A few months ago I created a rewrite rule in /etc/nsm/rules/local.rules and added all the print servers there. I followed the steps from the wiki. I still see the IPs I put in the rewrite rule, so I am not sure how it works. The way I read the rewrite rule is that I wouldn't see the alert if the srcip was in my variable which lists the print servers. This may need a post by itself to troubleshoot the rewrite rule.
I was trying to do the rewrite and not disable this alert because I heard a talk at a security con about using SNMP to exfil data. I can't seem to find the talk or any good info on SNMP being used for exfil.
This is by far the noisiest alert that I have.
I've had this problem before when users were directly mapped to printers and/or the printers were configured to use a default public community string.
I saw a large drop in alerts after machines were configured to use an appropriate server and SNMP was disabled.
I would work to fix this, as it is a legitimate case. Check your print server and its SNMP settings, as well as any other printers/devices that may be alerted upon.
See the following for more background (a little dated, but still useful):
https://www.giac.org/paper/gcih/44/default-snmp-community-strings-set-public-private/100366
Thanks,
Wes
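One way to check whether a print-server suppression can ever cover this alert is to group the alerts by source address, since, as Wes describes, workstations that poll printers directly are the sources, not the print servers. The script below is an added example, not code from the thread or from Security Onion; the fast-format alert lines, the SID 1000001 (local-rules range), the message text and the print-server addresses are all constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Snort/Suricata "fast" alert format. The SID
# (1000001, the local-rules range), the message and the addresses are
# placeholders, not the real signature that fires in the thread above.
SAMPLE_ALERTS = """\
05/21-14:02:11.123456  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.50.23:53412 -> 10.1.9.10:161
05/21-14:02:12.004210  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.2.5:40001 -> 10.1.9.10:161
05/21-14:02:13.555000  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.50.44:53413 -> 10.1.9.11:161
05/21-14:02:14.000001  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.2.5:40002 -> 10.1.9.12:161
"""

# Hypothetical print servers: the hosts the rewrite rule in the thread was meant to cover.
PRINT_SERVERS = {"10.1.2.5", "10.1.2.6"}

FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_fast(text):
    """Yield one dict per parsable fast-format line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield m.groupdict()

def triage(text, print_servers=PRINT_SERVERS):
    """Count SNMP alerts per source, split into print servers vs. everything else.

    Sources outside the print-server set are the ones a by_src suppression for
    the print servers will never cover: typically workstations polling printers
    directly, which is where the fix (disable SNMP or change the community
    string on the printers, map users to the print server) has to happen.
    """
    covered, uncovered = Counter(), Counter()
    for a in parse_fast(text):
        if a["dport"] != "161":
            continue  # only traffic to the SNMP agent port is relevant here
        (covered if a["src"] in print_servers else uncovered)[a["src"]] += 1
    return covered, uncovered

if __name__ == "__main__":
    cov, unc = triage(SAMPLE_ALERTS)
    print("covered by print-server suppression:", dict(cov))
    print("NOT covered (fix these hosts/printers):", dict(unc))
```

Run it against your own alert.fast (or a `grep` of the SNMP signature from it) instead of the constructed sample; any source that lands in the second group explains why the rewrite rule did not make the alert go away.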
Thanks. I read the doc. Now I just have to figure out a way to turn it off. Nice explanation of MIBs.