[Snort-users] trap to two destinations

Mark D. Nagel mnagel at ...5391...
Tue Mar 26 12:26:17 EST 2002


----- Original Message -----
From: "Andrew R. Baker" <andrewb at ...950...>
To: <rnoonan at ...5308...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, March 26, 2002 11:54 AM
Subject: Re: [Snort-users] trap to two destinations


> Richard Noonan wrote:
> > I am attempting to trap to two hosts from a single snort config.  I've
> > defined the ruletype below:
> >
> > ruletype dsnmp
> > {
> > type alert
> > output trap_snmp: alert, 7, trap -v 2c -p 163  10.2.1.3 public
> > output trap_snmp: alert, 7, trap -v 2c -p 162  10.2.1.4 public
> > output alert_syslog: LOG_AUTH LOG_ALERT
> > }
> >
> > And what happens is whichever trap_snmp appears 2nd gets the traps.
> > Whichever one appears first gets nothing.  Syslog seems to work always.  Is
> > this in fact an unsupported config?
>
> The SnmpTrap output plugin does not currently support multiple instances
> of itself.  We may be able to add this functionality in Snort 1.9.

Another alternative might be looper -- see
http://edgesolutions.ca/article.php?sid=7.  Looper can forward traps sent to
it via multiple destinations or transform them to different output formats
as well.  Looks pretty useful, though I have not tried it in production...

Mark
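
The fan-out approach suggested above, sketched as an added example (it is not Looper's code and not part of the original thread): Snort is configured with a single trap_snmp output pointing at a small UDP relay, which copies each trap datagram unchanged to both receivers. The two destinations are the ones from the quoted ruletype; the listen address and the function names are assumptions.

```python
import socket

# Destinations from the ruletype quoted in the thread.
DESTINATIONS = [("10.2.1.3", 163), ("10.2.1.4", 162)]
# Assumed listen address: the one host/port Snort's single trap_snmp output targets.
LISTEN = ("127.0.0.1", 10162)


def fan_out(sock, datagram, destinations):
    """Send one trap datagram, byte for byte, to every destination.

    Returns the destinations that could not be sent to, so one dead
    receiver never stops delivery to the others.
    """
    failed = []
    for dest in destinations:
        try:
            sock.sendto(datagram, dest)
        except OSError:
            failed.append(dest)
    return failed


def relay(listen, destinations, max_datagrams=None):
    """Receive traps on `listen` and fan each one out; returns the count relayed."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    count = 0
    try:
        rx.bind(listen)
        while max_datagrams is None or count < max_datagrams:
            # 65535 covers the largest possible UDP payload, so traps are never truncated.
            datagram, _source = rx.recvfrom(65535)
            for dest in fan_out(tx, datagram, destinations):
                print("trap not delivered to %s:%d" % dest)
            count += 1
    finally:
        rx.close()
        tx.close()
    return count


if __name__ == "__main__":
    relay(LISTEN, DESTINATIONS)
```

Both receivers will see the relay's address as the UDP source of every trap, so any receiver-side rule keyed on the sensor's IP has to match the relay instead.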






