[Snort-users] Specifying SNMP Traps.

larosa, vjay larosa_vjay at ...3331...
Mon May 6 15:10:02 EDT 2002


Hello,

I am not sure (testing it tonight), but is it possible to select individual
rules to send SNMP traps from?
In some cases there is no sense in sending a trap for every single event
Snort flags. I am only interested in
approximately 10 to 15 at this point. Can anyone tell me if this will work?


Add this to snort.conf:

snip---------------------
	ruletype trap-db
	{
	type alert
	output trap_snmp: alert, 1, trap -v 2c -p 162 10.10.10.15 public
	output database: log, mysql, user=snort dbname=snort host=localhost
	}
snip--------------------------

then substitute trap-db for alert in the rules from which I want to send SNMP traps
and log to the DB:

trap-db tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"/cmd.exe?"; nocase; classtype:web-application-attack; sid:1002; rev:3;)


This could alleviate some overhead by selecting the specific events for which SNMP
traps are sent.

Thanks!

vjl
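As an added example (not from the post above or from the Snort project), a small Python helper that rewrites the action keyword of selected rules to a custom ruletype such as trap-db, so that only the chosen sids reach the trap_snmp output while everything else keeps the plain alert action. The rule text it works on is constructed sample input; the function name retarget_rules and the sid values other than 1002 are assumptions.

```python
import re

# Action keyword at the start of a rule; everything after it is kept verbatim.
ACTION_RE = re.compile(r"^(?P<indent>\s*)(?P<action>alert|log|pass)(?P<rest>\s+\S.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (not the real Snort rule set); the second rule is
# split with a backslash continuation and the third is commented out.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"/cmd.exe?"; nocase; classtype:web-application-attack; sid:1002; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB sample rule two"; \\
    flags:A+; content:"/sample/"; nocase; sid:1000001; rev:1;)
# alert tcp any any -> any 21 (msg:"disabled rule"; sid:1002; rev:1;)
log tcp any any -> any 23 (msg:"telnet session"; sid:1000002; rev:1;)
"""

def retarget_rules(rules_text, sids, ruletype="trap-db", action="alert"):
    """Rewrite the action of every active rule whose sid is in `sids` from
    `action` to the custom `ruletype`. Returns (new_text, set_of_changed_sids).
    Comments, other actions and rules not in `sids` pass through unchanged."""
    out, changed, lines, i = [], set(), rules_text.splitlines(), 0
    while i < len(lines):
        block = [lines[i]]
        # Gather backslash-continued lines so the sid can be located.
        while block[-1].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            block.append(lines[i])
        i += 1
        joined = " ".join(l.rstrip().rstrip("\\").strip() for l in block)
        sid_m = SID_RE.search(joined)
        act_m = ACTION_RE.match(block[0])  # no match for '#' comment lines
        if (act_m and act_m.group("action") == action and sid_m
                and int(sid_m.group(1)) in sids):
            block[0] = act_m.group("indent") + ruletype + act_m.group("rest")
            changed.add(int(sid_m.group(1)))
        out.extend(block)
    tail = "\n" if rules_text.endswith("\n") else ""
    return "\n".join(out) + tail, changed

if __name__ == "__main__":
    text, changed = retarget_rules(SAMPLE_RULES, {1002, 1000001})
    print(text)
    print("retargeted sids:", sorted(changed))
```

The rewritten rules file is what snort would then load alongside the ruletype block; a sid that only appears in a commented-out rule, or in a rule with a different action, is left alone and not reported as changed.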