Kamis, 31 Agustus 2006

Review of Essential SNMP, 2nd Ed Posted

20.05    No comments

Amazon.com just posted my four star review of Review of Essential SNMP, 2nd Ed. From the review:

Essential SNMP, 2nd Ed (ES2E) fills a gap in being a modern book about an important management protocol. SNMP is used extensively by network management stations (NMS) like Nagios, which is now the subject of two independent books. E2SE does a good job covering SNMP issues important to administrators and NMS users. However, the book's organization and subject matter could be improved in the 3rd edition.

This is why I've been blogging on SNMP today.

That's 12 book reviews for the month of August. Whew.

Read More

Sending and Receiving SNMP Traps

18.49    No comments

SNMP is turning into more voodoo than I expected. I decided to document the following examples for future reference.

SNMP traps are messages sent from agents to network management systems (NMS). A simple trap receive is Net-SNMP's snmptrapd. I started it as shown so I could watch messages roll in.

orr:/root# snmptrapd -f -Lo
2006-08-31 21:45:50 NET-SNMP version 5.2.3 Started.

As you can see, snmptrapd listens on port 162 UDP.

orr:/home/richard$ sockstat -4 | grep snmptrapd
root     snmptrapd  5080  9  udp4   *:162                 *:*

Now I will use the snmptrap program to generate traps.

First, a SNMP v1 trap for uptime.

orr:/home/richard$ snmptrap -v 1 -c read localhost '' localhost 6 1 ''

Here is what snptrapd sees.

2006-08-31 21:47:16 localhost.taosecurity.com [127.0.0.1] (via UDP: [127.0.0.1]:63651)
 TRAP, SNMP v1, community read
        SNMPv2-SMI::enterprises.3.1.1 Enterprise Specific Trap (1) Uptime: 16:45:42.27

Here is the SNMP v1 trap packet.

Simple Network Management Protocol
    version: version-1 (0)
    community: read
    data: trap (4)
        trap
            enterprise: 1.3.6.1.4.1.3.1.1 (SNMPv2-SMI::enterprises.3.1.1)
            agent-addr: internet (0)
                internet: 127.0.0.1 (127.0.0.1)
            generic-trap: enterpriseSpecific (6)
            specific-trap: 1
            time-stamp: 6040353
            variable-bindings: 0 items

0000  02 00 00 00 45 00 00 46 33 c5 00 00 40 11 48 e0   ....E..F3...@.H.
0010  7f 00 00 01 7f 00 00 01 f2 4d 00 a2 00 32 72 36   .........M...2r6
0020  30 28 02 01 00 04 04 72 65 61 64 a4 1d 06 08 2b   0(.....read....+
0030  06 01 04 01 03 01 01 40 04 7f 00 00 01 02 01 06   .......@........
0040  02 01 01 43 03 5c 2b 21 30 00                     ...C.\+!0.

Second, a SNMP v2c trap for uptime, with the optional inform parameter.

orr:/home/richard$ snmptrap -v 2c -Ci -c read localhost '' SNMPv2-SMI::enterprises.3.1.1

Here is what snmptrapd sees.

2006-08-31 21:50:11 localhost.taosecurity.com [UDP: [127.0.0.1]:64215]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6051698) 16:48:36.98 
 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1.1

Here is the SNMP v2c trap packet, followed by confirmation.

Simple Network Management Protocol
    version: v2c (1)
    community: read
    data: informRequest (6)
        informRequest
            request-id: 1679401786
            error-status: noError (0)
            error-index: 0
            variable-bindings: 2 items
                Item
                    name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
                    valueType: value (0)
                        value: simple (4294967295)
                        value: simple (4294967295)
                            application-wide: timeticks-value (3)
                                timeticks-value: 6051698
                Item
                    name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
                    valueType: value (0)
                        value: simple (4294967295)
                            simple: objectID-value (2)
                                Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000  02 00 00 00 45 00 00 60 33 ed 00 00 40 11 48 9e   ....E..`3...@.H.
0010  7f 00 00 01 7f 00 00 01 fa d7 00 a2 00 4c 32 1d   .............L2.
0020  30 42 02 01 01 04 04 72 65 61 64 a6 37 02 04 64   0B.....read.7..d
0030  19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b   ..:......0)0...+
0040  06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a   .......C.\Wr0...
0050  2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04   +...........+...
0060  01 03 01 01

Simple Network Management Protocol
    version: v2c (1)
    community: read
    data: get-response (2)
        get-response
            request-id: 1679401786
            error-status: noError (0)
            error-index: 0
            variable-bindings: 2 items
                Item
                    name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
                    valueType: value (0)
                        value: simple (4294967295)
                        value: simple (4294967295)
                            application-wide: timeticks-value (3)
                                timeticks-value: 6051698
                Item
                    name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
                    valueType: value (0)
                        value: simple (4294967295)
                            simple: objectID-value (2)
                                Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000  02 00 00 00 45 00 00 60 33 ee 00 00 40 11 48 9d   ....E..`3...@.H.
0010  7f 00 00 01 7f 00 00 01 00 a2 fa d7 00 4c 32 21   .............L2!
0020  30 42 02 01 01 04 04 72 65 61 64 a2 37 02 04 64   0B.....read.7..d
0030  19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b   ..:......0)0...+
0040  06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a   .......C.\Wr0...
0050  2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04   +...........+...
0060  01 03 01 01                                       ....

At the moment I cannot get v3 traps to work. I can get v3 informs to work:

First I create /usr/local/etc/snmp/snmptrapd.conf:

createUser trapman MD5 trappass DES trappass

Then I restart snmptrapd. Now I can perform the inform.

orr:/home/richard$ snmpinform -v 3 -u trapman -a MD5 -A trappass -l authNoPriv localhost 42 coldStart.0

Here is what snmptrapd sees.

2006-08-31 22:43:41 localhost.taosecurity.com [UDP: [127.0.0.1]:62491]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (42) 0:00:00.42      
  SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart.0

Here is the traffic.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1039950895
        msgMaxSize: 65507
        msgFlags: 05
        .... .1.. = Reportable: Set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0D33EF7A
    Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
    msgAuthoritativeEngineBoots: 25
    msgAuthoritativeEngineTime: 4
    msgUserName: trapman
    msgAuthenticationParameters: A5FC35A19F7AB9A97466BB1A
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800D33EF7ADD83F744
            data: informRequest (6)
                informRequest
                    request-id: 2014502362
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 2 items
                        Item
                            name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                value: simple (4294967295)
                                    application-wide: timeticks-value (3)
                                        timeticks-value: 42
                        Item
                            name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                    simple: objectID-value (2)
                                        Value: OID: SNMPv2-MIB::coldStart.0

0000  02 00 00 00 45 00 00 b3 57 33 00 00 40 11 25 05   ....E...W3..@.%.
0010  7f 00 00 01 7f 00 00 01 f4 1b 00 a2 00 9f 95 af   ................
0020  30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03   0.....0...=.d/..
0030  00 ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80   ..........00....
0040  00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02   .....3.z...D....
0050  01 04 04 07 74 72 61 70 6d 61 6e 04 0c a5 fc 35   ....trapman....5
0060  a1 9f 7a b9 a9 74 66 bb 1a 04 00 30 4a 04 0d 80   ..z..tf....0J...
0070  00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a6 37   .....3.z...D...7
0080  02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d   ..x.........0)0.
0090  06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06   ..+.......C.*0..
00a0  0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01   .+...........+..
00b0  06 03 01 01 05 01 00                              .......

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1039950895
        msgMaxSize: 65507
        msgFlags: 01
        .... .0.. = Reportable: Not set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0D33EF7A
    Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
    msgAuthoritativeEngineBoots: 25
    msgAuthoritativeEngineTime: 4
    msgUserName: trapman
    msgAuthenticationParameters: 2FEEE8643D86D468E81D09DD
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800D33EF7ADD83F744
            data: get-response (2)
                get-response
                    request-id: 2014502362
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 2 items
                        Item
                            name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                value: simple (4294967295)
                                    application-wide: timeticks-value (3)
                                        timeticks-value: 42
                        Item
                            name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                    simple: objectID-value (2)
                                        Value: OID: SNMPv2-MIB::coldStart.0

0000  02 00 00 00 45 00 00 b3 57 34 00 00 40 11 25 04   ....E...W4..@.%.
0010  7f 00 00 01 7f 00 00 01 00 a2 f4 1b 00 9f 9f fb   ................
0020  30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03   0.....0...=.d/..
0030  00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80   ..........00....
0040  00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02   .....3.z...D....
0050  01 04 04 07 74 72 61 70 6d 61 6e 04 0c 2f ee e8   ....trapman../..
0060  64 3d 86 d4 68 e8 1d 09 dd 04 00 30 4a 04 0d 80   d=..h......0J...
0070  00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a2 37   .....3.z...D...7
0080  02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d   ..x.........0)0.
0090  06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06   ..+.......C.*0..
00a0  0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01   .+...........+..
00b0  06 03 01 01 05 01 00                              .......

These instructions and my book say to add something like this to /usr/local/etc/snmp/snmptrapd.conf to enable SNMP v3 traps:

createUser -e 0x012345 doit MD5 doitpass DES doitpass

snmptrapd starts fine, and I see the new user added in /var/net-snmp/snmptrapd.conf above the first user:

usmUser 1 3 0x012345 0x646f697400 0x646f697400 NULL .1.3.6.1.6.3.10.1.1.2 
 0xd59dafffd9eadd362bbdde931d44f70b .1.3.6.1.6.3.10.1.2.2
 0xd59dafffd9eadd362bbdde931d44f70b 0x00
usmUser 1 3 0x80001f88800d33ef7add83f744 0x747261706d616e00 0x747261706d616e00 NULL 
.1.3.6.1.6.3.10.1.1.2 0x097eb8ceff51d21214b06c0a9ce6778d .1.3.6.1.6.3.10.1.2.2 
0x097eb8ceff51d21214b06c0a9ce6778d 0x00
engineBoots 27
oldEngineID 0x80001f88800d33ef7add83f744

However, I get this error when trying to generate a trap:

orr:/home/richard$ snmptrap -e 0x012345 -v 3 -u doit -a MD5 -A doitpass -l authNoPriv
 localhost '' SNMPv2-SMI::enterprises.3.1.1
snmptrap: USM unknown security name (no such user exists)

Any thoughts on this problem?

Update: This is most likely a bug mentioned in this thread and fixed by this patch. Apparently Net-SNMP 5.2.4 will incorporate this patch and fix sending SNMP v3 traps.

Read More

Updating Cisco Switch to Support Encrypted SNMP v3

17.07    No comments

I realized I had an IOS image for my Cisco switch that supported crypto, as required for encrypted SNMP.

I decided to reflash my switch to add this support.

This is an example of a blog entry for my future reference. I don't expect any Cisco-ites to learn anything from this.

First I see what version of IOS is installed.

2950T-24#show ver
Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is CALHOUN boot loader

2950T-24 uptime is 3 hours, 20 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

cisco WS-C2950T-24 (RC32300) processor (revision J0) with 20839K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Configuration register is 0xF

Next I look at available filesystems.

2950T-24#show file systems
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
*    7741440     2867712     flash     rw   flash:
           -           -    opaque     ro   bs:
     7741440     2867712   unknown     rw   zflash:
       32768       29934     nvram     rw   nvram:
           -           -    opaque     rw   null:
           -           -    opaque     rw   system:
           -           -   network     rw   tftp:
           -           -    opaque     ro   xmodem:
           -           -    opaque     ro   ymodem:
           -           -   network     rw   rcp:
           -           -   network     rw   ftp:

You can move around IOS like a Unix box.

2950T-24#cd flash:
2950T-24#dir
Directory of flash:/

    2  -rwx     2888547   Mar 01 1993 00:03:24  c2950-i6q4l2-mz.121-13.EA1.bin
    3  -rwx         270   Jan 01 1970 00:02:09  env_vars
    4  -rwx          47   Mar 01 1993 00:04:45  private-config.text
    6  -rwx         676   May 19 1993 05:59:46  vlan.dat
    7  drwx         832   Mar 01 1993 00:04:19  html
   21  -rwx         109   Mar 01 1993 00:04:21  info
   22  -rwx         109   Mar 01 1993 00:04:21  info.ver
   24  -rwx        1711   Mar 01 1993 00:04:43  config.text

7741440 bytes total (2867712 bytes free)

The .bin file is my current IOS image. I can get the same directory listing this way:

2950T-24#show flash                                    

Directory of flash:/

    2  -rwx     2888547   Mar 01 1993 00:03:24  c2950-i6q4l2-mz.121-13.EA1.bin
    3  -rwx         270   Jan 01 1970 00:02:09  env_vars
    4  -rwx          47   Mar 01 1993 00:04:45  private-config.text
    6  -rwx         676   May 19 1993 05:59:46  vlan.dat
    7  drwx         832   Mar 01 1993 00:04:19  html
   21  -rwx         109   Mar 01 1993 00:04:21  info
   22  -rwx         109   Mar 01 1993 00:04:21  info.ver
   24  -rwx        1711   Mar 01 1993 00:04:43  config.text

7741440 bytes total (2867712 bytes free)

Let's check out the html directory for fun.

2950T-24#cd html
2950T-24#dir
Directory of flash:/html/

    8  -rwx        3994   Mar 01 1993 00:03:24  homepage.htm
    9  -rwx        1392   Mar 01 1993 00:03:24  not_supported.html
   10  -rwx        9529   Mar 01 1993 00:03:24  common.js
   11  -rwx       22152   Mar 01 1993 00:03:25  cms_splash.gif
   12  -rwx        1211   Mar 01 1993 00:03:25  cms_13.html
   13  -rwx        2823   Mar 01 1993 00:03:25  cluster.html
   14  -rwx        4195   Mar 01 1993 00:03:25  Redirect.jar
   15  -rwx       15899   Mar 01 1993 00:03:25  mono_disc.sgz
   16  -rwx     1344455   Mar 01 1993 00:04:05  CMS.sgz
   17  -rwx       86918   Mar 01 1993 00:04:08  images.sgz
   18  -rwx      287994   Mar 01 1993 00:04:16  help.sgz
   19  -rwx      135599   Mar 01 1993 00:04:19  CiscoChartPanel.sgz
   20  -rwx       58864   Mar 01 1993 00:04:21  cms_boot.jar

7741440 bytes total (2867712 bytes free)

2950T-24#pwd
flash:/html/
2950T-24#cd ..   
2950T-24#pwd
flash:/

For one last command, check the current image file type.

2950T-24#show file information c2950-i6q4l2-mz.121-13.EA1.bin
flash:c2950-i6q4l2-mz.121-13.EA1.bin:
  type is ebcdic text

I need to erase this image because I do not have enough room for the old and new images in flash. First I copy the image elsewhere using FTP.

2950T-24#copy flash:c2950-i6q4l2-mz.121-13.EA1.bin
 ftp://cisco:cisco@192.168.2.5/c2950-i6q4l2-mz.121-13.EA1.bin
Address or name of remote host [192.168.2.5]? 
Destination filename [c2950-i6q4l2-mz.121-13.EA1.bin]? 
Writing c2950-i6q4l2-mz.121-13.EA1.bin 
!!!
...edited...
2888547 bytes copied in 8.796 secs (328393 bytes/sec)

Now I ensure the running config is saved, and I copy that elsewhere.

2950T-24#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

2950T-24#copy startup-config ftp://cisco:cisco@192.168.2.5/startup-config      
Address or name of remote host [192.168.2.5]? 
Destination filename [startup-config]? 
Writing startup-config !
1711 bytes copied in 0.296 secs (5780 bytes/sec)

Now I delete the existing image.

2950T-24#delete flash:c2950-i6q4l2-mz.121-13.EA1.bin
Delete filename [c2950-i6q4l2-mz.121-13.EA1.bin]? 
Delete flash:c2950-i6q4l2-mz.121-13.EA1.bin? [confirm]
2950T-24#dir
Directory of flash:/

    3  -rwx         270   Jan 01 1970 00:02:09  env_vars
    4  -rwx          47   Mar 01 1993 00:04:45  private-config.text
    6  -rwx         676   May 19 1993 05:59:46  vlan.dat
    7  drwx         832   Mar 01 1993 00:04:19  html
   21  -rwx         109   Mar 01 1993 00:04:21  info
   22  -rwx         109   Mar 01 1993 00:04:21  info.ver
   24  -rwx        1711   Mar 01 1993 00:04:43  config.text

7741440 bytes total (5756416 bytes free)

I can copy the new image to the switch.

2950T-24#copy ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin 
 flash:c2950-i6k2l2q4-mz.121-22.EA8a.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA8a.bin]? 
Accessing ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA8a.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...edited...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3706442/1024 bytes]

3706442 bytes copied in 98.408 secs (37664 bytes/sec)

2950T-24#dir
Directory of flash:/

    2  -rwx     3706442   Mar 01 1993 03:41:09  c2950-i6k2l2q4-mz.121-22.EA8a.bin
    3  -rwx         270   Jan 01 1970 00:02:09  env_vars
    5  -rwx        1880   Mar 01 1993 03:42:01  config.text
    6  -rwx         676   May 19 1993 05:59:46  vlan.dat
    7  drwx         832   Mar 01 1993 00:04:19  html
   21  -rwx         109   Mar 01 1993 00:04:21  info
   22  -rwx         109   Mar 01 1993 00:04:21  info.ver
   23  -rwx         177   Mar 01 1993 03:42:01  private-config.text

7741440 bytes total (2049536 bytes free)

Time to reload.

2950T-24#reload
Proceed with reload? [confirm]

03:44:29: %SYS-5-RELOAD: Reload requested
C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
Compiled Mon 22-Jul-02 17:18 by antonino                                      
WS-C2950T-24 starting...                
Base ethernet MAC Address: 00:0d:28:6c:f5:40
Xmodem file system is available.            
Initializing Flash...           
flashfs[0]: 20 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440                    
flashfs[0]: Bytes used: 5691904 
flashfs[0]: Bytes available: 2049536
flashfs[0]: flashfs fsck took 8 seconds.
...done initializing flash.             
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/c2950-i6k2l2q4-mz.121-22.EA8a.bin"...####...0x80010000
executing...       
...edited...
Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
Image text-base: 0x80010000, data-base: 0x8067A000


Initializing flashfs...
flashfs[1]: 20 files, 2 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 5691904
flashfs[1]: Bytes available: 2049536
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
Done initializing flashfs.
POST: System Board Test : Passed
POST: Ethernet Controller Test : Passed
ASIC Initialization Passed

POST: FRONT-END LOOPBACK TEST : Passed
...edited...
cisco WS-C2950T-24 (RC32300) processor (revision J0) with 19959K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Building configuration...
[OK]
Building configuration...
[OK]
00:00:16: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:21: %SYS-5-CONFIG_I: Configured from memory by console
00:00:22: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:23: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
00:00:23: %SNMP-5-COLDSTART: SNMP agent on host 2950T-24 is undergoing a cold start

So far so good. Now I need to add SNMP v3 encrytion support.

2950T-24(config)#snmp-server  group readonly v3 priv read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass 
 priv des56 bejtlichpass

I run 'sh run' to see if those entries are there.

snmp-server group readonly v3 priv read readview 
snmp-server view readview internet included

I look like I am ready to perform snmpget using encrypted SNMP v3.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass
 -x DES -X bejtlichpass 192.168.2.2 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING:

It worked. Here is the get.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1661458003
        msgMaxSize: 65507
        msgFlags: 07
        .... .1.. = Reportable: Set
        .... ..1. = Encrypted: Set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 800000090300000D286CF541
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: cisco (9)
    Engine ID Format: MAC address (3)
    
    msgAuthoritativeEngineBoots: 2
    msgAuthoritativeEngineTime: 1148
    msgUserName: richard
    msgAuthenticationParameters: 5D732660B4962FB94C3857F6
    msgPrivacyParameters: 0000000187F9C1A5
    msgData: encryptedPDU (1)
        encryptedPDU: A2747E0A41B3198E50974E9B436A4D2AE105FDDB0DECABB3...

Here is the response.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1661458003
        msgMaxSize: 1500
        msgFlags: 03
        .... .0.. = Reportable: Not set
        .... ..1. = Encrypted: Set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 800000090300000D286CF541
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: cisco (9)
    Engine ID Format: MAC address (3)
    
    msgAuthoritativeEngineBoots: 2
    msgAuthoritativeEngineTime: 1148
    msgUserName: richard
    msgAuthenticationParameters: 58D2406E940462CA945D1265
    msgPrivacyParameters: 00000002B05B3948
    msgData: encryptedPDU (1)
        encryptedPDU: 1A6F31989187318B38BC5D90068B7EE847D3FE4716984CA8...

Not bad!

Read More

SNMP v3 on Cisco Switch

13.21    No comments

Using these instructions I set up SNMP v3 on my Cisco 2950-T switch.


2950T-24>enable
Password: 
2950T-24#conf t
2950T-24(config)#snmp-server view readview internet included
2950T-24(config)#snmp-server group readonly v3 auth read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass 
Adding an snmpv3 user could cause a bootup delay,
do you wish to continue? (y/n)[confirm]y
2950T-24(config)#exit
2950T-24#

I was not able to use DES encryption because the switch does not have a crypto image. This output has the clues I need to track down what image I'm using.

orr:/home/richard$ snmpwalk -v3 -u richard -l authNoPriv -a MD5
 -A bejtlichpass 192.168.2.2 system

SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software 
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.359
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (128520) 0:21:25.20
SNMPv2-MIB::sysContact.0 = STRING: 
SNMPv2-MIB::sysName.0 = STRING: 2950T-24
SNMPv2-MIB::sysLocation.0 = STRING: 
SNMPv2-MIB::sysServices.0 = INTEGER: 2
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

I believe a router I own has a crypto image, so to enable DES encryption of SNMP v3 packets I would say this instead:

2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass 
 priv des56 bejtlichpass

Read More

SNMP Comments Part II

12.42    No comments

Earlier today I described how to modify the sysLocation MIB entry using SNMP v1 or v2c.

I can do so with SNMP v3 too.

Here is the syntax, followed by packet captures. I disabled encryption so we could read the protocol.

orr:/home/richard$ snmpset -v 3 -u richard -l authNoPriv -a MD5 -A bejtlichpass
 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is the SNMP v3 set.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1062947135
        msgMaxSize: 65507
        msgFlags: 05
        .... .1.. = Reportable: Set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 30
    msgAuthoritativeEngineTime: 284
    msgUserName: richard
    msgAuthenticationParameters: EC4230B1E10C6F5B9A35AFD2
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800F7E06630CC1F644
            data: set-request (3)
                set-request
                    request-id: 745008373
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        Item
                            name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                    simple: string-value (1)
                                        Value: STRING: Manassas

0000  02 00 00 00 45 00 00 a1 ab e5 00 00 40 11 d0 64   ....E.......@..d
0010  7f 00 00 01 7f 00 00 01 c5 64 00 a1 00 8d d7 5b   .........d.....[
0020  30 81 82 02 01 03 30 11 02 04 3f 5b 49 3f 02 03   0.....0...?[I?..
0030  00 ff e3 04 01 05 02 01 03 04 31 30 2f 04 0d 80   ..........10/...
0040  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1e 02   .....~.c...D....
0050  02 01 1c 04 07 72 69 63 68 61 72 64 04 0c ec 42   .....richard...B
0060  30 b1 e1 0c 6f 5b 9a 35 af d2 04 00 30 37 04 0d   0...o[.5....07..
0070  80 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a3   ......~.c...D...
0080  24 02 04 2c 67 ec f5 02 01 00 02 01 00 30 16 30   $..,g........0.0
0090  14 06 08 2b 06 01 02 01 01 06 00 04 08 4d 61 6e   ...+.........Man
00a0  61 73 73 61 73                                    assas

Here is the SNMP v3 response.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1062947135
        msgMaxSize: 65507
        msgFlags: 01
        .... .0.. = Reportable: Not set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 30
    msgAuthoritativeEngineTime: 284
    msgUserName: richard
    msgAuthenticationParameters: AFBDAC044A463B08DB5C5A2F
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800F7E06630CC1F644
            data: get-response (2)
                get-response
                    request-id: 745008373
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        Item
                            name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                    simple: string-value (1)
                                        Value: STRING: Manassas

0000  02 00 00 00 45 00 00 a1 ab e6 00 00 40 11 d0 63   ....E.......@..c
0010  7f 00 00 01 7f 00 00 01 00 a1 c5 64 00 8d 78 28   ...........d..x(
0020  30 81 82 02 01 03 30 11 02 04 3f 5b 49 3f 02 03   0.....0...?[I?..
0030  00 ff e3 04 01 01 02 01 03 04 31 30 2f 04 0d 80   ..........10/...
0040  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1e 02   .....~.c...D....
0050  02 01 1c 04 07 72 69 63 68 61 72 64 04 0c af bd   .....richard....
0060  ac 04 4a 46 3b 08 db 5c 5a 2f 04 00 30 37 04 0d   ..JF;..\Z/..07..
0070  80 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a2   ......~.c...D...
0080  24 02 04 2c 67 ec f5 02 01 00 02 01 00 30 16 30   $..,g........0.0
0090  14 06 08 2b 06 01 02 01 01 06 00 04 08 4d 61 6e   ...+.........Man
00a0  61 73 73 61 73                                    assas

Read More

SNMP v1, v2c, and v3

12.00    No comments

The book pictured at left spends more time on SNMP v1 and v2c than it does on SNMP v3. For example, it provides packet captures for v1 and v2c but not v3.

SNMP v1 is everywhere, but we should use SNMP v3 where possible.

I thought it would be helpful to show all three formats in one place.

Here is my snmpd.conf for SNMP v1 and v2c.

###########################################################################
#
# snmpd.conf
#
#   - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.

# rwuser: a SNMPv3 read-write user
#   arguments:  user [noauth|auth|priv] [restriction_oid]

rocommunity     read
rwcommunity     write

This is the syntax for a SNMP v1 snmpget.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v1 get.

Simple Network Management Protocol
    version: version-1 (0)
    community: read
    data: get-request (0)
        get-request
            request-id: 623181039
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                Item
                    name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                    valueType: unSpecified (1)
                        unSpecified

0000  02 00 00 00 45 00 00 45 8f d7 00 00 40 11 ec ce   ....E..E....@...
0010  7f 00 00 01 7f 00 00 01 c7 4c 00 a1 00 31 d6 36   .........L...1.6
0020  30 27 02 01 00 04 04 72 65 61 64 a0 1c 02 04 25   0'.....read....%
0030  24 fc ef 02 01 00 02 01 00 30 0e 30 0c 06 08 2b   $........0.0...+
0040  06 01 02 01 01 06 00 05 00                        .........

Here is the SNMP v1 response.

Simple Network Management Protocol
    version: version-1 (0)
    community: read
    data: get-response (2)
        get-response
            request-id: 623181039
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                Item
                    name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                    valueType: value (0)
                        value: simple (4294967295)
                            simple: string-value (1)
                                Value: STRING: somewhere

0000  02 00 00 00 45 00 00 4e 8f d8 00 00 40 11 ec c4   ....E..N....@...
0010  7f 00 00 01 7f 00 00 01 00 a1 c7 4c 00 3a 01 f8   ...........L.:..
0020  30 30 02 01 00 04 04 72 65 61 64 a2 25 02 04 25   00.....read.%..%
0030  24 fc ef 02 01 00 02 01 00 30 17 30 15 06 08 2b   $........0.0...+
0040  06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65   .........somewhe
0050  72 65                                             re

This is the syntax for a SNMP v2c snmpget.

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v2c get.

Simple Network Management Protocol
    version: v2c (1)
    community: read
    data: get-request (0)
        get-request
            request-id: 1664713700
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                Item
                    name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                    valueType: unSpecified (1)
                        unSpecified

0000  02 00 00 00 45 00 00 45 8f f5 00 00 40 11 ec b0   ....E..E....@...
0010  7f 00 00 01 7f 00 00 01 d6 21 00 a1 00 31 bc 9c   .........!...1..
0020  30 27 02 01 01 04 04 72 65 61 64 a0 1c 02 04 63   0'.....read....c
0030  39 83 e4 02 01 00 02 01 00 30 0e 30 0c 06 08 2b   9........0.0...+
0040  06 01 02 01 01 06 00 05 00                        .........

Here is the SNMP v2c response.

Simple Network Management Protocol
    version: v2c (1)
    community: read
    data: get-response (2)
        get-response
            request-id: 1664713700
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                Item
                    name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                    valueType: value (0)
                        value: simple (4294967295)
                            simple: string-value (1)
                                Value: STRING: somewhere

0000  02 00 00 00 45 00 00 4e 8f f6 00 00 40 11 ec a6   ....E..N....@...
0010  7f 00 00 01 7f 00 00 01 00 a1 d6 21 00 3a e8 5d   ...........!.:.]
0020  30 30 02 01 01 04 04 72 65 61 64 a2 25 02 04 63   00.....read.%..c
0030  39 83 e4 02 01 00 02 01 00 30 17 30 15 06 08 2b   9........0.0...+
0040  06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65   .........somewhe
0050  72 65                                             re

To use SNMP v3, use a snmpd.conf like this. Notice the lack of community strings.

rwuser  richard priv 
createUser      richard MD5 bejtlichpass DES bejtlichpass

This is the syntax for a SNMP v3 snmpget.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass -x DES
 -X bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v3 get.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 235115949
        msgMaxSize: 65507
        msgFlags: 07
        .... .1.. = Reportable: Set
        .... ..1. = Encrypted: Set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 25
    msgAuthoritativeEngineTime: 438
    msgUserName: richard
    msgAuthenticationParameters: B0183A673DD87ED37B9FB3C0
    msgPrivacyParameters: 0000000189C95C79
    msgData: encryptedPDU (1)
        encryptedPDU: 3C7F7013664F1C206DC92100AE9E2B3BC360C9839862AB8F...

0000  02 00 00 00 45 00 00 aa 8e 26 00 00 40 11 ee 1a   ....E....&..@...
0010  7f 00 00 01 7f 00 00 01 ef 46 00 a1 00 96 29 52   .........F....)R
0020  30 81 8b 02 01 03 30 11 02 04 0e 03 95 ad 02 03   0.....0.........
0030  00 ff e3 04 01 07 02 01 03 04 39 30 37 04 0d 80   ..........907...
0040  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02   .....~.c...D....
0050  02 01 b6 04 07 72 69 63 68 61 72 64 04 0c b0 18   .....richard....
0060  3a 67 3d d8 7e d3 7b 9f b3 c0 04 08 00 00 00 01   :g=.~.{.........
0070  89 c9 5c 79 04 38 3c 7f 70 13 66 4f 1c 20 6d c9   ..\y.8<.p.fO. m.
0080  21 00 ae 9e 2b 3b c3 60 c9 83 98 62 ab 8f eb be   !...+;.`...b....
0090  26 f1 d6 72 6a 5a 3a 6e ff 07 c7 dd d3 f2 b0 d4   &..rjZ:n........
00a0  f2 24 52 dc c2 ef 48 b8 c8 43 34 90 d2 98         .$R...H..C4...

Here is the SNMP v3 response.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 235115949
        msgMaxSize: 65507
        msgFlags: 03
        .... .0.. = Reportable: Not set
        .... ..1. = Encrypted: Set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 25
    msgAuthoritativeEngineTime: 438
    msgUserName: richard
    msgAuthenticationParameters: A554DADDF26EE2EC976BA9DD
    msgPrivacyParameters: 0000001911E1CD8C
    msgData: encryptedPDU (1)
        encryptedPDU: A5CB2056AB68B85CB9AB999FB6080A3536DC086F3DF20DEC...

0000  02 00 00 00 45 00 00 b2 8e 27 00 00 40 11 ee 11   ....E....'..@...
0010  7f 00 00 01 7f 00 00 01 00 a1 ef 46 00 9e f2 fd   ...........F....
0020  30 81 93 02 01 03 30 11 02 04 0e 03 95 ad 02 03   0.....0.........
0030  00 ff e3 04 01 03 02 01 03 04 39 30 37 04 0d 80   ..........907...
0040  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02   .....~.c...D....
0050  02 01 b6 04 07 72 69 63 68 61 72 64 04 0c a5 54   .....richard...T
0060  da dd f2 6e e2 ec 97 6b a9 dd 04 08 00 00 00 19   ...n...k........
0070  11 e1 cd 8c 04 40 a5 cb 20 56 ab 68 b8 5c b9 ab   .....@.. V.h.\..
0080  99 9f b6 08 0a 35 36 dc 08 6f 3d f2 0d ec eb b3   .....56..o=.....
0090  1b 19 08 d1 cd 86 72 5e 2a 77 67 ee df f5 90 79   ......r^*wg....y
00a0  5f a0 27 db df 30 06 95 af 67 9b a9 16 8e 65 0e   _.'..0...g....e.
00b0  3a 2d 75 69 d8 64                                 :-ui.d

As you can see, this last example is encrypted. This is the best way to deploy SNMP v3. However, you can disable the encryption by using this snmpd.conf.

rwuser  richard auth 
createUser      richard MD5 bejtlichpass

You can run the following to generate an unencrypted SNMP v3 get.

orr:/home/richard$ snmpget -v 3 -u richard -l authNoPriv -a MD5
 -A bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the unencrypted SNMP v3 get.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1246784484
        msgMaxSize: 65507
        msgFlags: 05
        .... .1.. = Reportable: Set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 27
    msgAuthoritativeEngineTime: 31
    msgUserName: richard
    msgAuthenticationParameters: 210D87D7EF2AADAD95DF201C
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800F7E06630CC1F644
            data: get-request (0)
                get-request
                    request-id: 1827121577
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        Item
                            name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                            valueType: unSpecified (1)
                                unSpecified

0000  02 00 00 00 45 00 00 97 90 2f 00 00 40 11 ec 24   ....E..../..@..$
0010  7f 00 00 01 7f 00 00 01 fe c4 00 a1 00 83 a9 65   ...............e
0020  30 79 02 01 03 30 11 02 04 4a 50 6b e4 02 03 00   0y...0...JPk....
0030  ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80 00   .........00.....
0040  1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02 01   ....~.c...D.....
0050  1f 04 07 72 69 63 68 61 72 64 04 0c 21 0d 87 d7   ...richard..!...
0060  ef 2a ad ad 95 df 20 1c 04 00 30 2f 04 0d 80 00   .*.... ...0/....
0070  1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a0 1c 02   ....~.c...D.....
0080  04 6c e7 a9 a9 02 01 00 02 01 00 30 0e 30 0c 06   .l.........0.0..
0090  08 2b 06 01 02 01 01 06 00 05 00                  .+.........

Here is the unencrypted SNMP v3 response.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1246784484
        msgMaxSize: 65507
        msgFlags: 01
        .... .0.. = Reportable: Not set
        .... ..0. = Encrypted: Not set
        .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: 0F7E0663
    Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
    msgAuthoritativeEngineBoots: 27
    msgAuthoritativeEngineTime: 31
    msgUserName: richard
    msgAuthenticationParameters: 539C1C59C5B2C9B47BE3112A
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001F88800F7E06630CC1F644
            data: get-response (2)
                get-response
                    request-id: 1827121577
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        Item
                            name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
                            valueType: value (0)
                                value: simple (4294967295)
                                    simple: string-value (1)
                                        Value: STRING: somewhere

0000  02 00 00 00 45 00 00 a1 90 30 00 00 40 11 ec 19   ....E....0..@...
0010  7f 00 00 01 7f 00 00 01 00 a1 fe c4 00 8d cf 61   ...............a
0020  30 81 82 02 01 03 30 11 02 04 4a 50 6b e4 02 03   0.....0...JPk...
0030  00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80   ..........00....
0040  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02   .....~.c...D....
0050  01 1f 04 07 72 69 63 68 61 72 64 04 0c 53 9c 1c   ....richard..S..
0060  59 c5 b2 c9 b4 7b e3 11 2a 04 00 30 38 04 0d 80   Y....{..*..08...
0070  00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a2 25   .....~.c...D...%
0080  02 04 6c e7 a9 a9 02 01 00 02 01 00 30 17 30 15   ..l.........0.0.
0090  06 08 2b 06 01 02 01 01 06 00 04 09 73 6f 6d 65   ..+.........some
00a0  77 68 65 72 65                                    where

SNMP is cool. The biggest problem for SNMP v3 seems to be user and key management.

Read More

SNMP Comments

08.26    No comments

I've been reading the book pictured at left, which I hope to review with the next few days. In the text they show examples using Net-SNMP tools to read and change system attributes using SNMP.

One of the examples involves something like the following. They show modification of the sysLocation value.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here I'm reading the system location. Where does "somewhere" come from? I look at /usr/ports/net-mgmt/net-snmp/Makefile and find this:

CONFIGURE_ARGS+=--enable-shared --enable-internal-md5 
--with-mib-modules="${_NET_SNMP_MIB_MODULES}"                 
--with-default-snmp-version="${DEFAULT_SNMP_VERSION}"                 
--with-sys-contact="${NET_SNMP_SYS_CONTACT}"                 
--with-sys-location="${NET_SNMP_SYS_LOCATION}"                 
--with-logfile="${NET_SNMP_LOGFILE}"                 
--with-persistent-directory="${NET_SNMP_PERSISTENTDIR}"
--with-gnu-ld --with-libwrap --with-libs="-lkvm -ldevstat"
...edited...
DEFAULT_SNMP_VERSION?=  3
NET_SNMP_SYS_CONTACT?=  nobody@nowhere.invalid
NET_SNMP_SYS_LOCATION?= somewhere
NET_SNMP_LOGFILE?=      /var/log/snmpd.log
NET_SNMP_PERSISTENTDIR?=/var/net-snmp
NET_SNMP_MIB_MODULES?=  ${NET_SNMP_MIB_MODULE_LIST}

Since I installed the FreeBSD package, I'm using the default value.

System location is defined in /usr/local/share/snmp/mibs/SNMPv2-MIB.txt

sysLocation OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "The physical location of this node (e.g., 'telephone
            closet, 3rd floor').  If the location is unknown, the
            value is the zero-length string."
    ::= { system 6 }

As you can see, this is read-write. I should be able to modify it using the example in the text.

orr:/home/richard$ snmpset -v 1 -c write 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

I can also use SNMP v2c.

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is my /usr/local/etc/snmp/snmpd.conf. Note that if I set syslocation and syscontact in this file, I would not be able to change these values using snmpset. The FAQ makes that point. 

###########################################################################
#
# snmpd.conf
#
#   - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rocommunity  read  

# rwcommunity: a SNMPv1/SNMPv2c read-write access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rwcommunity  write

As you can see I have no access control and I do not set sysLocation here.

I can alter other values, too. For example:

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 1.3.6.1.2.1.11.30.0
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 1.3.6.1.2.1.11.30.0 = 1
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: enabled(1)

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 1.3.6.1.2.1.11.30.0
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: enabled(1)

orr:/home/richard$ snmpset -v 2c -c write 127.0.0.1 1.3.6.1.2.1.11.30.0 = 2
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

I appreciate Dale Coddington pointing out a syntax error that caused problems with the first version of this post!

Read More

September Issue of (IN)SECURE Magazine Posted

05.59    No comments

Mirko Zorz told me a new issue (IN)SECURE Magazine is available online as Issue 1.8 September 2006 (.pdf).

Read More

Rabu, 30 Agustus 2006

FreeBSD Snort 2.6.0 Port Available

17.46  ,  No comments

The FreeBSD security/snort port now offers 2.6.0. Just run portsnap fetch && portsnap update and you're ready. I'm not sure if/when Snort 2.6.0.1 will be added to the ports tree. I haven't tried 2.6.1 Beta, yet.

Read More

Attacks Against WEP and Bump Keys

17.07    No comments

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP.

At almost the same time Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias. MSNBC and Slashdot ran stories, and this week a NBC affiliate reported on the problem as well. This week Marc Tobias is blogging on the subject, and I've learned that locks by Abloy and Medeco are resistant to bump keys. Finally, the blogosphere has some commentary on the problem.

It seems to me that attacks against WEP and bump keys are examples of the same problem. In either case, a determined intruder with sufficient tools and expertise is going to overcome your preventative security measures and compromise you. In my books I call this fact prevention eventually fails. Eventual compromise is the reason I recommend detection and response, as well as insurance.

However, relying solely on WEP while the front door to your data center is propped open is no better than installing a vulnerable door lock on a shoddy frame. In those cases, addressing the popular flaw (vulnerable WEP, vulnerable door lock) still leaves many other avenues of attack open. Most opportunistic wireless intruders will pass a WEP-encrypted network for one that is wide open. Most opportunistic physical intruders will pass a locked door for one that is wide open.

In both cases, fighting the battle to address vulnerabilities is a losing cause. Removing threats by prosecuting criminals is the most effective way to reduce risk.

I feel better knowing I have a big dog in my house, though.

Read More

Pandemic Reporting Like Digital Security Incident Reporting

12.52  , ,  No comments

The 12 August 2006 issue of the Economist featured the story Global Health: A Shot of Transparency (subscription required). It reminded me of the state of reporting digital security incidents.

At the moment, the world's pandemic-alert system is distressingly secretive. Some countries, such as Vietnam, have been fairly open about new outbreaks of the sorts of infectious disease that might lead to pandemics, and have even invited foreigners in to help diagnose the problem. Most, however, have not been so forthright. Public-health experts point to China and Thailand, both of which suffered outbreaks of potential pandemic illnesses in the past few years (SARS in China and avian influenza in Thailand) as examples of places that do not fully disclose the relevant details...

The reasons for countries' reluctance to share information are understandable, though hardly defensible. Some believe that full disclosure could cause locals to panic and foreign tourists to stay away...

Larry Brilliant, a former WHO official who helped to eradicate smallpox in India, dreams of an open-source, non-governmental, public-access network that would help the world move quickly whenever potential pandemics start brewing. He looks for inspiration to the Global Public Health Intelligence Network (GPHIN), an obscure programme run by the Canadian government that searches public databases in seven languages looking for early signs of disease outbreak...

His proposed open network could well spot the next, as yet undiscovered, threat.

I don't want to stretch the analogy too far, but some interesting ideas are here. I wonder what the effect of publishing the IP addresses of botnet hosts would be? Not the controllers, but the hosts themselves. That would reveal (at least in the narrow botnet case) how widespread certain compromises might be (ignoring the NAT effect).

I was hoping to hear other ways of encouraging reporting, but no others appeared in the article.

Read More

Virtual Desktop Infrastructure Seminar

12.35    No comments

Last week I attended a seminar featuring VMware and Wyse pitching their Virtual Desktop Infrastructure. (Is it just me or does VMware's site seldom render properly in Firefox?)

The Wyse rep passed around the Wyse S10 pictured at left. It lists for $299, "runs BSD" (called "ThinOS"), and features a 450 MHz AMD Geode CPU. Although it has USB ports you can't use them for thumb drives or CD-ROM drives. (More powerful units support those devices.) It has a PPTP client with support for SSL VPNs on the product roadmap. Also on the roadmap is 802.1X, PoE, and wireless support. The S10 is basically a box to access remote desktops using RDP, ICA, or a Leostream connection broker. The box can be managed remotely, and can have its firmware flashed remotely.

This is the future of "business computing." It may also be the future of non-power-user consumer computing, at least for people with modest, office-like (email, Web, etc.) needs. The local hardware will be nothing more than a window (pun intended) to remote desktops. I imagine people might want local storage, but most of it will be stored remotely.

I have to start imagining how to monitor this sort of architecture. I guess we'll spend far more time watching data centers and hardly any time watching end nodes?

Update: I forgot to mention that I believe at some point ISPs will replace their cable modems with these devices. Power users will still be able to use "dumb" cable modems or just avoid the thin client features in their new ISP platform. I also think some hardware vendor will package this thin client into a LCD screen, like the iMac.

In general, this sort of architecture will make it easy for smart PDAs to gain access to the same information I might want on my laptop or desktop. When metropolitan wireless is ubiquitous, we won't have to worry as much about synchronization issues either. Fun!

Read More

Atom Feed Truncated -- Not My Fault

12.04    No comments

If you're subscribed to taosecurity.blogspot.com/atom.xml, sometime today Blogger decided to post summaries and not full stories. I changed nothing, I have full content publishing selected, and I even republished the whole blog. The RSS feed at taosecurity.blogspot.com/rss.xml is publishing whole content though.

Update: It looks like the Atom feed fixed itself.

Read More

Notes from Cisco TV on CCNP

08.39  ,  No comments

I'm listening to the first episode of CCNP TV. It's not really TV, more like slides plus audio. I'm listening because I wanted to know about the CCNP changes mentioned earlier. The new material will all use Cisco IOS 12.4. I found this change interesting: assume I earn my CCNP; in the future, I can recertify using any Professional level exam, like one from CCSP.

Mixing and matching of old and new exams will be allowed within the guidelines explained in these two press releases.

Parts of this webcast were hilarious. Despite Cisco's drive into voice, none of the callers could communicate with the hosts. The caller who got closest to speaking should have been told "turn your radio down!" because the broadcast was on a 30 second-or-so delay. The host also asked two questions twice each, and the other panel members pretended like it didn't happen. I heard the terms "billion dollar marketplace" and "revenue opportunity" repeated several times. This was probably the funniest exchange:

Host (paraphrasing): "So what's the difference between the old and the new?"

Bob: "These new networks go up to layer 7."

Host: "Oooohhh."

If you have questions the best place to look for answers is www.cisco.com/go/certifications or www.cisco.com/go/certsupport. For specifics on preparing for CCNP, try www.cisco.com/go/prep-ccnp.

Read More

Review of Inside Network Perimeter Security, 2nd Ed Posted

07.16    No comments

Amazon.com just posted my three star review of Inside Network Perimeter Security, 2nd Ed. From the review:

I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.

Read More

Selasa, 29 Agustus 2006

Again, External Threat Is More Prevalent

13.51    No comments

I almost fell out of my chair when word of the following story reached my Bloglines account: Study: Rethink the Outsider Threat. I published my thoughts on the prevalence of external threats in my first book, and I reiterated those thoughts recently. Now I appear to have some outside help. From the article:

The report took data from the Department of Justice Computer Crime and Intellectual Property Section's network intrusion and data-theft prosecutions between 1999 and 2006. (See How Much Does a Hack Cost?) Phoenix Technologies commissioned the report, but the data came from DOJ cases...

Outside attackers committed 79 percent of the crimes where user accounts were infiltrated[,] and former employees were the perpetrators in 21 percent of these types of breaches. And overall, 57 percent of attackers had no relationship with the victim organizations, 22 percent were former employees, 14 were current employees, and 7 percent had a customer or supplier relationship or similar "connection" to the victimized organization. (comma added, emphasis added)

Where's the 80% myth now? Gone, except in the minds of people who cling to it. I don't expect to see it disappear overnight. Please, if you want to repeat the 80% myth, at least cite a source. (You won't be able to find anything authoritative, just reports citing each other in a circular manner.)

Read More

Liveview

12.46    No comments

Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images.

I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get.

Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at realdigitalforensics.com to patch the image.


orr:/home/richard$ ls -al *.gz
-rw-rw-rw-  1 richard  richard  181673834 Aug 29 15:06 BRJDEV.dd.gz
-rw-rw-rw-  1 richard  richard  389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ ls -al patch0001.bin 
-rw-r--r--  1 richard  richard  42635114 Mar  7 12:16 patch0001.bin
orr:/home/richard$ dd if=patch0001.bin of=BRJDEV.dd.gz bs=512 seek=271560 
83271+1 records in
83271+1 records out
42635114 bytes transferred in 5.059636 secs (8426518 bytes/sec)

orr:/home/richard$ ls -al *.gz
-rw-rw-rw-  1 richard  richard  181673834 Aug 29 15:26 BRJDEV.dd.gz
-rw-rw-rw-  1 richard  richard  389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ md5 BRJDEV.dd.gz
MD5 (BRJDEV.dd.gz) = 3f274b39803068d69f8b62730e101d64

Since BRJDEV.dd.gz had the proper MD5 hash, I moved it over to my Windows station, gunzipped it, and then ran Liveview. I tried to run Liveview on FreeBSD (it's Java), but I saw too many errors. Liveview is easy enough to use. I pointed it at the proper .dd file, and told it where I wanted the image produced.

Liveview built a .vmx file, a .vmdk file, and told VMware Server where to find the new VM. At this point it looked ready to start, so I fired up VMware Server.

Things started to proceed well. I got a Linux bootloader image, so something was working. The Linux kernel started to load too.

Unfortunately, I didn't get very far. Eventually Linux reported a kernel panic and complained that it was unable to mount the root filesystem.

I believe I would have more success if I used an image of a Windows system, but I do not have one handy.

While writing this blog I found dd2vmdk, a project with similar goals. I bet VMware's P2V might import dd images, but I'm not sure.

Read More

Using FCC Filings to Learn About Wireless Cards

10.24    No comments

One of the cool hints I learned in Ted Wallingford's 802.11 book involved finding your specific hardware in the FCC Equipment Authorization System Generic Search. My Linksys WPC54gv3, for example, has these exhibits. I entered Q87 as the Grantee Code and -WPC54GV3 as the Product Code (including the leading dash). You can get these codes by reading them on your NIC.

Using the Internal Photos .pdf, I can see that this NIC uses a Broadcom chipset. Plenty of other information is available too.

Read More

WildPackets OmniPeek Personal

09.55    No comments

Three years ago I attended a WildPackets traffic analysis seminar, which I liked. In June WildPackets announced the availability of the free (as in beer) OmniPeek Personal product. I learned of it from Average Admins.

After using OmniPeek personal for a short time, I have to say I still prefer Wireshark for straightforward packet analysis. I'm sure I'm going to hear from diehard WildPackets fans that OmniPeek is the cat's meow, but hear me out.

I realize that the power of OmniPeek lies in its network analysis features. OmniPeek and other WildPackets products are like "network troubleshooters in software." That's great, since Wireshark doesn't support many of those features. That is not a daily issue I face, however.

My first problem with OmniPeek is that it runs on Windows. Why didn't I complain about that with NetWitness? Well, NetWitness is a network forensics product, like EnCase is a host forensics product. I'm willing to deal with a Windows interface when I have no Unix alternative. With OmniPeek on Windows, I can turn to Wireshark on Windows or Unix. I prefer Unix when possible.

Second, I don't really like the OmniPeek interface. There are too many windows which need managing. I like the fact that I can highlight a packet in the top Wireshark pane and see corresponding details below. Oh, you can do that in OmniPeek, you might say. Well, why do I have a separate pane for every packet upon which I double-click? Can that be changed to emulate Wireshark's behavior? Argh, annoying.

Furthermore, the packet content highlight feature doesn't work as I would expect. I expect to highlight any part of the decode and see the corresponding hex and ASCII contents highlighted, and vice-versa. That is not the default behavior in OmniPeek, or at least it doesn't work reliably.

I admit a certain level of inertia is at play here. I have been using Wireshark and its predecessor for years, and I am familiar with the interface. I'm sure there's a lot of power available with OmniPeek if I am willing to put some time into learning how to use the product. For example, I think OmniPeek has some helpful visualization tools built into it. I am always looking for tools with statistics and other traffic summarization features. OmniPeek offers those.

In the short term I will continue to use Wireshark for normal packet analysis tasks. I will probably try to learn about the features in OmniPeek that could complement those in Wireshark. I do not plan to perform per-packet analysis with OmniPeek though.

If you care to see more, I've uploaded some screen shots.

Incidentally, it appears I am not the only blogger with these sentiments.

Read More

June 2006 Issue of (IN)SECURE Magazine Posted

08.41    No comments

Yes, I missed this event from two months ago! I just realized that a new edition of Mirko Zorz's (IN)SECURE Magazine is available online as Issue 1.7 June 2006 (.pdf).

Read More

NSM Wiki created

08.41  ,  No comments

David Bianco of Vorant created a Network Security Monitoring Wiki to share information on effective use of Sguil and other NSM tools. You might also like David's blog.

If you've got custom queries you run in Sguil, or performance reports, or related issues, please share them on the Wiki. If you have questions about Sguil use, post them to the Sguil users list via email to sguil-users [at] lists.sourceforge.net. Questions on Sguil development should go to sguil-devel [at] lists.sourceforge.net. As always, you can discuss Sguil and NSM on irc.freenode.net in channel #snort-gui.

Read More

Review of Penetration Testing and Network Defense Posted

08.36    No comments

Amazon.com just posted my three star review of Penetration Testing and Network Defense. This was another disappointment that duped me into trying to read it. From the review:

Penetration testing is becoming a hot topic again, but the available books on the subject continue to underwhelm. Penetration Testing and Network Defense (PTAND), published in the fall of 2005, would be a four star book if it had been published two years earlier. Stephen Northcutt, unlike all other reviewers, noticed this fact as well. When you combine this problem with PTAND with several other deficiencies, the result is a book you can unfortunately skip.

On a brighter pen testing note, I read that work is progressing on version 3.0 of Pete Herzog's Open Source Security Testing Methodology Manual (OSSTMM). Maybe we'll see a new version in a few weeks?

Also, the Active Filter Detection tool implements a cool function needed by OSSTM.

Read More

Senin, 28 Agustus 2006

Non-Review: Practical VoIP Security

17.24    No comments

Here's a first for the TaoSecurity Blog. As mentioned in a pre-review, I planned to read Practical VoIP Security and then write a Amazon.com review. I'd had a bad experience reading VoIP Security, so I hoped this new book would be better. Wrong.

My policy for writing Amazon.com reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security, I couldn't make it past the first chapter. In fact, by page 4 -- the third page of text -- I was frustrated. In three pages the author (who was the lead author and technical editor) had mentioned terms like PBX, SS7, H.323, SIP, SNMP, VoIP, and SIGTRAN (which never appears again in this book!) without explaining any of them. I am familiar with all except the last, but I should not have to rely on past knowledge when reading the introductory pages of a "practical" book. The first chapter, overall, is a rambling collection of ideas that do nothing to prepare the reader for what follows.

If you want more details, I found Rob Slade's review to be good.

On a note related to Intruders Selling Security Software, I found this interview with the lead author of Practical VoIP Security to be a sign of foolish boasting or outright deception:

CSOonline: What is your background, and why are you called a hacker?

-name omitted-: I’m a hacker in the more traditional sense. Old-school hackers want to learn how things work and try to take it apart or gain access out of curiosity. Getting into networks and systems is good or bad based on your vantage point. Most traditional hackers do it just to see if they can, but they’re not there to steal information or destroy the integrity of a system. (emphasis added)

I'm setting you up for material to follow. You might guess the "vantage point" comment doesn't sit well with me. The interview continues.

Can you mention some of your notorious hacks?

Nothing that I’ve done has made public news, and there are some things I’d rather not mention. I did raise the interest of the Defense Department once, but I’ve never been involved in any criminal activity. At one point in my career, I was interested in finding proof of alien life, so I did access the network at China Lake, also known as Area 51 in Roswell, New Mexico. (emphasis added)

Oh, you mean the super-secret Naval Air Weapons Station China Lake, home of the MAJIC Morale, Welfare and Recreation office? I think this hax0r was trying to find Groom Lake, and if that were the case we wouldn't be hearing from him.

The interview continues:

How does a hacker disclose his or her credentials?

There are two kinds of hackers. Those who do it to impress their friends or become famous, and those that you don’t know about. The really good, and smart, hackers won’t tell you that they are hackers. Many of them are also not very sociable--they keep what they do on the QT, and if they have real credentials or experience, they don’t say anything about it. (emphasis added)

Now you see why I added emphasis to the first paragraph. Sigh. Why are people like this getting attention from the media?

I guess I'm going to have to wait for Hacking Exposed: VoIP in December. For general books on VoIP, Switching to VoIP and VoIP Hacks by Ted Wallingford look good.

Read More

Security Engineering Book in Digital Form

13.52    No comments

I just read at Light Blue Touchpaper that one of my top ten books of the past ten years is now available online. Now you have no excuse not to read this incredible book (reviewed here).

It seems funny that the blog commenters asking about making a single .pdf have not heard of Pdftk.

Thanks to jimmythegeek for getting this news to me faster than my Bloglines feed.

Read More

More Snort and Sguil Tuning

12.15  ,  No comments

Let's assume you built a new Sguil sensor and have tuned Snort using advice in my Tuning Snort article. What I like to do next is wait a day or so and then run the following query to look for problematic alert types.

mysql> select count(*) as total, event.signature from event where
 event.status=0 group by event.signature order by total desc;
+-------+------------------------------------------------------------------------+
| total | signature                                                              |
+-------+------------------------------------------------------------------------+
| 43416 | SHELLCODE x86 NOOP                                                     | 
|  4145 | POLICY SMTP relaying denied                                            | 
|  3394 | WEB-MISC PCT Client_Hello overflow attempt                             | 
|  2148 | WEB-CGI calendar access                                                | 
|  1645 | tag: Tagged Packet                                                     | 
|  1267 | SHELLCODE x86 stealth NOOP                                             | 
|  1031 | WEB-MISC weblogic/tomcat .jsp view source attempt                      | 
|   817 | http_inspect: OVERSIZE REQUEST-URI DIRECTORY                           | 
|   683 | INFO web bug 0x0 gif attempt                                           | 
|   491 | SHELLCODE x86 0x90 unicode NOOP                                        | 
|   175 | ftp_pp: Invalid FTP command                                            | 
|   128 | WEB-IIS view source via translate header                               | 
|   126 | WEB-MISC robots.txt access                                             | 
|    88 | Snort Alert [1:5856:0]                                                 | 
|    74 | SHELLCODE x86 inc ebx NOOP                                             | 
|    71 | portscan: Open Port                                                    | 
|    47 | WEB-MISC intranet access                                               |
|    28 | MISC MS Terminal server request                                        | 
|    28 | WEB-FRONTPAGE /_vti_bin/ access                                        | 
|    27 | portscan: TCP Portsweep                                                | 
|    21 | WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt | 
|    19 | ATTACK-RESPONSES 403 Forbidden                                         | 
|    16 | http_inspect: BARE BYTE UNICODE ENCODING                               | 
|    13 | Snort Alert [1:6031:0]                                                 | 
|    12 | ATTACK-RESPONSES directory listing                                     | 
|    12 | SHELLCODE x86 0xEB0C NOOP                                              | 
|     5 | Snort Alert [1:6033:0]                                                 | 
|     4 | portscan: TCP Portscan                                                 |
|     4 | Snort Alert [1:5718:0]                                                 | 
|     3 | EXPLOIT gobbles SSH exploit attempt                                    | 
|     3 | MISC MS Terminal server request RDP                                    | 
|     2 | MS-SQL sp_start_job - program execution                                | 
|     2 | WEB-IIS WebDAV file lock attempt                                       | 
|     1 | WEB-FRONTPAGE posting                                                  | 
|     1 | ATTACK-RESPONSES Invalid URL                                           | 
|     1 | WEB-MISC Chunked-Encoding transfer attempt                             | 
|     1 | MS-SQL xp_reg* - registry access                                       | 
|     1 | WEB-FRONTPAGE rad fp30reg.dll access                                   | 
|     1 | WEB-MISC WebDAV search access                                          | 
|     1 | NEW POLICY RDP attempted Administrator connection request              | 
+-------+------------------------------------------------------------------------+
40 rows in set (2.40 sec)

Wow, that first line is popular. Let's break these out by source IP. (Thanks to VictorJ for catching a dumb error in my original syntax.)

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip)
 from event where event.status=0 and event.signature='SHELLCODE x86 NOOP'
 group by event.signature, event.src_ip order by total desc;
+-------+--------------------+-------------------------+
| total | signature          | INET_NTOA(event.src_ip) |
+-------+--------------------+-------------------------+
| 43002 | SHELLCODE x86 NOOP | 10.20.30.14             | 
|   334 | SHELLCODE x86 NOOP |   6.16.237.132          | 
|    46 | SHELLCODE x86 NOOP |   6.16.237.140          | 
|    18 | SHELLCODE x86 NOOP | 192.168.0.14            | 
|    11 | SHELLCODE x86 NOOP |   3.87.180.190          | 
|     3 | SHELLCODE x86 NOOP |   6.16.237.138          | 
|     2 | SHELLCODE x86 NOOP | 192.168.1.197           | 
+-------+--------------------+-------------------------+
7 rows in set (0.64 sec)

10.20.30.14 is the big offending source IP. Let's see the destination IPs.

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip), 
 INET_NTOA(event.dst_ip) from event where event.status=0 and 
 event.signature='SHELLCODE x86 NOOP' and event.src_ip=INET_ATON('10.20.30.14')
 group by event.signature, event.src_ip, event.dst_ip order by total desc;
+-------+--------------------+-------------------------+-------------------------+
| total | signature          | INET_NTOA(event.src_ip) | INET_NTOA(event.dst_ip) |
+-------+--------------------+-------------------------+-------------------------+
| 43002 | SHELLCODE x86 NOOP | 10.20.30.14             |   6.16.237.137          | 
+-------+--------------------+-------------------------+-------------------------+
1 row in set (0.94 sec)

It looks like there are 43002 SHELLCODE x86 NOOP from 10.20.30.14 to 6.16.237.137. Is that really true though? We can validate these findings by looking for alerts where 6.16.237.137 is not the destination IP.

mysql> select count(*) as total, event.signature, INET_NTOA(event.src_ip), 
 INET_NTOA(event.dst_ip) from event where event.status=0 and
 event.signature='SHELLCODE x86 NOOP' and event.src_ip=INET_ATON('10.20.30.14') and 
 event.dst_ip!=INET_ATON('6.16.237.137') group by event.signature, event.src_ip,
 event.dst_ip order by total desc;
Empty set (1.20 sec)

With an empty response, we confirm there are 43002 SHELLCODE x86 NOOP from 10.20.30.14 to 6.16.237.137.

I have two options here. First, I could simply delete all of these items from the database. I doubt 43002 SHELLCODE alerts from an internal IP address are malicious. On the other hand, I might want to look at them.

The problem with inspecting them is that they are currently in Sguil's inspection queue. If I fire up Sguil it's going to load 43002 alerts into the client. While they will be aggregated, it will take a long time for that to happen.

In cases like these I prefer to mark the events as "NA" and then inspect a sample later.

Before running the following, kill sguild. You should never update the database while Sguil is trying to make sense of it.

mysql> UPDATE event SET status=1, last_modified='2006-08-28 15:45:00', last_uid='sguil'
 where event.status=0 and event.signature='SHELLCODE x86 NOOP' and 
 event.src_ip=INET_ATON('10.20.30.14');
Query OK, 43002 rows affected, 43002 warnings (5.91 sec)
Rows matched: 43002  Changed: 43002  Warnings: 43002

You can repeat this process for the other large event count alerts, or just restart sguild and fire up the Sguil client to deal with them manually.

How can we prevent such a huge number of alerts from occurring again?

My original article mentioned "Thresholding and Suppression." The SHELLCODE x86 NOOP alert might be a good candidate for thresholding.

A look in sid-msg map shows two sids:

$ grep "SHELLCODE x86 NOOP" sid-msg.map 
648 || SHELLCODE x86 NOOP || arachnids,181
1394 || SHELLCODE x86 NOOP

A look in the .rules files shows two rules.

grep "SHELLCODE x86 NOOP" *.rules
shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
 (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; 
 reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:8;)
shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any 
 (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa";
 classtype:shellcode-detect; sid:1394; rev:5;)

I add the following to threshold.conf to limit Snort to generate one alert per 60 seconds for each source IP causing SHELLCODE x86 NOOP alerts.

threshold gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 60

Remember to enable your local threshold.conf in snort.conf:

include /usr/local/etc/nsm/threshold.conf

After restarting Snort, I can expect a lower number of alerts should SHELLCODE x86 NOOP get out of hand again. When Snort starts you'll see the sig-id of your new threshold rule applied.

| gen-id=1      sig-id=648        type=Limit     tracking=src count=1   seconds=60
...edited...
| gen-id=1      sig-id=1394       type=Limit     tracking=src count=1   seconds=60

That's one item for tuning... expect others in the future.

Read More

NoVA Sec First Meeting Pictures at novasec.org

11.52    No comments

Paul Zedeck was kind enough to send pictures from the first NoVA Sec meeting last week. Please visit the NoVA Sec Blog for details.

I try to avoid cross-posting, so keep an eye on that blog for word on the next NoVA Sec meeting.

Read More

Network Forensics with NetWitness

10.46    No comments

Ten days ago I had the privilege of attending a day of product training for NetWitness. NetWitness is a real network forensics tool produced by a company of the same name. Anyone who's read my books or attended my training knows I am a big fan of open source tools. NetWitness, however, is built to facilitate investigating network traffic.

It's important to differentiate between packet collectors, protocol analyzers, and network forensics tools. Dumpcap is the prototypical packet collector. Simpler than Tcpdump and much simpler than Tshark, all Dumpcap does is record packets. It's especially suited for this role, however, because it offers native trace rotation capabilities.

Tcpdump, Tshark, and Wireshark are all protocol analyzers. Yes, Tcpdump is a protocol analyzer, although it is not as robust as Tshark or Wireshark. Protocol analyzers are suited for packet-centric inspection. For example, I used Wireshark extensively while learning about 802.11 traffic. Protocol analyzers are also helpful for network troubleshooting, with varying degrees of automated analysis. Commercial protocol analyzers are especially robust in this regard. Protocol analyzers often feature tools for rebuilding TCP sessions, but that is usually the extent of those features. Protocol analyzers also permit searching traffic, but the analyst generally must have a good grasp of what he is looking for and how to get that idea across to the protocol analyzer.

Network forensics tools are not packet-centric; they are data centric. NetWitness, for example, cares less about the underlying packets and more about the data they contain. The partial screen capture (original here) hints at NetWitness' depiction of files, accounts, and email addresses recognized in a network trace.

Investigators don't (necessarily) look at packets when they use NetWitness for network forensics. Rather, they look for useful data. One investigation might require finding all information related to a specific username. That username (or a portion of it) would be searchable in email, instant messaging, Web logins, documents, and so forth. While you could do some manual searching with tools like Ngrep or Flowgrep, NetWitness is built around discovering information and is well-suited for this process of discovery.

When you find results, they are presented within the context of the session in which they were contained. NetWitness rebuilds the session and presents it in human-friendly format. If they subject viewed an email, you will see the email. If he visited a Web page, you will see the Web page. There are limitations to this model, such as a browser displaying cache graphics instead of requesting them on the wire. However, this sort of model works very well for forensic analysts.

This second partial screen capture (original here) demonstrates two other powerful NetWitness features. First, NetWitness represents traffic using a noun-verb-adjective-like language. When you see the mention of "GET", for example, it's not necessarily an HTTP get. GET actions include FTP retrievals and other actions where a subject acquires data. This meta-language simplifies investigations by letting the analyst look for actions and not for specific protocol activities.

Second, NetWitness performs port-agnostic protocol identification. When you see "HTTP" it doesn't just mean port 80. HTTP is identified by inspecting traffic and looking for the HTTP protocol. This is an important mechanism for finding back doors and covert channels. Obviously encryption will hamper this feature, but port-agnostic protocol identification is a must-have for forensics tools.

I could say quite a bit about NetWitness, but I hope you've gotten the idea that it's a powerful tool. In case you are wondering, I am not being compensated for this review. I did get to attend the training class for free. I am also not selling NetWitness to anyone. The purpose of this review is to share insights on this tool, and to keep those of us with ties to the open source world aware of applications outside of it.

I am open to hearing from NetWitness' main competitors, Niksun and Sandstorm, if they'd like to comment. Sandstorm's NetIntercept holds a special place in my heart, since it runs on FreeBSD. NetWitness is a Windows-based product. (In production I recommend capturing traffic with a program like Dumpcap or Tcpdump, and then analyzing it in NetWitness.)

Read More
Langganan: Postingan (Atom)