I have been tinkering around with snmp recently as a means to monitoring various equipment on a LAN. The protocol itself is fairly straightforward and I have been using the net-snmp module in node js and have no problem connecting and communicating with the various kit by various manufacturers on the LAN.
As not all the equipment is made by the same manufacturer I am having to use specific object identifiers (oids) for each manufacturer to get a response that the item is on-line and available for communication. The problem I have is that each indivdual piece of equipment can at any time be removed, swapped or replaced by a different item at any time. Therefore hard programming with various manufacturers oids is not really working without having my code looping through a list of each manufacturers unique oids to see if the equipment is present. However if a new manufacturer's equipment is installed then it will obvioulsy be ignored until a responsive oid is added to my program.
I have looked online extensively and cannot find a definitive answer as the best way to solve this.
My question therefore, is there an oid that you can query for a response that is universal across all manufacturers that will respond with some sort of message, or should I persist with creating a collection of oids specific to the equipment on my network? Has anyone else out there come across this issue and how did you solve it?
You can check SNMPv2-MIB sysDescr or sysObjectID to identify the vendor.
Related
I'm trying to wrap my head around how to use SNMP in my networks. It's for industrial applications, networks with 200-800 IPs, but many quirks and security layers.
What I'd like to do is catch any traps, and periodically read parameters, over SNMP for all my network equipment. It will be sent to an external system for storage and viewing.
I understand now that even though my equipment uses the SNMP standards, the same OIDs can sometimes mean different things, and I then have to get all the MIB files from the vendors.
I find many parsers that can give me information from within the MIBs, but what I need is a whole system for importing MIBs, adding them to some kind of library, and for me to know which devices are currently supported by my library. Then, when I receive a message, I need the system to figure out what equipment has sent that, look up the correct info from the MIB and construct an alarm message based on that.
Is there any solution today that can take a list of IPs and send SNMP-get messages to all of those?
Do I need any setup just to receive SNMP traps, or will they just be
attempted delivered at the specified IP address, and I need only to
listen at the correct port?
Is there any way to parse all those MIBs and turn them into a manageable library?
How do I associate the devices with the info from the MIBs, so I interpret the information correctly?
I want to make a general solution for this, so I can expand it to more devices and vendors easily later. Below is a sketch of how a typical network would look like, but of course with a lot more components in real life. Hope someone has some good input.
I am using snmpwalk for retrieve my system(localhost) or remote system's mac address and I am using this command:
snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.6
and get an error like noSuchObject.
How can I solve this error? Is there another way to get system mac address using snmp?
There is no such thing as "system MAC address". Systems do not have MAC addresses; network interfaces do, and a system may have zero, one, two or more network interfaces.
That's why you use snmpwalk: because .1.3.6.1.2.1.2.2.1.6 (i.e. ifPhysAddress) is a column in a table of interfaces and you don't know in advance how many conceptual rows you'll get back (and what unique numerical index each row will use as its key).
So, you're using the command properly. But next we have to consider that times have changed since the SNMP and SMI RFCs were written, well before the dot-com boom and back when the internet was a relatively pleasant and happy place. Nowadays, implementations tend to be far more conservative in the information they disclose, because every piece of information you disclose is potentially another way to attack your system. Why does anyone need access to know your system's MAC address? They probably don't. I created an SNMP Agent recently and its support for "standard" objects doesn't go anywhere near listing network interfaces. And many of the RFC1213 packet/status counters in snmp were deliberately made obsolete when a "safe" subset was adopted into RFC1907.
What does this mean for you? Well, the remote system must have a network interface otherwise you wouldn't be able to talk to it. So, the SNMP Agent you're polling/querying (you didn't say which) is either hardcoded or configured not to provide this information. You can't get around that, except by talking to the person who created the software and asking whether it is configurable; prepare for the answer to be "no".
Domain Generation Algorithms(DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware’s command and control servers
For example, an infected computer could create thousands of domain names such as: www.(gibberish).com and would attempt to contact a portion of these with the purpose of receiving an update or commands. - Wikipedia
But my question is we need to buy and register a domain name before we want to use. Then how hacker can generate 10 Thousand of domain name ? and use them ?
Thanks.
Consider this.
The malware infects many devices across the globe, and needs to establish communication with the malware controller after infection.
If this address/domain is hardcoded in the malware, it can be easily found and blocked.
For this reason and many others, malware make use of DGA.
DGAs use some sort of seed, for example, today's date.
Using this, and some operations, they come up with a few or thousands of domains in a day.
Now, the hacker/malware author does not have to register all those domains.
The malware will just go on contacting each possible domain to look for commands.
They have to register only one of those millions of possible domains.
When the infected device contacts that domain, the hacker/malware author now has control over that malware, and can now send it commands.
It has been found that authors of Dyre malware had registered some domains 2 years in advance, some authors register domains just a couple of days or even couple of hours before the malware starts making contact.
Bottomline, the malware may generate thousands of queries, but in most cases its only looking for one successful connection, or one registered domain.
before I start I realise there are a few SNMP related questions here already but not many seem to have been answered - that could mean I'm asking in the wrong place but I don't know where else to go at the moment.
I've been reading up as best I can on SNMP for a couple of days but am finding it difficult to get my head around what is meant to be happening. The idea is eventually we will integrate SNMP into our Java application server which will allow the end users to incorporate it into their pre-existing Network Management Systems(NMS).
Unfortunately I'm feeling entirely confused by what is meant to be going on. From what I understood from talking to the end users (which was unfortunately before any research) was that the monitoring allows their existing NMS to give their admin guys a view of the vital statistics in a tree type display, giving them feedback regarding different parts of the system at a high level and allowing them to dig down into specific subsystems.
From reading around we would implement an 'Agent' which has several defined interfaces allowing for GET requests etc to be processed and responded to. That makes sense but I am at a loss to work out what the format of the communication is - there don't seem to be any specific examples of what any of the messages look like, how the information is encoded.
More of my confusion though is regarding Management Information Base(MIB). I had, wrongly, assumed that the interface of the agent would allow for the monitored attributes to be requested and then in turn the values for those attributes requested. Allowing any new Agent to be started and detected without any configuration on the NMS end (with the exception of authentication in v3). This, if I understand correctly, is not the case and the Agent must instead define MIBs which can be used by the NMS to determine those attributes. My confusion is increased when people start referring to thousands of existing MIBs and that they can be reused which I don't understand. Is the intention that a single MIB definition can be used to say describe how a particular attribute of a network device (something simple like internet connected on a router:yes/no) for many different devices? If so I don't believe that our software would allow the monitoring of anything common to any other device/system but should we be looking for already exising MIBs? At the moment I don't really see any good rational for such a system, surely it would be easier for the Agent to export that information - so I'd appreciate it if someone could enlighten me!
I think it would help if I was able to setup a simple SNMP agent and some sort of client, I could begin to see the process and eventually inspect the communication between the two but am finding it difficult to find anywhere that provides any information on doing such a thing. Nagios has been recommended to us as a test 'client'/NMS but their 'get started quick' section recommends downloading a 600Mb virtual machine - surely there is a quicker way to get started?
Any help or suggestions will be appreciated, I have been through the Wiki page but it doesn't seem to go into much detail about the MIBs and the having not had to deal with anything like the referenced RFCs before, while they may contain all of the information they seem completely impenetrable to me at the moment. Or if there are any books that can be recommended for an overview and implementation of v3?
Thanks for reading and even more thanks if you think you can help!
It seems to me that you read all SNMP information piece by piece in an disorganized way. This is highly not recommended and of course lead you to confusion.
What about forgetting what you have learnt so far and dive into a good book such as Essential SNMP?
http://shop.oreilly.com/product/9780596008406.do
Click the Google Preview icon to preview it please.
You could not depend on a network forum to tell you the ABCs, as that's impractical I find out.
The communications interface is SNMP. That's the protocol used for transmission (usually on top of UDP). The thing that services information requests is an SNMP Agent. The thing that sends information requests is an SNMP Manager.
The definition of what information should be made available by the Agent, and requested by the Manager, goes in a MIB. A MIB is the "glue", a directory of what sort of things any particular system can/should offer. It maps numeric codes to names and types that allow us to make sense of the data, much like how a phone directory maps phone numbers to people's names and addresses.
Generally you would create and ship and use your own MIBs that can describe aspects specific to your own product, but you are supposed to service some standard information requests as well, which are defined in existing MIBs. Yes there are thousands of other pre-existing MIBs and the likelihood that you need more than one or two of these is remote. They are typically published versions of MIBs for existing products.
The conventional way to "toy around" is to install Net-SNMP (a software suite that includes an agent implementation and allows you to "bolt on" your own logic and your own MIBs fairly easily) then examine the results using a packet capturer like Wireshark.
For a fuller implementation in production you may stick with Net-SNMP, or write your own Agent software, or do what I did and create a hybrid of the two that's a little more flexible and performant but uses Net-SNMP's backend for handling all the low-level SNMP stuff.
Your first step, though, is to read a book or some other teaching material that can clear all your misconceptions, because guesswork won't cut it.
I had success using the samples from this page. Both the shell and Perl NetSNMP code was very straightforward to implement and query.
Question: I have to come up with unique ID for each networked client, such that:
it (ID) should persist once client software is installed on target computer, and should continue to persist if software is re-installed on same computer and same OS installment,
it should not change if hardware configuration is modified in most ways (except changing the motherboard)
When hard drive with client software installed is cloned to another computer with identical hardware configuration (or, as similar as possible), client software should be aware of that change.
A little bit of explanation and some back-story:
This question is basically age old question that also touches the topic of software copy-protection, as some of the mechanisms used in that area are mentioned here. I should be clear at this point that I'm not looking for a copy-protection scheme. Please, read on. :)
I'm working on a client-server software that is supposed to work in a local network. One of the problems I have to solve is to identify each unique client in the network (not so much of a problem), so that I can apply certain attributes to every specific client, retain and enforce those attributes during the deployment lifetime of a specific client.
While I was looking for a solution, I was aware of the following:
Windows activation system uses some kind of heavy fingerprinting mechanism that is extremely sensitive to hardware modifications,
Disk imaging software copies along all Volume IDs (tied to each partition when formatted), and custom, uniquely generated IDs during installation process, during first run, or in any other way, that is strictly software in its nature, and stored in registry or on hard drive, so it's very easy to confuse two.
The obvious choice for this kind of problem would be to find out BIOS identifiers (not 100% sure if this is unique through identical motherboard models, though), as that's the only thing I can rely on that isn't duplicated, transferred by cloning, and that can't be changed (at least not by using some user-space program). Everything else fails as either being not reliable (MAC cloning, anyone?), or too demanding (in terms that it's too sensitive to configuration changes).
Sub-question that I'd like to ask is, am I doing it correctly, architecture-wise? Perhaps there is a better tool for the task that I have to accomplish...
Another approach I had in mind is something similar to a handshake mechanism, where a server maintains an internal lookup table of connected client IDs (which can be even completely software-based and non-unique at any given moment), and tells the client to come up with a different ID during handshake, if a duplicate ID is provided upon connection. That approach, unfortunately, doesn't play nicely with one of the requirements to tie attributes to specific client during lifetime.
It seems to me that you should construct the unique ID corresponding to your requirements. This ID can be constructed as a hash (like MD5, SHA1 or SHA512) from the information which is important for you (some information about software and hardware component).
You can make your solution more secure if you sign such hash with your private key and your software verify during the starting, that the key (signed hash value) is signed (only public key must be installed together with your software). One can expand such kind of solution with different online services, but corporate clients could find online services not so nice.
What you're looking for is the Windows WMI. You can get the motherboard ID (which is unique across the same type of motherboard) or many many other types of unique identifiers and come up with some clever seeded function to generate a UHID. Whoa did I just make up an acronym?
And if you're looking specifically for getting the Motherboard (BIOS) ID:
WMI class: Win32_BIOS
Namespace: \Root\Cimv2
Documentation: http://msdn.microsoft.com/en-us/library/aa394077(VS.85).aspx
Sample code: http://msdn.microsoft.com/en-us/library/aa390423%28VS.85%29.aspx
Edit: You didn't specify a language (and I assumed C++), but this can be done in Java (with a COM driver), and any .NET language, as well.
Many programs use the hostId in order to build a license code (like those based on FlexLM). Have a look at what Matlab does depending on the operative system:
http://www.mathworks.com/support/solutions/en/data/1-171PI/index.html
Also have a look at this question:
Getting a unique id from a unix-like system
Once I also saw some programs basing their licenses on the serial number of the hard drive, an maybe that is the less likely thing to change. Some would suggest to use the MAC of your ethernet card, but that can be reprogrammed.
MAC
DON'T RELY ON MAC! EVER. It is not permanent. The user can easily change it (under 30 seconds).
Volume ID
DON'T RELY ON Volume ID! EVER. It is not permanent. The user can easily change it. It also changes by simply formatting the drive.
WMI
WMI is a service. Can be easily disabled. Actually, I tried that and I find out that on many computers is disabled or broken (yes, quite often broken).
License server
Connection to a validation server may cause you also lots of troubles because:
* your customers may not always be connected to the Internet.
* your customers may connect with special settings (router/NAT/proxy/gateway) that they need to input into your program in order to let it connect to the validation server.
* they may be behind a firewall that will block all programs except a few (my case). In some cases the firewall may not be under their control (valid for MOST corporate users)!
* it is super easy to redirect your program to a local fake webserver that emulates your licensing server.
Hardware data
If you need strong protection you need to rely on hardware. Something that cannot be edited by the user. Something like CPU ID instruction available in the Intel/AMD CPUs and the serial number written into the drive's IDE interface.
The CPU ID and HDD ID are permanent. They will never change, not even after you format the computer and reinstall Windows.
It is doable. For example this library reads the hardware ID of a computer. There is a compiled demo and also sourcecode/DLL. Disclaimer: the link leads to a commercial product (19€/no royalties).