how to capture trap message in net-snmp - snmp

I work with net-snmp and I try a few commands like:
snmptrap -v 1 -c public host TRAP-TEST-MIB::demotraps localhost 6 17 '' \
SNMPv2-MIB::sysLocation.0 s "Just here"
snmptrap -v 2c -c public localhost '' NOTIFICATION-TEST-MIB::demo-notif \
SNMPv2-MIB::sysLocation.0 s "just here"
snmptrap -v 1 -c public host NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification "" 6 17 "" \
netSnmpExampleHeartbeatRate i 123456
but it just gives me a new line without an error or anything.
Can someone give me advice?

Net-SNMP provides snmptrapd for this purpose.
It is an application which listens on a port (default 162) on a host for traps and logs those that are received.
//EDIT ...
Here is an example ...
snmptrapd -f -m +ALL -Lo -c /tmp/snmptrapd.conf 9876
where /tmp/snmptrapd.conf only contains one line which for simplicity disables community/password checking
disableAuthorization yes
Use man snmptrapd to see what the flags/arguments mean.
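As an added example (not part of the answer above), here is a traphandle script for snmptrapd together with an assumed /etc/snmp/snmptrapd.conf that uses authCommunity to restrict which community may deliver traps instead of disabling authorization altogether; the script path, the handler output format and the sample trap are my own.

```shell
#!/bin/sh
# Added example, not from the answer above. The assumed /etc/snmp/snmptrapd.conf
# accepts traps only from community "public" and hands each one to this script
# (assumed installed as /usr/local/bin/trap-handler.sh):
#
#   authCommunity log,execute public
#   traphandle default /usr/local/bin/trap-handler.sh run
#
# snmptrapd feeds the handler on stdin: line 1 the sender hostname, line 2 the
# transport address, then one "OID value" line per varbind.

handle_trap() {
    read -r host
    read -r addr
    uptime=""; trapoid=""; nvars=0
    while read -r oid value; do
        [ -n "$oid" ] || continue           # skip blank lines
        nvars=$((nvars + 1))
        case "$oid" in
            *sysUpTime*)   uptime=$value ;;   # first varbind of every v2c/v3 trap
            *snmpTrapOID*) trapoid=$value ;;  # which notification this is
        esac
    done
    # One summary line per trap, suitable for logger(1) or a SIEM forwarder.
    printf 'host=%s addr=%s trap=%s uptime=%s varbinds=%d\n' \
        "$host" "$addr" "$trapoid" "$uptime" "$nvars"
}

# snmptrapd runs this script with the argument "run" (from the traphandle line);
# a shell that sources the file can call handle_trap directly instead.
case ${1:-} in
    run) handle_trap ;;
esac
```

Send one of the snmptrap commands from the question at the listening snmptrapd and the summary line appears on the handler's stdout (or wherever you pipe it).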

Related

Using socat to dump traffic to pcap

Hi everyone this is my first question on stackoverflow!
I'm using this software (it's a NIDS); one of its features is using socat to create a proxy that saves the traffic to a pcap.
That's the command it uses to do this: /usr/bin/socat -d OPENSSL-LISTEN:50010,cipher=HIGH,method=TLS1.2,reuseaddr,pf=ip4,fk,cert=/usr/local/owlh/src/owlhnode/conf/certs/ca.pem,verify=0 SYSTEM:"/usr/sbin/tcpdump -n -r - -s 0 -G 50 -W 100 -w /usr/local/owlh/pcaps/remote-test%d%m%Y%H%M%S.pcap not port 22"
That's what happens when I use curl to make a request to Google through the proxy:
╭─myasnik@tanuki ~/…/ossihr-poc/docker ‹master*›
╰─$ export https_proxy=https://0.0.0.0:50010/
╭─myasnik@tanuki ~/…/ossihr-poc/docker ‹master*›
╰─$ export http_proxy=https://0.0.0.0:50010/
╭─myasnik@tanuki ~/…/ossihr-poc/docker ‹master*›
╰─$ curl --proxy-insecure www.google.it
curl: (52) Empty reply from server
root@owlh-node:/# /usr/bin/socat -d OPENSSL-LISTEN:50010,cipher=HIGH,method=TLS1.2,reuseaddr,pf=ip4,fk,cert=/usr/local/owlh/src/owlhnode/conf/certs/ca.pem,verify=0 SYSTEM:"/usr/sbin/tcpdump -n -r - -s 0 -G 50 -W 100 -w /usr/local/owlh/pcaps/remote-test%d%m%Y%H%M%S.pcap not port 22"
tcpdump: unknown file format
2020/08/18 12:00:08 socat[1590] W system("/usr/sbin/tcpdump -n -r - -s 0 -G 50 -W 100 -w /usr/local/owlh/pcaps/remote-test%d%m%Y%H%M%S.pcap not port 22") returned with status 256
2020/08/18 12:00:08 socat[1590] W system(): No such file or directory
2020/08/18 12:00:08 socat[1589] E waitpid(): child 1590 exited with status 1
Thanks a lot for your help in advance!
Here is the answer to the question; I think I misunderstood the way it was supposed to be done: https://github.com/OwlH-net/OwlH-Node/issues/47

Can't get some data with SNMPv3

I have to change from SNMP v2c to SNMP v3.
With SNMP v2c, if I run the following command line:
$ snmpwalk -c MyCom -v 2c 10.10.6.2 sysUpTime
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (44765283) 5 days, 4:20:52.83
I can get the system uptime.
But after configuring SNMP v3 on the same device (Switch HP A5120):
$ snmpwalk -v3 -u UserSnmp -l AuthNoPriv -a MD5 -A 'SnmpPAss' 10.10.6.2 sysUpTime
SNMPv2-MIB::sysUpTime = No Such Object available on this agent at this OID
If I run snmpwalk -v3 -u UserSnmp -l AuthNoPriv -a MD5 -A 'SnmpPAss' 10.10.6.2 I receive a list of OIDs; the problem occurs only for items under the sys table.
I tried to find a specific MIB for SNMPv3 but I can't find any.
How can I solve this?
The problem was not related to the MIB or the snmpwalk command.
The config on the switch was wrong: the SNMP user was not allowed to see some specific OIDs.

Nagios SNMP v3 on HP Procurve 2910

I'm having trouble getting the check_snmp plugin to connect and return values. I'm running CentOS7, Nagios 4.0.8, check_snmp 2.0.3. While I can snmpget and snmpwalk from the command line, check_snmp fails. Here are some examples...
snmpget:
# snmpget -v 3 -u myuser -x aes -X mypasswd -a md5 -A mypasswd -c Public -l AuthPriv 111.222.333.111 sysUpTime.0
...returns...
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10475998) 1 day, 5:05:59.98
snmpwalk:
# snmpwalk -v 3 -u myuser -x aes -X mypasswd -a md5 -A mypasswd -c Public -l AuthPriv 111.222.333.111 sysUptime
...returns...
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10473493) 1 day, 5:06:10.93
check_snmp:
/usr/lib64/nagios/plugins/check_snmp -H 111.222.333.111 -o sysUpTime.0 -P 3 -l AuthPriv -U myuser -A mypasswd -a md5 -X mypasswd -x aes
...returns...
External command error: Error in packet
Reason: authorizationError (access denied to that object)
Failed object: DISMAN-EVENT-MIB::sysUpTimeInstance
When I run check_snmp with verbose on, I get...
/usr/bin/snmpget -Le -t 1 -r 5 -m ALL -v 3 [authpriv] 156.128.2.250:161 sysUpTime.0
check_snmp is clearly not constructing the snmpget command with the args that are being passed to it. I'm at a loss as to why.
The syntax for the check_snmp security level is a little different. Try:
-L authPriv
instead of:
-l AuthPriv
You can confirm this by invoking the help of the plugin with -h:
./check_snmp -h
check_snmp v2.0.3 (nagios-plugins 2.0.3)
...
-L, --seclevel=[noAuthNoPriv|authNoPriv|authPriv]
...

Starting amqp-consume on Debian 8

I used to consume messages with amqp-consume using the command below on Debian 7, but after I installed Debian 8 I think the amqp-tools package is different and it does not recognize my command.
I noticed some changes. My web interface changed the port from 55672 to 15672.
amqp-consume -d -q queue.udrive.admin.uiscsi -s 10.0.1.251 -p 5672 -e "directExchangeUdrive" --vhost "/" -r "" --username=guest --password=guest /bin/bash remoteManageUiSCSI.sh
error: both --server and --url options specify server host
I think the command expects this:
amqp-consume
consuming command not specified
Usage: amqp-consume [-dxA?] [-u|--url=amqp://...] [-s|--server=hostname] [--port=port] [--vhost=vhost] [--username=username] [--password=password] [--ssl] [--cacert=cacert.pem] [--key=key.pem] [--cert=cert.pem] [-q|--queue=queue] [-e|--exchange=exchange] [-r|--routing-key=routing key] [-d|--declare] [-x|--exclusive] [-A|--no-ack] [-c|--count=limit] [-p|--prefetch-count=limit] [-?|--help] [--usage] [OPTIONS]... <command> <args>
I tried all kinds of things on amqp:// and it didn't work.
I got the answer on another site, https://qpid.apache.org/releases/qpid-0.30/programming/book/QpidJNDI.html, but I still wonder why this answer was not in "man amqp-consume" or on the RabbitMQ website....
The command that works for me is:
amqp-consume -d -u amqp://test:test@ustorageprod/%2f -q queue.udrive.admin.uiscsi -e "directExchangeUdrive" -r "" /bin/bash remoteManageUiSCSI.sh
amqp-publish -u amqp://test:test@ustorageprod/%2f -r "queue.udrive.ustorage" -e "directExchangeUdrive" -b "$msg"
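As an added example (not part of the answer above), the helper below builds the amqp:// URL that the -u option takes from its parts and shows why the default vhost "/" ends up as %2f; the function names are mine, and the host and credentials are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the answer above: builds the amqp:// URL that
# amqp-consume/amqp-publish take with -u. A literal "/" in the vhost would end
# the URL path and select no vhost, so "/" must be percent-encoded as %2f;
# the same applies to "@", ":" or "/" inside a username or password.

# Percent-encode one URL component (RFC 3986 unreserved characters pass through).
urlencode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                 # first character of $s
        s=${s#?}                        # drop it
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02x' "'$c")" ;;   # "/" -> %2f, "@" -> %40
        esac
    done
    printf '%s' "$out"
}

# amqp_url USER PASSWORD HOST VHOST [PORT]  ->  amqp://USER:PASSWORD@HOST:PORT/VHOST
# The URL replaces -s, -p, --vhost, --username and --password; giving -s as well
# is what produces "both --server and --url options specify server host".
amqp_url() {
    printf 'amqp://%s:%s@%s:%s/%s\n' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$3" "${5:-5672}" "$(urlencode "$4")"
}

# Example call (host and credentials from the post). Note that a URL passed on
# the command line, credentials included, is visible to every user in ps(1).
# amqp-consume -d -u "$(amqp_url test test ustorageprod /)" -q queue.udrive.admin.uiscsi -e directExchangeUdrive -r "" /bin/bash remoteManageUiSCSI.sh
```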

Ldap search with negative parameter

I'm trying to do a search on my LDAP base like this:
ldapsearch -x -h localhost -p 389 -D uid=xxxadmin,ou=administrators,ou=topologymanagement,o=netscaperoot -v -w 12345 -b "ou=Usuarios,ou=Alunos,ou=XXXX,o=xxXXXxx" -f (!(objectClass=ntUser)) 1.1
Basically I want to list all the entries without the objectClass ntUser and add the objectClass to them.
I'm getting this as an answer:
-bash: !: event not found
From http://www.openldap.org/lists/openldap-software/200104/msg00196.html
This message comes from the shell (bash). It states that the command
`!' didn't find the event you unintentionally asked for. This happens
because the double quotes in bash do not prevent some command
invocation. Use single quotes instead:
Your search should be like this:
ldapsearch -x -h localhost -p 389 -D 'uid=xxxadmin,ou=administrators,ou=topologymanagement,o=netscaperoot' -v -w 12345 -b 'ou=Usuarios,ou=Alunos,ou=XXXX,o=xxXXXxx' -f '(!(objectClass=ntUser))' 1.1
Your search should work. But, for bash, you will need to quote the parameters.
Something like:
ldapsearch -x -h localhost -p 389 -D uid=xxxadmin,ou=administrators,ou=topologymanagement,o=netscaperoot -v -w 12345 -b "ou=Usuarios,ou=Alunos,ou=XXXX,o=xxXXXxx" -f "(!(objectClass=ntUser))" 1.1
Tested with both OpenLDAP
@(#) $OpenLDAP: ldapsearch (Ubuntu) (Mar 17 2014 21:19:27) $buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/clients/tools
(LDAP library: OpenLDAP 20431)
ldapsearch -x -h localhost -p 389 -D "cn=admin" -W -b "dc=example,dc=com" -s sub -a always -z 1000 "(!(objectClass=inetOrgPerson))" "objectClass"
and OpenDJ
ldapsearch --version
OpenDJ 2.7.0-20140727
Build 20140727000040Z
ldapsearch -h localhost -p 389 -D "cn=admin" -b "dc=example,dc=com" -s sub -a always -z 1000 "(!(objectClass=inetOrgPerson))" "objectClass"
-jim
It's happening because bash treats ! as a special character:
"!" Start a history substitution, except when followed by a space, tab, the end of the line, ‘=’ or ‘(’
So finally, you should be able to solve your problem by putting single quotes around the term as follows:
ldapsearch -x -h localhost -p 389 -D uid=xxxadmin,ou=administrators,ou=topologymanagement,o=netscaperoot -v -w 12345 -b "ou=Usuarios,ou=Alunos,ou=XXXX,o=xxXXXxx" -f '(!(objectClass=ntUser))' 1.1
Please refer to the following question on Stack Overflow:
Which characters need to be escaped in Bash? How do we know it?