densta
asked on
SNMP v2 trap - how to spoof the source address?
Hi folks,
Consider the following:
Routers send their syslog messages to a FreeBSD syslog server which runs a parsing script to detect BGP up/down events. On detection of such events, the script generates a BGP trap (using Net-SNMP tools) towards Netcool probe.
[Router]----syslog---->[sy
Now the problem is that the trap contains the source address of the syslog server. However, the Netcool system needs to know the source of the original message (the router) for assurance purposes.
We considered an SNMP v1 trap and setting the agent address to that of the router, but the BGP v1 MIB does not contain the required bgpPeerRemoteAddr varbind. So we must use v2 traps.
Is there a way to spoof the source address of an SNMP v2 trap?
Regards
Dennis
Consider the following:
Routers send their syslog messages to a FreeBSD syslog server which runs a parsing script to detect BGP up/down events. On detection of such events, the script generates a BGP trap (using Net-SNMP tools) towards Netcool probe.
[Router]----syslog---->[sy
Now the problem is that the trap contains the source address of the syslog server. However, the Netcool system needs to know the source of the original message (the router) for assurance purposes.
We considered an SNMP v1 trap and setting the agent address to that of the router, but the BGP v1 MIB does not contain the required bgpPeerRemoteAddr varbind. So we must use v2 traps.
Is there a way to spoof the source address of an SNMP v2 trap?
Regards
Dennis
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks @bgoering for the response.
I was hoping that there would be an OOTB tool similar to "trapgen" (ncomtech) for BSD that allows you to set the sender IP. I understand the HP NNM snmpnotify allows you to do this but requires NNM licenses and libraries. Sockets programming is not something we want to get into if at all possible.
The problem with Cisco routers is that they don't support sending traps for IPv6 BGP state change events (IPv4 is okay). Cisco have indicated this feature won't be available for 2-3 years, hence the need for this syslog-based workaround.
There is the option of deploying a Netcool syslog probe, but our project wants something quick and dirty initially to meet operationao requirements, with a view to deploying a syslog probe longer term.
I was hoping that there would be an OOTB tool similar to "trapgen" (ncomtech) for BSD that allows you to set the sender IP. I understand the HP NNM snmpnotify allows you to do this but requires NNM licenses and libraries. Sockets programming is not something we want to get into if at all possible.
The problem with Cisco routers is that they don't support sending traps for IPv6 BGP state change events (IPv4 is okay). Cisco have indicated this feature won't be available for 2-3 years, hence the need for this syslog-based workaround.
There is the option of deploying a Netcool syslog probe, but our project wants something quick and dirty initially to meet operationao requirements, with a view to deploying a syslog probe longer term.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
no I haven't but I'll run it past the project team. worth a shot - thanks!
ASKER
well that didn't work :(
the sender ip in the trapgen command is only valid for SNMP v1 (this wasn't clear in the README)
so back to square one - we may have to consider adding a varbind to the SNMP v1 trap with the peer's remote address or alternatively add a varbind to the SNMPv2 trap with the router's address.
either will require rework on the NC side which we were trying to avoid but at this stage i can't see a way around this.
the sender ip in the trapgen command is only valid for SNMP v1 (this wasn't clear in the README)
so back to square one - we may have to consider adding a varbind to the SNMP v1 trap with the peer's remote address or alternatively add a varbind to the SNMPv2 trap with the router's address.
either will require rework on the NC side which we were trying to avoid but at this stage i can't see a way around this.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ha ha, i meant NetCool! But now I have another tool to consider - thanks!
Well the "NC" rang a bell with me that you could indeed spoof source IP with netcat and get it there with loose source routing (-g option) send arbitrary information via TCP or UDP. I see no reason the arbitrary information couldn't be a properly formatted UDP packet containing your trap.
Good Luck
Good Luck
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
yea syslog probe is our longer term solution for this. but it requires licensing and prof services engagement which all requires time we don't have. We need something "quick and dirty" in place this week!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks
I would expect most major router vendors to support something similar - and there is no reason the router couldn't send both the syslog to your freebsd system and the traps to your Netcool.