Re: SNMP bug for SNORT v 1.9 ???

[twig les <twigles () yahoo com>]

Yes, that is exactly what I meant, although my
response may have come across as a little too glib.  I
would never make fun of anyone for causing an endless
stream of snmp traps/alerts that were alerting on
themselves...because I did it :).  So try going into
snort.conf and commenting out the snmp.rules line, or
go into snmp.rules and comment out the trap alert.

Another less likely possibility (that I learned the
hard way) is that you may be sending informs and OV
isn't responding.

A third somewhat remote possibility that punched me in
the mouth is that using the net-snmp 5.x line instead
of the ucd-snmp 4.x line wouldn't allow me to specify
UDP 162 because the snmpcmd syntax had changed and the
plugin wouldn't accept the new syntax.  So traps went
to 161 until I told net-snmp to use 162 for EVERYTHING
in snmp.conf.  I don't know why traps didn't just go
to 162 by default.

Hope that helps


--- Erek Adams <erek () snort org> wrote:
> On Fri, 24 Jan 2003, Doan Nguyen wrote:
>
> > my original purpose was to have SNORT send traps
> to my network manager
> > for any rules that SNORT detects.  The problem
> here is that I think
> > SNORT is suppose to send only 1 trap per an
> incident, instead it is
> > continuously sending the same traps for that 1
> incident which I do not
> > think is correct.
>
> Two things:
>
>       * Snort sends an alert for each and every packet
> that causes an
> alert.  If Snort sees 10,000,000 packets that match
> a rule, you get
> 10,000,000 alerts.  Since you're sending SNMP traps
> on each alert, you'll
> get 10,000,000 traps.
>
>       * What alert are you getting?  You might actually
> be causing a
> 'endless loop' with the alerts.  If the rule has
> it's trigger value in the
> alert that gets sent in cleartext, unless you're
> taking precautions you'll
> get that rule to trigger on the alert, and then to
> trigger on that alert,
> and so on...  I think that's what twig was pointing
> to.
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."  
> H.S. Thompson


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users