Snort mailing list archives
Re: SNMP bug for SNORT v 1.9 ???
From: twig les <twigles () yahoo com>
Date: Fri, 24 Jan 2003 10:13:25 -0800 (PST)
Yes, that is exactly what I meant, although my response may have come across as a little too glib. I would never make fun of anyone for causing an endless stream of snmp traps/alerts that were alerting on themselves...because I did it :).

So try going into snort.conf and commenting out the snmp.rules line, or go into snmp.rules and comment out the trap alert.

Another less likely possibility (that I learned the hard way) is that you may be sending informs and OV isn't responding.

A third somewhat remote possibility that punched me in the mouth is that using the net-snmp 5.x line instead of the ucd-snmp 4.x line wouldn't allow me to specify UDP 162 because the snmpcmd syntax had changed and the plugin wouldn't accept the new syntax. So traps went to 161 until I told net-snmp to use 162 for EVERYTHING in snmp.conf. I don't know why traps didn't just go to 162 by default.

Hope that helps

--- Erek Adams <erek () snort org> wrote:
> On Fri, 24 Jan 2003, Doan Nguyen wrote:
>
> > my original purpose was to have SNORT send traps to my network manager
> > for any rules that SNORT detects. The problem here is that I think
> > SNORT is supposed to send only 1 trap per incident; instead it is
> > continuously sending the same traps for that 1 incident, which I do not
> > think is correct.
>
> Two things:
>
> * Snort sends an alert for each and every packet that causes an alert. If Snort sees 10,000,000 packets that match a rule, you get 10,000,000 alerts. Since you're sending SNMP traps on each alert, you'll get 10,000,000 traps.
>
> * What alert are you getting? You might actually be causing an 'endless loop' with the alerts. If the rule has its trigger value in the alert that gets sent in cleartext, unless you're taking precautions you'll get that rule to trigger on the alert, and then to trigger on that alert, and so on...
>
> I think that's what twig was pointing to.
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
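The feedback loop both replies describe (Snort alerting on its own SNMP traps) can be confirmed from the alert log before any rule is disabled. The following is an added example, not code from the thread or from the Snort project: it assumes Snort's "fast" alert log format, and the sensor address, manager address, SIDs and rule messages in the sample are all constructed. It checks both UDP 161 and 162 because the post notes traps were going to 161.

```python
import re
from collections import Counter

# Snort "fast" alert line:
#   time [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def find_self_triggered(lines, sensor_ip, manager_ip, trap_ports=(161, 162)):
    """Count alerts whose triggering packet is the sensor's own SNMP traffic
    to the manager, keyed by (sid, msg). Any hit is a candidate loop rule."""
    loops = Counter()
    for line in lines:
        m = FAST.search(line)
        if not m:
            continue  # portless alerts (e.g. ICMP) and non-alert lines
        if (m["proto"] == "UDP"
                and m["src"] == sensor_ip
                and m["dst"] == manager_ip
                and int(m["dport"]) in trap_ports):
            loops[(int(m["sid"]), m["msg"])] += 1
    return loops

# Constructed sample log; addresses, SIDs and messages are illustrative only.
SENSOR, MANAGER = "10.0.0.5", "10.0.0.9"
SAMPLE = """\
01/24-10:13:25.100001  [**] [1:1000001:1] Constructed web rule [**] [Priority: 2] {TCP} 192.0.2.77:40112 -> 10.0.0.20:80
01/24-10:13:25.100950  [**] [1:1000002:1] Constructed SNMP trap rule [**] [Priority: 2] {UDP} 10.0.0.5:1026 -> 10.0.0.9:162
01/24-10:13:25.101800  [**] [1:1000002:1] Constructed SNMP trap rule [**] [Priority: 2] {UDP} 10.0.0.5:1026 -> 10.0.0.9:162
01/24-10:13:25.102650  [**] [1:1000002:1] Constructed SNMP trap rule [**] [Priority: 2] {UDP} 10.0.0.5:1026 -> 10.0.0.9:162
01/24-10:13:26.000100  [**] [1:1000003:1] Constructed SNMP request rule [**] [Priority: 2] {UDP} 10.0.0.5:1027 -> 10.0.0.9:161
01/24-10:13:27.500000  [**] [1:1000002:1] Constructed SNMP trap rule [**] [Priority: 2] {UDP} 10.0.0.31:1033 -> 10.0.0.9:162
""".splitlines()

if __name__ == "__main__":
    for (sid, msg), n in find_self_triggered(SAMPLE, SENSOR, MANAGER).most_common():
        print(f"sid {sid} ({msg}): {n} alerts on the sensor's own traps")
```

A rule that shows up here is one to comment out in snmp.rules, or to scope so that it ignores the sensor-to-manager flow.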
Current thread:
- SNMP bug for SNORT v 1.9 ??? Doan Nguyen (Jan 23)
- Re: SNMP bug for SNORT v 1.9 ??? twig les (Jan 23)
- Re: SNMP bug for SNORT v 1.9 ??? Doan Nguyen (Jan 24)
- Re: SNMP bug for SNORT v 1.9 ??? Erek Adams (Jan 24)
- Re: SNMP bug for SNORT v 1.9 ??? twig les (Jan 24)
- Re: SNMP bug for SNORT v 1.9 ??? Doan Nguyen (Jan 24)
- Re: SNMP bug for SNORT v 1.9 ??? twig les (Jan 23)