RE: SNMP request UDP flood

["Knight, Ric" <RKnight () TUC ca>]

The SNMP rules alert for $EXTERNAL_NET to $HOME_NET if the devices
generating the SNMP traffic to your OpenView are defined as part of
$HOME_NET the alerts will go away... 

-Ric 

-----Original Message-----
From: Sherry Sun [mailto:suns () oak cats ohiou edu]
Sent: November 13, 2002 9:30 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNMP request UDP flood


I just installed Snort 1.9.0 on Linux, and have been monitoring it for a few
days.
Turns out 99% of the alerts are the same alert coming from our HPopenview
box,
They are choking my database, and still keep coming in.

I have copied the alert below:

[Classification: Attempted Information Leak] [Priority: 2] 
11/07-11:08:29.672350 132.235.8.77:36244 -> 132.235.8.0:161
UDP TTL:1 TOS:0x0 ID:35998 IpLen:20 DgmLen:103 DF
Len: 83
[Xref => cve CAN-2002-0013][Xref => cve CAN-2002-0012]
[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
11/07-11:08:29.686665 132.235.8.77:36244 -> 132.235.8.0:161
UDP TTL:1 TOS:0x0 ID:35999 IpLen:20 DgmLen:87 DF
Len: 67


Can anyone tell me how can I make Snort stop generating this alert?

Thank you.


Sherry Sun
suns () ohio edu


-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about 
your web server security? Click here for a FREE Thawte 
Apache SSL Guide and answer your Apache SSL security 
needs: http://www.gothawte.com/rd523.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users