Sending and Receiving SNMP Traps

SNMP is turning into more voodoo than I expected. I decided to document the following examples for future reference.

SNMP traps are messages sent from agents to network management systems (NMS). A simple trap receiver is Net-SNMP's snmptrapd. I started it as shown so I could watch messages roll in.

orr:/root# snmptrapd -f -Lo
2006-08-31 21:45:50 NET-SNMP version 5.2.3 Started.

As you can see, snmptrapd listens on UDP port 162.

orr:/home/richard$ sockstat -4 | grep snmptrapd
root snmptrapd 5080 9 udp4 *:162 *:*

Now I will use the snmptrap program to generate traps.

First, an SNMP v1 trap for uptime.

orr:/home/richard$ snmptrap -v 1 -c read localhost '' localhost 6 1 ''

Here is what snmptrapd sees.

2006-08-31 21:47:16 localhost.taosecurity.com [127.0.0.1] (via UDP: [127.0.0.1]:63651)
TRAP, SNMP v1, community read
SNMPv2-SMI::enterprises.3.1.1 Enterprise Specific Trap (1) Uptime: 16:45:42.27

Here is the SNMP v1 trap packet.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: trap (4)
trap
enterprise: 1.3.6.1.4.1.3.1.1 (SNMPv2-SMI::enterprises.3.1.1)
agent-addr: internet (0)
internet: 127.0.0.1 (127.0.0.1)
generic-trap: enterpriseSpecific (6)
specific-trap: 1
time-stamp: 6040353
variable-bindings: 0 items

0000 02 00 00 00 45 00 00 46 33 c5 00 00 40 11 48 e0 ....E..F3...@.H.
0010 7f 00 00 01 7f 00 00 01 f2 4d 00 a2 00 32 72 36 .........M...2r6
0020 30 28 02 01 00 04 04 72 65 61 64 a4 1d 06 08 2b 0(.....read....+
0030 06 01 04 01 03 01 01 40 04 7f 00 00 01 02 01 06 .......@........
0040 02 01 01 43 03 5c 2b 21 30 00 ...C.\+!0.

Second, an SNMP v2c trap for uptime, sent with the optional inform flag (-Ci) so the receiver must acknowledge it.

orr:/home/richard$ snmptrap -v 2c -Ci -c read localhost '' SNMPv2-SMI::enterprises.3.1.1

Here is what snmptrapd sees.

2006-08-31 21:50:11 localhost.taosecurity.com [UDP: [127.0.0.1]:64215]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6051698) 16:48:36.98
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1.1

Here is the SNMP v2c trap packet, followed by confirmation.

Simple Network Management Protocol
version: v2c (1)
community: read
data: informRequest (6)
informRequest
request-id: 1679401786
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 6051698
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000 02 00 00 00 45 00 00 60 33 ed 00 00 40 11 48 9e ....E..`3...@.H.
0010 7f 00 00 01 7f 00 00 01 fa d7 00 a2 00 4c 32 1d .............L2.
0020 30 42 02 01 01 04 04 72 65 61 64 a6 37 02 04 64 0B.....read.7..d
0030 19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b ..:......0)0...+
0040 06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a .......C.\Wr0...
0050 2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04 +...........+...
0060 01 03 01 01

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-response (2)
get-response
request-id: 1679401786
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 6051698
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1.1

0000 02 00 00 00 45 00 00 60 33 ee 00 00 40 11 48 9d ....E..`3...@.H.
0010 7f 00 00 01 7f 00 00 01 00 a2 fa d7 00 4c 32 21 .............L2!
0020 30 42 02 01 01 04 04 72 65 61 64 a2 37 02 04 64 0B.....read.7..d
0030 19 a3 3a 02 01 00 02 01 00 30 29 30 0f 06 08 2b ..:......0)0...+
0040 06 01 02 01 01 03 00 43 03 5c 57 72 30 16 06 0a .......C.\Wr0...
0050 2b 06 01 06 03 01 01 04 01 00 06 08 2b 06 01 04 +...........+...
0060 01 03 01 01 ....
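To make the two dumps above concrete, here is a small BER decoder that walks the v1 Trap-PDU and the v2c InformRequest plus its GetResponse. This is an added example, not code from the original post or from Net-SNMP; the three payloads are copied from the hex dumps on this page starting at offset 0x20 (after the 4-byte loopback, 20-byte IP and 8-byte UDP headers), and the inform_confirmed check is my own: it pairs an inform with its acknowledgement the way a receiver would, by request-id.

```python
"""Minimal BER decoder for the SNMPv1 trap and SNMPv2c inform/response above.
Added example, not Net-SNMP code. Payloads are copied from the page's hex
dumps, starting after the loopback, IP and UDP headers (offset 0x20)."""
import binascii
import ipaddress

# BER tags used by SNMPv1/v2c messages (RFC 1157, RFC 3416)
TAGS = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OID",
        0x30: "SEQUENCE", 0x40: "IpAddress", 0x43: "TimeTicks",
        0xa2: "GetResponse", 0xa4: "Trap-v1", 0xa6: "InformRequest"}

def read_tlv(buf, pos):
    """Return (tag, value bytes, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_sequence(raw):
    """Split the contents of a constructed value into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(raw):
        tag, val, pos = read_tlv(raw, pos)
        items.append((tag, val))
    return items

def decode_oid(raw):
    """Decode BER sub-identifiers (the first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag in (0x02, 0x43):                 # INTEGER (signed) / TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return raw.decode("ascii", "replace")
    if tag == 0x06:
        return decode_oid(raw)
    if tag == 0x40:
        return str(ipaddress.IPv4Address(raw))
    if tag == 0x05:
        return None
    raise ValueError("unexpected tag %#x" % tag)

def decode_varbinds(raw):
    out = []
    for _, vb in decode_sequence(raw):      # each varbind is SEQUENCE { name, value }
        (_, name), (vtag, value) = decode_sequence(vb)
        out.append((decode_oid(name), decode_value(vtag, value)))
    return out

def decode_snmp(payload):
    """Decode an SNMPv1 or v2c message (the UDP payload) into a dict."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    (vt, ver), (ct, comm), (pt, pdu) = decode_sequence(body)
    msg = {"version": {0: "v1", 1: "v2c"}[decode_value(vt, ver)],
           "community": decode_value(ct, comm), "pdu": TAGS[pt]}
    fields = decode_sequence(pdu)
    if pt == 0xa4:   # Trap-PDU: enterprise, agent-addr, generic, specific, time-stamp, varbinds
        keys = ["enterprise", "agent_addr", "generic_trap", "specific_trap", "timestamp"]
    else:            # v2c PDUs: request-id, error-status, error-index, varbinds
        keys = ["request_id", "error_status", "error_index"]
    for key, (t, v) in zip(keys, fields):
        msg[key] = decode_value(t, v)
    msg["varbinds"] = decode_varbinds(fields[len(keys)][1])
    return msg

def inform_confirmed(inform, response):
    """An inform is acknowledged by a GetResponse echoing its request-id and varbinds."""
    return (inform["pdu"] == "InformRequest" and response["pdu"] == "GetResponse"
            and inform["request_id"] == response["request_id"]
            and inform["varbinds"] == response["varbinds"])

# Payloads copied from the dumps on this page (offset 0x20 onward).
V1_TRAP = binascii.unhexlify(
    "3028020100040472656164a41d06082b"
    "0601040103010140047f000001020106"
    "02010143035c2b213000")
V2C_INFORM = binascii.unhexlify(
    "3042020101040472656164a637020464"
    "19a33a0201000201003029300f06082b"
    "0601020101030043035c57723016060a"
    "2b06010603010104010006082b060104"
    "01030101")
V2C_RESPONSE = binascii.unhexlify(
    "3042020101040472656164a237020464"
    "19a33a0201000201003029300f06082b"
    "0601020101030043035c57723016060a"
    "2b06010603010104010006082b060104"
    "01030101")

if __name__ == "__main__":
    for name, pkt in [("v1 trap", V1_TRAP), ("v2c inform", V2C_INFORM),
                      ("v2c response", V2C_RESPONSE)]:
        print(name, decode_snmp(pkt))
    print("inform confirmed:",
          inform_confirmed(decode_snmp(V2C_INFORM), decode_snmp(V2C_RESPONSE)))
```

The only byte that differs between the inform and its confirmation is the PDU tag (0xa6 versus 0xa2); everything else, including the request-id 1679401786, is echoed back. That is what lets a sender retransmit an inform that was never acknowledged, which a plain trap cannot do.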

At the moment I cannot get v3 traps to work. I can get v3 informs to work:

First I create /usr/local/etc/snmp/snmptrapd.conf:

createUser trapman MD5 trappass DES trappass

Then I restart snmptrapd. Now I can perform the inform.

orr:/home/richard$ snmpinform -v 3 -u trapman -a MD5 -A trappass -l authNoPriv localhost 42 coldStart.0

Here is what snmptrapd sees.

2006-08-31 22:43:41 localhost.taosecurity.com [UDP: [127.0.0.1]:62491]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (42) 0:00:00.42
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart.0

Here is the traffic.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1039950895
msgMaxSize: 65507
msgFlags: 05
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0D33EF7A
Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 4
msgUserName: trapman
msgAuthenticationParameters: A5FC35A19F7AB9A97466BB1A
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800D33EF7ADD83F744
data: informRequest (6)
informRequest
request-id: 2014502362
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 42
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-MIB::coldStart.0

0000 02 00 00 00 45 00 00 b3 57 33 00 00 40 11 25 05 ....E...W3..@.%.
0010 7f 00 00 01 7f 00 00 01 f4 1b 00 a2 00 9f 95 af ................
0020 30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03 0.....0...=.d/..
0030 00 ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02 .....3.z...D....
0050 01 04 04 07 74 72 61 70 6d 61 6e 04 0c a5 fc 35 ....trapman....5
0060 a1 9f 7a b9 a9 74 66 bb 1a 04 00 30 4a 04 0d 80 ..z..tf....0J...
0070 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a6 37 .....3.z...D...7
0080 02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d ..x.........0)0.
0090 06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06 ..+.......C.*0..
00a0 0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01 .+...........+..
00b0 06 03 01 01 05 01 00 .......

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1039950895
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800D33EF7ADD83F744
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0D33EF7A
Engine ID Data: Creation Time: Aug 31, 2006 20:50:37
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 4
msgUserName: trapman
msgAuthenticationParameters: 2FEEE8643D86D468E81D09DD
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800D33EF7ADD83F744
data: get-response (2)
get-response
request-id: 2014502362
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 42
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-MIB::coldStart.0

0000 02 00 00 00 45 00 00 b3 57 34 00 00 40 11 25 04 ....E...W4..@.%.
0010 7f 00 00 01 7f 00 00 01 00 a2 f4 1b 00 9f 9f fb ................
0020 30 81 94 02 01 03 30 11 02 04 3d fc 64 2f 02 03 0.....0...=.d/..
0030 00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 02 01 19 02 .....3.z...D....
0050 01 04 04 07 74 72 61 70 6d 61 6e 04 0c 2f ee e8 ....trapman../..
0060 64 3d 86 d4 68 e8 1d 09 dd 04 00 30 4a 04 0d 80 d=..h......0J...
0070 00 1f 88 80 0d 33 ef 7a dd 83 f7 44 04 00 a2 37 .....3.z...D...7
0080 02 04 78 12 dd da 02 01 00 02 01 00 30 29 30 0d ..x.........0)0.
0090 06 08 2b 06 01 02 01 01 03 00 43 01 2a 30 18 06 ..+.......C.*0..
00a0 0a 2b 06 01 06 03 01 01 04 01 00 06 0a 2b 06 01 .+...........+..
00b0 06 03 01 01 05 01 00 .......

These instructions and my book say to add something like this to /usr/local/etc/snmp/snmptrapd.conf to enable SNMP v3 traps:

createUser -e 0x012345 doit MD5 doitpass DES doitpass

snmptrapd starts fine, and I see the new user added in /var/net-snmp/snmptrapd.conf above the first user:

usmUser 1 3 0x012345 0x646f697400 0x646f697400 NULL .1.3.6.1.6.3.10.1.1.2
0xd59dafffd9eadd362bbdde931d44f70b .1.3.6.1.6.3.10.1.2.2
0xd59dafffd9eadd362bbdde931d44f70b 0x00
usmUser 1 3 0x80001f88800d33ef7add83f744 0x747261706d616e00 0x747261706d616e00 NULL
.1.3.6.1.6.3.10.1.1.2 0x097eb8ceff51d21214b06c0a9ce6778d .1.3.6.1.6.3.10.1.2.2
0x097eb8ceff51d21214b06c0a9ce6778d 0x00
engineBoots 27
oldEngineID 0x80001f88800d33ef7add83f744
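Note that the usmUser records hold localized keys, not the passphrases given to createUser: under RFC 3414 the passphrase is hashed into Ku and then bound to one engine ID as Kul = H(Ku || engineID || Ku), which is why createUser takes an -e argument and why the trapman record carries the same 0x80001f88800d33ef7add83f744 that appears as msgAuthoritativeEngineID in the v3 inform dumps. The following is an added example, not code from the original post or from Net-SNMP: it implements the RFC 3414 password-to-key step and key localization, parses the two records above (the field labels are my reading of the usmUser line format), and checks that the stored keys derive from the passphrases the post configured. A defender can use the same check to confirm a persisted USM record matches what was provisioned.

```python
"""RFC 3414 password-to-key (A.2) and key localization, checked against the
usmUser records above. Added example, not Net-SNMP's own code; the records
are copied from this page (each one wrapped across lines there)."""
import hashlib

# Protocol OIDs as written in the usmUser records (SNMP-USER-BASED-SM-MIB)
AUTH_PROTOCOLS = {".1.3.6.1.6.3.10.1.1.2": ("usmHMACMD5AuthProtocol", "md5"),
                  ".1.3.6.1.6.3.10.1.1.3": ("usmHMACSHAAuthProtocol", "sha1")}
PRIV_PROTOCOLS = {".1.3.6.1.6.3.10.1.2.2": "usmDESPrivProtocol"}

def password_to_ku(password, hash_name):
    """Ku: digest of 1 MiB of the passphrase repeated end to end."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || engineID || Ku): the key is only valid for one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def parse_usmuser(line):
    """Parse one persisted usmUser record. Field order (my labelling of the
    format): status, storage, engineID, name, secName, cloneFrom,
    authProtocol, authKey, privProtocol, privKey, public."""
    f = line.split()
    if f[0] != "usmUser" or len(f) != 12:
        raise ValueError("not a usmUser record")
    hexbytes = lambda s: bytes.fromhex(s[2:])          # strip the 0x prefix
    return {"engine_id": hexbytes(f[3]),
            "name": hexbytes(f[4]).rstrip(b"\x00").decode(),
            "auth_protocol": AUTH_PROTOCOLS[f[7]][0],
            "auth_hash": AUTH_PROTOCOLS[f[7]][1],
            "auth_key": hexbytes(f[8]),
            "priv_protocol": PRIV_PROTOCOLS[f[9]],
            "priv_key": hexbytes(f[10])}

def matches_passphrase(record, password):
    """True if the stored localized auth key derives from this passphrase
    on the record's own engine ID."""
    h = record["auth_hash"]
    kul = localize_key(password_to_ku(password, h), record["engine_id"], h)
    return kul == record["auth_key"]

# Records copied from /var/net-snmp/snmptrapd.conf as shown on this page.
USMUSER_DOIT = ("usmUser 1 3 0x012345 0x646f697400 0x646f697400 NULL "
                ".1.3.6.1.6.3.10.1.1.2 0xd59dafffd9eadd362bbdde931d44f70b "
                ".1.3.6.1.6.3.10.1.2.2 0xd59dafffd9eadd362bbdde931d44f70b 0x00")
USMUSER_TRAPMAN = ("usmUser 1 3 0x80001f88800d33ef7add83f744 0x747261706d616e00 "
                   "0x747261706d616e00 NULL .1.3.6.1.6.3.10.1.1.2 "
                   "0x097eb8ceff51d21214b06c0a9ce6778d .1.3.6.1.6.3.10.1.2.2 "
                   "0x097eb8ceff51d21214b06c0a9ce6778d 0x00")

if __name__ == "__main__":
    for line, pw in [(USMUSER_DOIT, "doitpass"), (USMUSER_TRAPMAN, "trappass")]:
        rec = parse_usmuser(line)
        print(rec["name"], "engine", rec["engine_id"].hex(),
              rec["auth_protocol"], "key matches passphrase:",
              matches_passphrase(rec, pw))
```

Because the page's createUser lines gave MD5 and DES the same passphrase, each record's privKey equals its authKey. The same "doitpass" localized against the trapman engine ID gives a different key, which is the point of localization: a key recovered from one engine cannot be replayed against another.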

However, I get this error when trying to generate a trap:

orr:/home/richard$ snmptrap -e 0x012345 -v 3 -u doit -a MD5 -A doitpass -l authNoPriv
localhost '' SNMPv2-SMI::enterprises.3.1.1
snmptrap: USM unknown security name (no such user exists)

Any thoughts on this problem?

Update: This is most likely a bug mentioned in this thread and fixed by this patch. Apparently Net-SNMP 5.2.4 will incorporate this patch and fix sending SNMP v3 traps.
