Snort mailing list archives

SNMP V1 support


From: Mark Holohan <mark.holohan () compaq com>
Date: Fri, 07 Dec 2001 15:44:12 -0500


   Hello,
      I'm trying to link snort's snmp trap generation
   capability into an SNMP management station software
   package that only supports SNMP V1 MIBs.  Has
   anyone generated a V1 MIB for Snort?  If so, will
   a V1 MIB loaded at the management station handle
   V2 traps generated by Snort?
                                  Thanks,
                                       Mark

   P.S. I've tried using libsmi (smidump) to gen a
   V1 MIB from the V2 included MIBs.  I've incorporated
   this V1 MIB into my management station software, but
   still can't get the traps to be noticed.  I'm attaching
   my cut at a V1 MIB for the Alerts.
--
-- This SMIv1 module has been generated by smidump 0.3.0. Do not edit.
--

SNORT-INTRUSION-DETECTION-ALERT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    InetAddress, InetAddressType
        FROM INET-ADDRESS-MIB
    OBJECT-TYPE
        FROM RFC-1212
    TRAP-TYPE
        FROM RFC-1215
    Counter, Gauge
        FROM RFC1155-SMI
    mib-2
        FROM RFC1213-MIB
    snortExp
        FROM SNORT-COMMON-MIB;

snortIDSAlertMIB OBJECT IDENTIFIER
    ::= { snortExp 1 }

-- snortIDSAlertMIB MODULE-IDENTITY
--     LAST-UPDATED "200107250000Z"
--     ORGANIZATION 
--         "Snort.org"
--     CONTACT-INFO 
--         "                      Glenn Mansfield Keeni
--          Postal: Cyber Solutions Inc.
--                  6-6-3, Minami Yoshinari
--                  Aoba-ku, Sendai, Japan 989-3204.
--             Tel: +81-22-303-4012
--             Fax: +81-22-303-4015
--          E-mail: glenn () cysols com
--          
--                  Martin Roesch
--                  6550 Bonnie Brae Dr.
--                  Eldersburg, MD 21784
--                  US
--          
--             Tel: +1-410-549-7810
--          E-mail: roesch () sourcefire com
--          
--          Support Group E-mail: mibsupport () cysols com"
--     DESCRIPTION 
--         " The MIB for snort Alert Messages."
--     ::= { snortExp 1 }


SnmpEngineID ::=
    OCTET STRING (SIZE(5..32))

-- SnmpEngineID ::= TEXTUAL-CONVENTION
--     STATUS      mandatory
--     DESCRIPTION 
--         "An SNMP engine's administratively-unique identifier.
--          Objects of this type are for identification, not for
--          addressing, even though it is possible that an
--          address may have been used in the generation of
--          a specific value.
--          
--          The value for this object may not be all zeros or
--          all 'ff'H or the empty (zero length) string.
--          
--          The initial value for this object may be configured
--          via an operator console entry or via an algorithmic
--          function.  In the latter case, the following
--          example algorithm is recommended.
--          
--          In cases where there are multiple engines on the
--          same system, the use of this algorithm is NOT
--          appropriate, as it would result in all of those
--          engines ending up with the same ID value.
--          
--          1) The very first bit is used to indicate how the
--             rest of the data is composed.
--          
--             0 - as defined by enterprise using former methods
--                 that existed before SNMPv3. See item 2 below.
--          
--             1 - as defined by this architecture, see item 3
--                 below.
--             Note that this allows existing uses of the
--             engineID (also known as AgentID [RFC1910]) to
--             co-exist with any new uses.
--          
--          2) The snmpEngineID has a length of 12 octets.
--          
--             The first four octets are set to the binary
--             equivalent of the agent's SNMP management
--             private enterprise number as assigned by the
--             Internet Assigned Numbers Authority (IANA).
--             For example, if Acme Networks has been assigned
--             { enterprises 696 }, the first four octets would
--             be assigned '000002b8'H.
--          
--             The remaining eight octets are determined via
--             one or more enterprise-specific methods. Such
--             methods must be designed so as to maximize the
--             possibility that the value of this object will
--             be unique in the agent's administrative domain.
--             For example, it may be the IP address of the SNMP
--             entity, or the MAC address of one of the
--             interfaces, with each address suitably padded
--             with random octets.  If multiple methods are
--             defined, then it is recommended that the first
--             octet indicate the method being used and the
--             remaining octets be a function of the method.
--          
--          3) The length of the octet strings varies.
--          
--             The first four octets are set to the binary
--             equivalent of the agent's SNMP management
--             private enterprise number as assigned by the
--             Internet Assigned Numbers Authority (IANA).
--             For example, if Acme Networks has been assigned
--             { enterprises 696 }, the first four octets would
--             be assigned '000002b8'H.
--          
--             The very first bit is set to 1. For example, the
--             above value for Acme Networks now changes to be
--             '800002b8'H.
--          
--             The fifth octet indicates how the rest (6th and
--             following octets) are formatted. The values for
--             the fifth octet are:
--          
--               0     - reserved, unused.
--          
--               1     - IPv4 address (4 octets)
--                       lowest non-special IP address
--          
--               2     - IPv6 address (16 octets)
--                       lowest non-special IP address
--          
--               3     - MAC address (6 octets)
--                       lowest IEEE MAC address, canonical
--                       order
--          
--               4     - Text, administratively assigned
--                       Maximum remaining length 27
--          
--               5     - Octets, administratively assigned
--                       Maximum remaining length 27
--          
--               6-127 - reserved, unused
--          
--             127-255 - as defined by the enterprise
--                       Maximum remaining length 27
--          "
--     SYNTAX      OCTET STRING (SIZE(5..32))

SnmpAdminString ::=
    OCTET STRING (SIZE(0..255))

-- SnmpAdminString ::= TEXTUAL-CONVENTION
--     DISPLAY-HINT "255a"
--     STATUS      mandatory
--     DESCRIPTION 
--         "An octet string containing administrative
--          information, preferably in human-readable form.
--          
--          To facilitate internationalization, this
--          information is represented using the ISO/IEC
--          IS 10646-1 character set, encoded as an octet
--          string using the UTF-8 transformation format
--          described in [RFC2279].
--          
--          Since additional code points are added by
--          amendments to the 10646 standard from time
--          to time, implementations must be prepared to
--          encounter any code point from 0x00000000 to
--          0x7fffffff.  Byte sequences that do not
--          correspond to the valid UTF-8 encoding of a
--          code point or are outside this range are
--          prohibited.
--          
--          The use of control codes should be avoided.
--          
--          When it is necessary to represent a newline,
--          the control code sequence CR LF should be used.
--          
--          The use of leading or trailing white space should
--          be avoided.
--          
--          For code points not directly supported by user
--          interface hardware or software, an alternative
--          means of entry and display, such as hexadecimal,
--          may be provided.
--          
--          For information encoded in 7-bit US-ASCII,
--          the UTF-8 encoding is identical to the
--          US-ASCII encoding.
--          
--          UTF-8 may require multiple bytes to represent a
--          single character / code point; thus the length
--          of this object in octets may be different from
--          the number of characters encoded.  Similarly,
--          size constraints refer to the number of encoded
--          octets, not the number of characters represented
--          by an encoding.
--          
--          Note that when this TC is used for an object that
--          is used or envisioned to be used as an index, then
--          a SIZE restriction MUST be specified so that the
--          number of sub-identifiers for any object instance
--          does not exceed the limit of 128, as defined by
--          [RFC1905].
--          
--          Note that the size of an SnmpAdminString object is
--          measured in octets, not characters.
--          "
--     SYNTAX      OCTET STRING (SIZE(0..255))

URLString ::=
    OCTET STRING (SIZE(0..255))

-- URLString ::= TEXTUAL-CONVENTION
--     DISPLAY-HINT "255a"
--     STATUS      mandatory
--     DESCRIPTION 
--         "A Uniform Resource Locator represented in accordance
--          with RFCs 1738 and 2368, presented in the NVT ASCII
--          charset defined in RFC 854."
--     SYNTAX      OCTET STRING (SIZE(0..255))

sidaSensors OBJECT-TYPE
    SYNTAX      SEQUENCE OF SidaSensorEntry
    ACCESS      not-accessible
    STATUS      mandatory
    DESCRIPTION 
        " Each row of this table contains information
         about an alert indexed by sidaSensorID."
    ::= { snortIDSAlertMIB 1 }

sidaSensorEntry OBJECT-TYPE
    SYNTAX      SidaSensorEntry
    ACCESS      not-accessible
    STATUS      mandatory
    DESCRIPTION 
        " Entry containing information pertaining to
         a snort sensor."
    INDEX       { sidaSensorID }
    ::= { sidaSensors 1 }

SidaSensorEntry ::= SEQUENCE {
    sidaSensorID                INTEGER,
    sidaSensorDescription       SnmpAdminString,
    sidaSensorVersion           SnmpAdminString,
    sidaSensorLocation          SnmpAdminString,
    sidaSensorAddressType       InetAddressType,
    sidaSensorAddress           InetAddress,
    sidaSensorInterfaceIndex    INTEGER,
    sidaSensorManufacturer      SnmpAdminString,
    sidaSensorProductName       SnmpAdminString,
    sidaSensorProductID         OBJECT IDENTIFIER
}

sidaSensorID OBJECT-TYPE
    SYNTAX      INTEGER (0..16383)
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " An identifier to uniquely identify the Analyzer
         in the domain."
    ::= { sidaSensorEntry 1 }

sidaSensorDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " A short description of the Sensor."
    ::= { sidaSensorEntry 2 }

sidaSensorVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " the version number of the sensor that detected the event."
    ::= { sidaSensorEntry 3 }

sidaSensorLocation OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " the location of the sensor that detected the event."
    ::= { sidaSensorEntry 4 }

sidaSensorAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "The type of the address which follows."
    ::= { sidaSensorEntry 5 }

sidaSensorAddress OBJECT-TYPE
    SYNTAX      InetAddress
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "The network address of the sensor. "
    ::= { sidaSensorEntry 6 }

sidaSensorInterfaceIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..65535)
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The ifIndex of the interface on which the event was
         detected  by the sensor."
    ::= { sidaSensorEntry 7 }

sidaSensorManufacturer OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " the Manufacturer of the sensor that detected the event."
    ::= { sidaSensorEntry 8 }

sidaSensorProductName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " the name of the product that detected the event."
    ::= { sidaSensorEntry 9 }

sidaSensorProductID OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "A reference to MIB definitions specific to the
         analyzer generating the message.  If this information
         is not present, its value should be set to the OBJECT
         IDENTIFIER { 0 0 }, which is a syntactically valid
         object identifier."
    ::= { sidaSensorEntry 10 }

sidaAlerts OBJECT-TYPE
    SYNTAX      SEQUENCE OF SidaAlertEntry
    ACCESS      not-accessible
    STATUS      mandatory
    DESCRIPTION 
        " Each row of this table contains information
         about an alert indexed by sidaSensorID and sidaAlertID."
    ::= { snortIDSAlertMIB 2 }

sidaAlertEntry OBJECT-TYPE
    SYNTAX      SidaAlertEntry
    ACCESS      not-accessible
    STATUS      mandatory
    DESCRIPTION 
        " Entry containing information pertaining to
         an alert."
    INDEX       { sidaSensorID, sidaAlertID }
    ::= { sidaAlerts 1 }

SidaAlertEntry ::= SEQUENCE {
    sidaAlertID                 INTEGER,
    sidaAlertTimeStamp          SnmpAdminString,
    sidaAlertActionsTaken       SnmpAdminString,
    sidaAlertMsg                SnmpAdminString,
    sidaAlertMoreInfo           URLString,
    sidaAlertSrcAddressType     InetAddressType,
    sidaAlertSrcAddress         InetAddress,
    sidaAlertDstAddressType     InetAddressType,
    sidaAlertDstAddress         InetAddress,
    sidaAlertSrcPort            INTEGER,
    sidaAlertDstPort            INTEGER,
    sidaAlertStartTime          SnmpAdminString,
    sidaAlertOccurrences        Gauge
}

sidaAlertID OBJECT-TYPE
    SYNTAX      INTEGER (1..65535)
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The AlertID uniquely identifies each alert generated
         by the sensor."
    ::= { sidaAlertEntry 1 }

sidaAlertTimeStamp OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " An NTP style timestamp of the local time when this alert 
         was generated. It will be of the format 991372237.668158 ."
    ::= { sidaAlertEntry 2 }

sidaAlertActionsTaken OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The list of automatic actions taken by the sensor"
    ::= { sidaAlertEntry 3 }

sidaAlertMsg OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " the message associated with the rule that triggered
         the alert. Conventionally, the name of the attack.
         If there is no message this field will be blank."
    ::= { sidaAlertEntry 4 }

sidaAlertMoreInfo OBJECT-TYPE
    SYNTAX      URLString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "A reference to more information specific to this
         alert message. This is likely to be a URL. If there is no
         reference available this field will be blank"
    ::= { sidaAlertEntry 5 }

sidaAlertSrcAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "The type of the Internet address that was the attack source."
    ::= { sidaAlertEntry 6 }

sidaAlertSrcAddress OBJECT-TYPE
    SYNTAX      InetAddress
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The Internet addresses of the entity from which the attack
         originated, if known. "
    ::= { sidaAlertEntry 7 }

sidaAlertDstAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        "The type of the Internet address that was the attack target."
    ::= { sidaAlertEntry 8 }

sidaAlertDstAddress OBJECT-TYPE
    SYNTAX      InetAddress
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The Internet address of the entity to which the attack
         was destined, if known."
    ::= { sidaAlertEntry 9 }

sidaAlertSrcPort OBJECT-TYPE
    SYNTAX      INTEGER
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The port number from where the attack has originated "
    ::= { sidaAlertEntry 10 }

sidaAlertDstPort OBJECT-TYPE
    SYNTAX      INTEGER
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The port number to which the attack is destined "
    ::= { sidaAlertEntry 11 }

sidaAlertStartTime OBJECT-TYPE
    SYNTAX      SnmpAdminString
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The local date and time when the event causing this alert
         was first detected."
    ::= { sidaAlertEntry 12 }

sidaAlertOccurrences OBJECT-TYPE
    SYNTAX      Gauge
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION 
        " The number of occurrences of the event that is being
         reported in the alert."
    ::= { sidaAlertEntry 13 }

sidaAlertTypes OBJECT IDENTIFIER
    ::= { snortIDSAlertMIB 3 }

sidaConformance OBJECT IDENTIFIER
    ::= { snortIDSAlertMIB 4 }

sidaGroups OBJECT IDENTIFIER
    ::= { sidaConformance 1 }

sidaCompliances OBJECT IDENTIFIER
    ::= { sidaConformance 2 }

sidaAlertGeneric TRAP-TYPE
    ENTERPRISE  sidaAlertTypes
    VARIABLES   { sidaSensorVersion, sidaSensorAddressType, 
                  sidaSensorAddress, sidaAlertTimeStamp, sidaAlertMsg, 
                  sidaAlertMoreInfo, sidaAlertSrcAddressType, 
                  sidaAlertSrcAddress, sidaAlertDstAddressType, 
                  sidaAlertDstAddress, sidaAlertSrcPort, 
                  sidaAlertDstPort }
--     STATUS      mandatory
    DESCRIPTION 
        "The Sida Alert Generic Trap is sent whenever an 
         event is detected by snort (rules) and no specific 
         Alert is found applicable."
    ::= 1

sidaAlertGroup OBJECT IDENTIFIER
    ::= { sidaGroups 1 }

sidaAlertCompliance OBJECT IDENTIFIER
    ::= { sidaCompliances 1 }

-- sidaAlertCompliance MODULE-COMPLIANCE
--     STATUS      mandatory
--     DESCRIPTION 
--         "The compliance statement for SNMP entities
--          which implement the
--                     SNORT-INTRUSION-DETECTION-ALERT-MIB."

--     MODULE      -- -- this module

--         MANDATORY-GROUPS        { sidaAlertGroup }

--     ::= { sidaCompliances 1 }

END -- end of module SNORT-INTRUSION-DETECTION-ALERT-MIB.
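A loaded V1 MIB only tells the management station how to name and display objects; it does not change the wire format. An SNMPv2c trap is carried in an SNMPv2-Trap-PDU whose identity is the snmpTrapOID.0 varbind, while an SNMPv1 Trap-PDU carries the enterprise, generic-trap and specific-trap header fields, so a v1-only station needs something in the path (a proxy or the sender itself) to translate per RFC 2576 before it will "notice" the trap. The following is an added example, not code from the original post or from the Snort MIB: it implements the RFC 2576 mapping in both directions and applies it to the one trap in the attached module, sidaAlertGeneric. The OID of snortExp is imported from SNORT-COMMON-MIB, which is not on the page, so it is a labelled placeholder; the arcs beneath it (snortIDSAlertMIB = { snortExp 1 }, sidaAlertTypes = { snortIDSAlertMIB 3 }) follow the attached module.

```python
"""RFC 2576 SNMPv1/SNMPv2 trap-parameter mapping applied to sidaAlertGeneric.

Added example, not part of the original post or of the Snort MIB.  snortExp is
imported from SNORT-COMMON-MIB (not on the page), so its OID is a placeholder.
"""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]

# PLACEHOLDER: snortExp is defined in SNORT-COMMON-MIB, which is not shown here.
SNORT_EXP: Oid = (1, 3, 6, 1, 4, 1, 0)
SNORT_IDS_ALERT_MIB: Oid = SNORT_EXP + (1,)          # { snortExp 1 }
SIDA_ALERT_TYPES: Oid = SNORT_IDS_ALERT_MIB + (3,)   # { snortIDSAlertMIB 3 }

# Well-known OIDs from SNMPv2-MIB and SNMP-COMMUNITY-MIB used by RFC 2576.
SNMP_TRAPS: Oid = (1, 3, 6, 1, 6, 3, 1, 1, 5)        # coldStart = snmpTraps.1, ...
SYS_UPTIME_0: Oid = (1, 3, 6, 1, 2, 1, 1, 3, 0)
SNMP_TRAP_OID_0: Oid = (1, 3, 6, 1, 6, 3, 1, 1, 4, 1, 0)
SNMP_TRAP_ENTERPRISE_0: Oid = (1, 3, 6, 1, 6, 3, 1, 1, 4, 3, 0)
SNMP_TRAP_ADDRESS_0: Oid = (1, 3, 6, 1, 6, 3, 18, 1, 3, 0)
SNMP_TRAP_COMMUNITY_0: Oid = (1, 3, 6, 1, 6, 3, 18, 1, 4, 0)
ENTERPRISE_SPECIFIC = 6                              # SNMPv1 generic-trap value


def v1_to_v2_trap_oid(enterprise: Oid, generic_trap: int, specific_trap: int) -> Oid:
    """RFC 2576 section 3.1: derive snmpTrapOID.0 from SNMPv1 Trap-PDU fields.

    generic-trap 0..5 maps onto snmpTraps.1..6; enterpriseSpecific(6) maps onto
    <enterprise>.0.<specific-trap>.  This is why smidump renders the SMIv2
    notification { sidaAlertTypes 0 1 } as 'TRAP-TYPE ENTERPRISE sidaAlertTypes ::= 1'.
    """
    if 0 <= generic_trap <= 5:
        return SNMP_TRAPS + (generic_trap + 1,)
    if generic_trap != ENTERPRISE_SPECIFIC:
        raise ValueError(f"invalid generic-trap value {generic_trap}")
    return enterprise + (0, specific_trap)


def v2_to_v1_trap_fields(snmp_trap_oid: Oid,
                         trap_enterprise: Optional[Oid] = None) -> Tuple[Oid, int, int]:
    """RFC 2576 section 3.2: map snmpTrapOID.0 to (enterprise, generic-trap,
    specific-trap) so the notification can be delivered as an SNMPv1 Trap-PDU."""
    if snmp_trap_oid[:-1] == SNMP_TRAPS and 1 <= snmp_trap_oid[-1] <= 6:
        # Standard trap: enterprise is snmpTrapEnterprise.0 if present, else snmpTraps.
        return (trap_enterprise or SNMP_TRAPS), snmp_trap_oid[-1] - 1, 0
    if len(snmp_trap_oid) >= 3 and snmp_trap_oid[-2] == 0:
        # Enterprise-specific with the conventional ".0" arc: strip ".0.<n>".
        return snmp_trap_oid[:-2], ENTERPRISE_SPECIFIC, snmp_trap_oid[-1]
    # No ".0" arc: enterprise is everything but the last sub-identifier.
    return snmp_trap_oid[:-1], ENTERPRISE_SPECIFIC, snmp_trap_oid[-1]


def v1_to_v2_varbinds(enterprise: Oid, generic_trap: int, specific_trap: int,
                      time_stamp: int, agent_addr: str, community: bytes,
                      varbinds: List[Tuple[Oid, object]]) -> List[Tuple[Oid, object]]:
    """RFC 2576 section 3.1: varbind list a translator builds from an SNMPv1 Trap-PDU.

    sysUpTime.0 and snmpTrapOID.0 are prepended; the v1-only header fields
    (agent-addr, community, enterprise) are preserved in three trailing varbinds.
    """
    trap_oid = v1_to_v2_trap_oid(enterprise, generic_trap, specific_trap)
    return ([(SYS_UPTIME_0, time_stamp), (SNMP_TRAP_OID_0, trap_oid)]
            + list(varbinds)
            + [(SNMP_TRAP_ADDRESS_0, agent_addr),
               (SNMP_TRAP_COMMUNITY_0, community),
               (SNMP_TRAP_ENTERPRISE_0, enterprise)])


def sida_alert_generic_v1() -> Tuple[Oid, int, int]:
    """SNMPv1 view of the attached module's trap: the v2 notification
    { sidaAlertTypes 0 1 } becomes ENTERPRISE sidaAlertTypes, generic 6, specific 1."""
    return v2_to_v1_trap_fields(SIDA_ALERT_TYPES + (0, 1))


def oid_str(oid: Oid) -> str:
    return ".".join(str(x) for x in oid)


if __name__ == "__main__":
    ent, gen, spec = sida_alert_generic_v1()
    print(f"sidaAlertGeneric as SNMPv1: enterprise={oid_str(ent)} "
          f"generic-trap={gen} specific-trap={spec}")
    print("same trap as SNMPv2 snmpTrapOID.0:",
          oid_str(v1_to_v2_trap_oid(ent, gen, spec)))
```

When checking a station that only understands SNMPv1, the fields to look for are therefore enterprise = sidaAlertTypes, generic-trap = 6 and specific-trap = 1; a v2c SNMPv2-Trap-PDU arriving untranslated will carry none of these and is typically dropped silently, which matches the "traps not noticed" symptom.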