graylog-labs / graylog-plugin-snmp

Graylog plugin to receive SNMP traps

Unable to decode SNMP PDU #3

Closed andreaconsadori closed 9 years ago

andreaconsadori commented 9 years ago

I downloaded the MIBs, changed the path and restarted graylog-server, but I still have this error msg:

2015-08-12T08:55:37.290+02:00 ERROR [SnmpCodec] Unable to decode SNMP PDU
java.io.IOException: Unsupported PDU type: -92
        at org.snmp4j.PDU.decodeBER(PDU.java:555)
        at org.graylog.snmp.codec.SnmpCodec.decode(SnmpCodec.java:43)
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:120)
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:79)
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:56)
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:33)
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:138)
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

bernd commented 9 years ago

Looks like your device is using a PDU type that is not supported by the SNMP standard. Which device are you using?

andreaconsadori commented 9 years ago

Stormshield firewall (old name was NETASQ). Here are the MIBs: http://documentation.netasq.com/firewall/guide/v1/en/default.htm?turl=Documents%2Fstormshieldnetworkmibs.htm

bernd commented 9 years ago

Thanks for the update. Can you show us the configuration of the SNMP agent? It's possible that we need to update the implementation and expose some more configuration options. Thank you!

andreaconsadori commented 9 years ago

graylog snmp agent is default

    root@Graylog:/var/lib/mibs# cat /etc/snmp/snmp.conf
    #
    # As the snmp packages come without MIB files due to license reasons, loading
    # of MIBs is disabled by default. If you added the MIBs you can reenable
    # loaging them by commenting out the following line.
    mibs :

I put only mib file path in snmp input configuration

    port: 1620
    mibs_path: /var/lib/mibs
    override_source:
    bind_address: 0.0.0.0

andreaconsadori commented 9 years ago

If useful, I can also send you the dump of the incoming trap.

andreaconsadori commented 9 years ago

and finally the firewall snmp agent config

    xxx>cat /var/snmp/snmpd.conf
    ###########################################################################
    #
    # snmpd.conf
    #
    # - created by buildsnmp
    # - do not edit by hand
    ###########################################################################

    ###########################################################################
    # SECTION: System Information Setup
    #
    # This section defines some of the information reported in
    # the "system" mib group in the mibII tree.

    syslocation xxx
    syscontact who@where
    sysname xxx
    sysservices 72

    ###########################################################################
    # SECTION: Access Control Setup
    #
    # This section defines who is allowed to talk to your running
    # snmp agent.

    rocommunity public
    rouser xxx

    ###########################################################################
    # SECTION: Trap Destinations
    #
    # Here we define where the snmp agent will send traps

    trapsink 192.168.0.95:1620 public

    ###########################################################################
    # SECTION: DisMan Event MIB
    #
    # Here we define when and what traps should be generated

    agentSecName internal
    rouser internal
    linkUpDownNotifications yes

    authtrapenable 2
    interface em5 6 30000000
    interface em4 6 30000000

bernd commented 9 years ago

> If useful, I can also send you the dump of the incoming trap.

A dump of the raw trap data would be great so we can test it locally.

andreaconsadori commented 9 years ago

Here is the file: http://www.filedropper.com/dump_1

bernd commented 9 years ago

> Here is the file: http://www.filedropper.com/dump_1

This file doesn't seem to exist. Getting a 404 :confused:

andreaconsadori commented 9 years ago

I can download it... Do you have a preferred file sharing platform?

bernd commented 9 years ago

> I can download it... Do you have a preferred file sharing platform?

Yes, it works now. :smile: Sorry for the noise...

bernd commented 9 years ago

I can reproduce the issue with your snmpd config as well and will try to search for a fix.

bernd commented 9 years ago

@andreaconsadori I just released version 0.3.0 of the plugin. This should fix the issues you had. (tested with your payload)

You have to delete your existing SNMP inputs and create them again because some internals have changed. (delete it before installing the new plugin)

The new release artifacts should show up here once Travis has finished building them.