SNMPv3 Chicken and Egg

SNMPv3 suffers from a unique chicken and egg problem: to configure SNMPv3 users you need to use SNMPv3. So how does the initial user get configured?


The initial users are configured via the CLI or via standard factory settings. The cable industry has successfully adopted Diffie-Hellman key exchange to help configure the initial users; however, that method is part of the DOCSIS (cable) standard, not of SNMPv3 itself.

Once the initial user is up and running, SNMPv3 itself can take over the user and key management functions.

Unbrowse SNMP is under heavy development to help with SNMPv3 user management for small and medium scale networks. The idea is:

  • Manage USM users like you would Unix users
  • Automatically prevent users from changing the passwords of other users, deleting themselves, or elevating their own rights
  • Hide the gory details of Contexts, Groups and TreeFamilies
  • Tools to automatically propagate changes through the network
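To make concrete what "letting SNMPv3 take over key management" means, here is an added illustration (not Unbrowse code) of the RFC 3414 USM key operations behind it: deriving a key from a password, localizing it to one agent's engine ID, and the KeyChange value that usmUserAuthKeyChange carries when a user's key is rotated. The password and engine ID are the RFC 3414 appendix A.3 test values, not a real device.

```python
"""RFC 3414 USM key handling: password-to-key, key localization and the
KeyChange value. Added illustration, not Unbrowse code; the inputs are the
RFC 3414 appendix A.3 test values."""
import hashlib
import os

# RFC 3414 A.3 test engine ID (taken from the RFC, not a real device)
ENGINE_ID = bytes.fromhex("000000000000000000000002")

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated to 1 MiB (RFC 3414 A.2.1 / A.2.2)."""
    h = hashlib.new(algo)
    reps, rem = divmod(1_048_576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key an agent stores is unique to it,
    so a key lifted from one device does not open the others."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def key_change(old_key: bytes, new_key: bytes, algo: str = "md5",
               rand: bytes = b"") -> bytes:
    """KeyChange = random || (H(old_key || random) XOR new_key), RFC 3414 2.6.
    This is the value usmUserAuthKeyChange carries: the new key never crosses
    the wire in clear and only a holder of old_key can recover it. Single-block
    form: key length must equal the digest length (MD5: 16, SHA-1: 20)."""
    size = hashlib.new(algo).digest_size
    if len(old_key) != size or len(new_key) != size:
        raise ValueError("key length must match digest length")
    rand = rand or os.urandom(size)
    mask = hashlib.new(algo, old_key + rand).digest()
    return rand + bytes(m ^ n for m, n in zip(mask, new_key))

def apply_key_change(old_key: bytes, change: bytes, algo: str = "md5") -> bytes:
    """Agent side: recover the new key from the received KeyChange value."""
    size = hashlib.new(algo).digest_size
    rand, delta = change[:size], change[size:]
    mask = hashlib.new(algo, old_key + rand).digest()
    return bytes(m ^ d for m, d in zip(mask, delta))
```

Because the localized key depends on the engine ID, "propagating a password change through the network" means computing a different Kul, and therefore a different KeyChange value, per agent.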

We have beta builds available for anyone who would like to give it a spin. Please contact us via email for access to the beta.

 

[tags] snmpv3, USM, VACM [/tags]

Unbrowse Automation 2 : Adding SNMP Agents

Some of our users manage dozens of network devices. Unbrowse SNMP features a scripting interface that lets you import SNMP agents automatically from any format; you only have to write a small amount of code in a scripting language like VBScript or Ruby.

This is the second and concluding part of the article. In the first part, we looked at the object model for SNMP Agents in Unbrowse.

The task

You are an organization running CiscoWorks to manage your dozens or hundreds of routers and switches. You do not want to input the agent information (such as name, IP address, community) by hand; that is just too painful. If you have a flat file with agent information, you can write a simple script to import it into Unbrowse.

In this example, we will import a file in CiscoWorks DCRv3 format into Unbrowse SNMP. This is meant only to illustrate the scripting interface; you can adapt the script to your own file format quite easily.

Without much ado, here is the script (in VBScript). To run it, type “cscript impagent.vbs dcrtestfile.txt”:

' ------------------------------------------------------------
' IMPORT agents in CiscoWorks DCRv3 format into Unbrowse SNMP
'
'  Usage: cscript impagent.vbs <dcrfile>
' ------------------------------------------------------------
Const ForReading = 1

Set Stdout = WScript.Stdout
Set FSO = CreateObject("Scripting.FileSystemObject")

' -----------------------
' Check usage & arguments
' -----------------------
If WScript.Arguments.Count <> 1 Then
 Stdout.WriteLine "Usage: cscript impagent.vbs <dcrfile>"
 WScript.Quit 1
End If
DCRFileName = WScript.Arguments.Item(0)

' ----------------------------------
' Open input file and read all lines
' ----------------------------------
On Error Resume Next
Set InputFile = FSO.OpenTextFile(DCRFileName, ForReading)
If Err.Number <> 0 Then
 Stdout.WriteLine "Input DCR file not found: " & DCRFileName
 Stdout.WriteLine "Error : " & Err.Description
 WScript.Quit 1
End If
InputFileContents = InputFile.ReadAll
InputFile.Close
On Error GoTo 0

InputFileLines = Split(InputFileContents, vbCrLf)

' ----------------------------------
' Create the Unbrowse Agent Manager
' ----------------------------------
Set AgentMgr = CreateObject("UnbrowseSNMP.AgentManager")
AgentMgr.Init()

validLinesBegin = False
dcrCheck = False
For Each sLine In InputFileLines

 sLine = Trim(sLine)
 ' Skip zero-length lines
 If Len(sLine) > 0 Then

  If InStr(sLine, "Type=DCRCSV") > 0 Then
   ' The format marker sits on a ';' comment line, so test it before skipping comments
   dcrCheck = True
  ElseIf InStr(sLine, "management_ip_address") > 0 Then
   ' Column header: agent records follow from the next line on
   validLinesBegin = True
  ElseIf Mid(sLine, 1, 1) <> ";" Then
   ' Not a comment: process records only once the format and header have been seen
   If dcrCheck And validLinesBegin Then ProcessLine sLine
  End If

 End If

Next

If Not dcrCheck Then
 Stdout.WriteLine "The input file is not in CiscoWorks DCRv3 format : filename " & DCRFileName
End If
' ------------------------------------------------------------------------------
' Process a single line
' Create an agent and set attributes as specified in the input line (CSV format)
' ------------------------------------------------------------------------------
Sub ProcessLine(Line)

 LineFields = Split(Line, ",")

 ' Need at least 10 columns: read community is field 8, write community is field 9
 If UBound(LineFields) >= 9 Then

  ipaddr = LineFields(0)
  hostname = LineFields(1)
  rcomm = LineFields(8)
  wcomm = LineFields(9)

  Set OneAgent = AgentMgr.NewAgent
  OneAgent.Name = hostname
  OneAgent.IPAddress = ipaddr
  OneAgent.ReadComm = rcomm
  OneAgent.WriteComm = wcomm

  Stdout.WriteLine "Added agent " & hostname & " to Unbrowse repository"

 End If

End Sub

A sample test file (dcrtestfile.txt) is shown below:

; This file is generated by DCR Export utility
; Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0
;
;Start of section 0 - Basic Credentials
;
;HEADER:
management_ip_address,host_name,domain_name,device_identity,display_name,sysObjectID,dcr_device_type,mdf_type,snmp_v2_ro_comm_string,snmp_v2_rw_comm_string,user_defined_field_0,user_defined_field_1
;
10.77.202.40,Switch6009,cisco.com,,Switch2,1.3.6.1.4.1.9.1.281,0,268438100,public,private,field0,field1
10.77.202.10,Router7000,cisco.com,,Router1,1.3.6.1.4.1.9.1.8,0,278464493,public,private,field0,field1
10.77.202.30,Switch4006,cisco.com,,Switch1,1.3.6.1.4.1.9.5.46,0,268438086,public,private,field0,field1
10.77.202.20,Router6400,cisco.com,,Router2,1.3.6.1.4.1.9.1.180,0,269214543,public,private,field0,field1
;End of CSV file

[tags] SNMP, MIB Browser, Agents, VBScript [/tags]

Analyze web traffic traces

One of our favorite tech bloggers, Richard Bejtlich, has put up a new post about web traffic analysis using a new open source tool. This prompted me to write this post about using Unsniff Network Analyzer to perform similar analysis. I hope our users will find this article useful. Also see this article for a detailed overview of HTTP analysis.

Unsniff allows you to:

  • Extract content from HTTP flows. We call this feature “User Objects”. Examples of user objects are images, CSS, Flash, video, etc.
  • Put together separate flows into a web page. This is a powerful feature that lets you reconstruct web pages completely: CSS styles are applied, and inline images and Flash content appear in the reconstructed page. See the picture below.
  • Script for automating analysis. For example, if you want to automatically extract all images from a lengthy capture into individual JPEG files, you can write a VBScript or Ruby program to do that; the Unsniff Scripting API allows such macro operations. See here for samples.
  • Support for HTTPS. If you are a system admin with access to the server certificate and its private key, you can perform the same type of analysis for HTTPS. This is quite valuable for debugging website problems at the server. This powerful feature is enabled by Unsniff’s top notch support for decrypting SSLv3 and TLS traffic.

Advantages of correlating flows into a single page.

A single web page is rendered by the browser by putting together several individual HTTP responses (flows). Sometimes these objects come from different hosts. For example, a CSS stylesheet, a Flash SWF file, a set of JPEG files, and the master HTML document must all be combined to produce a web page.
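As an added illustration of the correlation step (not Unsniff code), the following script parses a handful of constructed HTTP flows, finds the objects the HTML document references across two hosts, and maps each one to the captured flow that carries it; the Flash object is deliberately missing from the capture to show how an incomplete reconstruction surfaces. The hostnames under example.test are constructed, not real sites.

```python
"""Correlate captured HTTP flows into one page. Added illustration, not Unsniff
code; flows are constructed inline as (request URL, raw response bytes), i.e.
what a capture tool hands over after TCP reassembly."""
from html.parser import HTMLParser
from urllib.parse import urljoin

def make_response(ctype: str, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 response with a correct Content-Length."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body

PAGE_URL = "http://www.example.test/index.html"  # constructed, not a real site
FLOWS = [  # constructed capture: the /intro.swf flow is absent on purpose
    (PAGE_URL, make_response("text/html",
        b'<html><head><link rel="stylesheet" href="/site.css"></head><body>'
        b'<img src="http://img.example.test/logo.jpg"><embed src="/intro.swf">'
        b'</body></html>')),
    ("http://www.example.test/site.css", make_response("text/css", b"body{color:#000}")),
    ("http://img.example.test/logo.jpg", make_response("image/jpeg", b"\xff\xd8\xff\xe0JFIF")),
]

def parse_response(raw: bytes):
    """Split one response into (content type, body), honouring Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return headers.get("content-type", "application/octet-stream"), body[:length]

class RefFinder(HTMLParser):
    """Collect the URLs the HTML pulls in from other flows (CSS, images, Flash)."""
    WANTED = {("link", "href"), ("img", "src"), ("script", "src"), ("embed", "src")}
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WANTED and value:
                self.refs.append(value)

def reconstruct(flows, page_url):
    """Map every object the page references to the captured flow carrying it
    (None when the capture holds no such flow, which is how gaps show up)."""
    objects = {url: parse_response(raw) for url, raw in flows}
    html = objects[page_url][1]
    finder = RefFinder()
    finder.feed(html.decode("utf-8", "replace"))
    return {urljoin(page_url, ref): objects.get(urljoin(page_url, ref)) for ref in finder.refs}
```

Relative references are resolved against the page URL, which is why the stylesheet on www.example.test and the image on img.example.test both land in the same reconstructed page.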

The sample web pages below have been reconstructed from a tcpdump capture.

Sample 1: the Technorati website, which contains embedded images and a complex stylesheet. http://technorati.com

Sample 2: Richard’s website, with CSS and embedded images. http://www.bejtlich.net/

Notes about this feature.

  1. Switch to the “User Objects” sheet to see the individual flows.
  2. Click on the HTML object to view the reconstructed web page.
  3. Click on an image to see it rendered.
  4. Right click an item and select “View Data” to see its raw contents (e.g., HTML text, CSS text, image bytes, Flash, etc.).
  5. Capture live traffic, or select “File -> Import -> From TCPDUMP” to open a pre-captured file in libpcap (Ethereal or Wireshark native) format.

– – – – –

Here are solutions to some common problems emailed to us by users of this feature.

Step 1 : Enable HTTP reconstruction

  1. Go to the menu “Plugins -> Customize” and enable the “Reconstruct HTTP Session” option. This is not enabled by default.
  2. Also check that the “Extract User Objects” option is enabled. This is the default.

Step 2 : Windows Firewall Warning

If you are running a personal firewall you may get a warning about a port. You can ignore that warning; that port is used internally by the HTTP reconstruction software.

Any questions? Please leave a comment here or use our forum.

[tags] tcpdump, sniffer, website analysis, http analysis, unsniff [/tags]