Thanks so much for all of your work.
From: shtery...@gmail.com [mailto:shtery...@gmail.com] On Behalf Of Shteryana
Sent: Thursday, April 03, 2014 9:09 AM
To: Marciano, Anthony
Cc: Hartmut Brandt; Bjoern A. Zeeb; email@example.com;
Subject: Re: Call for testers: SNMPv3 support for bsnmpd(1)
OK, I discovered and fixed several v3 bugs while testing this config.
1) A regression introduced with SVN r256678 breaking parsing of v3
authentication part of a PDU - this is only in current; stable should be fine;
I've uploaded a patch here -
2) A bug in decoding string indexes in snmp_target(3), thus causing
bsnmpd(1) to not send v3 notifications properly and two missing return
statements which could lead to abort() in case of a rollback - this has never
worked in the svn tree, I am not sure why the patch didn't make it - a patch is
available here -
it was generated against head, but should apply cleanly against stable too - to
patch the module
#patch < snmp_target-20140403-01.diff
#make && make install
3) A problem with old SNMP engine time being returned to the client in some
cases (relevant to v3 only again) which would cause subsequent PDUs coming
from the same client to be considered out-of-time-window and discarded - patch
is available here -
4) There is also a problem with the handling of the connected UDP sockets -
e.g. if the client listening for the trap has not been available for some time,
the socket error is not cleared until the first send() - causing
"snmpd: send: Connection refused" messages in syslog even though the trap was
successfully sent - an old patch
(pre-v3 sources) is available here -
http://people.freebsd.org/~syrinx/snmp/bsnmp-20101220-03.diff, I'll update it
against head too
Comments, reviews and test reports are very welcome.
Now, the needed configuration for encrypted traps -
1) bsnmpd(1) part
#First v3 SNMP Engine value should be set, e.g.
engine := 0x80:0x10:0x08:0x10:0x80:0x25
snmpEngineID = $(engine)
#USM module should be enabled and at least one user with proper credentials
user1 := "bsnmp"
# SNMPv3 User-based security module - must be loaded for SNMPv3 USM #
begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so"
# Definition of user "bsnmp" with password "bsnmptest"
usmUserStatus.$(engine).$(user1) = 5
usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserStatus.$(engine).$(user1) = 1
#Definition of a Notification target where traps will be sent with the
#credentials of $user1
#
# SNMPv3 Notification Targets module
#
begemotSnmpdModulePath."target" = "/usr/lib/snmp_target.so"
tag := "test"
snmpNotifyRowStatus.$(tag) = 4
snmpNotifyTag.$(tag) = $(tag)
# Specify the target parameters for the notifications - send with the
# credentials of user $user1
#
snmpTargetParamsRowStatus.$(tag) = 5
snmpTargetParamsMPModel.$(tag) = $(MPmodelSNMPv3)
snmpTargetParamsSecurityModel.$(tag) = $(securityModelUSM)
snmpTargetParamsSecurityName.$(tag) = $(user1)
snmpTargetParamsSecurityLevel.$(tag) = $(authPriv)
snmpTargetParamsRowStatus.$(tag) = 1
# Define the notifications' target address - port 162 on localhost #
snmpTargetAddrRowStatus.$(tag) = 5
snmpTargetAddrTAddress.$(tag) = 0x0a:0x0:0x0:0x01:0x0:0xa2 # hexstring representing 10.0.0.119 in 4 octets and port 162 in two octets
snmpTargetAddrTagList.$(tag) = "test notification"
snmpTargetAddrParams.$(tag) = $(tag)
snmpTargetAddrRowStatus.$(tag) = 1
2) To receive the traps with net-snmp's snmptrapd put the following
configuration in /etc/snmp/snmptrapd.conf
createUser -e 0x801008108025 bsnmp SHA "bsnmptest" AES "bsnmptest"
authuser log bsnmp
and start it e.g.
#snmptrapd -f -C -c /etc/snmp/snmptrapd.conf -Le
On Tue, Apr 1, 2014 at 2:47 PM, Marciano, Anthony <amarc...@redcom.com> wrote:
> Thanks Harti.
> -----Original Message-----
> From: Hartmut Brandt [mailto:hartmut.bra...@dlr.de]
> Sent: Tuesday, April 01, 2014 2:06 AM
> To: Marciano, Anthony
> Cc: syr...@freebsd.org; Bjoern A. Zeeb; firstname.lastname@example.org;
> Subject: RE: Call for testers: SNMPv3 support for bsnmpd(1)
> On Mon, 31 Mar 2014, Marciano, Anthony wrote:
> MA>Currently, we are just looking to monitor standard objects such as
> MA>interfaces and send traps accordingly. Would it be possible to
> MA>provide a trap example of what needs to be added to the
> MA>snmpd.config file to monitor an object and have it sent via V3?
> MA>I've searched for this information and read through various RFCs
> MA>but have not discovered any bsnmpd specific trap syntax and/or examples.
> Well, bsnmp can send only the standard traps currently. This is configured
> via the begemotTrapSinkTable (/usr/share/snmp/mibs/BEGEMOT-SNMPD.txt).
> Each row in the table is a trap target and all traps are sent to all targets
> in the table. I don't know, how this interacts with v3, though.
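Added example, not part of the original messages and not bsnmp or net-snmp code: a small Python check that the snmpEngineID in the bsnmpd configuration equals the engine ID passed to createUser -e in snmptrapd.conf, and that a snmpTargetAddrTAddress octet string decodes to the intended receiver. The function names are hypothetical; the three constants are copied from the configuration above, where the posted TAddress value decodes to 10.0.0.1 port 162.

```python
import ipaddress
import re

# Values copied from the configuration in the message above.
BSNMPD_ENGINE = "0x80:0x10:0x08:0x10:0x80:0x25"
TRAPD_ENGINE = "0x801008108025"
POSTED_TADDRESS = "0x0a:0x0:0x0:0x01:0x0:0xa2"

def parse_octets(text):
    """Parse a colon-separated octet string (0x0a:0x0:...) into bytes."""
    out = bytearray()
    for part in text.strip().split(":"):
        if not re.fullmatch(r"0[xX][0-9a-fA-F]{1,2}", part):
            raise ValueError(f"not a hex octet: {part!r}")
        out.append(int(part, 16))
    return bytes(out)

def format_octets(data):
    """Render bytes in the colon-separated form used in the bsnmpd config."""
    return ":".join(f"0x{b:02x}" for b in data)

def decode_taddress(text):
    """Return (ipv4, port) for a 6-octet IPv4/UDP transport address."""
    raw = parse_octets(text)
    if len(raw) != 6:
        raise ValueError(f"expected 6 octets, got {len(raw)}")
    return str(ipaddress.IPv4Address(raw[:4])), int.from_bytes(raw[4:], "big")

def encode_taddress(host, port):
    """Build the snmpTargetAddrTAddress value for an IPv4 host and UDP port."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    packed = ipaddress.IPv4Address(host).packed + port.to_bytes(2, "big")
    return format_octets(packed)

def engine_ids_match(bsnmpd_engine, trapd_engine):
    """Compare snmpEngineID with the value given to createUser -e."""
    hexpart = trapd_engine[2:] if trapd_engine[:2].lower() == "0x" else trapd_engine
    return parse_octets(bsnmpd_engine) == bytes.fromhex(hexpart)

if __name__ == "__main__":
    print("engine IDs match:", engine_ids_match(BSNMPD_ENGINE, TRAPD_ENGINE))
    print("posted TAddress decodes to:", decode_taddress(POSTED_TADDRESS))
    print("10.0.0.119:162 encodes as:", encode_taddress("10.0.0.119", 162))
```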