[Snort-users] Snort-1.8.7 + snmp support

Chris Green cmg at ...1935...
Fri Jul 26 11:48:06 EDT 2002


"Schlottmann, Philipp, HO" <Philipp.Schlottmann at ...6359...> writes:

> Hi.
>
> I configured snort with mysql database output and snmp trap sending support.
>
> I only once forced an event to be triggered by using "nmap -sS someIP", and
> snort produces an enormous, never-ending amount of SNMP traps (UDP). I
> checked it with tcpdump and grep'ed for the community string. The SNMP traps
> themselves are again recognized by snort, causing a kind of endless loop! My
> ACID console with the underlying mysql snort db gets performance problems, and
> so on.
>
> How come snort produces SNMP traps all the time just because of one
> triggered signature... and it never stops?

Basically, it's a problem of not using an out-of-band management
network.

Short fix:

add this to your snort command line

not \( src 192.168.1.1  and udp and dst port 162 \)

where 192.168.1.1 is the IP address of your sensor

>
> How can I fix this? Is there a way to tell snort not to recognize the snmp
> traps it produced itself, or to produce fewer traps, or at least to stop within
> some time?
>
> Thanx a lot!
>
> Philipp Schlottmann

-- 
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod