 02:08:04 undef    undef    warn Security         ns2.robhughes.com
               Source Type  : Snmp Trap

               Message Text : Sensor Address:12.237.138.77 Event Time
                              Stamp:1021187286.835394 Event:spp_anomsensor:
                              Threshold adjusted to 4.7925 after 0 alerts (of 3)
                              Event Class:(UNAVAILABLE EVENT PARAMETER $14)
                              SrcAddr/Port:(UNAVAILABLE EVENT PARAMETER
                              $7)/(UNAVAILABLE EVENT PARAMETER $10)
                              DstAddr/Port:(UNAVAILABLE EVENT PARAMETER
                              $9)/(UNAVAILABLE EVENT PARAMETER $11)
                              SrcMAC:(UNAVAILABLE EVENT PARAMETER $12)
                              DstMAC:(UNAVAILABLE EVENT PARAMETER $13) (UNAVAILABLE
                              EVENT PARAMETER $15) (UNAVAILABLE EVENT PARAMETER $16)
                              (UNAVAILABLE EVENT PARAMETER $17) (UNAVAILABLE EVENT
                              PARAMETER $18) (UNAVAILABLE EVENT PARAMETER $19)
                              (UNAVAILABLE EVENT PARAMETER $20)
               Original Text: Generic: 6; Specific: 1; Enterprise:
                              .1.3.6.1.4.1.10234.2.1.3;
                              Variables:
                              [1]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorVersion.7
                              (OctetString): Snort! <*-
                              Version 1.8.7beta2 (Build 114)
                              [2]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddressType
                              .7.266 (Integer): ipv4
                              [3]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddress.7.2
                              66 (OctetString): 12.237.138.77
                              [4]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertTimeStamp.7.26
                              6 (OctetString): 1021187286.835394
                              [5]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertMsg.7.266
                              (OctetString): spp_anomsensor: Threshold adjusted to
                              4.7925 after 0 alerts (of 3) 
               Msg.Gen.Node : itph-ems-01.robhughes.com
               Service Name : Snort

      05/12/02 02:08:05 undef    undef    warn Security         ns2.robhughes.com
               Source Type  : Snmp Trap

               Message Text : Sensor Address:12.237.138.77 Event Time
                              Stamp:1021187288.314183 Event:SMTP RCPT TO overflow
                              Event Class:0x00 c0 f0 3c 2f 3e
                              SrcAddr/Port:ipv4/12.237.138.77
                              DstAddr/Port:ipv4/25955 SrcMAC:25 DstMAC:0x00 02 fc 86
                              80 8c attemptedAdmin 1 (UNAVAILABLE EVENT PARAMETER
                              $17) (UNAVAILABLE EVENT PARAMETER $18) (UNAVAILABLE
                              EVENT PARAMETER $19) (UNAVAILABLE EVENT PARAMETER $20)
               Original Text: Generic: 6; Specific: 1; Enterprise:
                              .1.3.6.1.4.1.10234.2.1.3;
                              Variables:
                              [1]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorVersion.7
                              (OctetString): Snort! <*-
                              Version 1.8.7beta2 (Build 114)
                              [2]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddressType
                              .7.267 (Integer): ipv4
                              [3]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddress.7.2
                              67 (OctetString): 12.237.138.77
                              [4]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertTimeStamp.7.26
                              7 (OctetString): 1021187288.314183
                              [5]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertMsg.7.267
                              (OctetString): SMTP RCPT TO overflow
                              [6]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertMoreInfo.7.267
                              (OctetString):
                              http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001
                              -0260, http://www.securityfocus.com/bid/2283, 
                              [7]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddressType
                              .7.267 (Integer): ipv4
                              [8]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddress.7.2
                              67 (OctetString): 216.136.204.119
                              [9]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddressType
                              .7.267 (Integer): ipv4
                              [10]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddress.7.2
                              67 (OctetString): 12.237.138.77
                              [11]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcPort.7.267
                              (Integer): 25955
                              [12]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstPort.7.267
                              (Integer): 25
                              [13]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcMacAddress.
                              7.267 (OctetString): 0x00 02 fc 86 80 8c
                              [14]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstMacAddress.
                              7.267 (OctetString): 0x00 c0 f0 3c 2f 3e
                              [15]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertImpact.7.267
                              (Integer): attemptedAdmin
                              [16]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertEventPriority.
                              7.267 (Integer): 1 
               Msg.Gen.Node : itph-ems-01.robhughes.com
               Service Name : Snort



      05/12/02 02:09:41 undef    undef    warn Security         ns2.robhughes.com
               Source Type  : Snmp Trap

               Message Text : Sensor Address:12.237.138.77 Event Time
                              Stamp:1021187384.483626 Event:spp_stream4: Multiple
                              Acked Packets (possible fragroute) Event
                              Class:(UNAVAILABLE EVENT PARAMETER $14)
                              SrcAddr/Port:12.247.65.45/21
                              DstAddr/Port:12.237.138.77/3388 SrcMAC:0x00 02 fc 86
                              80 8c DstMAC:0x00 c0 f0 3c 2f 3e (UNAVAILABLE EVENT
                              PARAMETER $15) (UNAVAILABLE EVENT PARAMETER $16)
                              (UNAVAILABLE EVENT PARAMETER $17) (UNAVAILABLE EVENT
                              PARAMETER $18) (UNAVAILABLE EVENT PARAMETER $19)
                              (UNAVAILABLE EVENT PARAMETER $20)
               Original Text: Generic: 6; Specific: 1; Enterprise:
                              .1.3.6.1.4.1.10234.2.1.3;
                              Variables:
                              [1]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorVersion.7
                              (OctetString): Snort! <*-
                              Version 1.8.7beta2 (Build 114)
                              [2]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddressType
                              .7.268 (Integer): ipv4
                              [3]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddress.7.2
                              68 (OctetString): 12.237.138.77
                              [4]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertTimeStamp.7.26
                              8 (OctetString): 1021187384.483626
                              [5]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertMsg.7.268
                              (OctetString): spp_stream4: Multiple Acked Packets
                              (possible fragroute)
                              [6]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddressType
                              .7.268 (Integer): ipv4
                              [7]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddress.7.2
                              68 (OctetString): 12.247.65.45
                              [8]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddressType
                              .7.268 (Integer): ipv4
                              [9]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddress.7.2
                              68 (OctetString): 12.237.138.77
                              [10]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcPort.7.268
                              (Integer): 21
                              [11]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstPort.7.268
                              (Integer): 3388
                              [12]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcMacAddress.
                              7.268 (OctetString): 0x00 02 fc 86 80 8c
                              [13]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstMacAddress.
                              7.268 (OctetString): 0x00 c0 f0 3c 2f 3e 
               Msg.Gen.Node : itph-ems-01.robhughes.com
               Service Name : Snort

      05/12/02 02:10:48 undef    undef    warn Security         ns2.robhughes.com
               Source Type  : Snmp Trap

               Message Text : Sensor Address:12.237.138.77 Event Time
                              Stamp:1021187450.980788 Event:spp_stream4: TCP TOO
                              FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible
                              fragroute) detection Event Class:(UNAVAILABLE EVENT
                              PARAMETER $14) SrcAddr/Port:12.247.65.45/21
                              DstAddr/Port:12.237.138.77/3388 SrcMAC:0x00 02 fc 86
                              80 8c DstMAC:0x00 c0 f0 3c 2f 3e (UNAVAILABLE EVENT
                              PARAMETER $15) (UNAVAILABLE EVENT PARAMETER $16)
                              (UNAVAILABLE EVENT PARAMETER $17) (UNAVAILABLE EVENT
                              PARAMETER $18) (UNAVAILABLE EVENT PARAMETER $19)
                              (UNAVAILABLE EVENT PARAMETER $20)
               Original Text: Generic: 6; Specific: 1; Enterprise:
                              .1.3.6.1.4.1.10234.2.1.3;
                              Variables:
                              [1]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorVersion.7
                              (OctetString): Snort! <*-
                              Version 1.8.7beta2 (Build 114)
                              [2]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddressType
                              .7.269 (Integer): ipv4
                              [3]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaSensorTable.sidaSensorEntry.sidaSensorAddress.7.2
                              69 (OctetString): 12.237.138.77
                              [4]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertTimeStamp.7.26
                              9 (OctetString): 1021187450.980788
                              [5]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertMsg.7.269
                              (OctetString): spp_stream4: TCP TOO FAST
                              RETRANSMISSION WITH DIFFERENT DATA SIZE (possible
                              fragroute) detection
                              [6]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddressType
                              .7.269 (Integer): ipv4
                              [7]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcAddress.7.2
                              69 (OctetString): 12.247.65.45
                              [8]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddressType
                              .7.269 (Integer): ipv4
                              [9]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstAddress.7.2
                              69 (OctetString): 12.237.138.77
                              [10]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcPort.7.269
                              (Integer): 21
                              [11]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstPort.7.269
                              (Integer): 3388
                              [12]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertSrcMacAddress.
                              7.269 (OctetString): 0x00 02 fc 86 80 8c
                              [13]
                              private.enterprises.snortMIB.snortExp.snortIDSAlertMIB
                              .sidaAlertTable.sidaAlertEntry.sidaAlertDstMacAddress.
                              7.269 (OctetString): 0x00 c0 f0 3c 2f 3e 
               Msg.Gen.Node : itph-ems-01.robhughes.com
               Service Name : Snort
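An added example, not part of the original post or of Snort's own trap code, that reproduces the field shifts visible in the dump above: the SMTP trap carries sidaAlertMoreInfo as varbind [6] while the stream4 trap does not, so a template that reads varbinds by position ($7, $9, ...) lands on a different object in each, whereas keying on the MIB object name is stable. The varbind values are transcribed from the attached report; the field-to-position map is an inference from its Message Text lines.

```python
# Bind Snort IDS-alert trap varbinds by OID name instead of by position.
# Varbinds transcribed from the attached OVO report as (OID leaf, value).

SMTP_TRAP = [                      # trap 2 in the dump: 16 varbinds
    ("sidaSensorVersion", "Snort! <*- Version 1.8.7beta2 (Build 114)"),
    ("sidaSensorAddressType", "ipv4"),
    ("sidaSensorAddress", "12.237.138.77"),
    ("sidaAlertTimeStamp", "1021187288.314183"),
    ("sidaAlertMsg", "SMTP RCPT TO overflow"),
    ("sidaAlertMoreInfo", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260, "
                          "http://www.securityfocus.com/bid/2283, "),
    ("sidaAlertSrcAddressType", "ipv4"),
    ("sidaAlertSrcAddress", "216.136.204.119"),
    ("sidaAlertDstAddressType", "ipv4"),
    ("sidaAlertDstAddress", "12.237.138.77"),
    ("sidaAlertSrcPort", "25955"),
    ("sidaAlertDstPort", "25"),
    ("sidaAlertSrcMacAddress", "0x00 02 fc 86 80 8c"),
    ("sidaAlertDstMacAddress", "0x00 c0 f0 3c 2f 3e"),
    ("sidaAlertImpact", "attemptedAdmin"),
    ("sidaAlertEventPriority", "1"),
]
STREAM4_TRAP = [                   # trap 3 in the dump: 13 varbinds, no MoreInfo
    ("sidaSensorVersion", "Snort! <*- Version 1.8.7beta2 (Build 114)"),
    ("sidaSensorAddressType", "ipv4"),
    ("sidaSensorAddress", "12.237.138.77"),
    ("sidaAlertTimeStamp", "1021187384.483626"),
    ("sidaAlertMsg", "spp_stream4: Multiple Acked Packets (possible fragroute)"),
    ("sidaAlertSrcAddressType", "ipv4"),
    ("sidaAlertSrcAddress", "12.247.65.45"),
    ("sidaAlertDstAddressType", "ipv4"),
    ("sidaAlertDstAddress", "12.237.138.77"),
    ("sidaAlertSrcPort", "21"),
    ("sidaAlertDstPort", "3388"),
    ("sidaAlertSrcMacAddress", "0x00 02 fc 86 80 8c"),
    ("sidaAlertDstMacAddress", "0x00 c0 f0 3c 2f 3e"),
]

# Field -> 1-based varbind position, as the OVO template in the dump reads them
# (inferred from its Message Text lines: $7 is SrcAddr, $9 DstAddr, and so on).
POSITIONAL = {"SrcAddr": 7, "DstAddr": 9, "SrcPort": 10, "DstPort": 11,
              "SrcMAC": 12, "DstMAC": 13}
# Field -> MIB object name; independent of how many varbinds the trap carries.
BY_OID = {"SrcAddr": "sidaAlertSrcAddress", "DstAddr": "sidaAlertDstAddress",
          "SrcPort": "sidaAlertSrcPort", "DstPort": "sidaAlertDstPort",
          "SrcMAC": "sidaAlertSrcMacAddress", "DstMAC": "sidaAlertDstMacAddress"}

def bind_by_position(varbinds):
    """Read fields the way a positional $N template does."""
    return {f: varbinds[n - 1][1] if n <= len(varbinds)
            else f"(UNAVAILABLE EVENT PARAMETER ${n})"
            for f, n in POSITIONAL.items()}

def bind_by_oid(varbinds):
    """Read fields by OID name; None when the trap does not carry the object."""
    values = dict(varbinds)
    return {f: values.get(name) for f, name in BY_OID.items()}

def shifted_fields(varbinds):
    """Fields where positional binding disagrees with OID-keyed binding."""
    pos, oid = bind_by_position(varbinds), bind_by_oid(varbinds)
    return sorted(f for f in pos if pos[f] != oid[f])
```

Running shifted_fields on the SMTP trap lists all six address, port and MAC fields, matching the scrambled Message Text in the dump, while the stream4 trap lists none.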


