Introduction.

The snortSnmpPlugin enables snort to send SNMP alerts to network management systems (NMS). The alerts can be traps (the alert will not be acknowledged by the receiver) or informs (the alert will be acknowledged by the receiver). This adds significant power to the NMS by allowing it to monitor the security of the network. It also allows the snort sensor to exploit the features that are built into existing network management systems.

Requirements:

The plugin requires the net-snmp libraries and header files. You will need to download and install the ucd-snmp (netSnmp) package before you try to install this plugin. The URL is http://net-snmp.sourceforge.net/

You will need the latest snort source distribution.

Activation Steps:

NOTE: The files in MIBS need to be referred to by SNMP applications, otherwise the OID-to-name translation will not take place. Refer to the snmpcmd manpages for further details.

1. Follow the usual steps to build the package:

       ./configure --with-snmp
       make
       super make install

   NOTE-WELL: The '--with-snmp' option is required if you want to build with the snortSnmpPlugin.

2. Prepare the snort.conf, which defines the snort run-time configuration.

   Important: You need to enable the SnmpTrap plugin in the snort.conf or whatever configuration file you pass on to snort. The supplied snort.conf file contains the sample line:

       # The parameters for the SnmpTrap plugin module are
       # alert, <sensorID>, {trap|inform} -v <SnmpVersion> -p <portNumber>
       # <hostName> <community>
       output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity
       #

   Note. As of now SNMPv1 traps are not supported. SNMPv2 and above should work.

   You will need to specify the parameters correctly. The parameters after the trap[inform] are pretty much the same as those that are accepted on the command line by netSnmp applications. To see the options and features, do a man snmptrapd.

If you choose to send traps [informs], you should ensure that an SnmpTrapListener is listening for the traps [informs] on the destination (<hostName>) at the specified port (<portNumber>). If snmptrapd is not running, you can try

    snmptrapd -P -p <portNo>

on <hostname>. This will work if you have the NetSnmp package installed on <hostname>. The received alerts will get printed on the console.

You are all set. Start snort!

If you have problems / queries / suggestions, mail to snortSnmp@cysols.com
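
A check for the trap_snmp output line described in step 2, run before starting snort. This is an added example, not code from the snort distribution; the function name check_trap_snmp is hypothetical, and treating -v and -p as mandatory is an assumption taken from the documented parameter layout.

```python
# Layout documented in the README:
#   output trap_snmp: alert, <sensorID>, {trap|inform} -v <SnmpVersion>
#                     -p <portNumber> <hostName> <community>
PREFIX = "output trap_snmp:"

def check_trap_snmp(line):
    """Check one snort.conf line; return (settings or None, list of problems)."""
    line = line.strip()
    if not line.startswith(PREFIX):  # also rejects lines commented out with '#'
        return None, ["not an active 'output trap_snmp:' line"]
    fields = [f.strip() for f in line[len(PREFIX):].split(",", 2)]
    if len(fields) != 3 or fields[0] != "alert" or not fields[1]:
        return None, ["expected 'alert, <sensorID>, {trap|inform} ...'"]
    args = fields[2].split()
    if not args or args[0] not in ("trap", "inform"):
        return None, ["third field must begin with 'trap' or 'inform'"]
    settings = {"sensor_id": fields[1], "mode": args[0]}
    problems, positional = [], []
    it = iter(args[1:])
    for arg in it:
        if arg in ("-v", "-p"):
            settings["version" if arg == "-v" else "port"] = next(it, "")
        elif arg.startswith("-"):  # other net-snmp style options: out of scope here
            problems.append("option %s is not covered by this check" % arg)
        else:
            positional.append(arg)
    version = settings.get("version", "")
    if not version:
        problems.append("missing -v <SnmpVersion>")
    elif version == "1":
        problems.append("SNMPv1 traps are not supported; use SNMPv2 or above")
    port = settings.get("port", "")
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        problems.append("-p needs a port number between 1 and 65535")
    if len(positional) != 2:
        problems.append("expected exactly <hostName> <community> after the options")
    else:
        settings["host"], settings["community"] = positional
    return settings, problems

if __name__ == "__main__":
    # Constructed input: the README's sample line plus two broken variants.
    for sample in (
        "output trap_snmp: alert, 7, trap -v 2c -p 162 myTrapListener myCommunity",
        "output trap_snmp: alert, 7, trap -v 1 -p 162 myTrapListener myCommunity",
        "output trap_snmp: alert, 7, inform -v 2c -p 70000 myTrapListener",
    ):
        print(sample, "->", check_trap_snmp(sample)[1] or "ok")
```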