[Snort-devel] snmp plugin and net-snmp 5.06's syntax

twig les twigles at ...398...
Sat Jan 18 10:23:02 EST 2003

Hey guys/gals, I'm wondering if a problem I ran into
might be a snafu in the snmp plugin.  Basically I got
snort 1.90 (build 209) to send alerts via net-snmp
5.06 to another box (both FreeBSD 4.7 release) running
"snmptrapd -Os -P", but had to jump through some
hoops.  When I start and stop snmpd on the sensor,
snmptrapd on the viewer receives traps normally, but
when snort alerts it sees nothing because the alerts
go to udp 161 (confirmed with tcpdump).

I fixed this by adding "defaultport  162" to
snmp.conf, but it worries me that if I need to do any
other snmp stuff with this box I will have just broken
some of our other apps already running in the
infrastructure (HPOV for example).

The reason I think the plugin might not be working the
new snmpcmd syntax is that I keep getting errors when
I use the -p and when I *don't* use the -c arguments. 
Net-snmp 5.06 uses the [hostname]:[port] syntax but
Snort errors out on that syntax too, saying it doesn't
understand, and I should use -p.

So basically I have 2 concerns here.  The first is
that traps should be going to udp 162 by default,
which they are, but not for snort alerts.  The second
is that the syntax seems to have changed and the
plugin either doesn't understand it or the docs just
haven't been updated yet.  Please don't take this as
criticism, if I had the coding experience/know-how I
would look for the problem myself (I hate begging for
code...so unbecoming).  I can recreate the problem
anytime if someone wants tcpdump output or the exact errors.

Know yourself and know your enemy and you will never fear defeat.         

Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.

More information about the Snort-devel mailing list