[Snort-users] SNMP bug for SNORT v 1.9 ???

Erek Adams erek at ...950...
Fri Jan 24 06:30:05 EST 2003


On Fri, 24 Jan 2003, Doan Nguyen wrote:

> my original purpose was to have SNORT send traps to my network manager
> for any rules that SNORT detects.  The problem here is that I think
> SNORT is suppose to send only 1 trap per an incident, instead it is
> continuously sending the same traps for that 1 incident which I do not
> think is correct.

Two things:

	* Snort sends an alert for each and every packet that causes an
alert.  If Snort sees 10,000,000 packets that match a rule, you get
10,000,000 alerts.  Since you're sending SNMP traps on each alert, you'll
get 10,000,000 traps.

	* What alert are you getting?  You might actually be causing a
'endless loop' with the alerts.  If the rule has it's trigger value in the
alert that gets sent in cleartext, unless you're taking precautions you'll
get that rule to trigger on the alert, and then to trigger on that alert,
and so on...  I think that's what twig was pointing to.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list