RE: Snort SNMP Variables are not consistent?

["Metz, Tim" <TMetz () PanAmSat com>]

Searching though the archives I came across this thread and I am having the
same problem. It seems that if a variable is empty  all the string numbers
decrement - poor description but I think you know what I mean.

For example, if $8 is supposed to be src ip but $7 is empty then $7 becomes
src ip. I'm still confirming this is the pattern.

I use snort 1.8.7 build 108 and am sending v2c traps (alerts not informs) to
HP Openview.

Marty: not try to suck a$$ but your portion was definitely the best at SANS
in Orlando.


Thanks,

Tim Metz
PanAmSat Atlanta
+1-404-381-2828


-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, March 15, 2002 7:09 PM
To: Vjay LaRosa; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort SNMP Variables are not consistent?


Geez man, give us a chance!  I don't normally run SNMP alerting and I have
to setup a test environment here to check it out, gimme a little time and
I'll get on it.

    -Marty

On 3/15/02 4:18 PM, "Vjay LaRosa" <vjayl () emc com> wrote:

> O.Kay,
>
> I give up. I guess nobody else that sends SNMP traps with snort has
> noticed this. If any one knows why it is doing
> this I would appreciate it. Or at least if someone else sees the same
> thing let me know.
>
> vjl
>
>
>
> Vjay LaRosa wrote:
>
> > Hello,
> >
> > Is any one else using snort 1.8.4 Beta-4 to send SNMP traps? I have
> > snort configured to trap to our Netcool
> > Omnibus server.
> >
> > Originally snort 1.8.4 Beta-1 was sending the following information in
> > these variables.
> >
> > $8      Src IP
> > $10    Dst IP
> > $11    Src Port
> > $12    Dst Port
> >
> > But now that I upgraded I noticed that some alerts use this as their
> > variable mappings,
> >
> > $7      Src IP
> > $9      Dst IP
> > $10    Src Port
> > $11    Dst Port
> >
> > but some alerts are still sent using the old format. What's up with
> > this? Am I crazy or is something not right?
> >
> > vjl
> >
> > --
> >  V.Jay LaRosa                           EMC Corporation
> >  Systems Administrator                  171 South Street
> >  (508)435-1000 ext 14957                Hopkinton, MA 01748
> >  (508)497-8082 fax                      www.emc.com
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> V.Jay LaRosa                           EMC Corporation
> Systems Administrator                  171 South Street
> (508)435-1000 ext 14957                Hopkinton, MA 01748
> (508)497-8082 fax                      www.emc.com
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users