Thursday, August 31, 2006

Review of Essential SNMP, 2nd Ed Posted

Amazon.com just posted my four-star review of Essential SNMP, 2nd Ed. From the review:

Essential SNMP, 2nd Ed (ES2E) fills a gap in being a modern book about an important management protocol. SNMP is used extensively by network management stations (NMS) like Nagios, which is now the subject of two independent books. ES2E does a good job covering SNMP issues important to administrators and NMS users. However, the book's organization and subject matter could be improved in the 3rd edition.

This is why I've been blogging on SNMP today.

That's 12 book reviews for the month of August. Whew.

Sending and Receiving SNMP Traps

SNMP is turning into more voodoo than I expected. I decided to document the following examples for future reference.

SNMP traps are messages sent from agents to network management systems (NMS). A simple trap receiver is Net-SNMP's snmptrapd. I started it as shown so I could watch messages roll in.

orr:/root# snmptrapd -f -Lo
2006-08-31 21:45:50 NET-SNMP version 5.2.3 Started.

As you can see, snmptrapd listens on port 162 UDP.

orr:/home/richard$ sockstat -4 | grep snmptrapd
root snmptrapd 5080 9 udp4 *:162 *:*

Now I will use the snmptrap program to generate traps.

First, an SNMP v1 trap for uptime.

orr:/home/richard$ snmptrap -v 1 -c read localhost '' localhost 6 1 ''

Here is what snmptrapd sees.

2006-08-31 21:47:16 localhost.taosecurity.com [127.0.0.1] (via UDP: [127.0.0.1]:63651)
TRAP, SNMP v1, community read
SNMPv2-SMI::enterprises.3.1.1 Enterprise Specific Trap (1) Uptime: 16:45:42.27

Here is the SNMP v1 trap packet.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: trap (4)
trap
enterprise: 1.3.6.1.4.1.3.1.1 (SNMPv2-SMI::enterprises.3.1.1)
agent-addr: internet (0)
internet: 127.0.0.1 (127.0.0.1)
generic-trap: enterpriseSpecific (6)
specific-trap: 1
time-stamp: 6040353
variable-bindings: 0 items

0000 02 00 00 00 45 00 00 46 33 c5 00 00 40 11 48 e0 ....E..F3...@.H.
0010 7f 00 00 01 7f 00 00 01 f2 4d 00 a2 00 32 72 36 .........M...2r6
0020 30 28 02 01 00 04 04 72 65 61 64 a4 1d 06 08 2b 0(.....read....+
0030 06 01 04 01 03 01 01 40 04 7f 00 00 01 02 01 06 .......@........
0040 02 01 01 43 03 5c 2b 21 30 00 ...C.\+!0.

Second, an SNMP v2c trap for uptime, sent with the optional inform parameter (-Ci).

orr:/home/richard$ snmptrap -v 2c -Ci -c read localhost '' SNMPv2-SMI::enterprises.3.1.1

Here is what snmptrapd sees.

2006-08-31 21:50:11 localhost.taosecurity.com [UDP: [127.0.0.1]:64215]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6051698) 16:48:36.98
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1.1

Here is the SNMP v2c trap packet, followed by confirmation.

Simple Network Management Protocol
version: v2c (1)
community: read
data: informRequest (6)
informRequest
request-id: 1679401786
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 6051698
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000 02 00 00 00 45 00 00 60 33 ed 00 00 40 11 48 9e ....E..`3...@.H.
0010 7f 00 00 01 7f 00 00 01 fa d7 00 a2 00 4c 32 1d .............L2.
0020 30 42 02 01 01 04 04 72 65 61 64 a6 37 02 04 64 0B.....read.7..d
0030 19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b ..:......0)0...+
0040 06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a .......C.\Wr0...
0050 2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04 +...........+...
0060 01 03 01 01

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-response (2)
get-response
request-id: 1679401786
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 6051698
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000 02 00 00 00 45 00 00 60 33 ee 00 00 40 11 48 9d ....E..`3...@.H.
0010 7f 00 00 01 7f 00 00 01 00 a2 fa d7 00 4c 32 21 .............L2!
0020 30 42 02 01 01 04 04 72 65 61 64 a2 37 02 04 64 0B.....read.7..d
0030 19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b ..:......0)0...+
0040 06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a .......C.\Wr0...
0050 2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04 +...........+...
0060 01 03 01 01 ....

At the moment I cannot get v3 traps to work. I can get v3 informs to work:

First I create /usr/local/etc/snmp/snmptrapd.conf:

createUser trapman MD5 trappass DES trappass

Then I restart snmptrapd. Now I can perform the inform.

orr:/home/richard$ snmpinform -v 3 -u trapman -a MD5 -A trappass -l authNoPriv localhost 42 coldStart.0

Here is what snmptrapd sees.

2006-08-31 22:43:41 localhost.taosecurity.com [UDP: [127.0.0.1]:62491]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (42) 0:00:00.42
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart.0

Here is the traffic.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1039950895
msgMaxSize: 65507
msgFlags: 05
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0D33EF7A
Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 4
msgUserName: trapman
msgAuthenticationParameters: A5FC35A19F7AB9A97466BB1A
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800D33EF7ADD83F744
data: informRequest (6)
informRequest
request-id: 2014502362
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 42
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-MIB::coldStart.0

0000 02 00 00 00 45 00 00 b3 57 33 00 00 40 11 25 05 ....E...W3..@.%.
0010 7f 00 00 01 7f 00 00 01 f4 1b 00 a2 00 9f 95 af ................
0020 30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03 0.....0...=.d/..
0030 00 ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02 .....3.z...D....
0050 01 04 04 07 74 72 61 70 6d 61 6e 04 0c a5 fc 35 ....trapman....5
0060 a1 9f 7a b9 a9 74 66 bb 1a 04 00 30 4a 04 0d 80 ..z..tf....0J...
0070 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a6 37 .....3.z...D...7
0080 02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d ..x.........0)0.
0090 06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06 ..+.......C.*0..
00a0 0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01 .+...........+..
00b0 06 03 01 01 05 01 00 .......

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1039950895
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0D33EF7A
Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 4
msgUserName: trapman
msgAuthenticationParameters: 2FEEE8643D86D468E81D09DD
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800D33EF7ADD83F744
data: get-response (2)
get-response
request-id: 2014502362
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 42
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-MIB::coldStart.0

0000 02 00 00 00 45 00 00 b3 57 34 00 00 40 11 25 04 ....E...W4..@.%.
0010 7f 00 00 01 7f 00 00 01 00 a2 f4 1b 00 9f 9f fb ................
0020 30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03 0.....0...=.d/..
0030 00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02 .....3.z...D....
0050 01 04 04 07 74 72 61 70 6d 61 6e 04 0c 2f ee e8 ....trapman../..
0060 64 3d 86 d4 68 e8 1d 09 dd 04 00 30 4a 04 0d 80 d=..h......0J...
0070 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a2 37 .....3.z...D...7
0080 02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d ..x.........0)0.
0090 06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06 ..+.......C.*0..
00a0 0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01 .+...........+..
00b0 06 03 01 01 05 01 00 .......

These instructions and my book say to add something like this to /usr/local/etc/snmp/snmptrapd.conf to enable SNMP v3 traps:

createUser -e 0x012345 doit MD5 doitpass DES doitpass

snmptrapd starts fine, and I see the new user added in /var/net-snmp/snmptrapd.conf above the first user:

usmUser 1 3 0x012345 0x646f697400 0x646f697400 NULL .1.3.6.1.6.3.10.1.1.2
0xd59dafffd9eadd362bbdde931d44f70b .1.3.6.1.6.3.10.1.2.2
0xd59dafffd9eadd362bbdde931d44f70b 0x00
usmUser 1 3 0x80001f88800d33ef7add83f744 0x747261706d616e00 0x747261706d616e00 NULL
.1.3.6.1.6.3.10.1.1.2 0x097eb8ceff51d21214b06c0a9ce6778d .1.3.6.1.6.3.10.1.2.2
0x097eb8ceff51d21214b06c0a9ce6778d 0x00
engineBoots 27
oldEngineID 0x80001f88800d33ef7add83f744

However, I get this error when trying to generate a trap:

orr:/home/richard$ snmptrap -e 0x012345 -v 3 -u doit -a MD5 -A doitpass -l authNoPriv
localhost '' SNMPv2-SMI::enterprises.3.1.1
snmptrap: USM unknown security name (no such user exists)

Any thoughts on this problem?

Update: This is most likely a bug mentioned in this thread and fixed by this patch. Apparently Net-SNMP 5.2.4 will incorporate this patch and fix sending SNMP v3 traps.
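The hex keys on the usmUser lines above are not the passwords themselves: USM derives a key from the password (Ku) and then localizes it to one snmpEngineID (Kul), which is why the createUser line for a trap user needs the -e engine ID. The following is an added example written for this page, not Net-SNMP code; it implements the RFC 3414 password-to-key and key-localization steps with Python's hashlib, checks them against the "maplesyrup" test vector from RFC 3414 Appendix A.3.1, and recomputes the auth key for the doit line shown above (engine ID 0x012345, password doitpass, both from the page). Net-SNMP persists the localized key, so the recomputed value should reproduce the hex value after the usmHMACMD5AuthProtocol OID; the matches flag reports whether it does.

```python
"""RFC 3414 password-to-key (Ku) and key localization (Kul) for USM users.
Written for this page; not Net-SNMP code. DOIT_LINE is the usmUser line the
post shows (joined back onto one line); "maplesyrup" is the RFC 3414 A.3.1 vector."""
import hashlib

# usmUser line from /var/net-snmp/snmptrapd.conf as shown in the post (one line)
DOIT_LINE = ("usmUser 1 3 0x012345 0x646f697400 0x646f697400 NULL "
             ".1.3.6.1.6.3.10.1.1.2 0xd59dafffd9eadd362bbdde931d44f70b "
             ".1.3.6.1.6.3.10.1.2.2 0xd59dafffd9eadd362bbdde931d44f70b 0x00")

# usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol (RFC 3414)
AUTH_PROTOCOLS = {".1.3.6.1.6.3.10.1.1.2": "md5", ".1.3.6.1.6.3.10.1.1.3": "sha1"}


def password_to_key(password, hash_name="md5"):
    """Ku: digest of the password repeated out to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent actually stores and uses,
    so the same password yields a different key on every engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_user_key(password, engine_id, hash_name="md5"):
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def check_usmuser_line(line, password):
    """Parse a Net-SNMP persistent usmUser line and recompute its localized auth key.
    Fields: usmUser <boots> <flags> <engineID> <name> <secName> <cloneFrom>
            <authOID> <authKey> <privOID> <privKey> <public>"""
    f = line.split()
    engine_id = bytes.fromhex(f[3][2:])
    user = bytes.fromhex(f[4][2:]).rstrip(b"\0").decode()   # stored with a trailing NUL
    hash_name = AUTH_PROTOCOLS[f[7]]
    stored = f[8][2:].lower()
    expected = localized_user_key(password, engine_id, hash_name).hex()
    return {"user": user, "engine_id": engine_id.hex(), "auth": hash_name,
            "stored": stored, "expected": expected, "matches": stored == expected}


if __name__ == "__main__":
    print(check_usmuser_line(DOIT_LINE, "doitpass"))
    # The same password localized to the trapd engine ID from the post gives a different key.
    print(localized_user_key("doitpass", bytes.fromhex("80001f88800d33ef7add83f744")).hex())
```

The practical consequence for a defender is the converse of the localization step: a localized key lifted from an agent's persistent configuration is only valid against that engine ID, whereas a recovered password works everywhere it was reused.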

Updating Cisco Switch to Support Encrypted SNMP v3

I realized I had an IOS image for my Cisco switch that supported crypto, as required for encrypted SNMP.

I decided to reflash my switch to add this support.

This is an example of a blog entry for my future reference. I don't expect any Cisco-ites to learn anything from this.

First I see what version of IOS is installed.

2950T-24#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is CALHOUN boot loader

2950T-24 uptime is 3 hours, 20 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

cisco WS-C2950T-24 (RC32300) processor (revision J0) with 20839K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Configuration register is 0xF

Next I look at available filesystems.

2950T-24#show file systems
File Systems:

Size(b) Free(b) Type Flags Prefixes
* 7741440 2867712 flash rw flash:
- - opaque ro bs:
7741440 2867712 unknown rw zflash:
32768 29934 nvram rw nvram:
- - opaque rw null:
- - opaque rw system:
- - network rw tftp:
- - opaque ro xmodem:
- - opaque ro ymodem:
- - network rw rcp:
- - network rw ftp:

You can move around the IOS flash filesystem like a Unix box.

2950T-24#cd flash:
2950T-24#dir
Directory of flash:/

2 -rwx 2888547 Mar 01 1993 00:03:24 c2950-i6q4l2-mz.121-13.EA1.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (2867712 bytes free)

The .bin file is my current IOS image. I can get the same directory listing this way:

2950T-24#show flash

Directory of flash:/

2 -rwx 2888547 Mar 01 1993 00:03:24 c2950-i6q4l2-mz.121-13.EA1.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (2867712 bytes free)

Let's check out the html directory for fun.

2950T-24#cd html
2950T-24#dir
Directory of flash:/html/

8 -rwx 3994 Mar 01 1993 00:03:24 homepage.htm
9 -rwx 1392 Mar 01 1993 00:03:24 not_supported.html
10 -rwx 9529 Mar 01 1993 00:03:24 common.js
11 -rwx 22152 Mar 01 1993 00:03:25 cms_splash.gif
12 -rwx 1211 Mar 01 1993 00:03:25 cms_13.html
13 -rwx 2823 Mar 01 1993 00:03:25 cluster.html
14 -rwx 4195 Mar 01 1993 00:03:25 Redirect.jar
15 -rwx 15899 Mar 01 1993 00:03:25 mono_disc.sgz
16 -rwx 1344455 Mar 01 1993 00:04:05 CMS.sgz
17 -rwx 86918 Mar 01 1993 00:04:08 images.sgz
18 -rwx 287994 Mar 01 1993 00:04:16 help.sgz
19 -rwx 135599 Mar 01 1993 00:04:19 CiscoChartPanel.sgz
20 -rwx 58864 Mar 01 1993 00:04:21 cms_boot.jar

7741440 bytes total (2867712 bytes free)

2950T-24#pwd
flash:/html/
2950T-24#cd ..
2950T-24#pwd
flash:/

For one last command, check the current image file type.

2950T-24#show file information c2950-i6q4l2-mz.121-13.EA1.bin
flash:c2950-i6q4l2-mz.121-13.EA1.bin:
type is ebcdic text

I need to erase this image because I do not have enough room for the old and new images in flash. First I copy the image elsewhere using FTP.

2950T-24#copy flash:c2950-i6q4l2-mz.121-13.EA1.bin
ftp://cisco:cisco@192.168.2.5/c2950-i6q4l2-mz.121-13.EA1.bin
Address or name of remote host [192.168.2.5]?
Destination filename [c2950-i6q4l2-mz.121-13.EA1.bin]?
Writing c2950-i6q4l2-mz.121-13.EA1.bin
!!!
...edited...
2888547 bytes copied in 8.796 secs (328393 bytes/sec)

Now I ensure the running config is saved, and I copy that elsewhere.

2950T-24#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

2950T-24#copy startup-config ftp://cisco:cisco@192.168.2.5/startup-config
Address or name of remote host [192.168.2.5]?
Destination filename [startup-config]?
Writing startup-config !
1711 bytes copied in 0.296 secs (5780 bytes/sec)

Now I delete the existing image.

2950T-24#delete flash:c2950-i6q4l2-mz.121-13.EA1.bin
Delete filename [c2950-i6q4l2-mz.121-13.EA1.bin]?
Delete flash:c2950-i6q4l2-mz.121-13.EA1.bin? [confirm]
2950T-24#dir
Directory of flash:/

3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (5756416 bytes free)

I can copy the new image to the switch.

2950T-24#copy ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin
flash:c2950-i6k2l2q4-mz.121-22.EA8a.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA8a.bin]?
Accessing ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA8a.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...edited...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3706442/1024 bytes]

3706442 bytes copied in 98.408 secs (37664 bytes/sec)

2950T-24#dir
Directory of flash:/

2 -rwx 3706442 Mar 01 1993 03:41:09 c2950-i6k2l2q4-mz.121-22.EA8a.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
5 -rwx 1880 Mar 01 1993 03:42:01 config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
23 -rwx 177 Mar 01 1993 03:42:01 private-config.text

7741440 bytes total (2049536 bytes free)

Time to reload.

2950T-24#reload
Proceed with reload? [confirm]

03:44:29: %SYS-5-RELOAD: Reload requested
C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
Compiled Mon 22-Jul-02 17:18 by antonino
WS-C2950T-24 starting...
Base ethernet MAC Address: 00:0d:28:6c:f5:40
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 20 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 5691904
flashfs[0]: Bytes available: 2049536
flashfs[0]: flashfs fsck took 8 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/c2950-i6k2l2q4-mz.121-22.EA8a.bin"...####...0x80010000
executing...
...edited...
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
Image text-base: 0x80010000, data-base: 0x8067A000


Initializing flashfs...
flashfs[1]: 20 files, 2 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 5691904
flashfs[1]: Bytes available: 2049536
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
Done initializing flashfs.
POST: System Board Test : Passed
POST: Ethernet Controller Test : Passed
ASIC Initialization Passed

POST: FRONT-END LOOPBACK TEST : Passed
...edited...
cisco WS-C2950T-24 (RC32300) processor (revision J0) with 19959K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Building configuration...
[OK]
Building configuration...
[OK]
00:00:16: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:21: %SYS-5-CONFIG_I: Configured from memory by console
00:00:22: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:23: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
00:00:23: %SNMP-5-COLDSTART: SNMP agent on host 2950T-24 is undergoing a cold start

So far so good. Now I need to add SNMP v3 encryption support.

2950T-24(config)#snmp-server group readonly v3 priv read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass
priv des56 bejtlichpass

I run 'sh run' to see if those entries are there.

snmp-server group readonly v3 priv read readview
snmp-server view readview internet included

It looks like I am ready to perform snmpget using encrypted SNMP v3.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass
-x DES -X bejtlichpass 192.168.2.2 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING:

It worked. Here is the get.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1661458003
msgMaxSize: 65507
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800000090300000D286CF541
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: cisco (9)
Engine ID Format: MAC address (3)

msgAuthoritativeEngineBoots: 2
msgAuthoritativeEngineTime: 1148
msgUserName: richard
msgAuthenticationParameters: 5D732660B4962FB94C3857F6
msgPrivacyParameters: 0000000187F9C1A5
msgData: encryptedPDU (1)
encryptedPDU: A2747E0A41B3198E50974E9B436A4D2AE105FDDB0DECABB3...

Here is the response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1661458003
msgMaxSize: 1500
msgFlags: 03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800000090300000D286CF541
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: cisco (9)
Engine ID Format: MAC address (3)

msgAuthoritativeEngineBoots: 2
msgAuthoritativeEngineTime: 1148
msgUserName: richard
msgAuthenticationParameters: 58D2406E940462CA945D1265
msgPrivacyParameters: 00000002B05B3948
msgData: encryptedPDU (1)
encryptedPDU: 1A6F31989187318B38BC5D90068B7EE847D3FE4716984CA8...

Not bad!

SNMP v3 on Cisco Switch

Using these instructions I set up SNMP v3 on my Cisco 2950-T switch.


2950T-24>enable
Password:
2950T-24#conf t
2950T-24(config)#snmp-server view readview internet included
2950T-24(config)#snmp-server group readonly v3 auth read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass
Adding an snmpv3 user could cause a bootup delay,
do you wish to continue? (y/n)[confirm]y
2950T-24(config)#exit
2950T-24#

I was not able to use DES encryption because the switch does not have a crypto image. This output has the clues I need to track down what image I'm using.

orr:/home/richard$ snmpwalk -v3 -u richard -l authNoPriv -a MD5
-A bejtlichpass 192.168.2.2 system

SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.359
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (128520) 0:21:25.20
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: 2950T-24
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 2
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

I believe a router I own has a crypto image, so to enable DES encryption of SNMP v3 packets I would say this instead:

2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass
priv des56 bejtlichpass

SNMP Comments Part II

Earlier today I described how to modify the sysLocation MIB entry using SNMP v1 or v2c.

I can do so with SNMP v3 too.

Here is the syntax, followed by packet captures. I disabled encryption so we could read the protocol.

orr:/home/richard$ snmpset -v 3 -u richard -l authNoPriv -a MD5 -A bejtlichpass
127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is the SNMP v3 set.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1062947135
msgMaxSize: 65507
msgFlags: 05
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 30
msgAuthoritativeEngineTime: 284
msgUserName: richard
msgAuthenticationParameters: EC4230B1E10C6F5B9A35AFD2
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: set-request (3)
set-request
request-id: 745008373
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: Manassas

0000 02 00 00 00 45 00 00 a1 ab e5 00 00 40 11 d0 64 ....E.......@..d
0010 7f 00 00 01 7f 00 00 01 c5 64 00 a1 00 8d d7 5b .........d.....[
0020 30 81 82 02 01 03 30 11 02 04 3f 5b 49 3f 02 03 0.....0...?[I?..
0030 00 ff e3 04 01 05 02 01 03 04 31 30 2f 04 0d 80 ..........10/...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1e 02 .....~.c...D....
0050 02 01 1c 04 07 72 69 63 68 61 72 64 04 0c ec 42 .....richard...B
0060 30 b1 e1 0c 6f 5b 9a 35 af d2 04 00 30 37 04 0d 0...o[.5....07..
0070 80 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a3 ......~.c...D...
0080 24 02 04 2c 67 ec f5 02 01 00 02 01 00 30 16 30 $..,g........0.0
0090 14 06 08 2b 06 01 02 01 01 06 00 04 08 4d 61 6e ...+.........Man
00a0 61 73 73 61 73 assas

Here is the SNMP v3 response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1062947135
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 30
msgAuthoritativeEngineTime: 284
msgUserName: richard
msgAuthenticationParameters: AFBDAC044A463B08DB5C5A2F
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: get-response (2)
get-response
request-id: 745008373
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: Manassas

0000 02 00 00 00 45 00 00 a1 ab e6 00 00 40 11 d0 63 ....E.......@..c
0010 7f 00 00 01 7f 00 00 01 00 a1 c5 64 00 8d 78 28 ...........d..x(
0020 30 81 82 02 01 03 30 11 02 04 3f 5b 49 3f 02 03 0.....0...?[I?..
0030 00 ff e3 04 01 01 02 01 03 04 31 30 2f 04 0d 80 ..........10/...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1e 02 .....~.c...D....
0050 02 01 1c 04 07 72 69 63 68 61 72 64 04 0c af bd .....richard....
0060 ac 04 4a 46 3b 08 db 5c 5a 2f 04 00 30 37 04 0d ..JF;..\Z/..07..
0070 80 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a2 ......~.c...D...
0080 24 02 04 2c 67 ec f5 02 01 00 02 01 00 30 16 30 $..,g........0.0
0090 14 06 08 2b 06 01 02 01 01 06 00 04 08 4d 61 6e ...+.........Man
00a0 61 73 73 61 73 assas

SNMP v1, v2c, and v3

The book pictured at left spends more time on SNMP v1 and v2c than it does on SNMP v3. For example, it provides packet captures for v1 and v2c but not v3.

SNMP v1 is everywhere, but we should use SNMP v3 where possible.

I thought it would be helpful to show all three formats in one place.

Here is my snmpd.conf for SNMP v1 and v2c.

###########################################################################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

# rwuser: a SNMPv3 read-write user
# arguments: user [noauth|auth|priv] [restriction_oid]

rocommunity read
rwcommunity write

This is the syntax for an SNMP v1 snmpget.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v1 get.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: get-request (0)
get-request
request-id: 623181039
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 45 8f d7 00 00 40 11 ec ce ....E..E....@...
0010 7f 00 00 01 7f 00 00 01 c7 4c 00 a1 00 31 d6 36 .........L...1.6
0020 30 27 02 01 00 04 04 72 65 61 64 a0 1c 02 04 25 0'.....read....%
0030 24 fc ef 02 01 00 02 01 00 30 0e 30 0c 06 08 2b $........0.0...+
0040 06 01 02 01 01 06 00 05 00 .........

Here is the SNMP v1 response.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: get-response (2)
get-response
request-id: 623181039
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 4e 8f d8 00 00 40 11 ec c4 ....E..N....@...
0010 7f 00 00 01 7f 00 00 01 00 a1 c7 4c 00 3a 01 f8 ...........L.:..
0020 30 30 02 01 00 04 04 72 65 61 64 a2 25 02 04 25 00.....read.%..%
0030 24 fc ef 02 01 00 02 01 00 30 17 30 15 06 08 2b $........0.0...+
0040 06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65 .........somewhe
0050 72 65 re

This is the syntax for an SNMP v2c snmpget.

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v2c get.

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-request (0)
get-request
request-id: 1664713700
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 45 8f f5 00 00 40 11 ec b0 ....E..E....@...
0010 7f 00 00 01 7f 00 00 01 d6 21 00 a1 00 31 bc 9c .........!...1..
0020 30 27 02 01 01 04 04 72 65 61 64 a0 1c 02 04 63 0'.....read....c
0030 39 83 e4 02 01 00 02 01 00 30 0e 30 0c 06 08 2b 9........0.0...+
0040 06 01 02 01 01 06 00 05 00 .........

Here is the SNMP v2c response.

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-response (2)
get-response
request-id: 1664713700
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 4e 8f f6 00 00 40 11 ec a6 ....E..N....@...
0010 7f 00 00 01 7f 00 00 01 00 a1 d6 21 00 3a e8 5d ...........!.:.]
0020 30 30 02 01 01 04 04 72 65 61 64 a2 25 02 04 63 00.....read.%..c
0030 39 83 e4 02 01 00 02 01 00 30 17 30 15 06 08 2b 9........0.0...+
0040 06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65 .........somewhe
0050 72 65 re

To use SNMP v3, use an snmpd.conf like this. Notice the lack of community strings.

rwuser richard priv
createUser richard MD5 bejtlichpass DES bejtlichpass

This is the syntax for an SNMP v3 snmpget.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass -x DES
-X bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v3 get.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 235115949
msgMaxSize: 65507
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 438
msgUserName: richard
msgAuthenticationParameters: B0183A673DD87ED37B9FB3C0
msgPrivacyParameters: 0000000189C95C79
msgData: encryptedPDU (1)
encryptedPDU: 3C7F7013664F1C206DC92100AE9E2B3BC360C9839862AB8F...

0000 02 00 00 00 45 00 00 aa 8e 26 00 00 40 11 ee 1a ....E....&..@...
0010 7f 00 00 01 7f 00 00 01 ef 46 00 a1 00 96 29 52 .........F....)R
0020 30 81 8b 02 01 03 30 11 02 04 0e 03 95 ad 02 03 0.....0.........
0030 00 ff e3 04 01 07 02 01 03 04 39 30 37 04 0d 80 ..........907...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02 .....~.c...D....
0050 02 01 b6 04 07 72 69 63 68 61 72 64 04 0c b0 18 .....richard....
0060 3a 67 3d d8 7e d3 7b 9f b3 c0 04 08 00 00 00 01 :g=.~.{.........
0070 89 c9 5c 79 04 38 3c 7f 70 13 66 4f 1c 20 6d c9 ..\y.8<.p.fO. m.
0080 21 00 ae 9e 2b 3b c3 60 c9 83 98 62 ab 8f eb be !...+;.`...b....
0090 26 f1 d6 72 6a 5a 3a 6e ff 07 c7 dd d3 f2 b0 d4 &..rjZ:n........
00a0 f2 24 52 dc c2 ef 48 b8 c8 43 34 90 d2 98 .$R...H..C4...

Here is the SNMP v3 response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 235115949
msgMaxSize: 65507
msgFlags: 03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 438
msgUserName: richard
msgAuthenticationParameters: A554DADDF26EE2EC976BA9DD
msgPrivacyParameters: 0000001911E1CD8C
msgData: encryptedPDU (1)
encryptedPDU: A5CB2056AB68B85CB9AB999FB6080A3536DC086F3DF20DEC...

0000 02 00 00 00 45 00 00 b2 8e 27 00 00 40 11 ee 11 ....E....'..@...
0010 7f 00 00 01 7f 00 00 01 00 a1 ef 46 00 9e f2 fd ...........F....
0020 30 81 93 02 01 03 30 11 02 04 0e 03 95 ad 02 03 0.....0.........
0030 00 ff e3 04 01 03 02 01 03 04 39 30 37 04 0d 80 ..........907...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02 .....~.c...D....
0050 02 01 b6 04 07 72 69 63 68 61 72 64 04 0c a5 54 .....richard...T
0060 da dd f2 6e e2 ec 97 6b a9 dd 04 08 00 00 00 19 ...n...k........
0070 11 e1 cd 8c 04 40 a5 cb 20 56 ab 68 b8 5c b9 ab .....@.. V.h.\..
0080 99 9f b6 08 0a 35 36 dc 08 6f 3d f2 0d ec eb b3 .....56..o=.....
0090 1b 19 08 d1 cd 86 72 5e 2a 77 67 ee df f5 90 79 ......r^*wg....y
00a0 5f a0 27 db df 30 06 95 af 67 9b a9 16 8e 65 0e _.'..0...g....e.
00b0 3a 2d 75 69 d8 64 :-ui.d

As you can see, this last exchange is encrypted: both messages carry msgFlags with Encrypted and Authenticated set, and the scoped PDU is opaque. This is the best way to deploy SNMP v3. However, you can disable the encryption by using this snmpd.conf.

rwuser richard auth
createUser richard MD5 bejtlichpass

You can run the following to generate an unencrypted SNMP v3 get.

orr:/home/richard$ snmpget -v 3 -u richard -l authNoPriv -a MD5
-A bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the unencrypted SNMP v3 get.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1246784484
msgMaxSize: 65507
msgFlags: 05
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 27
msgAuthoritativeEngineTime: 31
msgUserName: richard
msgAuthenticationParameters: 210D87D7EF2AADAD95DF201C
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: get-request (0)
get-request
request-id: 1827121577
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 97 90 2f 00 00 40 11 ec 24 ....E..../..@..$
0010 7f 00 00 01 7f 00 00 01 fe c4 00 a1 00 83 a9 65 ...............e
0020 30 79 02 01 03 30 11 02 04 4a 50 6b e4 02 03 00 0y...0...JPk....
0030 ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80 00 .........00.....
0040 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02 01 ....~.c...D.....
0050 1f 04 07 72 69 63 68 61 72 64 04 0c 21 0d 87 d7 ...richard..!...
0060 ef 2a ad ad 95 df 20 1c 04 00 30 2f 04 0d 80 00 .*.... ...0/....
0070 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a0 1c 02 ....~.c...D.....
0080 04 6c e7 a9 a9 02 01 00 02 01 00 30 0e 30 0c 06 .l.........0.0..
0090 08 2b 06 01 02 01 01 06 00 05 00 .+.........

Here is the unencrypted SNMP v3 response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1246784484
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 27
msgAuthoritativeEngineTime: 31
msgUserName: richard
msgAuthenticationParameters: 539C1C59C5B2C9B47BE3112A
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: get-response (2)
get-response
request-id: 1827121577
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 a1 90 30 00 00 40 11 ec 19 ....E....0..@...
0010 7f 00 00 01 7f 00 00 01 00 a1 fe c4 00 8d cf 61 ...............a
0020 30 81 82 02 01 03 30 11 02 04 4a 50 6b e4 02 03 0.....0...JPk...
0030 00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02 .....~.c...D....
0050 01 1f 04 07 72 69 63 68 61 72 64 04 0c 53 9c 1c ....richard..S..
0060 59 c5 b2 c9 b4 7b e3 11 2a 04 00 30 38 04 0d 80 Y....{..*..08...
0070 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a2 25 .....~.c...D...%
0080 02 04 6c e7 a9 a9 02 01 00 02 01 00 30 17 30 15 ..l.........0.0.
0090 06 08 2b 06 01 02 01 01 06 00 04 09 73 6f 6d 65 ..+.........some
00a0 77 68 65 72 65 where

SNMP is cool. The biggest problem for SNMP v3 seems to be user and key management.
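To see exactly what each of the dumps above gives to anyone capturing the wire, here is an added Python decoder (example code, not from the original post or from Net-SNMP). It walks the BER structure of the SNMP v2c get and the two SNMP v3 gets, copied from the hex dumps above with the 4-byte loopback, 20-byte IP and 8-byte UDP headers stripped, and reports the fields that travel in the clear: the community string for v2c, and for v3 the user name, engine ID and msgFlags, which alone decide whether the request-id and OID inside the scoped PDU can be read. It also recognizes set-request PDUs, so the same walker applies to snmpset traffic.

```python
# Added example: minimal BER walker for the SNMP messages dumped in the post
# (not code from the original post or from Net-SNMP). Everything it returns
# was read without any key; only the v3 msgFlags decide whether the scoped PDU
# (request-id, OID) is readable or an opaque encrypted blob.

# UDP payloads copied from the hex dumps above, with the 32 bytes of loopback,
# IP and UDP headers removed.
V2C_GET = bytes.fromhex(
    "3027020101040472656164a01c0204633983e4020100020100"
    "300e300c06082b060102010106000500")
V3_AUTHPRIV_GET = bytes.fromhex(
    "30818b020103301102040e0395ad020300ffe3040107020103"
    "04393037040d80001f88800f7e06630cc1f644020119020201b6"
    "040772696368617264040cb0183a673dd87ed37b9fb3c0"
    "04080000000189c95c79"
    "04383c7f7013664f1c206dc92100ae9e2b3bc360c9839862ab8f"
    "ebbe26f1d6726a5a3a6eff07c7ddd3f2b0d4f22452dcc2ef48b8"
    "c8433490d298")
V3_AUTHNOPRIV_GET = bytes.fromhex(
    "3079020103301102044a506be4020300ffe3040105020103"
    "0430302e040d80001f88800f7e06630cc1f64402011b02011f"
    "040772696368617264040c210d87d7ef2aadad95df201c0400"
    "302f040d80001f88800f7e06630cc1f6440400"
    "a01c02046ce7a9a9020100020100300e300c06082b060102010106000500")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos.
    Handles the short and long (0x81, 0x82) length forms SNMP actually uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    pos, items = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def to_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER; the first byte packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response",
             0xA3: "set-request", 0xA4: "trap", 0xA7: "trapv2"}


def summarize_pdu(tag, value):
    """request-id and varbind OIDs of a v1/v2c PDU or a v3 scoped PDU."""
    fields = children(value)                # request-id, error-status, error-index, varbinds
    oids = [decode_oid(children(vb)[0][1]) for _, vb in children(fields[3][1])]
    return {"pdu": PDU_NAMES.get(tag, hex(tag)), "request_id": to_int(fields[0][1]), "oids": oids}


def parse_snmp(msg):
    """Summarize one SNMP message; every field returned was read without a key."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    fields = children(body)
    version = to_int(fields[0][1])
    if version in (0, 1):                   # v1 / v2c: community string, then the PDU, all in the clear
        out = {"version": {0: "v1", 1: "v2c"}[version], "community": fields[1][1].decode()}
        out.update(summarize_pdu(*fields[2]))
        return out
    if version != 3:
        raise ValueError("unknown SNMP version %d" % version)
    global_data = children(fields[1][1])    # msgID, msgMaxSize, msgFlags, msgSecurityModel (USM assumed)
    flags = global_data[2][1][0]
    # msgSecurityParameters is an OCTET STRING wrapping the USM SEQUENCE
    usm = children(children(fields[2][1])[0][1])
    out = {"version": "v3", "msg_id": to_int(global_data[0][1]),
           "auth": bool(flags & 0x01), "priv": bool(flags & 0x02), "reportable": bool(flags & 0x04),
           "engine_id": usm[0][1].hex().upper(), "engine_boots": to_int(usm[1][1]),
           "engine_time": to_int(usm[2][1]), "user": usm[3][1].decode()}
    data_tag, data = fields[3]
    if data_tag == 0x04:                    # encryptedPDU: opaque without the privacy key
        out["pdu"] = "encrypted (%d bytes)" % len(data)
    else:                                   # plaintext scopedPDU: contextEngineID, contextName, PDU
        out.update(summarize_pdu(*children(data)[2]))
    return out


if __name__ == "__main__":
    for name, msg in [("v2c get", V2C_GET), ("v3 authPriv get", V3_AUTHPRIV_GET),
                      ("v3 authNoPriv get", V3_AUTHNOPRIV_GET)]:
        print(name, parse_snmp(msg))
```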

SNMP Comments

I've been reading the book pictured at left, which I hope to review within the next few days. In the text they show examples using Net-SNMP tools to read and change system attributes using SNMP.

One of the examples involves something like the following. They show modification of the sysLocation value.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here I'm reading the system location. Where does "somewhere" come from? I look at /usr/ports/net-mgmt/net-snmp/Makefile and find this:

CONFIGURE_ARGS+=--enable-shared --enable-internal-md5
--with-mib-modules="${_NET_SNMP_MIB_MODULES}"
--with-default-snmp-version="${DEFAULT_SNMP_VERSION}"
--with-sys-contact="${NET_SNMP_SYS_CONTACT}"
--with-sys-location="${NET_SNMP_SYS_LOCATION}"
--with-logfile="${NET_SNMP_LOGFILE}"
--with-persistent-directory="${NET_SNMP_PERSISTENTDIR}"
--with-gnu-ld --with-libwrap --with-libs="-lkvm -ldevstat"
...edited...
DEFAULT_SNMP_VERSION?= 3
NET_SNMP_SYS_CONTACT?= nobody@nowhere.invalid
NET_SNMP_SYS_LOCATION?= somewhere
NET_SNMP_LOGFILE?= /var/log/snmpd.log
NET_SNMP_PERSISTENTDIR?=/var/net-snmp
NET_SNMP_MIB_MODULES?= ${NET_SNMP_MIB_MODULE_LIST}

Since I installed the FreeBSD package, I'm using the default value.

System location is defined in /usr/local/share/snmp/mibs/SNMPv2-MIB.txt.

sysLocation OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The physical location of this node (e.g., 'telephone
closet, 3rd floor'). If the location is unknown, the
value is the zero-length string."
::= { system 6 }

As you can see, this is read-write. I should be able to modify it using the example in the text.

orr:/home/richard$ snmpset -v 1 -c write 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

I can also use SNMP v2c.

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is my /usr/local/etc/snmp/snmpd.conf. Note that if I set syslocation and syscontact in this file, I would not be able to change these values using snmpset. The FAQ makes that point.

###########################################################################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid]

rocommunity read

# rwcommunity: a SNMPv1/SNMPv2c read-write access community name
# arguments: community [default|hostname|network/bits] [oid]

rwcommunity write

As you can see, I have no access control, and I do not set sysLocation here.

I can alter other values, too. For example:

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 1.3.6.1.2.1.11.30.0
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 1.3.6.1.2.1.11.30.0 = 1
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: enabled(1)

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 1.3.6.1.2.1.11.30.0
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: enabled(1)

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 1.3.6.1.2.1.11.30.0 = 2
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

I appreciate Dale Coddington pointing out a syntax error that caused problems with the first version of this post!

September Issue of (IN)SECURE Magazine Posted

Mirko Zorz told me a new issue of (IN)SECURE Magazine is available online as Issue 1.8 September 2006 (.pdf).

Wednesday, August 30, 2006

FreeBSD Snort 2.6.0 Port Available

The FreeBSD security/snort port now offers 2.6.0. Just run portsnap fetch && portsnap update and you're ready. I'm not sure if/when Snort 2.6.0.1 will be added to the ports tree. I haven't tried 2.6.1 Beta, yet.

Attacks Against WEP and Bump Keys

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP.

At almost the same time Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias. MSNBC and Slashdot ran stories, and this week an NBC affiliate reported on the problem as well. This week Marc Tobias is blogging on the subject, and I've learned that locks by Abloy and Medeco are resistant to bump keys. Finally, the blogosphere has some commentary on the problem.

It seems to me that attacks against WEP and bump keys are examples of the same problem. In either case, a determined intruder with sufficient tools and expertise is going to overcome your preventative security measures and compromise you. In my books I call this fact prevention eventually fails. Eventual compromise is the reason I recommend detection and response, as well as insurance.

However, relying solely on WEP while the front door to your data center is propped open is no better than installing a vulnerable door lock on a shoddy frame. In those cases, addressing the popular flaw (vulnerable WEP, vulnerable door lock) still leaves many other avenues of attack open. Most opportunistic wireless intruders will pass a WEP-encrypted network for one that is wide open. Most opportunistic physical intruders will pass a locked door for one that is wide open.

In both cases, fighting the battle to address vulnerabilities is a losing cause. Removing threats by prosecuting criminals is the most effective way to reduce risk.

I feel better knowing I have a big dog in my house, though.

Pandemic Reporting Like Digital Security Incident Reporting

The 12 August 2006 issue of the Economist featured the story Global Health: A Shot of Transparency (subscription required). It reminded me of the state of reporting digital security incidents.

At the moment, the world's pandemic-alert system is distressingly secretive. Some countries, such as Vietnam, have been fairly open about new outbreaks of the sorts of infectious disease that might lead to pandemics, and have even invited foreigners in to help diagnose the problem. Most, however, have not been so forthright. Public-health experts point to China and Thailand, both of which suffered outbreaks of potential pandemic illnesses in the past few years (SARS in China and avian influenza in Thailand) as examples of places that do not fully disclose the relevant details...

The reasons for countries' reluctance to share information are understandable, though hardly defensible. Some believe that full disclosure could cause locals to panic and foreign tourists to stay away...

Larry Brilliant, a former WHO official who helped to eradicate smallpox in India, dreams of an open-source, non-governmental, public-access network that would help the world move quickly whenever potential pandemics start brewing. He looks for inspiration to the Global Public Health Intelligence Network (GPHIN), an obscure programme run by the Canadian government that searches public databases in seven languages looking for early signs of disease outbreak...

His proposed open network could well spot the next, as yet undiscovered, threat.

I don't want to stretch the analogy too far, but some interesting ideas are here. I wonder what the effect of publishing the IP addresses of botnet hosts would be? Not the controllers, but the hosts themselves. That would reveal (at least in the narrow botnet case) how widespread certain compromises might be (ignoring the NAT effect).

I was hoping to hear other ways of encouraging reporting, but no others appeared in the article.

Virtual Desktop Infrastructure Seminar

Last week I attended a seminar featuring VMware and Wyse pitching their Virtual Desktop Infrastructure. (Is it just me or does VMware's site seldom render properly in Firefox?)

The Wyse rep passed around the Wyse S10 pictured at left. It lists for $299, "runs BSD" (called "ThinOS"), and features a 450 MHz AMD Geode CPU. Although it has USB ports you can't use them for thumb drives or CD-ROM drives. (More powerful units support those devices.) It has a PPTP client with support for SSL VPNs on the product roadmap. Also on the roadmap is 802.1X, PoE, and wireless support. The S10 is basically a box to access remote desktops using RDP, ICA, or a Leostream connection broker. The box can be managed remotely, and can have its firmware flashed remotely.

This is the future of "business computing." It may also be the future of non-power-user consumer computing, at least for people with modest, office-like (email, Web, etc.) needs. The local hardware will be nothing more than a window (pun intended) to remote desktops. I imagine people might want local storage, but most of it will be stored remotely.

I have to start imagining how to monitor this sort of architecture. I guess we'll spend far more time watching data centers and hardly any time watching end nodes?

Update: I forgot to mention that I believe at some point ISPs will replace their cable modems with these devices. Power users will still be able to use "dumb" cable modems or just avoid the thin client features in their new ISP platform. I also think some hardware vendor will package this thin client into a LCD screen, like the iMac.

In general, this sort of architecture will make it easy for smart PDAs to gain access to the same information I might want on my laptop or desktop. When metropolitan wireless is ubiquitous, we won't have to worry as much about synchronization issues either. Fun!

Atom Feed Truncated -- Not My Fault

If you're subscribed to taosecurity.blogspot.com/atom.xml, you may have noticed that sometime today Blogger decided to post summaries instead of full stories. I changed nothing, I have full content publishing selected, and I even republished the whole blog. The RSS feed at taosecurity.blogspot.com/rss.xml is publishing whole content, though.

Update: It looks like the Atom feed fixed itself.

Notes from Cisco TV on CCNP

I'm listening to the first episode of CCNP TV. It's not really TV, more like slides plus audio. I'm listening because I wanted to know about the CCNP changes mentioned earlier. The new material will all use Cisco IOS 12.4. I found this change interesting: assume I earn my CCNP; in the future, I can recertify using any Professional level exam, like one from CCSP.

Mixing and matching of old and new exams will be allowed within the guidelines explained in these two press releases.

Parts of this webcast were hilarious. Despite Cisco's drive into voice, none of the callers could communicate with the hosts. The caller who got closest to speaking should have been told "turn your radio down!" because the broadcast was on a 30 second-or-so delay. The host also asked two questions twice each, and the other panel members pretended like it didn't happen. I heard the terms "billion dollar marketplace" and "revenue opportunity" repeated several times. This was probably the funniest exchange:

Host (paraphrasing): "So what's the difference between the old and the new?"

Bob: "These new networks go up to layer 7."

Host: "Oooohhh."

If you have questions the best place to look for answers is www.cisco.com/go/certifications or www.cisco.com/go/certsupport. For specifics on preparing for CCNP, try www.cisco.com/go/prep-ccnp.

Review of Inside Network Perimeter Security, 2nd Ed Posted

Amazon.com just posted my three star review of Inside Network Perimeter Security, 2nd Ed. From the review:

I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.

Tuesday, August 29, 2006

Again, External Threat Is More Prevalent

I almost fell out of my chair when word of the following story reached my Bloglines account: Study: Rethink the Outsider Threat. I published my thoughts on the prevalence of external threats in my first book, and I reiterated those thoughts recently. Now I appear to have some outside help. From the article:

The report took data from the Department of Justice Computer Crime and Intellectual Property Section's network intrusion and data-theft prosecutions between 1999 and 2006. (See How Much Does a Hack Cost?) Phoenix Technologies commissioned the report, but the data came from DOJ cases...

Outside attackers committed 79 percent of the crimes where user accounts were infiltrated[,] and former employees were the perpetrators in 21 percent of these types of breaches. And overall, 57 percent of attackers had no relationship with the victim organizations, 22 percent were former employees, 14 were current employees, and 7 percent had a customer or supplier relationship or similar "connection" to the victimized organization.
(comma added, emphasis added)

Where's the 80% myth now? Gone, except in the minds of people who cling to it. I don't expect to see it disappear overnight. Please, if you want to repeat the 80% myth, at least cite a source. (You won't be able to find anything authoritative, just reports citing each other in a circular manner.)

Liveview

Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images.

I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get.

Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at realdigitalforensics.com to patch the image.

orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:06 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ ls -al patch0001.bin
-rw-r--r-- 1 richard richard 42635114 Mar 7 12:16 patch0001.bin
orr:/home/richard$ dd if=patch0001.bin of=BRJDEV.dd.gz bs=512 seek=271560
83271+1 records in
83271+1 records out
42635114 bytes transferred in 5.059636 secs (8426518 bytes/sec)

orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:26 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ md5 BRJDEV.dd.gz
MD5 (BRJDEV.dd.gz) = 3f274b39803068d69f8b62730e101d64

Since BRJDEV.dd.gz had the proper MD5 hash, I moved it over to my Windows station, gunzipped it, and then ran Liveview. I tried to run Liveview on FreeBSD (it's Java), but I saw too many errors. Liveview is easy enough to use. I pointed it at the proper .dd file, and told it where I wanted the image produced.

Liveview built a .vmx file, a .vmdk file, and told VMware Server where to find the new VM. At this point it looked ready to start, so I fired up VMware Server.

Things started to proceed well. I got a Linux bootloader image, so something was working. The Linux kernel started to load too.

Unfortunately, I didn't get very far. Eventually Linux reported a kernel panic and complained that it was unable to mount the root filesystem.

I believe I would have more success if I used an image of a Windows system, but I do not have one handy.

While writing this blog I found dd2vmdk, a project with similar goals. I bet VMware's P2V might import dd images, but I'm not sure.

Using FCC Filings to Learn About Wireless Cards

One of the cool hints I learned in Ted Wallingford's 802.11 book involved finding your specific hardware in the FCC Equipment Authorization System Generic Search. My Linksys WPC54gv3, for example, has these exhibits. I entered Q87 as the Grantee Code and -WPC54GV3 as the Product Code (including the leading dash). You can get these codes by reading them on your NIC.

Using the Internal Photos .pdf, I can see that this NIC uses a Broadcom chipset. Plenty of other information is available too.

WildPackets OmniPeek Personal

Three years ago I attended a WildPackets traffic analysis seminar, which I liked. In June WildPackets announced the availability of the free (as in beer) OmniPeek Personal product. I learned of it from Average Admins.

After using OmniPeek Personal for a short time, I have to say I still prefer Wireshark for straightforward packet analysis. I'm sure I'm going to hear from diehard WildPackets fans that OmniPeek is the cat's meow, but hear me out.

I realize that the power of OmniPeek lies in its network analysis features. OmniPeek and other WildPackets products are like "network troubleshooters in software." That's great, since Wireshark doesn't support many of those features. That is not a daily issue I face, however.

My first problem with OmniPeek is that it runs on Windows. Why didn't I complain about that with NetWitness? Well, NetWitness is a network forensics product, like EnCase is a host forensics product. I'm willing to deal with a Windows interface when I have no Unix alternative. With OmniPeek on Windows, I can turn to Wireshark on Windows or Unix. I prefer Unix when possible.

Second, I don't really like the OmniPeek interface. There are too many windows which need managing. I like the fact that I can highlight a packet in the top Wireshark pane and see corresponding details below. Oh, you can do that in OmniPeek, you might say. Well, why do I have a separate pane for every packet upon which I double-click? Can that be changed to emulate Wireshark's behavior? Argh, annoying.

Furthermore, the packet content highlight feature doesn't work as I would expect. I expect to highlight any part of the decode and see the corresponding hex and ASCII contents highlighted, and vice-versa. That is not the default behavior in OmniPeek, or at least it doesn't work reliably.

I admit a certain level of inertia is at play here. I have been using Wireshark and its predecessor for years, and I am familiar with the interface. I'm sure there's a lot of power available with OmniPeek if I am willing to put some time into learning how to use the product. For example, I think OmniPeek has some helpful visualization tools built into it. I am always looking for tools with statistics and other traffic summarization features. OmniPeek offers those.

In the short term I will continue to use Wireshark for normal packet analysis tasks. I will probably try to learn about the features in OmniPeek that could complement those in Wireshark. I do not plan to perform per-packet analysis with OmniPeek though.

If you care to see more, I've uploaded some screen shots.

Incidentally, it appears I am not the only blogger with these sentiments.

NSM Wiki created

David Bianco of Vorant created a Network Security Monitoring Wiki to share information on effective use of Sguil and other NSM tools. You might also like David's blog.

If you've got custom queries you run in Sguil, or performance reports, or related issues, please share them on the Wiki. If you have questions about Sguil use, post them to the Sguil users list via email to sguil-users [at] lists.sourceforge.net. Questions on Sguil development should go to sguil-devel [at] lists.sourceforge.net. As always, you can discuss Sguil and NSM on irc.freenode.net in channel #snort-gui.

June 2006 Issue of (IN)SECURE Magazine Posted

Yes, I missed this event from two months ago! I just realized that a new edition of Mirko Zorz's (IN)SECURE Magazine is available online as Issue 1.7 June 2006 (.pdf).

Review of Penetration Testing and Network Defense Posted

Amazon.com just posted my three star review of Penetration Testing and Network Defense. This was another disappointment that duped me into trying to read it. From the review:

Penetration testing is becoming a hot topic again, but the available books on the subject continue to underwhelm. Penetration Testing and Network Defense (PTAND), published in the fall of 2005, would be a four star book if it had been published two years earlier. Stephen Northcutt, unlike all other reviewers, noticed this fact as well. When you combine this problem with PTAND with several other deficiencies, the result is a book you can unfortunately skip.

On a brighter pen testing note, I read that work is progressing on version 3.0 of Pete Herzog's Open Source Security Testing Methodology Manual (OSSTMM). Maybe we'll see a new version in a few weeks?

Also, the Active Filter Detection tool implements a cool function needed by OSSTMM.

Monday, August 28, 2006

Non-Review: Practical VoIP Security

Here's a first for the TaoSecurity Blog. As mentioned in a pre-review, I planned to read Practical VoIP Security and then write an Amazon.com review. I'd had a bad experience reading VoIP Security, so I hoped this new book would be better. Wrong.

My policy for writing Amazon.com reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security, I couldn't make it past the first chapter. In fact, by page 4 -- the third page of text -- I was frustrated. In three pages the author (who was the lead author and technical editor) had mentioned terms like PBX, SS7, H.323, SIP, SNMP, VoIP, and SIGTRAN (which never appears again in this book!) without explaining any of them. I am familiar with all except the last, but I should not have to rely on past knowledge when reading the introductory pages of a "practical" book. The first chapter, overall, is a rambling collection of ideas that do nothing to prepare the reader for what follows.

If you want more details, I found Rob Slade's review to be good.

On a note related to Intruders Selling Security Software, I found this interview with the lead author of Practical VoIP Security to be a sign of foolish boasting or outright deception:

CSOonline: What is your background, and why are you called a hacker?

-name omitted-: I’m a hacker in the more traditional sense. Old-school hackers want to learn how things work and try to take it apart or gain access out of curiosity. Getting into networks and systems is good or bad based on your vantage point. Most traditional hackers do it just to see if they can, but they’re not there to steal information or destroy the integrity of a system.
(emphasis added)

I'm setting you up for material to follow. You might guess the "vantage point" comment doesn't sit well with me. The interview continues.

Can you mention some of your notorious hacks?

Nothing that I’ve done has made public news, and there are some things I’d rather not mention. I did raise the interest of the Defense Department once, but I’ve never been involved in any criminal activity. At one point in my career, I was interested in finding proof of alien life, so I did access the network at China Lake, also known as Area 51 in Roswell, New Mexico.
(emphasis added)

Oh, you mean the super-secret Naval Air Weapons Station China Lake, home of the MAJIC Morale, Welfare and Recreation office? I think this hax0r was trying to find Groom Lake, and if that were the case we wouldn't be hearing from him.

The interview continues:

How does a hacker disclose his or her credentials?

There are two kinds of hackers. Those who do it to impress their friends or become famous, and those that you don’t know about. The really good, and smart, hackers won’t tell you that they are hackers. Many of them are also not very sociable--they keep what they do on the QT, and if they have real credentials or experience, they don’t say anything about it.
(emphasis added)

Now you see why I added emphasis to the first paragraph. Sigh. Why are people like this getting attention from the media?

I guess I'm going to have to wait for Hacking Exposed: VoIP in December. For general books on VoIP, Switching to VoIP and VoIP Hacks by Ted Wallingford look good.

Security Engineering Book in Digital Form

I just read at Light Blue Touchpaper that one of my top ten books of the past ten years is now available online. Now you have no excuse not to read this incredible book (reviewed here).

It seems funny that the blog commenters asking about making a single .pdf have not heard of Pdftk.

Thanks to jimmythegeek for getting this news to me faster than my Bloglines feed.

More Snort and Sguil Tuning

Let's assume you built a new Sguil sensor and have tuned Snort using advice in my Tuning Snort article. What I like to do next is wait a day or so and then run the following query to look for problematic alert types.

mysql> select count(*) as total, event.signature from event where
event.status=0 group by event.signature order by total desc;
+-------+------------------------------------------------------------------------+
| total | signature                                                              |
+-------+------------------------------------------------------------------------+
| 43416 | SHELLCODE x86 NOOP                                                     |
|  4145 | POLICY SMTP relaying denied                                            |
|  3394 | WEB-MISC PCT Client_Hello overflow attempt                             |
|  2148 | WEB-CGI calendar access                                                |
|  1645 | tag: Tagged Packet                                                     |
|  1267 | SHELLCODE x86 stealth NOOP                                             |
|  1031 | WEB-MISC weblogic/tomcat .jsp view source attempt                      |
|   817 | http_inspect: OVERSIZE REQUEST-URI DIRECTORY                           |
|   683 | INFO web bug 0x0 gif attempt                                           |
|   491 | SHELLCODE x86 0x90 unicode NOOP                                        |
|   175 | ftp_pp: Invalid FTP command                                            |
|   128 | WEB-IIS view source via translate header                               |
|   126 | WEB-MISC robots.txt access                                             |
|    88 | Snort Alert [1:5856:0]                                                 |
|    74 | SHELLCODE x86 inc ebx NOOP                                             |
|    71 | portscan: Open Port                                                    |
|    47 | WEB-MISC intranet access                                               |
|    28 | MISC MS Terminal server request                                        |
|    28 | WEB-FRONTPAGE /_vti_bin/ access                                        |
|    27 | portscan: TCP Portsweep                                                |
|    21 | WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt |
|    19 | ATTACK-RESPONSES 403 Forbidden                                         |
|    16 | http_inspect: BARE BYTE UNICODE ENCODING                               |
|    13 | Snort Alert [1:6031:0]                                                 |
|    12 | ATTACK-RESPONSES directory listing                                     |
|    12 | SHELLCODE x86 0xEB0C NOOP                                              |
|     5 | Snort Alert [1:6033:0]                                                 |
|     4 | portscan: TCP Portscan                                                 |
|     4 | Snort Alert [1:5718:0]                                                 |
|     3 | EXPLOIT gobbles SSH exploit attempt                                    |
|     3 | MISC MS Terminal server request RDP                                    |
|     2 | MS-SQL sp_start_job - program execution                                |
|     2 | WEB-IIS WebDAV file lock attempt                                       |
|     1 | WEB-FRONTPAGE posting                                                  |
|     1 | ATTACK-RESPONSES Invalid URL                                           |
|     1 | WEB-MISC Chunked-Encoding transfer attempt                             |
|     1 | MS-SQL xp_reg* - registry access                                       |
|     1 | WEB-FRONTPAGE rad fp30reg.dll access                                   |
|     1 | WEB-MISC WebDAV search access                                          |
|     1 | NEW POLICY RDP attempted Administrator connection request              |
+-------+------------------------------------------------------------------------+
40 rows in set (2.40 sec)

Wow, that first line is popular. Let's break these out by source IP. (Thanks to VictorJ for catching a dumb error in my original syntax.)

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip)
from event where event.status=0 and event.signature='SHELLCODE x86 NOOP'
group by event.signature, event.src_ip order by total desc;
+-------+--------------------+-------------------------+
| total | signature          | INET_NTOA(event.src_ip) |
+-------+--------------------+-------------------------+
| 43002 | SHELLCODE x86 NOOP | 10.20.30.14             |
|   334 | SHELLCODE x86 NOOP | 6.16.237.132            |
|    46 | SHELLCODE x86 NOOP | 6.16.237.140            |
|    18 | SHELLCODE x86 NOOP | 192.168.0.14            |
|    11 | SHELLCODE x86 NOOP | 3.87.180.190            |
|     3 | SHELLCODE x86 NOOP | 6.16.237.138            |
|     2 | SHELLCODE x86 NOOP | 192.168.1.197           |
+-------+--------------------+-------------------------+
7 rows in set (0.64 sec)

10.20.30.14 is the big offending source IP. Let's see the destination IPs.

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip),
INET_NTOA(event.dst_ip) from event where event.status=0 and
event.signature='SHELLCODE x86 NOOP' and event.src_ip=INET_ATON('10.20.30.14')
group by event.signature, event.src_ip, event.dst_ip order by total desc;
+-------+--------------------+-------------------------+-------------------------+
| total | signature          | INET_NTOA(event.src_ip) | INET_NTOA(event.dst_ip) |
+-------+--------------------+-------------------------+-------------------------+
| 43002 | SHELLCODE x86 NOOP | 10.20.30.14             | 6.16.237.137            |
+-------+--------------------+-------------------------+-------------------------+
1 row in set (0.94 sec)

It looks like there are 43002 SHELLCODE x86 NOOP alerts from 10.20.30.14 to 6.16.237.137. Is that really true, though? We can validate this finding by looking for alerts with the same signature and source IP where 6.16.237.137 is not the destination IP.

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip),
INET_NTOA(event.dst_ip) from event where event.status=0 and
event.signature='SHELLCODE x86 NOOP' and event.src_ip=INET_ATON('10.20.30.14') and
event.dst_ip!=INET_ATON('6.16.237.137') group by event.signature, event.src_ip,
event.dst_ip order by total desc;
Empty set (1.20 sec)

With an empty result set, we confirm there are 43002 SHELLCODE x86 NOOP alerts from 10.20.30.14, all of them destined for 6.16.237.137.

I have two options here. First, I could simply delete all of these items from the database. I doubt 43002 SHELLCODE alerts from an internal IP address are malicious. On the other hand, I might want to look at them.

The problem with inspecting them is that they are currently in Sguil's inspection queue. If I fire up Sguil it's going to load 43002 alerts into the client. While they will be aggregated, it will take a long time for that to happen.

In cases like these I prefer to mark the events as "NA" and then inspect a sample later.

Before running the following, kill sguild. You should never update the database while Sguil is trying to make sense of it.

mysql> UPDATE event SET status=1, last_modified='2006-08-28 15:45:00', last_uid='sguil'
where event.status=0 and event.signature='SHELLCODE x86 NOOP' and
event.src_ip=INET_ATON('10.20.30.14');
Query OK, 43002 rows affected, 43002 warnings (5.91 sec)
Rows matched: 43002 Changed: 43002 Warnings: 43002

You can repeat this process for the other large event count alerts, or just restart sguild and fire up the Sguil client to deal with them manually.
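The drill-down above (top signatures, then sources, then destinations, then the mark-as-NA update) as an added example that is not part of the post: the same queries as reusable Python functions run against an in-memory SQLite stand-in for Sguil's event table. The table columns and rows are constructed for the example, and MySQL's INET_ATON/INET_NTOA are registered as user functions so the SQL stays recognisable. A single destination row from breakout() is the same confirmation the empty "dst_ip !=" query gave above.

```python
import ipaddress
import sqlite3

# Added example, not the post's code: Sguil triage queries as functions over a
# constructed subset of the sguildb event table (only the columns used in the post).
def inet_aton(ip): return int(ipaddress.IPv4Address(ip))
def inet_ntoa(n): return str(ipaddress.IPv4Address(n))

def open_db():
    """In-memory stand-in for the event table; MySQL's INET_* helpers are emulated."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("INET_ATON", 1, inet_aton)
    conn.create_function("INET_NTOA", 1, inet_ntoa)
    conn.execute("CREATE TABLE event (status INT, signature TEXT, src_ip INT, dst_ip INT,"
                 " last_modified TEXT, last_uid TEXT)")
    return conn

def load_constructed_events(conn):
    """Constructed sample rows, not real sensor data: one noisy internal host and some others."""
    rows = ([("SHELLCODE x86 NOOP", "10.20.30.14", "6.16.237.137")] * 500 +
            [("SHELLCODE x86 NOOP", "6.16.237.132", "10.20.30.14")] * 12 +
            [("WEB-CGI calendar access", "3.87.180.190", "10.20.30.14")] * 40)
    conn.executemany("INSERT INTO event VALUES (0, ?, INET_ATON(?), INET_ATON(?), NULL, NULL)", rows)

def top_signatures(conn):
    """Unreviewed (status=0) alerts grouped by signature, noisiest first."""
    return conn.execute("SELECT COUNT(*) AS total, signature FROM event WHERE status=0 "
                        "GROUP BY signature ORDER BY total DESC").fetchall()

def breakout(conn, signature, src_ip=None):
    """Per-source counts for a signature, or per-destination counts once a source is fixed."""
    col, extra, args = (("src_ip", "", [signature]) if src_ip is None else
                        ("dst_ip", " AND src_ip=INET_ATON(?)", [signature, src_ip]))
    return conn.execute(f"SELECT COUNT(*) AS total, INET_NTOA({col}) FROM event WHERE status=0 "
                        f"AND signature=?{extra} GROUP BY {col} ORDER BY total DESC", args).fetchall()

def mark_na(conn, signature, src_ip, when, uid="sguil"):
    """Set status=1 (NA) on every unreviewed alert for signature/src_ip; returns rows changed."""
    cur = conn.execute("UPDATE event SET status=1, last_modified=?, last_uid=? WHERE status=0 "
                       "AND signature=? AND src_ip=INET_ATON(?)", (when, uid, signature, src_ip))
    conn.commit()
    return cur.rowcount
```

As with the real database, stop sguild before calling mark_na() against a live sguildb.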

How can we prevent such a huge number of alerts from occurring again?

My original article mentioned "Thresholding and Suppression." The SHELLCODE x86 NOOP alert might be a good candidate for thresholding.

A look in sid-msg.map shows two sids:

$ grep "SHELLCODE x86 NOOP" sid-msg.map
648 || SHELLCODE x86 NOOP || arachnids,181
1394 || SHELLCODE x86 NOOP

A look in the .rules files shows two rules.

$ grep "SHELLCODE x86 NOOP" *.rules
shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
(msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:8;)
shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
(msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa";
classtype:shellcode-detect; sid:1394; rev:5;)

I add the following to threshold.conf to limit Snort to one SHELLCODE x86 NOOP alert per source IP every 60 seconds.

threshold gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 60

Remember to enable your local threshold.conf in snort.conf:

include /usr/local/etc/nsm/threshold.conf

After restarting Snort, I can expect a lower number of alerts should SHELLCODE x86 NOOP get out of hand again. When Snort starts you'll see the sig-id of your new threshold rule applied.

| gen-id=1 sig-id=648 type=Limit tracking=src count=1 seconds=60
...edited...
| gen-id=1 sig-id=1394 type=Limit tracking=src count=1 seconds=60
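To see what those two threshold.conf lines actually do to a flood like the one above, here is an added example that is not code from the post or from Snort: a small model of threshold semantics (type limit, threshold and both, tracked by_src or by_dst) run over a constructed alert stream. The alert tuples, the ten-alerts-per-second rate, and the unthresholded sid 2000 are assumptions made for the example.

```python
import re
# Added example, not the post's or Snort's code: a model of threshold.conf semantics.
LINE_RE = re.compile(r"threshold gen_id (\d+), sig_id (\d+), type (limit|threshold|both), "
                     r"track (by_src|by_dst), count (\d+), seconds (\d+)")

def parse_threshold(line):
    """One threshold.conf line -> ((gen_id, sig_id), rule dict with per-IP state)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable threshold line: " + line)
    gid, sid, typ, track, count, seconds = m.groups()
    return (int(gid), int(sid)), {"type": typ, "track": track, "count": int(count),
                                  "seconds": int(seconds), "state": {}}

def allow(rule, ts, src, dst):
    """True if Snort would still log this event under rule; updates rule["state"]."""
    key = src if rule["track"] == "by_src" else dst
    start, hits = rule["state"].get(key, (None, 0))
    if start is None or ts - start >= rule["seconds"]:
        start, hits = ts, 0                      # window expired: open a new one
    hits += 1
    # limit: the first `count` events per window; threshold: every `count`
    # events; both: once per window, after `count` events
    fire = hits <= rule["count"] if rule["type"] == "limit" else hits == rule["count"]
    if fire and rule["type"] == "threshold":
        hits = 0
    rule["state"][key] = (start, hits)
    return fire

def apply_thresholds(alerts, conf_lines):
    """alerts are (ts_seconds, gen_id, sig_id, src, dst); returns the ones Snort would log."""
    rules = dict(parse_threshold(line) for line in conf_lines)
    kept = []
    for ts, gid, sid, src, dst in alerts:
        rule = rules.get((gid, sid))
        if rule is None or allow(rule, ts, src, dst):
            kept.append((ts, gid, sid, src, dst))
    return kept

def constructed_alerts():
    """Constructed sample, not sensor data: 10.20.30.14 trips sid 648 ten times a second
    for ten minutes, plus a few other events (sid 2000 has no threshold line)."""
    noisy = [(s, 1, 648, "10.20.30.14", "6.16.237.137") for s in range(600) for _ in range(10)]
    others = [(5, 1, 648, "6.16.237.132", "10.20.30.14"), (6, 1, 648, "6.16.237.132", "10.20.30.14"),
              (30, 1, 1394, "3.87.180.190", "10.20.30.14"), (31, 1, 2000, "3.87.180.190", "10.20.30.14")]
    return sorted(noisy + others)

CONF = ["threshold gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 60",
        "threshold gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 60"]
```

With the two limit lines, the 6004 constructed alerts collapse to 13: ten for 10.20.30.14 (one per 60-second window), one for the second source, one for sid 1394, and the sid 2000 event that no line covers.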

That's one item for tuning... expect others in the future.

NoVA Sec First Meeting Pictures at novasec.org

Paul Zedeck was kind enough to send pictures from the first NoVA Sec meeting last week. Please visit the NoVA Sec Blog for details.

I try to avoid cross-posting, so keep an eye on that blog for word on the next NoVA Sec meeting.

Network Forensics with NetWitness

Ten days ago I had the privilege of attending a day of product training for NetWitness. NetWitness is a real network forensics tool produced by a company of the same name. Anyone who's read my books or attended my training knows I am a big fan of open source tools. NetWitness, however, is built to facilitate investigating network traffic.

It's important to differentiate between packet collectors, protocol analyzers, and network forensics tools. Dumpcap is the prototypical packet collector. Simpler than Tcpdump and much simpler than Tshark, all Dumpcap does is record packets. It's especially suited for this role, however, because it offers native trace rotation capabilities.

Tcpdump, Tshark, and Wireshark are all protocol analyzers. Yes, Tcpdump is a protocol analyzer, although it is not as robust as Tshark or Wireshark. Protocol analyzers are suited for packet-centric inspection. For example, I used Wireshark extensively while learning about 802.11 traffic. Protocol analyzers are also helpful for network troubleshooting, with varying degrees of automated analysis. Commercial protocol analyzers are especially robust in this regard. Protocol analyzers often feature tools for rebuilding TCP sessions, but that is usually the extent of those features. Protocol analyzers also permit searching traffic, but the analyst generally must have a good grasp of what he is looking for and how to get that idea across to the protocol analyzer.

Network forensics tools are not packet-centric; they are data-centric. NetWitness, for example, cares less about the underlying packets and more about the data they contain. The partial screen capture (original here) hints at NetWitness' depiction of files, accounts, and email addresses recognized in a network trace.

Investigators don't (necessarily) look at packets when they use NetWitness for network forensics. Rather, they look for useful data. One investigation might require finding all information related to a specific username. That username (or a portion of it) would be searchable in email, instant messaging, Web logins, documents, and so forth. While you could do some manual searching with tools like Ngrep or Flowgrep, NetWitness is built around discovering information and is well-suited for this process of discovery.

When you find results, they are presented within the context of the session in which they were contained. NetWitness rebuilds the session and presents it in human-friendly format. If the subject viewed an email, you will see the email. If he visited a Web page, you will see the Web page. There are limitations to this model, such as a browser displaying cached graphics instead of requesting them on the wire. However, this sort of model works very well for forensic analysts.

This second partial screen capture (original here) demonstrates two other powerful NetWitness features. First, NetWitness represents traffic using a noun-verb-adjective-like language. When you see the mention of "GET", for example, it's not necessarily an HTTP get. GET actions include FTP retrievals and other actions where a subject acquires data. This meta-language simplifies investigations by letting the analyst look for actions and not for specific protocol activities.

Second, NetWitness performs port-agnostic protocol identification. When you see "HTTP" it doesn't just mean port 80. HTTP is identified by inspecting traffic and looking for the HTTP protocol. This is an important mechanism for finding back doors and covert channels. Obviously encryption will hamper this feature, but port-agnostic protocol identification is a must-have for forensics tools.

I could say quite a bit about NetWitness, but I hope you've gotten the idea that it's a powerful tool. In case you are wondering, I am not being compensated for this review. I did get to attend the training class for free. I am also not selling NetWitness to anyone. The purpose of this review is to share insights on this tool, and to keep those of us with ties to the open source world aware of applications outside of it.

I am open to hearing from NetWitness' main competitors, Niksun and Sandstorm, if they'd like to comment. Sandstorm's NetIntercept holds a special place in my heart, since it runs on FreeBSD. NetWitness is a Windows-based product. (In production I recommend capturing traffic with a program like Dumpcap or Tcpdump, and then analyzing it in NetWitness.)