[Snort-users] SNMP alerts?

Glenn Mansfield glenn at ...1097...
Fri Jan 5 23:02:23 EST 2001


SNMP alerts? Yes, our Snort output plugins do send out SNMP alerts -
and secure ones too. It is no big deal. The corresponding MIB, which
defines the objects that will be used in the alerts, is defined in
http://www.ietf.org/internet-drafts/draft-glenn-id-sensor-alert-mib-01.txt
The "sensor" MIB has used Snort as the model.

We have this MIB implemented on tiny IDSs running snort and generating
snmp-alerts [Nothing else]. The almighty managers receiving the alerts
do the work and even generate XML messages in conformance with the
present proposed IDMEF XML-DTD. [This was demonstrated at the
IETF-IDWG meeting at San Diego. Details should be there in the minutes]

For those who want the MIB, it is already there - let me know if there are
more things that we will need in the MIB. I intend having a core MIB which
contains the essentials and several extension MIBs for Packet formats,
traffic patterns, specific attacks ......

For those who want the code, please hold on. I need to do the packaging so
that only a few simple steps are required to build and make. It is coming
soon.

Cheers

Glenn

----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Dragos Ruiu" <dr at ...381...>
Cc: "Fyodor" <fygrave at ...121...>; "Jeff Dell" <jdell at ...912...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, December 05, 2000 4:04 PM
Subject: Re: [Snort-users] SNMP alerts?


> If someone codes it up, I'll include it.  Don't we have to purchase some sort
> of unique ID for our SNMP traffic, though?  I seem to remember something
> about that (watch as Marty reveals his astounding ignorance of all things
> SNMP...) :)
>
>    -Marty
>
> Dragos Ruiu wrote:
> >
> > On Mon, 04 Dec 2000, Fyodor wrote:
> > > On Mon, Dec 04, 2000 at 11:51:49AM -0500, Jeff Dell wrote:
> > > > > Has anyone thought about implementing snmp alerts within Snort? Similar to
> > > > > the smbalerts, but instead of a popup message, it is a snmp trap?
> > > >
> > >
> > > yup, "throught", :), want to code it? :)
> >
> > And please save us all some security grief if you do... please
> > look at V3 before implementing, though it may look "simple", imho
> > it has some safety concerns... :-)
> >
> > cheers,
> > --dr
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
