Solved

SNMP v2 trap - how to spoof the source address?

Posted on 2010-09-04
13
2,095 Views
1 Endorsement
Last Modified: 2012-05-10
Hi folks,

Consider the following:

Routers send their syslog messages to a FreeBSD syslog server which runs a parsing script to detect BGP up/down events.  On detection of such events, the script generates a BGP trap (using Net-SNMP tools) towards Netcool probe.

[Router]----syslog---->[syslog server]----trap---->[Netcool probe]

Now the problem is that the trap contains the source address of the syslog server.  However, the Netcool system needs to know the source of the original message (the router) for assurance purposes.  

We considered an SNMP v1 trap and setting the agent address to that of the router, but the BGP v1 MIB does not contain the required bgpPeerRemoteAddr varbind.  So we must use v2 traps.

Is there a way to spoof the source address of an SNMP v2 trap?

Regards
Dennis
1
Comment
Question by:densta
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
13 Comments
 
LVL 28

Accepted Solution

by:
bgoering earned 300 total points
ID: 33605472
Is there a way? Yes -- but not with anything I am aware of out of the box. It will likely require some sockets programing. Take a look at http://www.enderunix.org/docs/en/rawipspoof/ for a discussion of how to do that.

Good Luck
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33605483
One thing to consider is that it may be easier to send the trap straight from the router. Cisco I know supports snmp traps for bgp state change events. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a05.shtml for how to configure.

I would expect most major router vendors to support something similar - and there is no reason the router couldn't send both the syslog to your freebsd system and the traps to your Netcool.
0
 

Author Comment

by:densta
ID: 33605570
Thanks @bgoering for the response.

I was hoping that there would be an OOTB tool similar to "trapgen" (ncomtech) for BSD that allows you to set the sender IP.  I understand the HP NNM snmpnotify allows you to do this but requires NNM licenses and libraries.  Sockets programming is not something we want to get into if at all possible.  

The problem with Cisco routers is that they don't support sending traps for IPv6 BGP state change events (IPv4 is okay).  Cisco have indicated this feature won't be available for 2-3 years, hence the need for this syslog-based workaround.

There is the option of deploying a Netcool syslog probe, but our project wants something quick and dirty initially to meet operationao requirements, with a view to deploying a syslog probe longer term.

0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 300 total points
ID: 33608153
ncomtech trapgen has a linux product that should run ok on FreeBSD if you enable the linux compatibility features. Have you looked into that?
0
 

Author Comment

by:densta
ID: 33610035
no I haven't but I'll run it past the project team.  worth a shot - thanks!
0
 

Author Comment

by:densta
ID: 33611476
well that didn't work :(  

the sender ip in the trapgen command is only valid for SNMP v1 (this wasn't clear in the README)

so back to square one - we may have to consider adding a varbind to the SNMP v1 trap with the peer's remote address or alternatively add a varbind to the SNMPv2 trap with the router's address.

either will require rework on the NC side which we were trying to avoid but at this stage i can't see a way around this.
0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 300 total points
ID: 33614783
Yes, if by NC you mean netcat that should work. Create scripts using "nc -u -s x.x.x.x" to send your snmpv2 trap data

Take a look at http://www.foromsn.com/Version_Imprimible.php?Id=240940 for more info on spoofing with netcat. Might be easier than the sockets programming I first proposed!

Good Luck
0
 

Author Comment

by:densta
ID: 33616978
ha ha, i meant NetCool!  But now I have another tool to consider - thanks!
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33618583
Well the "NC" rang a bell with me that you could indeed spoof source IP with netcat and get it there with loose source routing (-g option) send arbitrary information via TCP or UDP. I see no reason the arbitrary information couldn't be a properly formatted UDP packet containing your trap.

Good Luck
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 200 total points
ID: 33618861
Netcool has a syslog probe that basically listens to the syslog on your syslog server and forwards everything to Netcool, without the syslog server's info. I don't manage it, but we do that here at my workplace.
0
 

Author Comment

by:densta
ID: 33623395
yea syslog probe is our longer term solution for this. but it requires licensing and prof services engagement which all requires time we don't have. We need something "quick and dirty" in place this week!
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 200 total points
ID: 33628143
You can also write a Netcool script that parses the syslog input from that server and strips off the source before displaying it- the real source is already in the messgae, as you know.
0
 

Author Closing Comment

by:densta
ID: 33752014
thanks
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Dlink-DIR 816 router 4 60
Upgrading from Sonicwall Tz210 6 51
Netflix streaming problem 18 81
find the Exchange server name that Outlook is connected to. 6 64
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question