[Snort-users] SNMP Output question.
hugh_fraser at ...2804...
Wed Sep 5 06:32:06 EDT 2001
There are two scenarios, and the solution depends upon what you want to do.
The first is where Omnibus is the repository, and you want Snort to only
detect certain events (ie. the .ida attempts). To do this, create a
local.rule file that contains only the rules you're interested in, and
comment out all the other include statements in snort.conf. Snort will then
only detect the signatures in local.rules, and send them all to Omnibus via
The second scenario is to have Snort keep all events locally, and send
certain ones to Omnibus. In snort.conf, create a ruletype that sends events
to events to Omnibus as well as whatever you're doing to store events
locally (there are examples in the file for doing this), and change the
".ida" rules in the .rules files to use this logging ruletype instead of
> -----Original Message-----
> From: Vjay LaRosa [SMTP:vjayl at ...3331...]
> Sent: Tuesday, September 04, 2001 5:50 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] SNMP Output question.
> I have a quick question. I am a newbie to snort. I have only had it
> running for a few days.
> I am integrating snort in to my SNMP management framework (Netcool
> Omnibus). At this
> point every alert is being sent the management station. I am only
> interested in sending a few
> alerts in particular. (.ida attempts in particular). I am struggling to
> figure out how to accomplish this. Any help would be appreciated. Thanks!
> P.S. These are my output lines in my rules file.
> output trap_snmp: alert, 10, trap -v 2c -p 162 X.X.X.X public
> output trap_snmp: alert, 8, trap -v 2c -p 162 X.X.X.X public
> output trap_snmp: alert, 3, trap -v 2c -p 162 X.X.X.X public
> V.Jay LaRosa EMC Corporation
> Systems Administrator 171 South Street
> (508)435-1000 ext 14957 Hopkinton, MA 01748
> (508)497-8082 fax www.emc.com
More information about the Snort-users