I have been attempting to send SNMP traps from our IPS to a management PC, but I don't believe they are being sent. Here is what I have done so far:
On the management PC, I have tshark listening on port 162 for any incoming UDP packets. By using nmap from other systems on the same network as the IPS, I have used nmap to send a UDP ping to this system. This has allowed me to verify that tshark is working properly and printing out these packets.
On the IPS, I can ping the management PC (although I obviously cannot test with nmap). I have also enabled SNMP traps and set it to notify for fatal, error, or warning events. I have enabled detailed traps and set a community string. Finally, I added the management pc as the destination on port 162 with the correct community string.
So in order to test this, I set an event action override for low, medium and high risk events to "Request SNMP Trap". Once I have done this, I can monitor the events that are triggered through IPSME, and I have verified that all of these type of events have the action to request the SNMP trap.
When I check the management PC, nothing has come through on tshark.
Is there something simple I am missing? Can I use an event action override for this? Thanks!