Working SNMP v3 Trap Using Net-SNMP Tools 5.1.2

I managed to get an SNMP v3 trap to work when sending the trap with Debian.

This is important because it confirms a bug was introduced into snmptrap somewhere in the 5.2.x line of Net-SNMP tools.

The version of snmptrap installed by Debian stable is 5.1.2. Here is what I set up.

The Debian host is macmini. I created /etc/snmp/snmpd.conf with the following.

createUser doit MD5 doitpassword DES doitpassword

When I ran snmpd, I saw the user created along with the engine ID for this host.

macmini:~# snmpd -f -Lo -Dusm
usmUser: created a new user doit at 80 00 07 E5 80 54 D7 15 E8 44 FA 12 65
Warning: no access control information configured.
It's unlikely this agent can serve any useful purpose in this state.
Run "snmpconf -g basic_setup" to help you configure the snmpd.conf file for this agent.
NET-SNMP version 5.1.2

This step also created /var/lib/snmp/snmpd.conf with the following:

usmUser 1 3 0x800007e58054d715e844fa1265 0x646f697400 0x646f697400 NULL .1.3.6.1.6.3.10.1.1.2 0x7118d87274c4aa4e22c27c003bf92add .1.3.6.1.6.3.10.1.2.2 0x7118d87274c4aa4e22c27c003bf92add ""
engineBoots 1
oldEngineID 0x800007e58054d715e844fa1265

0x800007e58054d715e844fa1265 is my engine ID. I need this when I set up snmptrapd.conf on hacom, which simulates an NMS using snmptrapd.

On hacom I create /usr/local/etc/snmp/snmptrapd.conf with the following:

createUser -e 0x800007e58054d715e844fa1265 doit MD5 doitpassword DES doitpassword
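
The receiver needs `-e` with the sender's engine ID because USM never uses the password directly: RFC 3414 hashes it into a user key and then localizes that key to one snmpEngineID, so the same password yields a different key for every engine. The Python below is an added example, not code from this post or from Net-SNMP; the function names are illustrative and the second engine ID is constructed for contrast.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many password octets


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """User key Ku: hash of the password repeated out to 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Localized key Kul = H(Ku || snmpEngineID || Ku), as lowercase hex."""
    hexstr = engine_id_hex[2:] if engine_id_hex[:2].lower() == "0x" else engine_id_hex
    engine_id = bytes.fromhex(hexstr)
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID size limits (RFC 3411)
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    ku = password_to_key(password.encode(), algo)
    return hashlib.new(algo, ku + engine_id + ku).hexdigest()


if __name__ == "__main__":
    # Published test vector from RFC 3414 A.3.1 (password "maplesyrup").
    assert localized_key("maplesyrup", "00" * 11 + "02") == \
        "526f5eed9fcce26f8964c2930787d82b"

    sender = "0x800007e58054d715e844fa1265"   # macmini's engine ID (from the post)
    other = "0x800007e580" + "00" * 7 + "01"  # constructed engine ID for contrast
    for label, eid in (("macmini", sender), ("constructed", other)):
        print(f"{label:12} {eid}  ->  0x{localized_key('doitpassword', eid)}")
```

The value printed for macmini's engine ID can be compared with the key fields in the usmUser line that snmpd wrote to /var/lib/snmp/snmpd.conf.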

Next I start snmptrapd on hacom.

hacom:/root# snmptrapd -f -Lo -Dusm
usmUser: created a new user doit at 80 00 07 E5 80 54 D7 15 E8 44 FA 12 65
2006-09-02 19:25:10 NET-SNMP version 5.2.2 Started.

Finally I can send a trap from macmini to hacom.

richard@macmini:~$ snmptrap -Ddumph_send,dumpv_send,usm -v 3 \
    -e 0x800007e58054d715e844fa1265 \
    -u doit -a MD5 -A doitpassword -l authNoPriv 192.168.2.18 '' \
    SNMPv2-SMI::enterprises.3.1
dumph_send: SNMPv3 Message
dumph_send: PDU-TRAP2
dumph_send: VarBind
dumph_send: Value ObjID: SNMPv2-SMI::enterprises.3.1
dumph_send: Name ObjID: SNMPv2-MIB::snmpTrapOID.0
dumph_send: VarBind
dumph_send: Value UInteger: 637099911 (0x25F95F87)
dumph_send: Name ObjID: SNMPv2-MIB::sysUpTime.0
dumph_send: error index Integer: 0 (0x00)
dumph_send: error status Integer: 0 (0x00)
dumph_send: request_id Integer: 209733159 (0xC804627)
dumph_send: ScopedPdu
dumph_send: contextName String: [NULL]
dumph_send: contextEngineID String: ...å.J4..Dú.Z
dumph_send: msgSecurityModel Integer: 3 (0x03)
dumph_send: msgFlags String: .
dumph_send: msgMaxSize Integer: 65507 (0xFFE3)
dumph_send: msgID Integer: 29075524 (0x1BBA844)
dumph_send: SNMP Version Number Integer: 3 (0x03)
dumph_send: SM msgSecurityParameters
usm: USM processing has begun (offset 76)
usm: getting user doit
dumph_send: msgPrivacyParameters String: [NULL]
dumph_send: msgAuthenticationParameters String: ............
dumph_send: msgUserName String: doit
dumph_send: msgAuthoritativeEngineTime Integer: 637099911 (0x25F95F87)
dumph_send: msgAuthoritativeEngineBoots Integer: 1 (0x01)
dumph_send: msgAuthoritativeEngineID String: ...å.T×.èDú.e
usm: USM processing completed.

Here is what snmptrapd saw.

usm: USM processing begun...
usm: Verification succeeded.
usm: USM processing completed.
2006-09-02 19:26:50 macmini.taosecurity.com [UDP: [192.168.2.12]:34061]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (637099911) 73 days, 17:43:19.11
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1

Here is the packet that was sent.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 29075524
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800007E58054D715E844FA1265
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: U.C. Davis, ECE Dept. Tom (2021)
Engine ID Format: Reserved/Enterprise-specific (128): UCD-SNMP Random
Engine ID Data: 54D715E8
Engine ID Data: Creation Time: Sep 26, 2023 11:35:32
msgAuthoritativeEngineBoots: 1
msgAuthoritativeEngineTime: 637099911
msgUserName: doit
msgAuthenticationParameters: 90E951108773145325537BF0
msgData: plaintext (0)
plaintext
contextEngineID: 800007E5804A34181044FA135A
data: sNMPv2-Trap (7)
sNMPv2-Trap
request-id: 209733159
error-status: noError (0)
error-index: 0
variable-bindings: 2 items
Item
name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
valueType: value (0)
value: simple (4294967295)
value: simple (4294967295)
application-wide: timeticks-value (3)
timeticks-value: 637099911
Item
name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
valueType: value (0)
value: simple (4294967295)
simple: objectID-value (2)
Value: OID: SNMPv2-SMI::enterprises.3.1

If I want to send the trap encrypted, I do the following.

richard@macmini:~$ snmptrap -Ddumph_send,dumpv_send,usm -v 3 \
    -e 0x800007e58054d715e844fa1265 \
    -u doit -a MD5 -A doitpassword -x DES -X doitpassword -l authPriv 192.168.2.18 '' \
    SNMPv2-SMI::enterprises.3.1
dumph_send: SNMPv3 Message
dumph_send: PDU-TRAP2
dumph_send: VarBind
dumph_send: Value ObjID: SNMPv2-SMI::enterprises.3.1
dumph_send: Name ObjID: SNMPv2-MIB::snmpTrapOID.0
dumph_send: VarBind
dumph_send: Value UInteger: 637119304 (0x25F9AB48)
dumph_send: Name ObjID: SNMPv2-MIB::sysUpTime.0
dumph_send: error index Integer: 0 (0x00)
dumph_send: error status Integer: 0 (0x00)
dumph_send: request_id Integer: 472573359 (0x1C2AE5AF)
dumph_send: ScopedPdu
dumph_send: contextName String: [NULL]
dumph_send: contextEngineID String: ...å.ox¿9Dú..
dumph_send: msgSecurityModel Integer: 3 (0x03)
dumph_send: msgFlags String: .
dumph_send: msgMaxSize Integer: 65507 (0xFFE3)
dumph_send: msgID Integer: 56841470 (0x36354FE)
dumph_send: SNMP Version Number Integer: 3 (0x03)
dumph_send: SM msgSecurityParameters
usm: USM processing has begun (offset 76)
usm: getting user doit
String: æ/Øá:ë......⡯Qlpª.z.u.Á?ó8t5b_$V.Rq.ð³¥3..¦ºIÏnÇ.
?.¥ó·}Û?».c.YPü÷Ã_I®èö.Î...§m
usm: Encryption successful.
dumph_send: msgPrivacyParameters String: ....ÜF..
dumph_send: msgAuthenticationParameters String: ............
dumph_send: msgUserName String: doit
dumph_send: msgAuthoritativeEngineTime Integer: 637119304 (0x25F9AB48)
dumph_send: msgAuthoritativeEngineBoots Integer: 1 (0x01)
dumph_send: msgAuthoritativeEngineID String: ...å.T×.èDú.e
usm: USM processing completed.

Here is what snmptrapd sees.

2006-09-02 19:30:05 macmini.taosecurity.com [UDP: [192.168.2.12]:34061]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (637119304) 73 days, 17:46:33.04
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3.1

Here is what the trace looks like.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 56841470
msgMaxSize: 65507
msgFlags: 03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 800007E58054D715E844FA1265
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: U.C. Davis, ECE Dept. Tom (2021)
Engine ID Format: Reserved/Enterprise-specific (128): UCD-SNMP Random
Engine ID Data: 54D715E8
Engine ID Data: Creation Time: Sep 26, 2023 11:35:32
msgAuthoritativeEngineBoots: 1
msgAuthoritativeEngineTime: 637119304
msgUserName: doit
msgAuthenticationParameters: 2BBB80DD5668B46281AFDF39
msgPrivacyParameters: 00000001DC469993
msgData: encryptedPDU (1)
encryptedPDU: E62FD8E13AEB7F088B0B111EE2A1AF516C70AA177A9E759C...

I am so glad I can get this to work. Everyone recommends using SNMP v3 but it's frustrating to figure it out when facing a bug in snmptrapd. Net-SNMP tools are really powerful, though.

The next challenge is figuring out the access control model in Net-SNMP 5.3.x. Apparently it's different from 5.2.x.

When 5.2.4 is released I plan to test out snmptrap on FreeBSD as well.

Comments

Anonymous said…
Thanks for posting your finding online. I have spent a few days to get SNMPv3 traps working on Net-SNMP but was not successful. I googled the net for a few days but all the information I found did not help me to resolve the problem, until I found your posting. Now I am happy.

I agree with you that it is frustrating trying to figure out SNMPv3, or SNMP for that matter.

Thanks!

Anonymous said…
Thanks Richard, it was so hard to find an SNMP v3 configuration on the Net. I have been trying to fix this issue for a long time. But in my case I don't have much control over the configuration on the sending end. I only have it at the receiving end. Looks like they are not Authority set so I don't know how my snmptrapd.conf should look.

This is my Message
msgAuthoritativeEngineID: 800007E580FD791162BFAE0042
msgFlags: 00
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...0 = Authenticated: Not set
.
.
msgUserName: noAuthUser
msgAuthenticationParameters: MISSING
msgPrivacyParameters: MISSING

I tried to use in my .conf
createUser -e 0x800007E580FD791162BFAE0042 noAuthUse MD5

nothing worked

Please let me know if you find I am doing anything wrong.

Thanks once again for posting about SNMPV3.

regards
kiran
