[Snort-devel] Re: MIB/SMNP Issue
Glenn Mansfield Keeni
glenn at ...1085...
Sun May 12 06:51:02 EDT 2002
Rob Hughes wrote:
> On Sat, 2002-05-11 at 19:54, Glenn Mansfield Keeni wrote:
>>Rob Hughes wrote:
>>This does not seem to be the correct direction. If you will let me know
>>what is the problem with the intergration. I can try to help.
> Still digging, and still finding weirdness. Attached is a text file of a few events
> dumped from OVO for comparison. Notice that some of the variables are not passed
> consistently in the traps. In particular, the src/dst mac, port and address seem to
> be passed differently in some of the traps. Why is this?
The notification mechanism used by the Snort implementation uses all the
notification MOs as optional. If there is no value associated with an MO
then the MO is not reported in the Notification. This saves on bandwidth
and provides flexibility (include as much information as is available).
But this variable format has caused problems with fixed format
notification receivers. So, I have prepared an update. I have
defined new incarnations of the Notification objects. These
Notifications have some mandatory objects and some optional objects.
The mandatory objects will always be present in the respective
Notification. The optional objects will be present by default. [The
MIB definition now describes the MO value to be used when the value of
the MO is not known, not available or, not applicable.]
A new parameter is added to the snmpTrap output plugin - this parameter
allows one to configure snort to send compact notifications - MOs for
which no information is present are not sent in the notification.
This should solve most (if not all) the problems for the time being.
So the next question is when is this plugin going to appear ?
Umm... let me get the documentation in place; should be anytime now!
More information about the Snort-devel