[Snort-users] SNMP Questions
mkettler at ...4108...
Tue Aug 10 12:57:10 EDT 2004
At 01:58 PM 8/10/2004, Brian Zuromski wrote:
> I'm using snort 2.1.3 on RHES 3.0 and I'm having an issue with
> SNMP alerts. I've set my 'var SNMP_SERVERS' to my current SNMP
> monitoring servers on our network. My problem is that the alerts are
> still being generated and filling up my database from our monitoring
> server. I want it to alert on any SNMP traffic except coming from our
> SNMP monitoring servers in 'var SNMP_SERVERS'. Can anyone help? Or
> maybe I'm doing something wrong.
From looking at the rules, none of them actually make use of SNMP_SERVERS,
so changing that value won't accomplish anything on the default setup...
They all currently use EXTERNAL_NET and HOME_NET in snmp.rules.
As a fix, I'd suggest moving the snmp.rules to the last entry in your
snort.conf and redefine EXTERNAL_NET to !$SNMP_SERVERS right before you
include it. This way the SNMP rules will ignore your SNMP_SERVERS as you
something like this:
var EXTERNAL_NET !$SNMP_SERVERS
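
The check behind the reply above, that a variable can be defined in snort.conf yet referenced by no rule, can be automated. This is an added example, not part of the original post or of Snort itself; the config and rule lines are constructed samples, and only the plain `$NAME` reference form is handled.

```python
import re

# Constructed sample input, not taken from a real snort.conf or snmp.rules.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET any
var SNMP_SERVERS [10.1.1.5,10.1.1.6]
"""
SAMPLE_RULES = """\
# constructed rules using the EXTERNAL_NET -> HOME_NET header shape
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"example SNMP udp"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"example SNMP tcp"; sid:1000002;)
"""

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S.*)$")
VAR_REF = re.compile(r"\$(\w+)")  # plain $NAME references only

def defined_vars(conf_text):
    """Return {name: value} for every 'var NAME VALUE' line (last one wins)."""
    out = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def referenced_vars(rules_text):
    """Return the set of variables used in rule headers (text before the options)."""
    used = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = line.split("(", 1)[0]
        used.update(VAR_REF.findall(header))
    return used

def unused_vars(conf_text, rules_text):
    """Variables defined but referenced by no rule header and no other variable."""
    defs = defined_vars(conf_text)
    used = referenced_vars(rules_text)
    for value in defs.values():  # a variable may be used only inside another one
        used.update(VAR_REF.findall(value))
    return sorted(set(defs) - used)

if __name__ == "__main__":
    print("defined but unused:", unused_vars(SAMPLE_CONF, SAMPLE_RULES))
    fixed = SAMPLE_CONF + "var EXTERNAL_NET !$SNMP_SERVERS\n"
    print("after the redefinition:", unused_vars(fixed, SAMPLE_RULES))
```
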