
How to see if the SNMP server can receive AV traps

Hi,

Within the Sophos console, in the Anti-virus and HIPS policy, an SNMP server has been listed as the SNMP trap destination; however, how can I check whether it has been configured correctly?  We are receiving all other traps from that AV server except the desktop AV alerts.

Thanks



  • Hi NalK

    There are a few places to get more information on the configurations.

    There was a previous post:

    /search?q= 22429

    The Console help guides:

    http://www.sophos.com/en-us/support/knowledgebase/13113.aspx

    or you can phone Sophos to go through the configurations.

    I would recommend checking the DNS configuration if you haven't used an IP address.

    Hope the above helps. 

  • Hi Wickedkittenz,

    I've checked the configuration settings for SNMP trap destinations and they have been set up as instructed in the help manual.  The way my organisation has been set up is as follows:

    A virus alert is generated on a workstation

    This creates an alert in the Sophos console, which in turn sends a trap to the SNMP server

    The SNMP server relays this information to a message server, which captures the relevant data such as user name, file location, date/time stamp, virus name etc. and then logs an incident ticket to our ticketing system.

    The system administrators have advised me that they receive other traps from the SNMP server, just not the anti-virus ones.  I can also confirm that the UDP ports are not blocked, as the message server is getting other traps from the SNMP server.

    So my question is, is there any way I can check whether the AV traps have been blocked or have not been configured to be sent as traps to the message servers?

    Hope this makes more sense now.

    Thanks

  • Hello NalK,

    an alert in the Sophos console which in turn send a trap to the snmp server

    I might have had a bad start today, but AFAIK the console only sends mail, not SNMP messages. The AV policy applies to clients, and therefore it's them sending the traps.

    Apart from this, please be aware that detection and subsequent cleanup could (I've never tested it) result in more than one message being sent - if you automatically create a ticket you'd have to correlate them in some way. Perhaps you've already observed in the dashboard the number of virus/spyware alerts rise and drop again after a few seconds (or computers "come and go" in the Computers with alerts list). If you look at the details, this is caused by detections for which the cleanup succeeds (soon) afterwards. SEC has the logic to correctly process this sequence of events.

    Christian 

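The question in this thread is how to see whether the AV traps are actually reaching the trap destination, and Christian's point is that they come from the individual clients, not from the console, so the sender's source address is the first thing to look at. The following is an added example, not code from the thread or from Sophos: a dependency-free SNMPv2c trap receiver that decodes each datagram far enough to show the source address, the community string, the trap type OID (snmpTrapOID.0) and the varbinds. Run it on the trap destination host in place of the normal receiver (port 162 needs root; any high port works for a test sender) and trigger a detection on a client; if the client's address never appears, the endpoint policy or the network is the problem, and if it appears but under a different community or trap OID than the receiver expects, that is where the filtering happens. Everything under `1.3.6.1.4.1.99999` is a placeholder arc used only for the constructed sample datagram; the real trap OIDs are the ones in Sophos's MIB, which this page does not give. Only the v2c trap PDU (tag 0xA7) is decoded; an SNMPv1 Trap-PDU (tag 0xA4) has a different layout and is reported as "not a v2c trap", which is itself useful to know.

```python
import socket

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # sysUpTime.0: first varbind of every v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0: second varbind, names the trap type

# --- minimal BER encoder, used only to build the constructed sample datagrams below ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _int(n, tag=0x02):
    return _tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))
_ENC = {"int": _int, "ticks": lambda x: _int(x, 0x43), "str": lambda x: _tlv(0x04, x.encode()), "oid": _oid}

def build_v2c_trap(community, trap_oid, varbinds, uptime=0, request_id=1):
    """Encode an SNMPv2c trap; varbinds is a list of (oid, kind, value) with kind a key of _ENC."""
    vbs = [(SYS_UPTIME, "ticks", uptime), (SNMP_TRAP_OID, "oid", trap_oid)] + list(varbinds)
    vb_seq = b"".join(_tlv(0x30, _oid(o) + _ENC[k](v)) for o, k, v in vbs)
    pdu = _tlv(0xA7, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vb_seq))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)   # version 1 means SNMPv2c

# --- minimal BER decoder, enough for the SNMPv2-Trap-PDU (tag 0xA7) ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length   # (tag, body, position after the element)

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):   # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return {0x04: lambda: body.decode("utf-8", "replace"), 0x06: lambda: _decode_oid(body),
            0x40: lambda: ".".join(map(str, body))}.get(tag, body.hex)()   # 0x40 is IpAddress

def _decode_varbinds(body):
    out, pos = [], 0
    while pos < len(body):
        _, vb, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        out.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return out

def decode_trap(datagram):
    """Decode an SNMPv2c trap into a dict; return None for any other PDU type (v1 Trap-PDU, Get, ...)."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    ptag, pdu, _ = _read_tlv(msg, pos)
    if ptag != 0xA7:
        return None
    p = 0
    for _ in range(3):                     # skip request-id, error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, vb_seq, _ = _read_tlv(pdu, p)
    vbs = _decode_varbinds(vb_seq)
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode("utf-8", "replace"),
            "trap_oid": next((v for o, v in vbs if o == SNMP_TRAP_OID), None), "varbinds": vbs}

# Constructed samples. 1.3.6.1.4.1.99999.* is a placeholder arc, not Sophos's enterprise OID.
SAMPLE_TRAP = build_v2c_trap("public", "1.3.6.1.4.1.99999.1.1",
                             [("1.3.6.1.4.1.99999.2.1", "str", "WS-042"),
                              ("1.3.6.1.4.1.99999.2.2", "str", "EICAR-AV-Test")], uptime=12345)
SAMPLE_GET = _tlv(0x30, _int(1) + _tlv(0x04, b"public") + _tlv(0xA0, _int(7) + _int(0) + _int(0) + _tlv(0x30, b"")))

def listen(port=162, oid_prefix=""):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))           # 162 needs root; point a test sender at a high port instead
    while True:                            # oid_prefix limits output to one trap-type subtree
        data, (src, _) = sock.recvfrom(65535)
        trap = decode_trap(data)
        if trap is None:
            print(src, "SNMP message that is not a v2c trap (v1 Trap-PDU, Get, ...), %d bytes" % len(data))
        elif (trap["trap_oid"] or "").startswith(oid_prefix):
            print(src, trap["trap_oid"], repr(trap["community"]), trap["varbinds"])

if __name__ == "__main__": listen()
```

Running the file as root starts the receiver on udp/162; to check only the AV traps once their OID subtree is known from the MIB, call `listen(162, "<that prefix>")` instead. `build_v2c_trap` can also be used from a second machine with `socket.sendto` to confirm that the path into the receiver works independently of the Sophos clients, which separates "traps are not being sent" from "traps are sent but dropped on the way".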