Re: SNMP Questions

[Matt Kettler <mkettler () evi-inc com>]

At 01:58 PM 8/10/2004, Brian Zuromski wrote:
> Hello,
>          I'm using snort 2.1.3 on RHES 3.0 and I'm having an issue with 
> SNMP alerts.  I've set my 'var SNMP_SERVERS' to my current SNMP 
> monitoring servers on our network.  My problem is that the alerts are 
> still being generated and filling up my database from our monitoring 
> server. .  I want it to alert on any SNMP traffic except coming from our 
> SNMP monitoring servers in 'var SNMP_SERVERS'.   Can anyone help?  Or 
> maybe I'm doing something wrong.


From looking at the rules, none of them actually make use of SNMP_SERVERS, 
so changing that value won't accomplish anything on the default setup... 
They all currently use EXTERNAL_NET and HOME_NET in snmp.rules.

as a fix, I'd suggest moving the snmp.rules to the last entry in your 
snort.conf and redefine EXTERNAL_NET to !$SNMP_SERVERS right before you 
include it. This way the SNMP rules will ignore your SNMP_SERVERS as you 
desire.

something like this:

        include $RULE_PATH/xxx.rules
        include $RULE_PATH/xxx.rules
        include $RULE_PATH/xxx.rules

        var EXTERNAL_NET !$SNMP_SERVERS
        include $RULE_PATH/snmp.rules




-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users