Thanks so much for all of your work.

Much appreciated.


-----Original Message-----
From: [] On Behalf Of Shteryana 
Sent: Thursday, April 03, 2014 9:09 AM
To: Marciano, Anthony
Cc: Hartmut Brandt; Bjoern A. Zeeb;;
Subject: Re: Call for testers: SNMPv3 support for bsnmpd(1)

Hi all,

OK, I discovered and fixed several v3 bugs while testing this config.

1) A regresion introduced with SVN r256678 breaking parsing of v3 
authentication part of a PDU - this is only in current; stable should be fine; 
I've uploaded a patch here -

2) A bug in decoding string indexes in snmp_target(3), thus causing
bsnmpd(1) to not send v3 notifications properly and two missing return 
statements which could lead to abort() in case of a rollback - this has never 
worked in the svn tree, I am not sure why the patch didn't make it - a patch is 
available here -,
it was generated against head, but should apply cleanly against stable too - to 
patch the module

#cd <sources-directory>/contrib/bsnmp
#patch < snmp_target-20140403-01.diff
#cd ../../usr.sbin/bsnmpd/modules/snmp_target/
#make && make install

3) A problem with old SNMP engine time being returned to the client in some 
cases (relevant to v3 only again) which would cause subsequent PDUs comming 
from the same client to be considered out-of-time-window and discarded - patch 
is available here -

4) There is also a problem with the handling of the connected UDP sockets - 
e.g. if the client listening for the trap has not been available for sometime, 
the socket error is not cleared until the first send() - causing "snmpd[8573]: 
send: Connection refused"
messages in syslog even though the trap was successfully send - an old patch 
(pre-v3 sources) is available here -, I'll update it 
against head too

Comments, reviews and test reports are very welcome.

Now, the needed configuration for encrypted traps -
1) bsnmpd(1) part

#First v3 SNMP Engine value should be set, e.g.
engine := 0x80:0x10:0x08:0x10:0x80:0x25
snmpEngineID = $(engine)

#USM module should be enabled and at least one user with proper credentials 
user1 := "bsnmp"
user1passwd := 
# SNMPv3 User-based security module - must be loaded for SNMPv3 USM #
begemotSnmpdModulePath."usm"    = "/usr/lib/"

# Definition of user "bsnmp" with password "bsnmptest"
usmUserStatus.$(engine).$(user1) = 5
usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserStatus.$(engine).$(user1) = 1

#Definition of a Notification target where traps will be sent with the 
credentials of $user1 # # SNMPv3 Notification Targets module #
begemotSnmpdModulePath."target"    = "/usr/lib/"
tag        := "test"
snmpNotifyRowStatus.$(tag) = 4
snmpNotifyTag.$(tag) = $(tag)

# Specify the target parameters for the notifications - send with the 
credentials # of user $user1 #
snmpTargetParamsRowStatus.$(tag) = 5
snmpTargetParamsMPModel.$(tag) = $(MPmodelSNMPv3)
snmpTargetParamsSecurityModel.$(tag) = $(securityModelUSM)
snmpTargetParamsSecurityName.$(tag) = $(user1)
snmpTargetParamsSecurityLevel.$(tag) = $(authPriv)
snmpTargetParamsRowStatus.$(tag) = 1

# Define the notifications' target address - port 162 on localhost #
snmpTargetAddrRowStatus.$(tag) = 5
snmpTargetAddrTAddress.$(tag) = 0x0a:0x0:0x0:0x01:0x0:0xa2 # hexstring 
representing in 4 octets and port 162 in two octets
snmpTargetAddrTagList.$(tag) = "test notification"
snmpTargetAddrParams.$(tag) = $(tag)
snmpTargetAddrRowStatus.$(tag) = 1

2) To receive the traps with net-snmp's snmptrapd put the following 
coonfiguration in /etc/snmp/snmptrapd.conf createUser -e 0x801008108025 bsnmp 
SHA "bsnmptest" AES "bsnmptest"
authuser log bsnmp

and start it e.g.
#snmptrapd -f -C -c /etc/snmp/snmptrapd.conf -Le


On Tue, Apr 1, 2014 at 2:47 PM, Marciano, Anthony <> wrote:
> Thank Harti.
> Tony
> -----Original Message-----
> From: Hartmut Brandt []
> Sent: Tuesday, April 01, 2014 2:06 AM
> To: Marciano, Anthony
> Cc:; Bjoern A. Zeeb;; 
> Subject: RE: Call for testers: SNMPv3 support for bsnmpd(1)
> On Mon, 31 Mar 2014, Marciano, Anthony wrote:
> MA>Currently, we are just looking to monitor standard objects such as 
> MA>interfaces and send traps accordingly. Would it be possible to 
> MA>provide a trap example of what needs to be added to the 
> MA>snmpd.config file to monitor an object and have it sent via V3?
> MA>
> MA>I've searched for this information and read through various RFCs 
> MA>but have not discovered any bsnmpd specific trap syntax and/or examples.
> Well, bsnmp can send only the standard traps currently. This is configured 
> via the begemotTrapSinkTable (/usr/share/snmp/mibs/BEGEMOT-SNMPD.txt).
> Each row in the table is a trap target and all traps are sent to all targets 
> in the table. I don't know, how this interacts with v3, though.
> harti
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to