reverse engineering things that predecessors left without any documentation and throwing them out the window because devops
Menu
menu

SNMPv3 traps are far superior to the SNMPv1 and v2c traps, as long as your network devices support it. SNMPv3 provides us with security that the previous SNMP versions do not offer (remember that SNMPv1 and v2c only use clear-text community names which can be easily intercepted).

Version 3 protocol also allows the administrator to specify the authentication and privacy passwords as well as various security schemas. SNMPv3 uses SHA and MD5 for authentication hashing, and DES and AES for privacy encryption. The three security schemas present in version 3 are “noAuthNoPriv”, “authNoPriv”, and “authPriv” which are pretty self-explanatory.

The first schema does not use any authentication or privacy mechanisms, whereas the “authNoPriv” only uses authentication, and “authPriv” uses the fullblown security mechanism. Now, all this security mumbo-jumbo does not make SNMPv3 perfect. Since we are securing it we are also obscuring it, as the protocol is not supported by all devices and is harder to configure (which is probably why it’s not supported by all devices in the first place, chicken and the egg kind of thing).

SNMPv3 traps require both authentication in the form of username and password as well as engineid. Engineid is a random string (usually made up of SNMP user and IP/Mac addresses) from a remote SNMP host which needs to be placed in /var/net-snmp/snmptrapd.conf or /etc/snmp/snmptrapd.conf (the first one being a persistent file) of the SNMP NMS. It is in a hexidecimal form and each byte is a character string of two hex digits. Finding out that engineid can be fairly tricky, but here is the general gist of it that should help you get started:

1. Run tcpdump to see if the packets come in:
[code]sudo /sbin/tcpdump -vvv port 161 or port 162[/code] 2. Run snmptrapd in debug mode:
[code]sudo /usr/sbin/snmptrapd -On -Lsd -Lf /var/log/snmp.log -p /var/run/snmptrapd.pid -D -d -f[/code] The snmptrapd command basically starts snmptrapd daemon in a debug mode redirected to the /var/log/snmp.log file.

3. Watch the snmp log with:
[code]tail -f /var/log/snmp.log[/code] 4. Try to send a test SNMP trap to the NMS
5. In the debug log, search for the ‘lcd_set_enginetime: engineID’ string after which you should see a string of hext digits. Copy those down, add ‘0x’ in front of it and dump it into the either snmptrapd.conf file that you have created (preferably /etc/snmp/snmptrapd.conf) in the following format:

[code]createUser -e 0xXXXXXXXXXXXXXXX auth_user MD5 auth_user_password[/code]

You must note that is important to find the engineid for every remote SNMP device that will be sending you SNMPv3 traps as each device will have a different engineid.

All in all, SNMPv3 requires quite a bit of work and understanding to set up. Whether it’s worth it or not is up to the systems administrator, but one must remember that security should trump everything in this age of digital mess. You never know if somebody is snooping on your or not so it is safe put down some basic security that at least hides your traffic since SNMP can be easily (of course, once understood) used to find out an insane amount of information about your network.