[Snort-users] SNMP Questions

Matt Kettler mkettler at ...4108...
Tue Aug 10 12:57:10 EDT 2004


At 01:58 PM 8/10/2004, Brian Zuromski wrote:
>Hello,
>          I'm using snort 2.1.3 on RHES 3.0 and I'm having an issue with 
> SNMP alerts.  I've set my 'var SNMP_SERVERS' to my current SNMP 
> monitoring servers on our network.  My problem is that the alerts are 
> still being generated and filling up my database from our monitoring 
> server.  I want it to alert on any SNMP traffic except coming from our 
> SNMP monitoring servers in 'var SNMP_SERVERS'.   Can anyone help?  Or 
> maybe I'm doing something wrong.


From looking at the rules, none of them actually make use of SNMP_SERVERS, 
so changing that value won't accomplish anything on the default setup... 
They all currently use EXTERNAL_NET and HOME_NET in snmp.rules.

As a fix, I'd suggest moving the snmp.rules to the last entry in your 
snort.conf and redefining EXTERNAL_NET to !$SNMP_SERVERS right before you 
include it. This way the SNMP rules will ignore your SNMP_SERVERS as you 
desire.

something like this:

         include $RULE_PATH/xxx.rules
         include $RULE_PATH/xxx.rules
         include $RULE_PATH/xxx.rules

         var EXTERNAL_NET !$SNMP_SERVERS
         include $RULE_PATH/snmp.rules
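The ordering described above as a fuller snort.conf fragment. This is an added example, not part of Matt's post or of the Snort project's own configuration; the addresses and the rule file names other than snmp.rules are assumed placeholders. The point it makes explicit is that a var redefinition applies to every rule parsed after it, so anything included after the narrowed EXTERNAL_NET would inherit it, which is why snmp.rules has to be the final include.

```conf
# Added example (not from the original post): snort.conf ordering that keeps
# the stock snmp.rules but stops them from matching traffic sent by the SNMP
# monitoring servers. Addresses and non-snmp rule file names are constructed.

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

# The SNMP managers that are allowed to poll HOME_NET (constructed addresses).
var SNMP_SERVERS [192.168.1.10,192.168.1.11]

var RULE_PATH /etc/snort/rules

# ... preprocessor and output plugin configuration goes here ...

# Every other rule file is included while EXTERNAL_NET still means !$HOME_NET.
include $RULE_PATH/web-misc.rules
include $RULE_PATH/local.rules

# Narrow EXTERNAL_NET immediately before snmp.rules, and include nothing
# after it: the redefinition applies to every rule parsed from this point on.
var EXTERNAL_NET !$SNMP_SERVERS
include $RULE_PATH/snmp.rules
```

One side effect to be aware of: !$SNMP_SERVERS is broader than !$HOME_NET inside the monitored network, since internal hosts other than the two managers now count as "external" for snmp.rules. If SNMP traffic from ordinary HOME_NET hosts should stay excluded as well, the redefinition needs to negate both sets; whether a nested list such as a HOME_NET variable inside the negated list is accepted depends on the Snort version in use, so check the variable syntax supported by the installed release before relying on it.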
