SNMPv3 trap support to snmp_trap input plugin #7294

Merged
merged 7 commits into from
Jun 4, 2020

Conversation

kauppine
Contributor

@kauppine kauppine commented Apr 8, 2020

Extended snmp_trap input plugin to support SNMPv3 user security model in order to receive SNMPv3 traps. For authentication MD5 and SHA1 are supported, and for privacy DES, AES, AES192, AES256, AES192c and AES256c. Unit tests are implemented for all authentication and privacy protocols. The new code is adapted from snmp input plugin.
The gosnmp package claims that AES192, AES256, AES192c and AES256c would also be supported, but I did not verify these.

This should solve issue #6918
Working unit tests have been implemented.

It currently has a test for the no authentication and no privacy case. I was not able to implement tests for authentication and privacy due to issues with sending traps with gosnmp. Those tests are currently commented out. However, I did verify authentication and privacy settings to work in real-life scenarios with MD5/SHA and DES/AES.

Required for all PRs:

  • Signed CLA.
  • Associated README.md updated.
  • Has appropriate unit tests.

@ssoroka ssoroka requested a review from reimda April 8, 2020 15:54
@kauppine
Contributor Author

kauppine commented Apr 11, 2020

I have a pull request to the upstream dependency, which fixes bugs regarding authentication and privacy key generation: gosnmp/gosnmp#224 After it is accepted, the tests regarding AuthNoPriv and AuthPriv scenarios should pass.
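The key generation mentioned in the comment above follows the password-to-key and key-localization steps of RFC 3414, where a trap's keys are localized to the sender's engine ID. As an added example (not code from this PR or from gosnmp), this standard-library program derives the localized authentication key; `authHashes` and `LocalizedKeyHex` are hypothetical names, and the inputs in `main` are the test values from the telegraf.conf and snmptrap command posted later in this thread.

```go
package main
import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"hash"
)

// auth_protocol values this PR supports, mapped to their hash constructors.
var authHashes = map[string]func() hash.Hash{"MD5": md5.New, "SHA": sha1.New}

// passwordToKey is RFC 3414 A.2: hash 1 MiB of the endlessly repeated password.
func passwordToKey(newHash func() hash.Hash, password []byte) []byte {
	h, buf, idx := newHash(), make([]byte, 64), 0
	for n := 0; n < 1<<20; n += len(buf) {
		for i := range buf {
			buf[i] = password[idx%len(password)]
			idx++
		}
		h.Write(buf)
	}
	return h.Sum(nil)
}

// LocalizedKeyHex returns Kul = H(Ku || engineID || Ku) as a hex string.
func LocalizedKeyHex(authProtocol, password, engineIDHex string) (string, error) {
	newHash, ok := authHashes[authProtocol]
	if !ok {
		return "", fmt.Errorf("unsupported auth_protocol %q", authProtocol)
	}
	if len(password) < 8 { // RFC 3414 minimum; also avoids a zero-length modulus
		return "", fmt.Errorf("password shorter than 8 characters")
	}
	engineID, err := hex.DecodeString(engineIDHex)
	if err != nil {
		return "", fmt.Errorf("bad engine ID: %w", err)
	}
	ku := passwordToKey(newHash, []byte(password))
	h := newHash()
	h.Write(ku)
	h.Write(engineID)
	h.Write(ku)
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	fmt.Println(LocalizedKeyHex("SHA", "myauthpass", "00abcdefabcdef00")) // values from this thread
}
```

Sender and receiver must arrive at the same localized key, so a mismatch in password, auth protocol or engine ID on either side makes authentication fail.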

@danielnelson danielnelson added area/snmp feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin labels Apr 15, 2020
… traps. Additionally added support to snmp_trap for AES192, AES192C, AES256 and AES256C with tests.
@kauppine
Contributor Author

My upstream pull request was accepted and I updated the dependency. Now it has sufficient unit tests implemented that pass. I also added support for AES192, AES256, AES192c and AES256c as privacy protocols.

For some reason the check "test-go-1.12" seems to be stuck on GitHub, whereas CircleCI shows it has passed.

@kauppine kauppine marked this pull request as draft April 15, 2020 14:07
@kauppine kauppine marked this pull request as ready for review April 20, 2020 09:02
@kauppine kauppine marked this pull request as draft April 23, 2020 12:13
@reimda
Contributor

reimda commented Apr 23, 2020

Hi kauppine, thanks for your contribution!

I built your branch and tried it with a v3 trap generated by net-snmp's sendtrap command. I haven't been able to get it to work, in fact I'm getting a panic in gosnmp when telegraf receives the trap. Could you take a look?

Here's the snmp_trap input section from my telegraf.conf.

[[inputs.snmp_trap]]
  #service_address = "udp://:162"
  service_address = "udp://:2000"
  ## Security Name.
  sec_name = "mysecname"
  ## Authentication protocol; one of "MD5", "SHA", "SHA224", "SHA256", "SHA384", "SHA512", or "".
  auth_protocol = "SHA"
  ## Authentication password.
  auth_password = "myauthpass"
  ## Security Level; one of "noAuthNoPriv", "authNoPriv", or "authPriv".
  sec_level = "authPriv"
  ## Context Name.
  context_name = "mycontextname"
  ## Privacy protocol used for encrypted messages; one of "DES", "AES", "AES192", "AES192C", "AES256", "AES256C" or "".
  priv_protocol = "AES"
  ## Privacy password used for encrypted messages.
  priv_password = "myprivpass"

Here's the snmptrap command I've been using. It sends to localhost so it needs to be run on the same machine as telegraf.

snmptrap -v3 -e 00abcdefabcdef00 -n mycontextname -l authPriv -u mysecname -a SHA -A myauthpass -x AES -X myprivpass udp:localhost:2000 "" .1.3.6.1.6.3.1.1.5.3.0 0 s "This is a test linkDown trap from v3 authPriv"

Here's the telegraf output including the panic.

2020-04-23T22:16:07Z I! Loaded inputs: snmp_trap
2020-04-23T22:16:07Z I! Loaded aggregators: 
2020-04-23T22:16:07Z I! Loaded processors: 
2020-04-23T22:16:07Z I! Loaded outputs: file
2020-04-23T22:16:07Z I! Tags enabled: 
2020-04-23T22:16:07Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"", Flush Interval:1s
2020-04-23T22:16:07Z I! [inputs.snmp_trap] Listening on udp://:2000
panic: runtime error: slice bounds out of range [58:56]

goroutine 6 [running]:
github.com/soniah/gosnmp.(*UsmSecurityParameters).unmarshal(0xc00047b1e0, 0xc00047b103, 0xc0002fc000, 0xe8, 0x1000, 0x2d, 0xc0004cfe70, 0x3, 0x0)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/v3_usm.go:841 +0x1427
github.com/soniah/gosnmp.(*GoSNMP).unmarshalV3Header(0x428dd20, 0xc0002fc000, 0xe8, 0x1000, 0x1b, 0xc0000f62a0, 0xc0004cfe30, 0x3, 0x0)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/v3.go:401 +0x4c9
github.com/soniah/gosnmp.(*GoSNMP).unmarshalHeader(0x428dd20, 0xc0002fc000, 0xe8, 0x1000, 0xc0000f62a0, 0xc00008ae78, 0x5e5c3d, 0xc00066c088)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/marshal.go:820 +0x5b4
github.com/soniah/gosnmp.(*GoSNMP).UnmarshalTrap(0x428dd20, 0xc0002fc000, 0xe8, 0x1000, 0xe8)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/trap.go:296 +0xa0
github.com/soniah/gosnmp.(*TrapListener).listenUDP(0xc0000ae140, 0xc00080b127, 0x5, 0x0, 0x0)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/trap.go:174 +0x29b
github.com/soniah/gosnmp.(*TrapListener).Listen(0xc0000ae140, 0xc00080b127, 0x5, 0x0, 0x0)
	/home/reim/go/pkg/mod/github.com/soniah/[email protected]/trap.go:277 +0x1c5
github.com/influxdata/telegraf/plugins/inputs/snmp_trap.(*SnmpTrap).Start.func1(0xc0000c0a20, 0xc00080b127, 0x5)
	/home/reim/go/src/github.com/kauppine/telegraf/plugins/inputs/snmp_trap/snmp_trap.go:247 +0x46
created by github.com/influxdata/telegraf/plugins/inputs/snmp_trap.(*SnmpTrap).Start
	/home/reim/go/src/github.com/kauppine/telegraf/plugins/inputs/snmp_trap/snmp_trap.go:246 +0x55b

I think the trap is sent correctly because I can configure wireshark with the auth and priv info and it decrypts the packet as expected.

@kauppine
Contributor Author

Hi @reimda
I took a look into it and the issue was resolved by updating the upstream dependency. However, it seems that the dependency reverted SHA2 support so I had to remove it from this plugin also.

@kauppine kauppine marked this pull request as ready for review April 24, 2020 05:53
@reimda
Contributor

reimda commented Apr 24, 2020

Thanks for looking into the panic. With the newer upstream version I was able to get the snmptrap command from my last comment to work. I did also have to add version = "3" to my telegraf.conf.

Were you planning to work with gosnmp upstream to get SHA2 support added back before we move forward with this PR? I would guess SHA2 auth is a must have for many v3 trap users since MD5 and SHA1 have known weaknesses.

@kauppine
Contributor Author

Sorry for the late reply, @reimda. I have monitored the SHA2 development in the gosnmp package. However, there still seem to be some unresolved issues regarding SNMPv3 traps.
Therefore, in my opinion the SNMPv3 traps should be included in Telegraf without SHA2 support for now, as it should be easy to add if the issues in the upstream branch are fixed.

@sjwang90 sjwang90 added this to the 1.15.0 milestone May 29, 2020
@reimda reimda merged commit 36316ee into influxdata:master Jun 4, 2020
@reimda
Contributor

reimda commented Jun 4, 2020

Thanks @kauppine!

jaecktec pushed a commit to jaecktec/telegraf that referenced this pull request Jun 8, 2020
Extend snmp_trap input plugin to support SNMPv3 traps. MD5 and SHA1 authentication protocols are supported, and DES, AES, AES192, AES256, AES192c and AES256c privacy protocols are supported.
@reimda reimda linked an issue Jun 8, 2020 that may be closed by this pull request
rhajek pushed a commit to bonitoo-io/telegraf that referenced this pull request Jul 13, 2020
Extend snmp_trap input plugin to support SNMPv3 traps. MD5 and SHA1 authentication protocols are supported, and DES, AES, AES192, AES256, AES192c and AES256c privacy protocols are supported.
idohalevi pushed a commit to idohalevi/telegraf that referenced this pull request Sep 29, 2020
Extend snmp_trap input plugin to support SNMPv3 traps. MD5 and SHA1 authentication protocols are supported, and DES, AES, AES192, AES256, AES192c and AES256c privacy protocols are supported.
arstercz pushed a commit to arstercz/telegraf that referenced this pull request Mar 5, 2023
Extend snmp_trap input plugin to support SNMPv3 traps. MD5 and SHA1 authentication protocols are supported, and DES, AES, AES192, AES256, AES192c and AES256c privacy protocols are supported.
Development

Successfully merging this pull request may close these issues.

Implement SNMP traps version 3