Enabling SNMP on the Snare Central Server
SUMMARY
April, 2021
On the Snare Central Server, SNMP is installed but not enabled by default, since enabling any service that the user does not specifically require can be considered a security risk. To enable SNMP if required, perform the following from the Snare Central Server console or from a Snare Central SSH session:
Edit the configuration in /etc/snmp/snmpd.conf to enable snmpd, changing the contact and community strings as needed.
By default, the SNMP daemon will ONLY listen on the local loopback interface. To allow the daemon to respond to requests from other clients on the network, the agentAddress line should be modified. By default, it should have the following content:
agentAddress udp:127.0.0.1:161
To allow the snmpd daemon to listen on all network interfaces, change the line to the following (i.e. remove 127.0.0.1:):
agentAddress udp:161
Update the setting in /etc/default/snmpd and remove 127.0.0.1 from the SNMPDOPTS parameter. This must be done or you cannot access the SNMP service from the network, as it is currently restricted to the local loopback address.
Update the section that allows the SNMP process to run by changing SNMPDRUN=no to SNMPDRUN=yes:
# snmpd control (yes means start daemon).
SNMPDRUN=yes
Restart the snmpd service with /etc/init.d/snmpd restart. The snmp daemon should now be running and visible in the process list, using the command ps -aux | grep snmpd.
Test it by running the following from the Snare Central Server shell prompt (against the local host, since the command is run on the server itself): snmpwalk -c <SNMP Community string> -v2c localhost. It should respond and show some details.
If you have the Snare firewall enabled then you will need to update the ufw firewall rules to allow UDP 161 in. Edit the /data/Snare/Supporting/configure-firewall.sh script to add your rule for UDP 161, as it currently only allows SNMP traps on port 162. As of Snare Central Server patch 7.1.1, and as part of v8, there is a new firewall management capability in the Snare Central Server Configuration Wizard.
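The following script, an added example and not part of the Snare article or the Snare Central Server software, applies the three configuration edits described above (agentAddress, SNMPDRUN and SNMPDOPTS) to constructed copies of the files in a scratch directory, so the edits can be checked before they are made on a real server. The file paths, sample file contents and function names are assumptions; the default agentAddress value follows the article.

```shell
#!/bin/sh
# Added example (not from the Snare KB article): performs the snmpd.conf and
# /etc/default/snmpd edits on scratch copies, so nothing on a live server
# is touched. Sample contents below are constructed for this demonstration.
set -eu

WORK="$(mktemp -d)"
SNMPD_CONF="$WORK/snmpd.conf"       # stands in for /etc/snmp/snmpd.conf
SNMPD_DEFAULT="$WORK/default-snmpd" # stands in for /etc/default/snmpd

# Constructed sample of the default, loopback-only configuration.
cat > "$SNMPD_CONF" <<'EOF'
agentAddress udp:127.0.0.1:161
rocommunity public default -V systemonly
sysContact Me <me@example.org>
EOF
cat > "$SNMPD_DEFAULT" <<'EOF'
# snmpd control (yes means start daemon).
SNMPDRUN=no
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /run/snmpd.pid 127.0.0.1'
EOF

# Rewrite the agentAddress line. $2 defaults to "udp:161" (all interfaces),
# as in the article; passing "udp:<management-IP>:161" instead keeps the
# agent bound to a single interface, which is the narrower exposure.
set_agent_address() {
    sed -i "s|^agentAddress .*|agentAddress ${2:-udp:161}|" "$1"
}

# Turn SNMPDRUN on and drop the trailing 127.0.0.1 from SNMPDOPTS.
enable_snmpd_default() {
    sed -i -e 's/^SNMPDRUN=no/SNMPDRUN=yes/' \
           -e "/^SNMPDOPTS=/s/ 127\.0\.0\.1'/'/" "$1"
}

# Read back the effective values so the result can be verified.
agent_address() { awk '/^agentAddress/ {print $2}' "$1"; }
snmpd_run()     { sed -n 's/^SNMPDRUN=//p' "$1"; }
snmpd_opts()    { sed -n "s/^SNMPDOPTS='\(.*\)'/\1/p" "$1"; }

set_agent_address "$SNMPD_CONF"
enable_snmpd_default "$SNMPD_DEFAULT"
echo "agentAddress: $(agent_address "$SNMPD_CONF")"
echo "SNMPDRUN=$(snmpd_run "$SNMPD_DEFAULT")"
echo "SNMPDOPTS=$(snmpd_opts "$SNMPD_DEFAULT")"
```

Once the same edits have been made to the real files, the snmpwalk check in the step above confirms the daemon answers with the new configuration.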
NOTE: The Snare Enterprise Agents do not have any SNMP capability at present. If you need to monitor the agent service on Windows servers, poll the SNMP status of services on the Windows server; that will show that the agent is running, but it will not show the status of sending events. Consult the Windows documentation on the SNMP MIBs for polling a Windows Server. If you have your own SNMP software installed then it should show as part of that.
Please note that it is advantageous to observe heartbeat events coming from the agents to the SIEM. This is a better indication that the agents are alive and sending logs. It is easily configured on the Heartbeat & Agent Logging page of the agent. If you are receiving events in real time then the agents are working. You should be able to generate reports in your SIEM or Snare Central Server that show whether agents have stopped sending events. The Snare Central Server reports agents that have stopped sending events on the Health Checker page.
MIBs that facilitate monitoring functions such as disk space and uptime are not included by default with the Snare Central Server due to restrictive redistribution licensing conditions on the individual MIB files. IETF and IANA licenses do allow individuals and organisations to download and use the MIBs, however, and the Snare Central Server contains a script to download the MIB files if your Snare Central Server has a direct connection to the Internet.
In order to download the MIB files:
SSH into the Snare Central server, and log in as the ‘snare’ user account.
Exit the default administration menu to the shell, and run the following command:
sudo /usr/bin/snmp-mibs-downloader
Enter the snare user password when prompted.
Once the download is complete, please restart the snmp daemon once more with either of the following:
service snmpd restart
/etc/init.d/snmpd restart