Cyber Solutions is pleased to present upgrade patches for the snortSnmpPlugin. The following patches are available.

The latest version of SnortSnmp:

  Patch file                    README.SNMP        snort version
  SnortSnmpMod-2.9.3.1-03.tgz   README.SNMP.txt    2.9.3.1

Changes for 2.9.3.1-03
  #01 A new parameter, "-s <sensorAddress>", was added to snort.conf.
      This covers the case where the capture interface has no address assigned.
Changes for 2.9.3.1-02
  #01 Bugs that occurred when "-DINET6" was given were fixed.
Changes for snort-2.9.3.1
  #01 Adapted to snort-2.9.3.1.


Other versions:

  Patch file                    README.SNMP    snort version
  SnortSnmpMod-2.2.0-02.tgz     README.SNMP    2.2.0
  SnortSnmp-2.1.0.tar.gz        README.SNMP    2.1.0
  SnortSnmp-2.0.6.tar.gz        README.SNMP    2.0.6
  SnortSnmp-2.0.5.tar.gz        README.SNMP    2.0.5
  SnortSnmp-2.0.4.tar.gz        README.SNMP    2.0.4
  SnortSnmp-2.0.3.tar.gz        README.SNMP    2.0.3
  SnortSnmp-2.0.2.tar.gz        README.SNMP    2.0.2
  SnortSnmp-2.0.1.tar.gz        README.SNMP    2.0.1
  SnortSnmp-2.0.0.tar.gz        README.SNMP    2.0.1
  SnortSnmp-current.tar.gz      @              current (CVS)


We confirm that the latest snortSnmp plug-in works with the following:

  1. Red Hat Enterprise Linux ES release 4
  2. snort-2.9.3.1
  3. net-snmp-5.7

SnortSnmp installation procedure

  1. Introduction

    The snortSnmpPlugin enables snort to send SNMP alerts to Network Management Systems (NMS). The alerts can be traps (the alert will not be acknowledged by the receiver) or informs (the alert will be acknowledged by the receiver). This adds significant power to the NMS by allowing it to monitor the security of the network. It also allows the snort sensor to exploit the features that are built into existing network management systems.

  2. Requirements

    The plug-in requires the net-snmp libraries and header files. You will need to download and install the ucd-snmp (netSnmp) package before you try to install this plug-in. The URL is http://net-snmp.sourceforge.net

  3. Activation Steps

    Generate the SnortSnmp-enabled snort package:

    o Download the SnortSnmp patch file from the table above.
    o Follow the steps in README.SNMP.

    Follow the usual steps to build the package (refer to the README in the package):

    o ./configure
    o make
    o su
    o make install

    IMPORTANT NOTES:
    1. Prepare the snort.conf which defines the snort run-time configuration.

      Important: you need to enable the snortSnmpTrap plugin in the snort.conf or any other snort configuration file. The parameters depend on the SNMP version that is specified. For the SNMPv2c case the parameters are as follows:

       # The parameters for the SnmpTrap plugin module are
       #  alert, <SENSORID> {trap|inform} -v <SNMPVERSION> -c <COMMUNITY>
       #         <HOSTNAME>:<PORTNUMBER>
       output trap_snmp: alert, 7, trap -v 2c -c myCommunity myTrapListener:162

      Note: currently SNMPv1 traps are not supported; SNMPv2 and above should work. You need to specify the parameters correctly. The parameters for trap [inform] are the same as those accepted on the command line by the netSnmp applications. To see the options and features, refer to the snmptrapd man pages.
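As an added example, not part of this Cyber Solutions page or of the plug-in's own code: a small Python checker that applies the rules above to "output trap_snmp:" lines in snort.conf (the "alert, <SENSORID>, {trap|inform} ..." layout, the -v/-c net-snmp options, the <HOSTNAME>:<PORTNUMBER> destination, and the SNMPv1 restriction), so a misconfigured line is caught before snort is started. The snort.conf fragment, sensor IDs and host names are constructed; the check for the well-known default community string is an added caveat, not something the page states.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed snort.conf fragment: the SNMPv2c line from the notes, an SNMPv1
# line (unsupported) and an inform with the well-known default community.
SAMPLE_CONF = """\
# The parameters for the SnmpTrap plugin module are
#  alert, <SENSORID> {trap|inform} -v <SNMPVERSION> -c <COMMUNITY>
#         <HOSTNAME>:<PORTNUMBER>
output trap_snmp: alert, 7, trap -v 2c -c myCommunity myTrapListener:162
output trap_snmp: alert, 8, trap -v 1 -c myCommunity myTrapListener:162
output trap_snmp: alert, 9, inform -v 2c -c public nms.example.net:162
"""

@dataclass
class TrapSnmpDirective:
    sensor_id: int
    mode: str        # "trap" (not acknowledged) or "inform" (acknowledged)
    version: str     # SNMP version as given to -v, e.g. "2c"
    community: str
    host: str
    port: int
    warnings: list = field(default_factory=list)

_LINE = re.compile(r"^\s*output\s+trap_snmp\s*:\s*(.*)$")

def parse_trap_snmp(line):
    """Parse one 'output trap_snmp:' directive; raise ValueError if malformed or unsupported."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a trap_snmp output directive")
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 3 or fields[0] != "alert":
        raise ValueError("expected: alert, <SENSORID>, {trap|inform} -v <VER> -c <COMMUNITY> <HOST>:<PORT>")
    sensor_id, toks = int(fields[1]), shlex.split(fields[2])
    if not toks or toks[0] not in ("trap", "inform"):
        raise ValueError("mode must be 'trap' or 'inform'")
    opts, i = {}, 1                      # net-snmp style option/value pairs
    while i < len(toks) - 1:
        if toks[i] not in ("-v", "-c"):
            raise ValueError(f"unrecognised option {toks[i]}")
        opts[toks[i]] = toks[i + 1]
        i += 2
    if i != len(toks) - 1 or "-v" not in opts or "-c" not in opts:
        raise ValueError("-v, -c and a <HOSTNAME>:<PORTNUMBER> destination are required")
    host, _, port = toks[-1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("destination must be <HOSTNAME>:<PORTNUMBER>")
    if opts["-v"] == "1":
        raise ValueError("SNMPv1 traps are not supported; use -v 2c or higher")
    d = TrapSnmpDirective(sensor_id, toks[0], opts["-v"], opts["-c"], host, int(port))
    if d.community == "public":          # added caveat: default community string
        d.warnings.append("community 'public' is the well-known default; choose a private one")
    return d

def check_conf(text):
    """Return (parsed directives, [(line number, error)]) for all trap_snmp lines."""
    ok, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if _LINE.match(line):
            try:
                ok.append(parse_trap_snmp(line))
            except ValueError as e:
                errors.append((n, str(e)))
    return ok, errors
```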

    If you choose to send traps [informs], you should ensure that an SNMP trap listener is listening for the traps [informs] on the destination (<HOSTNAME>) at the specified port (<PORTNUMBER>). If snmptrapd is not running, you can start it on <HOSTNAME> as shown below. This will work if you have the ucd-snmp or net-snmp package installed on <HOSTNAME>. The received alerts will be printed on the console.

     snmptrapd -P -p <PORTNUMBER> (ucd-snmp)
     snmptrapd -f -Le udp:162 (net-snmp)

    You are all set. Start snort !

    # We do not provide support on how to use or how to install SnortSNMP.

If you have problems, queries or suggestions, mail to snortSnmp@cysols.com
A rudimentary guide to SnortSNMP is here.

Copyright © 1997-2014 Cyber Solutions Inc., All rights reserved.