[Snort-users] How to capture the Snort sensor ID using SnMP traps

Jose Vicente Nunez Zuleta josevnz at ...7052...
Wed Oct 2 07:56:47 EDT 2002


I set up Snort and is working fine; I managed to generate some events using NMAP but i'm not able to get the following information:

1) Interface where the event was captured (important if you are running several Snort instances on the same machine on different NICs). I'm running Snort on my Stelath and administrative NIC.
2) The Snort ID (I set it up to 6720615032)

Here is my snort config:

output trap_snmp: alert, 16720615032, trap -v 2c -p 162  <MYNMS> <MY_COMMUNITY>

And here is what i get (this is a sample so i'm suing snmptrapd on a test box):

	system.sysUpTime.0 = Timeticks: (58509321) 6 days, 18:31:33.21	.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.10234.	enterprises.10234. = "Snort! <*-.Version 1.8.7 (Build 128)"	enterprises.10234. = "1033569387. 22740"	enterprises.10234. = "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection"	enterprises.10234. = 1	enterprises.10234. = "OFENDERIP"	enterprises.10234. = 1	enterprises.10234. = "VICTIMIP"	enterprises.10234. = 62583	enterprises.10234. = 1	enterprises.10234. =  Hex: 00 02 4B DD AD 60 	enterprises.10234. =  Hex: 08 00 20 9A CE 15 
2002-10-02 10:36:27 SNORTSENSOR [SNORTSENSORIP]:

So far i'm not able to see the info i want anywhere on the trap message...

Any ideas?

Thanks in advance,


José Vicente Núñez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator (http://www.newbreak.com)

More information about the Snort-users mailing list