
SUMMARY

Nov 30, 2015

On the Snare Central Server, SNMP is installed but not turned on by default, because enabling any service that the user has not specifically required can be considered a security risk. To enable SNMP if required, perform the following from the Snare Central Server console or from a Snare Central ssh session:

  1. Change the configuration in /etc/snmp/snmpd.conf and enable snmpd. Change the contact and community strings as needed.

  2. By default, the SNMP daemon will ONLY listen on the local loopback interface. To allow the daemon to respond to requests from other clients on the network, the agentAddress line should be modified. By default, it should have the following content:

       agentAddress udp:127.0.0.1:161

     To allow the snmpd daemon to listen on all network interfaces, remove 127.0.0.1: so that the line reads:

       agentAddress udp:161

  3. Update the setting in /etc/default/snmpd and remove the 127.0.0.1 from the SNMPDOPTS parameter. This must be done, or you can't access the SNMP service from the network, as it is currently restricted to the local loopback address.

  4. Update the section to allow the SNMP process to run. Change SNMPDRUN=no to yes:

       # snmpd control (yes means start daemon).
       SNMPDRUN=yes

  5. Restart the snmpd service: /etc/init.d/snmpd restart. The snmpd daemon should now be running and visible in the process list, using the command ps -aux | grep snmpd

  6. To test it, run the following from the Snare Central Server shell prompt: snmpwalk -c -v2c  - it should respond and show some details.

  7. If you have the Snare firewall enabled, you will need to update the ufw firewall rules to allow UDP 161 in. Edit the /data/Snare/Supporting/configure-firewall.sh script to add your rule for UDP 161, as it currently only allows SNMP traps on port 162. As of Snare Central Server patch 7.1.1, and as part of v8, there is a new firewall management capability in the Snare Central Server Configuration Wizard.
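An added example, not part of the Snare documentation: a shell check of the two files edited in steps 1 to 4 that reports when snmpd is bound beyond loopback while a well-known default community string (public or private) is still configured. The function names and the sample file contents are constructed for illustration; rocommunity and rwcommunity are net-snmp's community directives.

```shell
#!/bin/sh
# Added example, not Snare tooling. Function names are illustrative.

# Scope of the agentAddress directive(s): loopback, network, or unset.
snmpd_bind_scope() {
    awk 'tolower($1) == "agentaddress" {
             seen = 1
             n = split($2, addr, ",")
             for (i = 1; i <= n; i++)
                 if (addr[i] !~ /127\.0\.0\.1|localhost|\[::1\]/) net = 1
         }
         END { print (!seen ? "unset" : (net ? "network" : "loopback")) }' "$1"
}

# Community directives still using the well-known strings public/private.
snmpd_default_communities() {
    awk 'tolower($1) ~ /^r[ow]community6?$/ &&
         ($2 == "public" || $2 == "private") { print $1 "=" $2 }' "$1"
}

# SNMPDRUN value, and whether SNMPDOPTS still pins 127.0.0.1 (step 3).
snmpd_defaults_state() {
    run=$(sed -n 's/^SNMPDRUN=//p' "$1" | tail -n 1)
    if grep -q '^SNMPDOPTS=.*127\.0\.0\.1' "$1"; then pin=yes; else pin=no; fi
    echo "run=${run:-unset} loopback_pin=$pin"
}

# Returns 1 when snmpd is network-reachable with a default community string.
snmpd_audit() {
    conf=${1:-/etc/snmp/snmpd.conf}
    defaults=${2:-/etc/default/snmpd}
    scope=$(snmpd_bind_scope "$conf")
    weak=$(snmpd_default_communities "$conf")
    echo "bind scope: $scope; $(snmpd_defaults_state "$defaults")"
    if [ "$scope" = network ] && [ -n "$weak" ]; then
        echo "FINDING: reachable from the network with default community: $weak"
        return 1
    fi
    return 0
}

# Constructed sample: steps 2-4 applied, community string left at "public".
tmp=$(mktemp -d)
printf '%s\n' 'agentAddress udp:161' 'rocommunity public' > "$tmp/snmpd.conf"
printf '%s\n' 'SNMPDRUN=yes' "SNMPDOPTS='-Lsd -p /run/snmpd.pid'" > "$tmp/snmpd"
snmpd_audit "$tmp/snmpd.conf" "$tmp/snmpd" || echo "audit reported a finding"
```

Called with no arguments, snmpd_audit reads /etc/snmp/snmpd.conf and /etc/default/snmpd, the paths named in the steps.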

...

Please note that it is advantageous to observe heartbeat events coming from the agents to the SIEM. This is a better indication that the agents are alive and sending logs, and it is easily configured on the Heartbeat & Agent Logging page of the agent. If you are getting events in real time, then the agents are working. You should be able to generate reports in your SIEM or Snare Central Server that show whether the agents have stopped sending events. The Snare Central Server reports agents that have stopped sending events on the Health Checker page.

...