[Oisf-users] suricata SNMP enterprise OID

Mark Ashley mark at ibiblio.org
Wed Feb 5 05:48:12 UTC 2014


Hey folks,

I've developed a barnyard2 SNMP output plugin using a merger of the version
0.2.0 barnyard2 SNMP module patch and the current syslog output plugin.
It's useful to us to forward alerts to our SNMP management console, as well
as the normal log handling systems such as snorby. Alerts can go to both
etc.

Here's an extract from our barnyard2.conf file:

# Examples:
#   output alert_snmp
#   output alert_snmp: hostname=nms.example.com
#   output alert_snmp: retries=2
#   output alert_snmp: remote_port=161
#   output alert_snmp: transport=udp | tcp
#   output alert_snmp: events_per_sec_limit=10
#   output alert_snmp: community=public
#   output alert_snmp: snmp_trap_type=normal | agentx
#   output alert_snmp: snmp_version=1 | 2c
#   output alert_snmp: enterprise_oid=1.3.6.1.4.1.999
#
output alert_snmp: hostname=snmphost.example.com, remote_port=161, transport=udp, community=public, events_per_sec_limit=20, snmp_version=2c, snmp_trap_type=normal, enterprise_oid=1.3.6.1.4.1.999

What I've noticed is the SNMP OIDs being seen on the receiving host were
those of Snort:

Ent Value 0: .1.3.6.1.4.1.10234.2.1.2.1.2.0.199283=02/03/14-16:56:25.481721
Ent Value 1: .1.3.6.1.4.1.10234.2.1.2.1.33.0.199283=1
Ent Value 2: .1.3.6.1.4.1.10234.2.1.2.1.34.0.199283=0
Ent Value 3: .1.3.6.1.4.1.10234.2.1.2.1.29.0.199283=2221021
Ent Value 4: .1.3.6.1.4.1.10234.2.1.2.1.30.0.199283=1
Ent Value 5: .1.3.6.1.4.1.10234.2.1.2.1.31.0.199283=SURICATA HTTP response
header invalid
Ent Value 6: .1.3.6.1.4.1.10234.2.1.2.1.28.0.199283=TCP
Ent Value 7: .1.3.6.1.4.1.10234.2.1.2.1.7.0.199283=123.123.123.30
Ent Value 8: .1.3.6.1.4.1.10234.2.1.2.1.9.0.199283=10.10.10.61
Ent Value 9: .1.3.6.1.4.1.10234.2.1.2.1.10.0.199283=80
Ent Value 10: .1.3.6.1.4.1.10234.2.1.2.1.11.0.199283=53927
Ent Value 11: .1.3.6.1.4.1.10234.2.1.2.1.35.0.199283=Generic Protocol
Command Decode
Ent Value 12: .1.3.6.1.4.1.10234.2.1.2.1.25.0.199283=3

10234 is the enterprise number for snort.org as seen here:

https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
10234   Snort.org     Glenn Mansfield Keeni       glenn&cysols.com

The reason that was used is because of the definitions in the SNMP plugin
.h file. Back when the file was created, snort was the tool generating the
input to barnyard2. I essentially left the OIDs as they were and can now
see it's probably not logical to do so:

% cat spo_snmp_mib.h
#ifndef OP_SNMP_MIB_H_
#define OP_SNMP_MIB_H_
#define OID_SIDA_ALERT         { 1, 3, 6, 1, 4, 1, 10234, 2, 1, 2, 1, 0, 0, 0 }
#define OID_SIDA_ALERT_GENERIC { 1, 3, 6, 1, 4, 1, 10234, 2, 1, 3, 3 }
enum {
         SIDA_ALERT_PARAM_IDX      = 11,
         SIDA_ALERT_SENSOR_ID_IDX  = 12,
         SIDA_ALERT_EVENT_ID_IDX   = 13,

         ALERTID                   = 1,
         ALERTTIMESTAMP            = 2,
         ALERTACTIONSTAKEN         = 3,
         ALERTMSG                  = 4,
         ALERTMOREINFO             = 5,

I was considering altering the enterprise number and using our own internal
number, but that would imply that our company's software is the creator of
these traps, when in reality it's information generated from suricata and
passed on via barnyard2. It's certainly not coming from snort any more, so
that should be changed. It's a bit of an issue as Networks want a MIB file
to describe these OIDs. I have created some, but which enterprise number to
use is the problem.

So, what's the best creator ID to use in the OID? suricata or barnyard2? If
it's barnyard2, then I can ask Ian Firns to register a number for it. I'd
like to see suricata have their own though, and the barnyard2 SNMP output
plugin be configured to send it. I can convert the MIBs to be
suricata.org MIBs and submit them as a feature addition in git.

Suricata can ask for their own enterprise number here:
http://pen.iana.org/pen/PenApplication.page

Thoughts?

ta,
Mark.
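The trap dump and the spo_snmp_mib.h extract above together fix the layout of every varbind OID: the fixed prefix .1.3.6.1.4.1.10234.2.1.2.1 (enterprise number at arc position 6), then the parameter index, sensor id and event id at positions 11, 12 and 13. The following is an added example, not code from the barnyard2 plugin or from the post, that decodes those "Ent Value" lines into their parts and shows what re-basing them under the enterprise_oid from the barnyard2.conf extract (1.3.6.1.4.1.999, used here only as the post's own placeholder) would look like. The sample varbind text is a few lines re-typed from the dump in the post, the param-name table covers only the five enumerators visible in the header extract, and treating enterprise_oid as a straight replacement of the 1.3.6.1.4.1.<enterprise> head is an assumption about the option's intent, since the post only shows the setting.

```python
"""Decode barnyard2 alert_snmp trap varbinds and re-base them under another
enterprise OID.

Added example, not code from the barnyard2 plugin or the mailing-list post.
OID layout taken from the quoted spo_snmp_mib.h; sample input is constructed
from the trap dump in the post.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# From OID_SIDA_ALERT: positions 0..10 are the fixed prefix (the Snort.org
# enterprise number 10234 sits at position 6); then param, sensor, event.
SIDA_ALERT_PREFIX = (1, 3, 6, 1, 4, 1, 10234, 2, 1, 2, 1)
SIDA_ALERT_PARAM_IDX = 11
SIDA_ALERT_SENSOR_ID_IDX = 12
SIDA_ALERT_EVENT_ID_IDX = 13
ENTERPRISE_IDX = 6  # the arc right after the 1.3.6.1.4.1 private-enterprise root

# Only the enumerators visible in the quoted header; others are reported by number.
PARAM_NAMES: Dict[int, str] = {
    1: "ALERTID", 2: "ALERTTIMESTAMP", 3: "ALERTACTIONSTAKEN",
    4: "ALERTMSG", 5: "ALERTMOREINFO",
}

# Constructed sample: four varbinds re-typed from the trap dump in the post.
SAMPLE_TRAP = """\
Ent Value 0: .1.3.6.1.4.1.10234.2.1.2.1.2.0.199283=02/03/14-16:56:25.481721
Ent Value 1: .1.3.6.1.4.1.10234.2.1.2.1.33.0.199283=1
Ent Value 5: .1.3.6.1.4.1.10234.2.1.2.1.31.0.199283=SURICATA HTTP response header invalid
Ent Value 7: .1.3.6.1.4.1.10234.2.1.2.1.7.0.199283=123.123.123.30
"""


class Varbind(NamedTuple):
    oid: Tuple[int, ...]
    enterprise: int
    param: int
    sensor_id: int
    event_id: int
    value: str


_LINE = re.compile(r"^Ent Value \d+: (\.[\d.]+)=(.*)$")


def parse_oid(text: str) -> Tuple[int, ...]:
    """'.1.3.6...' -> (1, 3, 6, ...); rejects anything but dotted digits."""
    if not re.fullmatch(r"\.?\d+(\.\d+)*", text):
        raise ValueError("malformed OID: %r" % text)
    return tuple(int(arc) for arc in text.strip(".").split("."))


def decode_varbind(line: str) -> Varbind:
    """Split one 'Ent Value N: <oid>=<value>' line into its alert-table parts."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an 'Ent Value' line: %r" % line)
    oid = parse_oid(m.group(1))
    # Must be the alert table: the fixed prefix plus exactly param/sensor/event.
    if (oid[:len(SIDA_ALERT_PREFIX)] != SIDA_ALERT_PREFIX
            or len(oid) != SIDA_ALERT_EVENT_ID_IDX + 1):
        raise ValueError("OID is not a SIDA alert varbind: %r" % (oid,))
    return Varbind(oid, oid[ENTERPRISE_IDX], oid[SIDA_ALERT_PARAM_IDX],
                   oid[SIDA_ALERT_SENSOR_ID_IDX], oid[SIDA_ALERT_EVENT_ID_IDX],
                   m.group(2))


def param_name(idx: int) -> str:
    return PARAM_NAMES.get(idx, "param%d" % idx)


def rebase_oid(oid: Tuple[int, ...], enterprise_oid: str) -> str:
    """Replace the 1.3.6.1.4.1.<enterprise> head with the configured
    enterprise_oid and keep the 2.1.2.1.<param>.<sensor>.<event> tail.
    Assumption: this is what the plugin's enterprise_oid option is meant to do."""
    head = parse_oid(enterprise_oid)
    if head[:6] != (1, 3, 6, 1, 4, 1) or len(head) < 7:
        raise ValueError("enterprise_oid must be 1.3.6.1.4.1.<enterprise-number>")
    return "." + ".".join(str(arc) for arc in head + oid[ENTERPRISE_IDX + 1:])


def decode_trap(text: str) -> List[Varbind]:
    return [decode_varbind(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for vb in decode_trap(SAMPLE_TRAP):
        print("%-16s sensor=%d event=%d  %s = %r" % (
            param_name(vb.param), vb.sensor_id, vb.event_id,
            rebase_oid(vb.oid, "1.3.6.1.4.1.999"), vb.value))
```

Running it against the sample shows why the dump is confusing: every varbind carries enterprise 10234 regardless of the enterprise_oid setting, and only param index 2 (ALERTTIMESTAMP) can be named from the header extract, so a MIB for the other indices has to be written against whichever enterprise number is finally chosen.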