FreeBSD : Install and configure Tripwire

ADD THE TRIPWIRE SECURITY COMPONENT

Setup Tripwire (ref: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html)
Edit the /etc/tripwire/twcfg.txt file to reflect the following:

EDITOR =/usr/bin/pico

Edit the /etc/tripwire/twpol.txt file to reflect the following:

Install/Setup (only once):

Initialize:

SNMP Simple Network Management Protocol

== Background ==

The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Two versions of SNMP exist: SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). Both versions have a number of features in common, but SNMPv2 offers enhancements, such as additional protocol operations. Standardization of yet another version of SNMP—SNMP Version 3 (SNMPv3)—is pending. This chapter provides descriptions of the SNMPv1 and SNMPv2 protocol operations. Figure 56-1 illustrates a basic network managed by SNMP.

This howto can be used on any UNIX-like system (BSD, SunOS, …); only the package installation below is Fedora-specific.

== Linux ==

I use Fedora 9 and Net-SNMP; here are the packages you need:

net-snmp-libs-5.4.1-18.fc9.i386
net-snmp-utils-5.4.1-18.fc9.i386
net-snmp-5.4.1-18.fc9.i386
net-snmp-perl-5.4.1-18.fc9.i386
net-snmp-gui-5.4.1-18.fc9.i386

To install all of these and their dependencies: ''yum install net-snmp*''

To add the latest MIB, copy GbESM-10Ub-SC.txt to the MIB directory /usr/share/snmp/mibs. In that directory there is also a file named ''.index''; edit it and add the following line at the bottom of it: BLADE-ROOT-MIB GbESM-10Ub-SC.txt (the module name must match the name on the ''DEFINITIONS ::= BEGIN'' line of the MIB file). Save and quit!
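The two manual steps above (copy the MIB file, append a line to ''.index'') can be scripted so that the module name written to ''.index'' is read from the MIB file's own ''DEFINITIONS ::= BEGIN'' line and the entry is never duplicated when the script is re-run. The following is an added example and not part of the original howto; the temporary directory and the ''EXAMPLE-MIB'' module used in the demo are constructed placeholders, standing in for the page's real ''/usr/share/snmp/mibs'' and ''GbESM-10Ub-SC.txt''.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): register a MIB file with
# Net-SNMP by copying it into a MIB directory and adding a "MODULE FILE"
# line to that directory's .index, the way the page does by hand.
# The module name is taken from the MIB's "<MODULE> DEFINITIONS ::= BEGIN"
# line, so the .index entry cannot disagree with the file contents.

# mib_module_name FILE -> prints the module name declared in FILE;
# fails if FILE has no DEFINITIONS line (i.e. it is not an ASN.1 MIB module).
mib_module_name() {
    awk '$2 == "DEFINITIONS" && $3 == "::=" && $4 == "BEGIN" { print $1; exit }' "$1" | grep .
}

# install_mib MIBDIR FILE -> copies FILE into MIBDIR and appends
# "MODULE basename" to MIBDIR/.index unless that exact line already exists.
# Prints the module name. Safe to run repeatedly (idempotent).
install_mib() {
    local mibdir="$1" src="$2" base module index entry
    base=$(basename "$src")
    module=$(mib_module_name "$src") || { echo "install_mib: no DEFINITIONS line in $src" >&2; return 1; }
    index="$mibdir/.index"
    entry="$module $base"
    mkdir -p "$mibdir"
    cp "$src" "$mibdir/$base"
    [ -f "$index" ] || : > "$index"
    grep -qxF "$entry" "$index" || printf '%s\n' "$entry" >> "$index"
    printf '%s\n' "$module"
}

# count_index_entries MIBDIR MODULE -> how many .index lines name MODULE
count_index_entries() {
    awk -v m="$2" '$1 == m { n++ } END { print n + 0 }' "$1/.index"
}

# Demo with a constructed placeholder MIB (not a real vendor module) in a
# temporary directory instead of /usr/share/snmp/mibs:
demo=$(mktemp -d)
cat > "$demo/EXAMPLE-MIB.txt" <<'EOF'
EXAMPLE-MIB DEFINITIONS ::= BEGIN
-- constructed placeholder, not a real MIB module
END
EOF
install_mib "$demo/mibs" "$demo/EXAMPLE-MIB.txt"    # prints: EXAMPLE-MIB
install_mib "$demo/mibs" "$demo/EXAMPLE-MIB.txt"    # second run changes nothing
cat "$demo/mibs/.index"                               # EXAMPLE-MIB EXAMPLE-MIB.txt
count_index_entries "$demo/mibs" EXAMPLE-MIB          # 1
rm -rf "$demo"
```

After installing into the real directory, ''snmptranslate -m +MODULE -IR -On OBJECT'' (as used later on this page) confirms that Net-SNMP can resolve names from the new module.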

SNMP itself does not define which information (which variables) a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by ''management information bases'' (MIBs). MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing object identifiers (OIDs). Each OID identifies a variable that can be read or set via SNMP.

=== snmptranslate ===

'''snmptranslate – translate MIB OID names between numeric and textual form'''

To get the OID from the MIB use the ''snmptranslate'' tool.

snmptranslate -m +BLADE-ROOT-MIB -IR -On agCurDaylightSavings.0
.1.3.6.1.4.1.26543.2.5.1.1.1.55.0
snmptranslate -m +BLADE-ROOT-MIB -IR -On agSaveConfiguration.0
.1.3.6.1.4.1.26543.2.5.1.1.1.4.0

The -m option tells snmptranslate which MIB modules to load from the MIB directory ''/usr/share/snmp/mibs/''. The leading "+" adds the named MIB to the default list instead of replacing it. To load every module in the directory use ''ALL'' instead of a module name.

To view all the MIB structure:

snmptranslate -m +BLADE-ROOT-MIB -Tt -On
org(3) type=0
  dod(6) type=0
    internet(1) type=0
      directory(1) type=0
      mgmt(2) type=0
        mib-2(1) type=0
          system(1) type=0
            sysDescr(1) type=2 tc=4 hint=255a
            sysObjectID(2) type=1
            sysUpTime(3) type=8
              sysUpTimeInstance(0) type=0
            sysContact(4) type=2 tc=4 hint=255a
            sysName(5) type=2 tc=4 hint=255a
            sysLocation(6) type=2 tc=4 hint=255a
            sysServices(7) type=3
            sysORLastChange(8) type=8 tc=14
            sysORTable(9) type=0
              sysOREntry(1) type=0
                sysORIndex(1) type=3
                sysORID(2) type=1
                sysORDescr(3) type=2 tc=4 hint=255a
                sysORUpTime(4) type=8 tc=14
          interfaces(2) type=0
            ifNumber(1) type=16
            ifTable(2) type=0
              ifEntry(1) type=0
                ifIndex(1) type=16 tc=23 hint=d
                ifDescr(2) type=2 tc=4 hint=255a
                ifType(3) type=3 tc=20
                ifMtu(4) type=16
                ifSpeed(5) type=7
                ifPhysAddress(6) type=2 tc=5 hint=1x:
                ifAdminStatus(7) type=3
                ifOperStatus(8) type=3
                ifLastChange(9) type=8
                ifInOctets(10) type=6
                ifInUcastPkts(11) type=6
                ifInNUcastPkts(12) type=6
                ifInDiscards(13) type=6
                ifInErrors(14) type=6
                ifInUnknownProtos(15) type=6
                ifOutOctets(16) type=6
                ifOutUcastPkts(17) type=6
                ifOutNUcastPkts(18) type=6
                ifOutDiscards(19) type=6
                ifOutErrors(20) type=6
                ifOutQLen(21) type=7
                ifSpecific(22) type=1
          at(3) type=0
            atTable(1) type=0
              atEntry(1) type=0
                atIfIndex(1) type=3
                atPhysAddress(2) type=2 tc=57
                atNetAddress(3) type=4
          ip(4) type=0
            ipForwarding(1) type=3
            ipDefaultTTL(2) type=16
            ipInReceives(3) type=6
            ipInHdrErrors(4) type=6
            ipInAddrErrors(5) type=6
            ipForwDatagrams(6) type=6
            ipInUnknownProtos(7) type=6
….

Print a graphical tree, rooted at the specified OID:

snmptranslate -m +BLADE-ROOT-MIB -Tp -OS

Dump a labeled form of all objects:

snmptranslate -m +BLADE-ROOT-MIB -Tl -OS

Show the full textual path of a specific MIB object:

snmptranslate -m +BLADE-ROOT-MIB -Onf -IR hwPartNumber
.iso.org.dod.internet.private.enterprises.blade.private-mibs.aws-switch.agent.agentInfo.hardware.hwPartNumber

View the description of a MIB object:

snmptranslate -m +BLADE-ROOT-MIB -Td -OS .iso.org.dod.internet.private.enterprises.blade.private-mibs.aws-switch.agent.agentInfo.hardware.hwPartNumber

=== snmpwalk ===

'''snmpwalk – retrieve a subtree of management values using SNMP GETNEXT requests'''

snmpwalk -v 2c -m +BLADE-ROOT-MIB -c public alteon
SNMPv2-MIB::sysDescr.0 = STRING: Nortel 1/10Gb Uplink Ethernet Switch Module
BladeCenter OFM with Nortel/BNT Extensions, Non Stack
SNMPv2-MIB::sysObjectID.0 = OID: BLADE-ROOT-MIB::gbESM-1-10U-L2L3-SM
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9295200) 1 day, 1:49:12.00
SNMPv2-MIB::sysContact.0 = STRING: test
SNMPv2-MIB::sysName.0 = STRING: rizzo
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 6
………………..

As you can see, snmpwalk retrieves values from a specific device, resolving the names through the ''BLADE-ROOT-MIB'' module. You can also restrict the walk to a subtree, e.g.:

snmpwalk -v 2c -m +BLADE-ROOT-MIB -c public alteon system
SNMPv2-MIB::sysDescr.0 = STRING: Nortel 1/10Gb Uplink Ethernet Switch Module
BladeCenter OFM with Nortel/BNT Extensions, Non Stack
SNMPv2-MIB::sysObjectID.0 = OID: BLADE-ROOT-MIB::gbESM-1-10U-L2L3-SM
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9309000) 1 day, 1:51:30.00
SNMPv2-MIB::sysContact.0 = STRING: test
SNMPv2-MIB::sysName.0 = STRING: rizzo
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 6

..or narrow it further, down to a single instance..

snmpwalk -v 2c -m +BLADE-ROOT-MIB -c public alteon system.sysName.0
SNMPv2-MIB::sysName.0 = STRING: rizzo

..or you can specify the numeric OID (which you get from the snmptranslate tool):

snmpwalk -v 2c -m +BLADE-ROOT-MIB -c public alteon .1.3.6.1.2.1.1.5.0
SNMPv2-MIB::sysName.0 = STRING: rizzo

From the snmpwalk man page:

OPTIONS
-Cc Do not check whether the returned OIDs are increasing. Some agents (LaserJets are an example) return OIDs out of order, but can complete the walk anyway. Other agents return OIDs that are out of order and can cause snmpwalk to loop indefinitely. By default, snmpwalk tries to detect this behavior and warns you when it hits an agent acting illegally. Use -Cc to turn off this check.

-Ci Include the given OID in the search range. Normally snmpwalk uses GETNEXT requests starting with the OID you specified and returns all results in the MIB subtree rooted at that OID. Sometimes, you may wish to include the OID specified on the command line in the printed results if it is a valid OID in the tree itself. This option lets you do this explicitly.

-CI In fact, the given OID will be retrieved automatically if the main subtree walk returns no useable values. This allows a walk of a single instance to behave as generally expected, and return the specified instance value. This option turns off this final GET request, so a walk of a single instance will return nothing.

-Cp Upon completion of the walk, print the number of variables found.

-Ct Upon completion of the walk, print the total wall-clock time it took to collect the data (in seconds). Note that the timer is started just before the beginning of the data request series and stopped just after it finishes. Most importantly, this means that it does not include snmp library initialization, shutdown, argument processing, and any other overhead.

=== snmpset ===

'''snmpset – communicates with a network entity using SNMP SET requests'''

From the man page:

The TYPE is a single character, one of:
i INTEGER
u UNSIGNED
s STRING
x HEX STRING
d DECIMAL STRING
n NULLOBJ
o OBJID
t TIMETICKS
a IPADDRESS
b BITS

Some examples:

To save the configuration on the switch:

snmpset -v 2c -m +BLADE-ROOT-MIB -c private alteon agSaveConfiguration.0 i 2
BLADE-ROOT-MIB::agSaveConfiguration.0 = INTEGER: saveActive(2)

and the switch console will print:

Or to apply the config:

snmpset -v 2c -m +BLADE-ROOT-MIB -c private alteon agApplyConfiguration.0 i 2
BLADE-ROOT-MIB::agApplyConfiguration.0 = INTEGER: apply(2)

=== snmpdelta ===

'''snmpdelta – Monitor delta differences in SNMP Counter values'''

Real traffic, sampled once per second (-Cs prints a timestamp on each line):

snmpdelta -v 2c -m +BLADE-ROOT-MIB -Cs -c public alteon IP-MIB::ipInDelivers.0 IP-MIB::ipOutRequests.0

[14:50:42 10/2] IP-MIB::ipInDelivers.0 /1 sec: 7
[14:50:42 10/2] IP-MIB::ipOutRequests.0 /1 sec: 8
[14:50:43 10/2] IP-MIB::ipInDelivers.0 /1 sec: 3
[14:50:43 10/2] IP-MIB::ipOutRequests.0 /1 sec: 4

..and so on.
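The arithmetic snmpdelta does for you is simple, but it has one edge case worth seeing written out: Counter32 objects such as ipInDelivers and ifInOctets count modulo 2^32, so a poll that reads a smaller value than the previous one normally means the counter wrapped, not that traffic went backwards. The following is an added example, not part of the original page or of Net-SNMP; the two polls in SAMPLE_POLLS are constructed so that ipInDelivers wraps between them.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the rate computation behind
# snmpdelta, with explicit handling of a Counter32 wrap.

# counter_rate PREV CUR SECONDS -> per-second rate between two Counter32
# readings taken SECONDS apart, correcting for a single wrap.
counter_rate() {
    local prev=$1 cur=$2 secs=$3 delta
    if [ "$cur" -ge "$prev" ]; then
        delta=$((cur - prev))
    else
        delta=$((cur - prev + 4294967296))     # 2^32: the counter wrapped once
    fi
    echo $((delta / secs))
}

# wrap_seconds BITS_PER_SECOND -> how long a Counter32 octet counter lasts
# before wrapping at that line rate. Poll more often than this, or the
# "single wrap" assumption above breaks (or use the Counter64 objects).
wrap_seconds() {
    echo $(( 4294967296 * 8 / $1 ))
}

# rates_from_samples: stdin lines "EPOCH OBJECT VALUE", one poll per line;
# prints "OBJECT /N sec: RATE" for each consecutive pair of polls of the same
# object, in the spirit of snmpdelta's output. Assumes Counter32 objects.
rates_from_samples() {
    awk '
        {
            t = $1; o = $2; v = $3
            if (o in last_t) {
                secs = t - last_t[o]
                d = v - last_v[o]
                if (d < 0) d += 4294967296       # wrapped once
                printf "%s /%d sec: %d\n", o, secs, (secs > 0 ? d / secs : 0)
            }
            last_t[o] = t; last_v[o] = v
        }
    '
}

# Constructed sample: two polls one second apart; ipInDelivers wraps between them.
SAMPLE_POLLS='100 IP-MIB::ipInDelivers.0 4294967290
100 IP-MIB::ipOutRequests.0 1000
101 IP-MIB::ipInDelivers.0 1
101 IP-MIB::ipOutRequests.0 1008'

printf '%s\n' "$SAMPLE_POLLS" | rates_from_samples
# IP-MIB::ipInDelivers.0 /1 sec: 7
# IP-MIB::ipOutRequests.0 /1 sec: 8
wrap_seconds 1000000000    # 34: a Counter32 octet counter wraps in about 34 s at 1 Gbit/s
```

The last line is the practical caveat: on a 1 Gbit/s interface a Counter32 byte counter can wrap in roughly half a minute, and at 10 Gbit/s in a few seconds, so a polling interval longer than that silently under-reports.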

SNMPv1 and SNMPv2c use two community strings: a read-only one (''public'' in the examples above) and a read-write one (''private'', used for the snmpset examples). Both are sent in cleartext in every packet and both values are the well-known defaults, so change them on the agent and restrict the source addresses allowed to use them.
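What that looks like on the agent side: a weak ''snmpd.conf'' next to a hardened one, plus a small audit that flags the weak settings. This is an added example, not part of the original page or of Net-SNMP. The directives (rocommunity, rwcommunity, view, createUser, rwuser) are real snmpd.conf syntax; the community string, the user name, the passphrases and the 192.0.2.0/24 management network are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): weak vs hardened snmpd.conf
# and an audit function for the settings this page's examples depend on.

# write_sample_configs DIR -> writes DIR/weak.conf and DIR/hardened.conf
# (constructed samples; community, user and passphrases are placeholders)
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
# the defaults this page's commands rely on: cleartext, any source, whole tree
rocommunity public
rwcommunity private
rouser legacy noauth
EOF
    cat > "$1/hardened.conf" <<'EOF'
# read-only, only from the management network, only the system group
view systemonly included .1.3.6.1.2.1.1
rocommunity REPLACE_ME_RO 192.0.2.0/24 -V systemonly
# writes (agSaveConfiguration, agApplyConfiguration, ...) only over SNMPv3
# with authentication and encryption; no rwcommunity at all
createUser mgr SHA REPLACE_ME_AUTH_PASS AES REPLACE_ME_PRIV_PASS
rwuser mgr priv
EOF
}

# audit_snmpd_conf FILE -> prints one line per finding; exit 1 if any
audit_snmpd_conf() {
    awk '
        function finding(msg) { n++; print FILENAME ":" NR ": " msg }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if ($2 == "public" || $2 == "private")
                finding($1 " uses the well-known default community \"" $2 "\"")
            if (NF < 3 || $3 == "default")
                finding($1 " \"" $2 "\" accepts requests from any source address")
            if (NF < 4)
                finding($1 " \"" $2 "\" exposes the whole MIB tree (no OID or -V view)")
            if ($1 == "rwcommunity")
                finding("rwcommunity grants SET access with a cleartext v1/v2c community")
            next
        }
        ($1 == "rouser" || $1 == "rwuser") && $3 == "noauth" {
            finding($1 " \"" $2 "\" allows unauthenticated SNMPv3 access")
        }
        END { exit (n > 0) }
    ' "$1"
}

# Demo:
demo=$(mktemp -d)
write_sample_configs "$demo"
audit_snmpd_conf "$demo/weak.conf" || echo "weak.conf: findings reported (exit status $?)"   # 8 findings
audit_snmpd_conf "$demo/hardened.conf" && echo "hardened.conf: clean"                        # no findings
rm -rf "$demo"
```

The createUser line is normally kept in the persistent configuration rather than the main snmpd.conf; see snmpd.conf(5) for where your installation expects it.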

== Windows ==
=== SNMPc ===
=== iReasoning MIB Browser ===

== Links ==

* [http://www.henrys.de/daniel/download/SNMP.HTM Description of the SNMP packet breakdown]
* [http://www.snmp.com/FAQs/snmp-faq-part1.txt SNMP FAQ part 1]
* [http://www.snmp.com/FAQs/snmp-faq-part2.txt SNMP FAQ part 2]
* [http://www.snmptools.net SNMP products and technical articles]
* [http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html Cisco’s description of SNMP and how to use in their products]
* [http://www.snmp.com/conferences/ Articles by SNMP Research]
* [http://www.rane.com/note161.html SNMP: Simple? Network Management Protocol]
* [http://www.emnico.com/mib Emnico SNMP MIB Library: A comprehensive collection of SNMP MIBs]
* [http://www.infrax.com/fr/network_protocols/snmp_protocol_reference.pdf SNMP v1, v2, and v3 Message Protocol Handy Reference (pdf)]