[Snort-users] SNMP bug for SNORT v 1.9 ???

twig les twigles at ...131...
Fri Jan 24 10:14:09 EST 2003


Yes, that is exactly what I meant, although my
response may have come across as a little too glib.  I
would never make fun of anyone for causing an endless
stream of snmp traps/alerts that were alerting on
themselves...because I did it :).  So try going into
snort.conf and commenting out the snmp.rules line, or
go into snmp.rules and comment out the trap alert.

Another less likely possibility (that I learned the
hard way) is that you may be sending informs and OV
isn't responding.

A third somewhat remote possibility that punched me in
the mouth is that using the net-snmp 5.x line instead
of the ucd-snmp 4.x line wouldn't allow me to specify
UDP 162 because the snmpcmd syntax had changed and the
plugin wouldn't accept the new syntax.  So traps went
to 161 until I told net-snmp to use 162 for EVERYTHING
in snmp.conf.  I don't know why traps didn't just go
to 162 by default.

Hope that helps


--- Erek Adams <erek at ...950...> wrote:
> On Fri, 24 Jan 2003, Doan Nguyen wrote:
>
> > my original purpose was to have SNORT send traps to my network manager
> > for any rules that SNORT detects.  The problem here is that I think
> > SNORT is supposed to send only 1 trap per incident, instead it is
> > continuously sending the same traps for that 1 incident which I do not
> > think is correct.
>
> Two things:
>
> 	* Snort sends an alert for each and every packet that causes an
> alert.  If Snort sees 10,000,000 packets that match a rule, you get
> 10,000,000 alerts.  Since you're sending SNMP traps on each alert, you'll
> get 10,000,000 traps.
>
> 	* What alert are you getting?  You might actually be causing an
> 'endless loop' with the alerts.  If the rule has its trigger value in the
> alert that gets sent in cleartext, unless you're taking precautions you'll
> get that rule to trigger on the alert, and then to trigger on that alert,
> and so on...  I think that's what twig was pointing to.
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."  H.S. Thompson


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
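
The trap feedback loop discussed in this thread, as an added toy model that is not part of the original messages and is not Snort code. The addresses, rule messages and function names are constructed for illustration; it shows one trap per matching packet, and traps re-triggering rules unless the sensor's own traps are excluded from inspection.

```python
# Toy model of the trap feedback loop (added example, not Snort code).
from collections import deque, namedtuple

Packet = namedtuple("Packet", "src dst dport payload")

SENSOR, MANAGER, TRAP_PORT = "192.0.2.10", "192.0.2.20", 162  # constructed

# Constructed rules as (alert message, match predicate); first match wins.
RULES = [
    ("cmd.exe access", lambda p: b"cmd.exe" in p.payload),  # content rule
    ("SNMP trap seen", lambda p: p.dport == TRAP_PORT),     # trap alert
]

def is_own_trap(pkt):
    """True for traps this sensor sent to its own manager."""
    return (pkt.src, pkt.dst, pkt.dport) == (SENSOR, MANAGER, TRAP_PORT)

def run_sensor(traffic, exclude_own_traps, max_traps=1000):
    """Inspect packets in order; return (traps_sent, hit_cap).

    One alert, and so one trap, per matching packet. Each trap carries the
    alert message in cleartext and crosses the monitored segment, so it is
    queued for inspection like any other packet.
    """
    queue, traps = deque(traffic), 0
    while queue:
        pkt = queue.popleft()
        if exclude_own_traps and is_own_trap(pkt):
            continue  # never inspect the sensor's own notifications
        for msg, matches in RULES:
            if matches(pkt):
                if traps >= max_traps:
                    return traps, True  # loop would not end on its own
                traps += 1
                queue.append(Packet(SENSOR, MANAGER, TRAP_PORT, msg.encode()))
                break
    return traps, False

# Constructed sample: three matching web requests and one benign one.
SAMPLE = [Packet("198.51.100.7", "192.0.2.80", 80, b"GET /scripts/cmd.exe")] * 3
SAMPLE.append(Packet("198.51.100.8", "192.0.2.80", 80, b"GET /index.html"))

if __name__ == "__main__":
    print("own traps inspected:", run_sensor(SAMPLE, exclude_own_traps=False))
    print("own traps excluded: ", run_sensor(SAMPLE, exclude_own_traps=True))
```

With the sensor's own traps excluded, the three matching packets yield exactly three traps; with them inspected, the run only stops at the cap.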
