
Sniffer SNMP integration into NNM


AlfSutherland
Mar 29, 2001
Hi,
Has anyone used Network Associates (NAI)'s Sniffers to send SNMP traps to NNM? How would this be displayed within NNM, what MIB info would be required?
Alf
 
Hey Alf,

I'm very interested in finding out about this also. To carry this a step further, I'm also interested in knowing if you can have a group of proactive Sniffers (with filters loaded) to capture items such as Nimda and SQL Worm and have a specialized trap be sent with the affected device name, IP addresses of the conversation, the filter loaded, the Sniffer reporting, and any other information important and useful in tracking down the problem. This would be sent to HPOV NNM and then detailed event correlation could be accomplished in the background.
Possible?

DTMan
 
Great idea.
As you can't create your own alarms within Sniffer, the only way to do this is to force Sniffer to alarm on its existing parameters. A possible way of doing this would be to create a monitor filter, probably combining the Data Patterns of both the Nimda and SQL filters, and apply this monitor filter to each Sniffer. You could then use the MAC thresholds to alarm on packets/second, by dropping the threshold value down to 1.
Unfortunately we would then still have the problem of getting NNM to understand the Sniffer traps. I believe Sniffer have available HP MIBs, but when I've tried them in the past, they are incomprehensible within NNM. I will try and get someone to write them for me shortly. I'll then pass them on when I get them.

DTMAN - (can you send me an email)(see you back on the Sniffer Tek-tips page).

Does anyone know of ways to write MIBs, the format, etc.? Is there any HP NNM MIB writing documentation? Has anyone written MIBs for any other SNMP trap agent product?

Alf
 
Hi everybody, well, the best approach for your requirements may be setting up SNORT sensors + a database for SNORT (which comes already with a lot of helpful signatures and a few scripts to integrate or send events to management platforms through SNMP).

If you manage to properly define your subnet and select accurate signatures, you'll be able to match suspicious packets and report those events to NNM without a big effort.

This should be considered as a proactive approach, hope this helps, if you have any doubts or concerns, just let us know, ok?

BTW, getting and properly configuring such events under NNM is pretty easy, you can customize almost any string that you may receive through SNMP.

Hope this helps, best regards,
vlan52

The end of wisdom is freedom. The end of culture is perfection. The end of education is character. The end of knowledge is love.
 
Alf,

No need for a new MIB. Sniffer can run automated actions, which can be a script that runs the snmptrap command. You can create any messages you want and make NNM understand them via the Event configuration.

So the plan is simple: create a filter that would initiate an action when offending packets are captured, and assign an automatic action to send an snmptrap to NNM.

HTH,

Yigal
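The approach Yigal describes, as an added example that is not part of the original thread or of any Sniffer or NNM product: a small POSIX shell script that a Sniffer automatic action could invoke, forwarding the details DTMan asked for (reporting Sniffer, filter name, affected device, source and destination IP) to NNM as an SNMPv1 enterprise-specific trap via net-snmp's `snmptrap`. The enterprise OID `1.3.6.1.4.1.99999` and the five sub-OIDs under it are placeholders standing in for a private branch you would define in your own MIB and register in NNM's Event configuration; the NNM host and community string are assumptions read from environment variables. Setting `DRY_RUN=1` prints the argument list instead of sending, so the varbinds can be checked before the action is armed.

```shell
#!/bin/sh
# Added example (not from the thread): forward a Sniffer alarm to NNM as an
# SNMPv1 trap using net-snmp's snmptrap.
# Usage from the Sniffer action:  sh sniffer_trap.sh SNIFFER FILTER DEVICE SRC_IP DST_IP
#
# Assumptions (placeholders, not from the thread):
#   NNM_HOST / NNM_COMMUNITY  - where the trap goes and which community NNM accepts
#   ENTERPRISE_OID            - a private MIB branch you register in NNM's Event configuration
NNM_HOST="${NNM_HOST:-nnm.example.invalid}"
NNM_COMMUNITY="${NNM_COMMUNITY:-public}"
ENTERPRISE_OID="${ENTERPRISE_OID:-1.3.6.1.4.1.99999}"

# Strip line breaks so one field cannot be split into several trap values.
# Nothing here goes through eval, so other shell metacharacters are harmless.
sanitize() {
  printf '%s' "$1" | tr -d '\n\r'
}

# send_trap SNIFFER FILTER DEVICE SRC_IP DST_IP
# Builds the snmptrap argument list and either sends it or, with DRY_RUN=1,
# prints one argument per line for inspection.  Returns 1 on a missing field.
send_trap() {
  sniffer=$(sanitize "$1"); filter=$(sanitize "$2"); device=$(sanitize "$3")
  src=$(sanitize "$4"); dst=$(sanitize "$5")
  for v in "$sniffer" "$filter" "$device" "$src" "$dst"; do
    [ -n "$v" ] || { echo "send_trap: missing field" >&2; return 1; }
  done

  # SNMPv1 trap layout for snmptrap:
  #   enterprise-oid  agent-addr ('' = this host)  generic-trap (6 = enterpriseSpecific)
  #   specific-trap   uptime ('' = current)        then varbinds as OID TYPE VALUE
  # Each varbind is a placeholder sub-OID under the enterprise branch, typed as a string.
  set -- -v 1 -c "$NNM_COMMUNITY" "$NNM_HOST" \
    "$ENTERPRISE_OID" '' 6 1 '' \
    "$ENTERPRISE_OID.1" s "$sniffer" \
    "$ENTERPRISE_OID.2" s "$filter" \
    "$ENTERPRISE_OID.3" s "$device" \
    "$ENTERPRISE_OID.4" s "$src" \
    "$ENTERPRISE_OID.5" s "$dst"

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    snmptrap "$@"
  fi
}

# When run directly with five arguments (as the Sniffer action would), send the trap.
if [ "$#" -eq 5 ]; then
  send_trap "$@"
fi
```

On the NNM side the enterprise OID and specific-trap number 1 are what the Event configuration keys on; the five string varbinds can then be pulled into the event's display text, which is the "customize almost any string" step vlan52 mentions. Using a private enterprise branch rather than reusing someone else's OIDs keeps the NNM event definition unambiguous.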

 