Language
At Cyber ​​Solutions, we have been actively contributing to the SNMP output plugin for the open source network intrusion detection system Snort™. As a result, we are releasing an SNMP output plug-in in the form of a patch.
 
SnortSnmp latest version
Patch file ReadMe.Snort Supported Snort version
SnortSnmpMod-2.9.3.1-03.tgz README.SNMP.txt 2.9.3.1
 
◆Changes in 2.9.3.1-03
a. Added "-s" to the snmp_trap parameter in snort.conf. The IP address information set here will be set to the sensor address in the SNMP trap notification information. If this setting is omitted, a NULL value will be notified.
◆Changes in 2.9.3.1-02
a. Fixed a bug when -DINET6 was given.
◆Changes in 2.9.3.1-01.
a. Compatible with snort-2.9.3.1.
 
Other versions
Patch file ReadMe.Snort Supported Snort version
SnortSnmpMod-2.2.0-02.tgz README.SNMP.2.2.0-02.txt 2.2.0
SnortSnmpMod-2.2.0-01.tgz README.SNMP.2.2.0-01.txt 2.2.0
SnortSnmp-2.1.0.tar.gz README.SNMP.2.1.0.txt 2.1.0
SnortSnmp-2.0.6.tar.gz README.SNMP.2.0.6.txt 2.0.6
SnortSnmp-2.0.5.tar.gz README.SNMP.2.0.5.txt 2.0.5
SnortSnmp-2.0.4.tar.gz README.SNMP.2.0.4.txt 2.0.4
SnortSnmp-2.0.3.tar.gz README.SNMP.2.0.3.txt 2.0.3
SnortSnmp-2.0.2.tar.gz README.SNMP.2.0.2.txt 2.0.2
SnortSnmp-2.0.1.tar.gz README.SNMP2.0.1.txt 2.0.1
SnortSnmp-2.0.0.tar.gz README.SNMP2.0.0.txt 2.0.0
SnortSnmp-current.tar.gz   current(CVS)
 
We have confirmed that the latest version of the patch has been applied as follows.
  • Red Hat Enterprise Linux ES release 4
  • snort-2.9.3.1
  • net-snmp-2.7

SnortSnmp installation instructions
1. Introduction
The SNMP output plugin allows snort to send alert notifications to a network management system (NMS) using SNMP traps (format that does not require ACK)/inform (format that requires ACK). This feature allows you to integrate snort as a sensor into your existing network management system (NMS).
 
2. Requirements
To compile the SNMP output plug-in, the net-snmp library and header files are required. Please install net-snmp in advance. The package is available at the URL http://net-snmp.sourceforge.net.
 
3. Activation Steps
Here, we will proceed with the discussion using snort-2.9.3.1 as an example.
For other versions, please change the version name.
First, extract the patch package SnortSnmpMod-2.9.3.1-01.tgz.
$ tar xvzf SnortSnmpMod-2.9.3.1-01.tgz
At this time, README.SNMP.txt and patch file SnortSnmp-2.9.3.1-01.gz are created under the directory SnortSnmpMod-2.9.3.1-01.
Next, follow the steps below to apply SnortSnmp-2.9.3.1-01.gz to the snort-2.9.3.1 source code and build the package.
See also README.SNMP.

 $ tar xvzf snort-2.9.3.1.tar.gz
 $ zcat <somewhere>/SnortSnmp-2.9.3.1-01.gz | patch -p0
 $ cd snort-2.9.3.1
 $ ./configure
 $ make
 $ sudo make install
 
NOTE:
    Edit the snort.conf file.
    Settings related to the SNMP output plugin must be written in snort.conf. An example is provided in snort.conf included in the patch.
    Example
     # The parameters for the SnmpTrap plugin module are
     # alert, <SENSORID> {trap|inform} -v <SNMPVERSION> -c <COMMUNITY>
     # <HOSTNAME>:<PORTNUMBER>
     output trap_snmp: alert, 7, trap -v 2c -c myCommunity myTrapListener:162
                        
Note.
SNMPv1 traps are not supported.
Please use SNMPv2c and SNMPv3.
The SNMP related parameters written in snort.conf are almost the same as the net-snmp parameters. See the snmptrapd man page for information about other parameters.
Finally, check whether SnmpTrapListenr is running on the host and port number specified in snort.conf.
An example of how to start snmptrapd that outputs received alerts on the console is as follows.
 snmptrapd -P -p <PORTNUMBER> (ucd-snmp)
 snmptrapd -f -Le udp:162 (net-snmp)
                    
Setup is completed. Please start Snort.
 
*Please note that we do not provide support regarding SnortSnmp.