Introduction. The snortSnmpPlugin enables snort to send snmp alerts to network managemement systems (NMS). The alerts can be traps (the alert will not be acknowledged by the receiver) or informs (the alert will be acknowledged by the receiver ). This adds significant power to the NMS by allowing it to monitor the security of the network. It also allows the snort sensor to exploit the features that are built into existing network management systems. Requirements: The plugin requires the net-snmp (or ucd-snmp) libraries and header files. You will need to download and install the net-snmp (ucd-snmp) package before you try to install this plugin. The package can be downloaded from http://net-snmp.sourceforge.net/ You will need the latest snort source distribution. Activation Steps: NOTE: That the MIB files created after applying the patch in the etc directory etc/SnortCommonMIB.txt etc/SnortIDAlertMIB.txt need to be referred to by snmp applications. [Otherwise the OID-to-name translation will not take place] refer to the snmpcmd manpages [do 'man snmpcmd'] for further details. 0. Build the Snmp enabled snort package. DownLoad the SnortSnmpModule. uncompress and untar - it will contain README.SNMP -- This file SnortSnmp-.gz -- Patch to build the Snmp enabled snort -- PatchVersion is something like M.m.p-NN -- NN is the SnortSnmp patch version number -- that applies to snort-M.m.p Apply the SnortSnmp patch as follows: In the directory where snort-N.m.pp is gunzipped and untarred cd snort-M.m.p zcat SnortSnmp-M.m.p-NN.gz | patch This will update the following files configure.in Makefile.am src/plugbase.c etc/snort.conf and create the following files in the snort source tree (snort-N.m.p). doc/README.SNMP etc/SnortCommonMIB.txt etc/SnortIDAlertMIB.txt src/output-plugins/spo_SnmpTrap.c src/output-plugins/spo_SnmpTrap.h 1. follow the usual steps to build the package aclocal autoheader automake --add-missing autoconf ./configure --with-snmp --with-openssl make su make install NOTE-WELL: The '--with-snmp' option is required if you want to build with the snortSnmpPlugin NOTE: the compiler may complain about the non-availability of some libraries used by libsnmp. You may try configuring with ./configure --with-snmp --with-openssl 2. Prepare the snort.conf which defines the snort run-time configuration Important: You need to enable the SnmpTrap plugin in the snort.conf or whatever configuration file you pass on to snort. The trap_snmp plugin requires several parameters and these will need to be specified in the trap_snmp activation line in the configuration file (snort.conf). The parameters depend on the Snmpversion that is used (specified) For the SNMPv2c case the parameters will be as follows alert, , [NotificationOptions] , {trap|inform} -v [-p ] -c For SNMPv2c, traps to the standard SNMP trap port (162), with MD5 digest based packetPrint generation the trap_snmp activation line will be as follows output trap_snmp: alert, 7, cpm,trap -v 2c -c myCommunity myTrapListener For SNMPv2c informs to port 999 with the 'compact' notification option output trap_snmp: alert, 7, c,inform -v 2c -p 999 -c myCommunity myTrapListener For details on configuring the trap_snmp plugin see the notes below and in the accompanying snort.conf. [You may also refer to the preliminary draft of the snort-snmp guide at http://www.cysols.com/contrib/snortsnmp/snortSnmpGuide.html] You are all set. Start snort ! If you have problems / queries / suggestion - mail to snortSnmp@cysols.com Note1. The trap_snmp plugin accepts the following options [c],[p[m|s]] where, c : Generate compact notifications. (Saves on bandwidth by not reporting MOs for which values are unknown, not available or, not applicable. For details see below.) By default this option is reset. p : Generate a print of the invariant part of the offending packet. This can be used to track the packet across the Internet. If you do not know what this is about you probably do not need this. By default this option is reset. m : Use the MD5 algorithm to generate the packet print. By default this algorithm is used. If you do not know what this is about you probably do not need this. s : Use the SHA1 algorithm to generate the packet print. If you do not know what this is about you probably do not need this. Note2. As of now SNMPv1 traps are not supported. SNMPv2 and above should work. You will need to specify the parameters correctly. The paremeters after the trap[inform] are pretty much the same as those that are accepted on the commandline by netSnmp applications. To see the options and features do a 'man snmptrapd'. If you choose to send traps [informs] - you should ensure that a SnmpTrapListener is listening for the traps[informs] on the destination () at the specified port (). If Snmptrapd is not running - you can try snmptrapd -P -p -Os on . This will work if you have the NetSnmp package installed on . The received alerts will get printed on the console. Note3. Description of the notifications sent by snortSnmpPlugin. The following notifications are supported: sidaAlertGeneric-2 This is the notification sent when no specific notification is found for the event. sidaAlertScanStatus-2 This notification reports that a scan. is detected, in progress or terminated. The sidaScanEventStatus MO indicates the status of the scan - whether the start of a scan is detected, a scan is in progress or, a detected scan has terminated. The periodicity of the scan in progress alerts is implementation dependent. The MOs in the sidaAlertGeneric-2 are sidaAlertTimeStamp, M (M:Mandatory, O:Optional) sidaAlertMsg, M sidaAlertImpact M sidaSensorID O sidaAlertID O sidaAlertActionsTaken, O sidaAlertMoreInfo, O sidaSensorAddressType, O sidaSensorAddress, O sidaAlertSrcAddressType, O sidaAlertSrcAddress, O sidaAlertDstAddressType, O sidaAlertDstAddress, O sidaAlertSrcPort, O sidaAlertDstPort, O sidaAlertEventPriority O sidaAlertSrcMacAddress O sidaAlertDstMacAddress O sidaAlertProto O sidaAlertRuleID O sidaAlertRuleRevision O sidaAlertPacketPrint O The MOs in the sidaAlertScanStatus-2 are sidaAlertTimeStamp, M (M:Mandatory, O:Optional) sidaAlertMsg, M sidaAlertImpact M sidaAlertScanType M sidaAlertEventStatus M sidaSensorID , O sidaAlertID , O sidaAlertActionsTaken, O sidaAlertMoreInfo O sidaSensorAddressType, O sidaSensorAddress, O sidaAlertSrcAddressType, O sidaAlertSrcAddress, O sidaAlertDstAddressType, O sidaAlertDstAddress, O sidaAlertSrcPort, O sidaAlertDstPort, O sidaAlertDstAddressList, O sidaAlertDstPortList, O sidaAlertEventPriority O sidaAlertScanDuration, O sidaAlertScannedHosts, O sidaAlertTCPScanCount, O sidaAlertUDPScanCount, O sidaAlertSrcMacAddress O sidaAlertDstMacAddress O sidaAlertProto O sidaAlertRuleID O sidaAlertRuleRevision O sidaAlertPacketPrint O Note4: Mandatory MOs and Optional MOs o Two categories of MOs are defined for the notifications. The mandatory MOs will *always* be included in the notification and in the same order as in which they appear in the definition of the corresponding NOTIFICATION object in the SNORT-ID-ALERT-MIB. o If the true value of a mandatory MO is unavailable (or unknown) an appropriate value will be assigned to the MO to indicate that. [Refer to the SNORT-ID-ALERT-MIB definitions in the MIBs directory for the default values of the MOs] o The handling of the optional MOs depends on the trap_snmp plugin options. - By default, all the MOs will be present in the notification. If the true value of an MO is not available or is unknown, a preassigned value will be supplied to to indicate that. The place and order of the MOs in the notification is fixed. [These notifications have the advantages of being fixed format and the disadvantage of being unnecessarily large.] - if the compact option 'c' is given as a parameter to the snmptrap-plugin, the MOs for which the values are unknown or not available will not be present in the notification. The ordering of the MOs does not change - but the place of the MOs may change. [ These notifications have the advantage of being compact (there are no MOs without meaningful values in the notification) and the disadvantage of being variable format. (variable format should not be a problem as an SNMP notifications always contains the information in MO-Value pairs)] Acknowledgments: The following have helped with suggestions,comments,patches and encouragement. Let me know if I have left out anybody. Mariusz Woloszyn Juergen Schoenwaelder Frank Abe Katsuhisa Yosuke Sato Martin Olsson Andrew Hood All users.