[Snort-devel] [Fwd: [tech:02224] Snort-Snmp Upgrade]

Glenn Mansfield Keeni glenn at ...1085...
Fri May 31 19:43:01 EDT 2002


Hi folks,
   The long awaited SnortSnmp upgrade is here.
It is available at
  http://www.cysol.co.jp/contrib/snortsnmp/snortSnmpPlugin-1.8.6.tar.gz
The Patch to upgrade from the earlier snortSnmpPlugin-02-1.8.3.tar.gz
is available  at
http://www.cysol.co.jp/contrib/snortsnmp/SnortSnmpPatch-03.gz

 Could someone please do the needful to update the cvs with the latest
snortSnmp plugin. Thanks.

The major changes are (details are in snort-1.8.6/ChangesSnmpTrap020502)
   1. Added the following MOs
        sidaAlertProto
        sidaAlertRuleID
        sidaAlertRuleRevision
        sidaPacketPrint
   2. Deprecated the following alerts
        sidaAlertGeneric
        sidaAlertScanStatus
   3. Added the following Alerts
        sidaAlertGeneric-2
        sidaAlertScanStatus-2
   4. Description of MOs revised to define the value to
      be used when the true value of the MO is unknown,
      not available or not applicable.

   5. An optional "notification option" has been added to the
      trap_snmp plugin activation line in snort.conf. The trap_snmp
      plugin accepts the options
      [c],[p[m|s]]
          where,
              c : Generate compact notifications.
                 (Saves on bandwidth by not reporting MOs for which
                  values are unknown, not available or, not applicable.
                  For details see below.)
                  By default this option is reset.
              p : Generate a print of the invariant part of the
                  offending packet. This can be used to track the packet
                  across the Internet. If you do not know what this is
                  about you probably do not need this.
                  By default this option is reset.
              m : Use the MD5 algorithm to generate the packet print.
                  By default this algorithm is used. If you do not know
                  what this is about you probably do not need this.
              s : Use the SHA1 algorithm to generate the packet print.
                  If you do not know
                  what this is about you probably do not need this.

    6. The handling of MOs reported in alerts has been modified.
       The "mandatory" MOs are always reported. The optional MOs are
       reported by default. If the value of an MO is not available,
       unknown or not applicable then a predefined value (specified in
       the MIB) will be reported to indicate that.[These notifications
       have the advantages of being fixed format and the disadvantage of
       being unnecessarily large.]

       If the compact notification option is specified in the trap_snmp
       activation line then the MOs for which the values are unknown or
       not available will not be present in the notification. The
       ordering of the MOs does not change - but the place of the MOs
       may change. [ These notifications have the advantage of being
       compact (there are no MOs without meaningful values in the
       notification) and the disadvantage of being variable format.
       (variable format should not be a problem as an SNMP notification
       always contains the information in MO-Value pairs) ]

     7. Finally, there are the packet prints. These may be included in
       the notification by specifying the "packet print" option in the
       trap_snmp activation line. It essentially generates a hash
       of the invariant part of the packet (the checksum, ttl and any
       other variable field are masked out) using the specified
       algorithms (MD5 | SHA1).  The idea being that the notification
       receiver can use this "packet print" to correlate and/or track
       attacks. (Why use the packet print instead of the raw packet
       itself?  Using raw packets leads to privacy issues and opens
       up another can of worms. Using one-way hashes reveals nothing
       about the packet(s) being investigated - but serves the purpose
       of correlating, tracking! )



Have fun and keep the comments coming !

Glenn


 PS. A demonstration of the packet print based tracking feature
     was done at the RSA Conference 2002 and exhibition held in
     Tokyo (29/5 - 30/5). Snort! Snort!
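As an added illustration of the "packet print" idea in item 7 (this is example code written for this page, not the plugin's own implementation), the following hashes an IPv4/TCP packet after zeroing the fields that change in transit. The exact set of masked fields, the constructed sample packets and their checksum values are assumptions made for the example; the plugin's own mask is defined in its source.

```python
import hashlib
import struct

# (offset, length) pairs zeroed before hashing. Assumed mask for this example:
# IPv4 TTL (byte 8) and header checksum (bytes 10-11) change hop by hop,
# and the TCP checksum (bytes 16-17 of the TCP header) changes with them.
IPV4_MUTABLE = [(8, 1), (10, 2)]
TCP_MUTABLE = [(16, 2)]
ALGORITHMS = {"m": hashlib.md5, "s": hashlib.sha1}   # the plugin's p[m|s] options


def mask_invariant(packet: bytes) -> bytes:
    """Return a copy of an IPv4 packet with the mutable fields zeroed out."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("only IPv4 packets are handled in this example")
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    buf = bytearray(packet)
    for off, ln in IPV4_MUTABLE:
        buf[off:off + ln] = bytes(ln)
    if packet[9] == 6 and len(packet) >= ihl + 20:   # protocol 6 is TCP
        for off, ln in TCP_MUTABLE:
            buf[ihl + off:ihl + off + ln] = bytes(ln)
    return bytes(buf)


def packet_print(packet: bytes, algorithm: str = "m") -> str:
    """Hex digest of the invariant part of the packet: 'm' = MD5, 's' = SHA1."""
    return ALGORITHMS[algorithm](mask_invariant(packet)).hexdigest()


def build_packet(ttl: int, ip_csum: int, tcp_csum: int, dport: int = 80) -> bytes:
    """Constructed IPv4/TCP SYN 192.0.2.1:40000 -> 198.51.100.7:dport.
    The checksum values are placeholders, not computed ones."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6,
                     ip_csum, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1000, 0, 0x50, 0x02, 8192,
                      tcp_csum, 0)
    return ip + tcp


def same_packet_at_two_sensors() -> bool:
    """The same SYN seen four hops apart (different TTL and checksums)
    yields one print, so two receivers can correlate it without the raw bytes."""
    near = build_packet(ttl=64, ip_csum=0xAAAA, tcp_csum=0x1111)
    far = build_packet(ttl=60, ip_csum=0xBBBB, tcp_csum=0x2222)
    return packet_print(near) == packet_print(far)
```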
