Snort mailing list archives
RE: SNMP Output question.
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 5 Sep 2001 09:31:28 -0400
There are two scenarios, and the solution depends upon what you want to do. The first is where Omnibus is the repository, and you want Snort to only detect certain events (i.e. the .ida attempts). To do this, create a local.rules file that contains only the rules you're interested in, and comment out all the other include statements in snort.conf. Snort will then only detect the signatures in local.rules, and send them all to Omnibus via SNMP traps. The second scenario is to have Snort keep all events locally, and send certain ones to Omnibus. In snort.conf, create a ruletype that sends events to Omnibus as well as whatever you're doing to store events locally (there are examples in the file for doing this), and change the ".ida" rules in the .rules files to use this logging ruletype instead of "alert".
-----Original Message-----
From: Vjay LaRosa [SMTP:vjayl () emc com]
Sent: Tuesday, September 04, 2001 5:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNMP Output question.

Hello,

I have a quick question. I am a newbie to snort. I have only had it running for a few days. I am integrating snort into my SNMP management framework (Netcool Omnibus). At this point every alert is being sent to the management station. I am only interested in sending a few alerts in particular (.ida attempts in particular). I am struggling to figure out how to accomplish this. Any help would be appreciated.

Thanks!
vjl

P.S. These are my output lines in my rules file.

output trap_snmp: alert, 10, trap -v 2c -p 162 X.X.X.X public
output trap_snmp: alert, 8, trap -v 2c -p 162 X.X.X.X public
output trap_snmp: alert, 3, trap -v 2c -p 162 X.X.X.X public

--
V.Jay LaRosa
EMC Corporation
Systems Administrator
171 South Street
Hopkinton, MA 01748
(508)435-1000 ext 14957
(508)497-8082 fax
www.emc.com
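The second scenario Fraser describes (keep every alert locally, forward only the .ida rules to Omnibus through a custom ruletype) as a worked example. This is an added illustration, not code from the thread or from the Snort project: it emits a ruletype block in the same syntax as the commented examples in snort.conf and rewrites the action keyword of every rule whose msg mentions ".ida" from "alert" to that ruletype, leaving all other rules alone. The ruletype name omnibus_alert, the choice of alert_fast as the local store, the sensor id 10 and the X.X.X.X/public trap target are assumptions (the trap line is modelled on Vjay's posted output lines); the sample rules are constructed and simplified, not copied from a real rules file.

```python
"""
Forward only selected Snort rules to an SNMP manager via a custom ruletype.

Added example (not from the thread). Assumptions: ruletype name
"omnibus_alert", alert_fast as the local alert store, sensor id 10 and the
trap target X.X.X.X / community "public" copied from the posted output lines.
"""
import re

RULETYPE_NAME = "omnibus_alert"

# Ruletype block to paste into snort.conf: one ruletype can drive several
# output plugins, so matching rules are both written locally and trapped.
RULETYPE_BLOCK = f"""ruletype {RULETYPE_NAME}
{{
    type alert
    output alert_fast: alert
    output trap_snmp: alert, 10, trap -v 2c -p 162 X.X.X.X public
}}
"""

# Constructed, simplified sample rules (not a real web-iis.rules file).
SAMPLE_RULES = """# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; flags:A+; uricontent:".ida?"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; flags:A+; uricontent:".ida"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase;)
"""

# Leading action keyword of a rule line ("alert" only; log/pass rules are left as-is).
_ACTION_RE = re.compile(r"^(alert)(\s+)", re.IGNORECASE)
# The msg option of a rule, whose text decides whether the rule is forwarded.
_MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def wants_trap(rule: str, needle: str = ".ida") -> bool:
    """True when the rule's msg option contains needle (case-insensitive)."""
    m = _MSG_RE.search(rule)
    return m is not None and needle.lower() in m.group(1).lower()


def rewrite_rule(rule: str, ruletype: str = RULETYPE_NAME, needle: str = ".ida") -> str:
    """Return the rule with its 'alert' action swapped for ruletype if it matches.

    Blank lines, comments, non-matching rules and rules that do not start with
    'alert' are returned unchanged.
    """
    stripped = rule.lstrip()
    if not stripped or stripped.startswith("#") or not wants_trap(stripped, needle):
        return rule
    indent = rule[: len(rule) - len(stripped)]
    return indent + _ACTION_RE.sub(lambda m: ruletype + m.group(2), stripped, count=1)


def rewrite_rules(text: str, ruletype: str = RULETYPE_NAME, needle: str = ".ida") -> str:
    """Apply rewrite_rule to every line of a rules file's contents."""
    return "\n".join(rewrite_rule(line, ruletype, needle) for line in text.split("\n"))


def main() -> None:
    print("# add to snort.conf:")
    print(RULETYPE_BLOCK)
    print("# rewritten rules:")
    print(rewrite_rules(SAMPLE_RULES))


if __name__ == "__main__":
    main()
```

Rules whose action is not "alert", comment lines and rules without a matching msg pass through untouched, so the script can be run over a whole .rules file; the global `output trap_snmp` lines from the original post must then be removed from snort.conf, otherwise every alert is still trapped regardless of the ruletype.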