List: sidewinder
Subject: Re: RE: [Sidewinder] Help- how do I set up my filters to ignore snmp
From: Joseph Stanton <jks () ureach ! com>
Date: 2001-10-21 2:04:39
If you do not want to see any traffic_filter events, you could
either increase the trigger values set for the traffic-filter
alarm or change it so it does not email the alarm.
Inside the auditbotd.conf file you will find the following
somewhere within the file:
--------------------
auditbot(trafic_filter /var/run/audit/trafic_filter.pid
trigger(1000 30 300 yes)
flags(no no)
email[Default] pager[] strikeback[Default] cmds[])
--------------------
The trigger values are defined as follows:
trigger ( threshold period interval reset)
threshold - the number of events required to trigger an alarm
period - the timespan (in seconds) during which threshold
number of events must occur to trigger an alarm.
A value of 0 means infinity.
interval - the time interval (in seconds) during which only
one alarm will be executed, even if more are
triggered
reset - boolean (yes or no), indicating whether or not to
reset the event count once threshold is reached
To stop the emails altogether, just delete the word "Default"
following the word email; this would make the line look as
follows:
email[] pager[] strikeback[Default] cmds[])
NOTE: This will only turn off email notification for the
traffic-filter alarm. To turn off all email notifications
you would have to do this for every alarm event in the
auditbotd.conf file.
On the subject of what you have tried, are you sure the snmp
traffic is coming from burb 0 or burb 1?
Try adding some lines for some other burb numbers:
ignore(2 udp * * * snmp)
ignore(3 udp * * * snmp)
(you can check what burb numbers you are using by looking at
the /etc/sidewinder/burb.conf file.)
You could do what Randy suggests, but then you would lose your
network management (snmp) capability, because the firewall would
just drop the packets in the bit bucket. This brings me to the
question of why you have so much snmp traffic traversing the
firewall. It seems like something might be misconfigured or
going bad.
Joe
________________________________________________
Get your own "800" number
Voicemail, fax, email, and a lot more
http://www.ureach.com/reg/tag
---- On Sat, 20 Oct 2001, Blahut Randall M SSgt 83 CS/SCNO
(randall.blahut@langley.af.mil) wrote:
> You can use a discard service as described in the Sidewinder manual.
> This will literally discard packets that arrive on a given socket. Be
> careful not to create a discard service that conflicts with an existing
> proxy! With Sidewinder 5.1, you can do this within the IP filter, but
> that doesn't apply here.
>
> SSgt Randy Blahut
> ACC NOSC Network Security
> 83 CS/SCNO
> DSN 574-4968/6563
> Comm 757-764-4968/6563
> randall.blahut@langley.af.mil
>
>
> -----Original Message-----
> From: Ordona Emelinda C SSgt 374 CS/SCBBM
> [mailto:emelinda.ordona@yokota.af.mil]
> Sent: Friday, October 19, 2001 2:04 AM
> To: sidewinder@adeptech.com
> Subject: [Sidewinder] Help- how do I set up my filters to ignore snmp
>
>
> I get e-mails every 15-20 minutes on
> /var/log/auditbotd/ab.trafic_filter.###
> because of 800 or so occurrences of snmp. I currently have
> /etc/sidewinder/auditbotd.conf set to ignore snmp with this:
>
> ignore(0 udp * * * snmp)
> ignore(1 udp * * * snmp)
>
> I ran cf audit stop name=all and started it back but it isn't working.
> I'm using sidewinder 4.1
>
> Emelinda C. Ordoña, SSgt, USAF
> Information Protection Operations, Technician
> DSN 315-225-5500
>
> _______________________________________________
> Sidewinder mailing list
> Sidewinder@adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
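Added illustration (not code from this thread or from Sidewinder) of the trigger(threshold period interval reset) semantics Joe describes above. It parses trigger lines in the auditbotd.conf syntax and runs four alternative settings over a constructed burst of SNMP audit events, so you can see which knob actually changes how often an alarm is emailed. The sliding-window counting, the config names and the event stream are assumptions of this model; the real auditbotd may count differently.

```python
"""
Model of an auditbotd-style alarm trigger:  trigger(threshold period interval reset)

Assumption (not from the thread or any Sidewinder source): the event count is a
sliding window of `period` seconds (period 0 = count forever), an alarm is
*triggered* whenever the count reaches `threshold`, it is *executed* (emailed)
only if `interval` seconds have passed since the last executed alarm, and
reset=yes clears the count after each trigger.
"""
import re
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    threshold: int
    period: float    # seconds; 0 means "infinity" (events never age out)
    interval: float  # seconds during which at most one alarm is executed
    reset: bool      # clear the event count once threshold is reached


TRIGGER_RE = re.compile(r"trigger\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(yes|no)\s*\)")


def parse_trigger(line):
    """Parse one 'trigger(1000 30 300 yes)' line from auditbotd.conf."""
    m = TRIGGER_RE.search(line)
    if not m:
        raise ValueError("not a trigger line: %r" % line)
    return Trigger(int(m.group(1)), float(m.group(2)), float(m.group(3)),
                   m.group(4) == "yes")


def simulate(trig, event_times):
    """Feed sorted event timestamps (seconds) through the trigger model.

    Returns (number of alarms triggered, list of times an alarm was executed).
    """
    window = deque()
    count = 0
    last_executed = None
    triggered = 0
    executed = []
    for t in event_times:
        if trig.period > 0:
            window.append(t)
            # drop events that have aged out of the period
            while t - window[0] >= trig.period:
                window.popleft()
            count = len(window)
        else:
            count += 1
        if count >= trig.threshold:
            triggered += 1
            if last_executed is None or t - last_executed >= trig.interval:
                executed.append(t)
                last_executed = t
            if trig.reset:
                window.clear()
                count = 0
    return triggered, executed


# Constructed event stream: 50 SNMP audit events per second for one minute.
BURST = [i / 50 for i in range(3000)]

# Hypothetical alternatives to the stock line quoted in the thread.
CONFIGS = {
    "as shipped":       "trigger(1000 30 300 yes)",
    "higher threshold": "trigger(5000 30 300 yes)",
    "no reset":         "trigger(1000 30 300 no)",
    "infinite period":  "trigger(1000 0 10 yes)",
}


def compare(configs=CONFIGS, events=BURST):
    """Run every config over the same events; returns {name: (triggered, executed)}."""
    return {name: simulate(parse_trigger(line), events)
            for name, line in configs.items()}


if __name__ == "__main__":
    for name, (n_trig, execd) in compare().items():
        print("%-17s triggered=%-5d emailed=%d at %s"
              % (name, n_trig, len(execd), ["%.2f" % t for t in execd]))
```

Under this model the stock line fires three times during the burst but emails once, because the 300 second interval swallows the second and third alarm; raising the threshold above what fits in one 30 second window suppresses the alarm entirely; reset=no makes every event past the threshold a fresh trigger (still rate-limited by interval); and a period of 0 with a short interval emails on every thousandth event. That is why Joe's two suggestions (raise the trigger values, or blank the email[] target) have such different effects.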