[Snort-users] Snort SNMP Variables are not consistent?

Metz, Tim TMetz at ...4410...
Wed May 1 05:21:10 EDT 2002


Searching through the archives I came across this thread and I am having the
same problem. It seems that if a variable is empty all the string numbers
decrement - poor description but I think you know what I mean.

For example, if $8 is supposed to be src ip but $7 is empty then $7 becomes
src ip. I'm still confirming this is the pattern.

I use snort 1.8.7 build 108 and am sending v2c traps (alerts not informs) to
HP OpenView.

Marty: not trying to suck a$$ but your portion was definitely the best at SANS
in Orlando.


Thanks,

Tim Metz
PanAmSat Atlanta
+1-404-381-2828


-----Original Message-----
From: Martin Roesch [mailto:roesch at ...1935...]
Sent: Friday, March 15, 2002 7:09 PM
To: Vjay LaRosa; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort SNMP Variables are not consistent?


Geez man, give us a chance!  I don't normally run SNMP alerting and I have
to setup a test environment here to check it out, gimme a little time and
I'll get on it.

    -Marty

On 3/15/02 4:18 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:

> O.Kay,
> 
> I give up. I guess nobody else that sends SNMP traps with snort has
> noticed this. If anyone knows why it is doing
> this I would appreciate it. Or at least if someone else sees the same
> thing let me know.
> 
> vjl
> 
> 
> 
> Vjay LaRosa wrote:
> 
>> Hello,
>> 
>> Is anyone else using snort 1.8.4 Beta-4 to send SNMP traps? I have
>> snort configured to trap to our Netcool
>> Omnibus server.
>> 
>> Originally snort 1.8.4 Beta-1 was sending the following information in
>> these variables.
>> 
>> $8      Src IP
>> $10    Dst IP
>> $11    Src Port
>> $12    Dst Port
>> 
>> But now that I upgraded I noticed that some alerts use this as their
>> variable mappings,
>> 
>> $7      Src IP
>> $9      Dst IP
>> $10    Src Port
>> $11    Dst Port
>> 
>> but some alerts are still sent using the old format. What's up with
>> this? Am I crazy or is something not right?
>> 
>> vjl
>> 
>> --
>>  V.Jay LaRosa                           EMC Corporation
>>  Systems Administrator                  171 South Street
>>  (508)435-1000 ext 14957                Hopkinton, MA 01748
>>  (508)497-8082 fax                      www.emc.com
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> V.Jay LaRosa                           EMC Corporation
> Systems Administrator                  171 South Street
> (508)435-1000 ext 14957                Hopkinton, MA 01748
> (508)497-8082 fax                      www.emc.com
> 

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
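
Added example, not part of the original thread: a sketch of the shift Tim and Vjay describe, assuming (as Tim suspects, unconfirmed here) that an empty variable is simply left out of the trap. The OIDs, sample values and function names are constructed placeholders, not Snort's MIB; the code contrasts reading fields by $N position with reading them by varbind OID on the receiving side.

```python
# Added illustration; the OIDs are constructed placeholders, not Snort's real MIB.
BASE = "1.3.6.1.4.1.99999.1."  # hypothetical enterprise prefix
# Positions reported in the thread for the original layout ($8, $10, $11, $12).
POSITIONS = {"src_ip": 8, "dst_ip": 10, "src_port": 11, "dst_port": 12}
FIELD_OIDS = {BASE + str(pos): name for name, pos in POSITIONS.items()}
SAMPLE = {8: "10.0.0.5", 10: "192.0.2.10", 11: "34567", 12: "80"}  # constructed


def make_trap(omit=()):
    """Build a constructed 12-varbind trap as (oid, value) pairs, dropping
    the positions in `omit` to model an empty variable being left out."""
    return [(BASE + str(i), SAMPLE.get(i, "filler%d" % i))
            for i in range(1, 13) if i not in omit]


def by_position(varbinds):
    """Resolve fields the way a $N rule does: Nth varbind, 1-based."""
    return {name: varbinds[pos - 1][1] if pos <= len(varbinds) else None
            for name, pos in POSITIONS.items()}


def by_oid(varbinds):
    """Resolve fields by varbind OID, independent of ordering or gaps."""
    found = {FIELD_OIDS[oid]: val for oid, val in varbinds if oid in FIELD_OIDS}
    return {name: found.get(name) for name in POSITIONS}


def shifted_fields(varbinds):
    """Fields where the positional value disagrees with the OID-keyed value."""
    pos, oid = by_position(varbinds), by_oid(varbinds)
    return sorted(name for name in POSITIONS if pos[name] != oid[name])


if __name__ == "__main__":
    for label, trap in (("full", make_trap()), ("$7 empty", make_trap(omit={7}))):
        print(label, "positional:", by_position(trap))
        print(label, "by OID:    ", by_oid(trap))
        print(label, "shifted:   ", shifted_fields(trap))
```

A non-empty result from shifted_fields() is a cheap consistency check to run on incoming traps before their positional fields are trusted for correlation.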

