Hi Kevin,

You'll be happy to hear that I'm working on a fix for #1098[1], the
stringified MAC addresses.

> The fix you provided me translates the mac address into:
> 5c:5c:26:20:38:78:47. Two problems:
> 
> 1) it is an invalid 14-char mac address because of the "\\" = 5c5c. No big
> deal, I added a line to substitute all "\\" with "\" ... fixed that one
> 

Good catch, this one is easy to fix.

> 2) the ascii representation for new line (0a) is being interpreted as an
> ascii space (20) in the provided fix, so it gives the wrong mac address:
> 
> 5c:26:20:38:78:47 instead of
> 5c:26:0a:38:78:47
> 
> Not sure how to code this one to interpret the new line from the snmptrap -
> any suggestions? 

Turns out this was done for multiline trap support in the pfsetvlan
daemon. I tried finding why it was done this way in our source control
history and couldn't go as far back as that (before the 1.7 days). As a side
note: if anyone could point me towards the previous SCM used by the
project to see commit history I would really appreciate it.

Back to the topic at hand: It was replacing the newline char with a
space and concatenating the multiline trap into a single string. I fixed
it by keeping the newline char and updating the global trap parser to
handle embedded newline characters. Patch is attached.

Now, I need to update all the trap parsers to handle both Hex-STRING and
STRING formats.

Nasty, nasty bug..

[1] http://www.packetfence.org/bugs/view.php?id=1098
-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
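
An added example, not part of the original message or of PacketFence: a Perl sketch of decoding the MAC address discussed above from either the STRING or the Hex-STRING form, showing why the embedded newline has to survive the multiline join. `varbind_to_mac` is a hypothetical helper, the sample values are constructed from the test trap in the attached patch, and the code assumes backslash and double quote are the only characters escaped inside a STRING value.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# Hypothetical helper, not PacketFence code: convert one varbind value, as
# snmptrapd logged it, into a colon-separated MAC address. Returns undef
# unless the value decodes to exactly six octets.
sub varbind_to_mac {
    my ($value) = @_;
    my @octets;
    if ( $value =~ /^Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s*){6})$/ ) {
        @octets = map { hex($_) } split ' ', $1;
    }
    elsif ( $value =~ /^STRING:\s*"(.*)"$/s ) {    # /s: payload may hold 0x0a
        my $raw = $1;
        $raw =~ s/\\(["\\])/$1/g;    # assumption: only \ and " are escaped
        @octets = unpack 'C*', $raw;
    }
    return undef unless @octets == 6;
    return join ':', map { sprintf '%02x', $_ } @octets;
}

# Constructed samples based on the #1098 test trap: in the log the value is
# two backslashes, '&', a real newline, then '8xG', all inside double quotes.
my $as_logged = "STRING: \"\\\\&\n8xG\"";
( my $space_joined = $as_logged ) =~ s/\n/ /;    # effect of the old " " join
my $first_line = "STRING: \"\\\\&";              # what a per-line parser sees

my @cases = (
    [ 'newline kept'       => $as_logged ],
    [ 'newline -> space'   => $space_joined ],
    [ 'first line only'    => $first_line ],
    [ 'Hex-STRING variant' => 'Hex-STRING: 5C 26 0A 38 78 47 ' ],
);
for my $case (@cases) {
    my ( $label, $value ) = @$case;
    printf "%-20s %s\n", $label, varbind_to_mac($value) // 'rejected';
}
```

The second case reproduces the 5c:26:20:38:78:47 from the report, and the six-octet check is what keeps a truncated or still-escaped value from being turned into a MAC at all.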
#
#
# patch "pf/sbin/pfsetvlan"
#  from [7f0a40e44525bd3d777ab6ba363a4fa226c05baf]
#    to [607bf9bc57a298808196e6c079a182769795c7de]
# 
# patch "pf/t/integration.t"
#  from [09bba7071f02c5db23fbeeed484eb3ea59b074e6]
#    to [f30d23c9af7ec2ccc93efbeb5c161669d6524a7f]
# 
# patch "pf/t/pfsetvlan.t"
#  from [b4c15fc7c16ae7cb5ac093bfbf20b0869644d5e4]
#    to [1da4503435ad5f68aa2521be3ee755ea281a012b]
#
============================================================
--- pf/sbin/pfsetvlan   7f0a40e44525bd3d777ab6ba363a4fa226c05baf
+++ pf/sbin/pfsetvlan   607bf9bc57a298808196e6c079a182769795c7de
@@ -149,7 +149,7 @@ my $TRAP_PATTERN = qr/
     (?:\-\>\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])?     # Optional "->[ip 
address]" (since net-snmp 5.4)
     \|([^|]*)\|                                         # Used to carry 
network device ip if it's a local trap
     (.+)$                                               # Trap message
-/x;
+/sx; # s for multiline support (if we encounter an Hex 0a which is encoded as 
a newline in STRING)
 
 my $fh = new File::Tail(
     'name'        => INSTALL_DIR . '/logs/snmptrapd.log',
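Review bot: The comment on the new `/sx` line calls this "multiline support", but `/s` only lets `.` match a newline; it is not `/m`, and `$` still anchors at the end of the whole string. Reword it to something like "s so that . matches the newline embedded in a STRING value", so nobody later swaps it for `/m`, which would truncate the trap message at the first newline. With `/s` the greedy `(.+)$` will also capture a trailing newline if the string handed to the pattern has not been chomped, so confirm that upstream.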
@@ -280,7 +280,7 @@ while ( defined( $currentTrapLine = $fh-
         }
     } else {
         if ($inMultiLineTrap) {
-            $completeTrapLine .= " $currentTrapLine";
+            $completeTrapLine .= "\n$currentTrapLine";
             if ( $currentTrapLine =~ m/END VARIABLEBINDINGS$/ ) {
 
                 #end multiLine read
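Review bot: Joining with "\n" instead of " " changes what every consumer of `$completeTrapLine` receives, and only the join itself is updated here. Traps that span lines for any other reason now carry newlines where the parsers used to see spaces, and any parser regex that relies on `.` without `/s` will stop at the newline without raising an error. Until the parsers are updated, add a test that pushes the #1098 payload through at least one of them and checks that the MAC comes out as 5c:26:0a:38:78:47.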
============================================================
--- pf/t/pfsetvlan.t    b4c15fc7c16ae7cb5ac093bfbf20b0869644d5e4
+++ pf/t/pfsetvlan.t    1da4503435ad5f68aa2521be3ee755ea281a012b
@@ -14,7 +14,7 @@ use lib '/usr/local/pf/lib';
 
 use lib '/usr/local/pf/lib';
 
-use Test::More tests => 4;
+use Test::More tests => 5;
 use Test::NoWarnings;
 
 use Log::Log4perl;
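Review bot: `tests => 5` is correct only because Test::NoWarnings contributes one test on top of the four `ok()` calls visible in the next hunk. A short comment next to the plan saying so would keep the count from being "corrected" to 4 later.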
@@ -34,23 +34,25 @@ my $TRAP_PATTERN = qr/
     (?:\-\>\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])?     # Optional "->[ip 
address]" (since net-snmp 5.4)
     \|([^|]*)\|                                         # Used to carry 
network device ip if it's a local trap
     (.+)$                                               # Trap message
-/x;
+/sx; # s for multiline support (if we encounter an Hex 0a which is encoded as 
a newline in STRING)
 
 # This was before my time here so I'm not sure if it's v1 or a specific 
net-snmp version
-my $snmpv1_traps = "2010-04-19|21:43:26|192.168.1.61|0.0.0.0|BEGIN TYPE 0 END 
TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = 
Timeticks: (89282331) 10 days, 8:00:23.31|.1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10003 = Wrong Type (should be 
INTEGER): Gauge32: 10003|.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: 
FastEthernet0/3|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10003 = Hex-STRING: 90 E6 BA 70 
E7 4B  END VARIABLEBINDINGS";
+my $trap = "2010-04-19|21:43:26|192.168.1.61|0.0.0.0|BEGIN TYPE 0 END TYPE 
BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = 
Timeticks: (89282331) 10 days, 8:00:23.31|.1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10003 = Wrong Type (should be 
INTEGER): Gauge32: 10003|.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: 
FastEthernet0/3|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10003 = Hex-STRING: 90 E6 BA 70 
E7 4B  END VARIABLEBINDINGS";
+ok($trap =~ /$TRAP_PATTERN/, "Trap pattern matches SNMPv1 traps");
 
 # This was before my time here so I'm not sure if it's v2c or a specific 
net-snmp version
-my $snmpv2c_traps = "2010-04-19|21:43:26|UDP: 
[192.168.1.61]:52281|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE 
BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (89282331) 10 days, 
8:00:23.31|.1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10003 = Wrong Type (should be 
INTEGER): Gauge32: 10003|.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: 
FastEthernet0/3|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10003 = Hex-STRING: 90 E6 BA 70 
E7 4B  END VARIABLEBINDINGS";
+$trap = "2010-04-19|21:43:26|UDP: [192.168.1.61]:52281|0.0.0.0|BEGIN TYPE 0 
END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 
= Timeticks: (89282331) 10 days, 8:00:23.31|.1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10003 = Wrong Type (should be 
INTEGER): Gauge32: 10003|.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: 
FastEthernet0/3|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10003 = Hex-STRING: 90 E6 BA 70 
E7 4B  END VARIABLEBINDINGS";
+ok($trap =~ /$TRAP_PATTERN/, "Trap pattern matches SNMPv2c traps");
 
 # Starting with Net-SNMP v5.4 trap format changed to add the ->[ip] thingy
-my $netsnmp_5dot4_traps = "2010-04-01|13:32:16|UDP: 
[127.0.0.1]:33469->[127.0.0.1]|217.117.225.53|BEGIN TYPE 6 END TYPE BEGIN 
SUBTYPE .0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.5 = INTEGER: 5 END 
VARIABLEBINDINGS";
+$trap = "2010-04-01|13:32:16|UDP: 
[127.0.0.1]:33469->[127.0.0.1]|217.117.225.53|BEGIN TYPE 6 END TYPE BEGIN 
SUBTYPE .0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.6.3.1.1.4.1.0 = OID: 
.1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.5 = INTEGER: 5 END 
VARIABLEBINDINGS";
+ok($trap =~ /$TRAP_PATTERN/, "Trap pattern matches Net-SNMP v5.4 traps");
 
-ok($snmpv1_traps =~ /$TRAP_PATTERN/, "Trap pattern matches SNMPv1 traps");
+# reproducing the newline encoding problem of #1098
+$trap = '2011-05-19|19:36:21|UDP: [10.0.0.51]:1025|10.0.0.51|BEGIN TYPE 6 END 
TYPE BEGIN SUBTYPE .5 END SUBTYPE BEGIN VARIABLEBINDINGS 
.1.3.6.1.4.1.45.1.6.5.3.12.1.1.1.24 = INTEGER: 
1|.1.3.6.1.4.1.45.1.6.5.3.12.1.2.1.24 = INTEGER: 
24|.1.3.6.1.4.1.45.1.6.5.3.12.1.3.1.24 = STRING: "\\\\&
+8xG" END VARIABLEBINDINGS';
+ok($trap =~ /$TRAP_PATTERN/, "Trap pattern matches multiline trap (issue 
1098)");
 
-ok($snmpv2c_traps =~ /$TRAP_PATTERN/, "Trap pattern matches SNMPv2c traps");
-
-ok($netsnmp_5dot4_traps =~ /$TRAP_PATTERN/, "Trap pattern matches Net-SNMP 
v5.4 traps");
-
 =head1 AUTHOR
 
 Olivier Bilodeau <[email protected]>
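Review bot: The #1098 test only checks that `$TRAP_PATTERN` matches; it never looks at what the trap-message group captured. Assert that the captured message still contains the newline and the full `8xG" END VARIABLEBINDINGS` tail, so a capture truncated at the newline fails the test on content. The pattern in this file is also a hand-maintained copy of the one in pf/sbin/pfsetvlan (both hunks make the same `/x` to `/sx` edit), so the two can drift apart; loading it from one place would make this test exercise the pattern that ships.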
============================================================
--- pf/t/integration.t  09bba7071f02c5db23fbeeed484eb3ea59b074e6
+++ pf/t/integration.t  f30d23c9af7ec2ccc93efbeb5c161669d6524a7f
@@ -58,6 +58,11 @@ ok(`pidof -x snort` eq "\n", "snort stop
 
 ok(`pidof -x snort` eq "\n", "snort stopped successfully");
 
+# TODO inject traps provoking reactions
+# this one here reproduces #1098
+#`echo '2011-05-19|19:36:21|UDP: [10.0.0.51]:1025|10.0.0.51|BEGIN TYPE 6 END 
TYPE BEGIN SUBTYPE .5 END SUBTYPE BEGIN VARIABLEBINDINGS 
.1.3.6.1.4.1.45.1.6.5.3.12.1.1.1.24 = INTEGER: 
1|.1.3.6.1.4.1.45.1.6.5.3.12.1.2.1.24 = INTEGER: 
24|.1.3.6.1.4.1.45.1.6.5.3.12.1.3.1.24 = STRING: "\\\\&
+#8xG" END VARIABLEBINDINGS' >> "/usr/local/pf/logs/snmptrapd.log"`;
+
 # TODO do tests for all other services handled by pf::services
 
 # TODO do a node_add then a node_view and expect everything to be correct
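Review bot: The #1098 reproduction is added entirely commented out, so integration.t still asserts nothing about trap handling. When it is enabled, write the line with Perl's `open` and `print` and not a backticked `echo`: the payload contains backslashes, `&`, double quotes and a literal newline, and it has to pass through both backtick interpolation and shell quoting to arrive intact. The hardcoded "/usr/local/pf/logs/snmptrapd.log" could use `INSTALL_DIR` as pfsetvlan does, and the test needs an `ok()` on the reaction it is meant to provoke.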