Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »


SUMMARY

Nov 30, 2015

For the Snare Server SNMP is installed but not on by default as enabling any service by default, that is not specifically required by the user, can be considered a security risk. To enable SNMP if required, perform the following from the Snare Server console or on a Snare Central ssh session:

  • Change the configuration in /etc/snmp/snmpd.conf and enable snmpd. Change the contact and community strings as needed.

  • By default, the SNMP daemon will ONLY listen on the local loopback interface. To allow the daemon to respond to requests from other clients on the network, the agentAddress line should be modified. By default, it should have the following content:

    • agentAddress udp:127.0.0.1:161

    • In order to allow the snmpd daemon to listen on all network interfaces, modify the line as follows:

      • udp:161

  • Update the setting in /etc/default/snmpd and remove the 127.0.0.1 from the SNMPDOPTS parameter

  • Update the section to allow the SNMP process to run. Change the SNMPDRUN=no to yes

    1. # snmpd control (yes means start daemon).

    2. SNMPDRUN=yes

  • Restart the snmpd services /etc/init.d/snmpd restart . The snmp daemon should now be running and visible from the process list, using the command ps -aux |grep snmpd

  • Test it and run the following from the Snare Server shell prompt snmpwalk -c -v2c  - it should respond and show some details.

  • If you have the Snare firewall enabled then you will need to update the ufw firewall rules to allow UDP 161 in. Edit the /data/Snare/Supporting/configure-firewall.sh script to add in your rule for udp 161 as it only currently allows snmp traps on port 162. As of Snare Server patch 7.1.1 there is a new firewall management capability in the Snare Server Configuration Wizard.

NOTE: The Snare Enteprise Agents do not have any SNMP capability at present. If it is required to monitor the agent service on Windows servers then poll the SNMP status of services on the Windows server, as that will show that the agent is running but it will not show the status of sending events. Consult the Windows documentation on the SNMP mibs for polling a Windows Server. If you have your own SNMP software installed then it should show as part of that.

Please note it is advantageous to observe heartbeat events coming from the agents to the SIEM. This is a better indication that the agents are alive and sending logs. This is easily configured on the Heartbeat & Agent Logging page of the agent. If you are getting events real time then the agents are working. You should be able to generate some reports in your SIEM or Snare Server that will show if the agents have stopped sending events. The Snare Server will report agents that have stopped sending events on the Health Checker page.

MIBs that facilitate monitoring functions such as disk space, and uptime, are not included by default with the Snare Central server due to restrictive redistribution licensing conditions on the individual MIB files. IETF and IANA licenses do allow individuals and organisations to download and use the MIBS however, and the Snare Central server contains a script to download the MIB files, if your Snare Central server has a direct connection to the Internet.

In order to download the MIB files:

  • SSH into the Snare Central server, and log in as the ‘snare’ user account.

  • Exit the default administration menu to the shell, and run the following command:

    • sudo /usr/bin/snmp-mibs-downloader

  • Enter the snare user password when prompted.

  • Once the download is complete, please restart the snmp daemon once more:

    • service snmpd restart or

    • /etc/init.d/snmpd restart

  • No labels