Authenticate your SNMP Traps

Thanks to a user request, we just released a new build of Unbrowse SNMP with some advanced SNMPv3 features. Now, you can –

  • Run an authentication check on all SNMPv3 traps
  • Work as a “normal” trap receiver (see end of post)

Why authenticate?

Out of the box, Unbrowse SNMP will show you all traps that fly past it. It does not care if the traps are "real" or "forged". This allows you to see all trap activity on the network. While this behavior is what you want in a large number of cases, sometimes you want each trap flagged as authentic or not, so that a forged trap (anyone who can send UDP to your management station can emit one) does not get mistaken for a real event.

trapauth.jpg

Yellow – Not authenticated (you must enter the required passphrases for the agent + username)

Green – Authenticated OK

Red – Authentication FAIL (the signatures don't match; the details window shows more about the mismatch)

The auth check is not run for noAuthNoPriv and SNMPv1/v2c traps. An SNMPv1/v2c trap carries only a community string and a noAuthNoPriv SNMPv3 trap carries no authentication parameters, so there is nothing to verify.

How it works

When the authentication check is turned on, an HMAC is computed over each received trap exactly as the sending agent would have computed it: the 12-octet msgAuthenticationParameters field is zeroed, the whole message is run through HMAC-MD5 or HMAC-SHA (whichever authentication protocol is configured for that user) with the key localized for the sending engine, and the result is truncated to 12 octets (RFC 3414). If the computed value matches the one carried in the trap, we declare the trap authenticated. Any change to the message after it was signed, or a trap sent by someone who does not hold the passphrase, produces a different value.
 

Using the feature

  • First enable this feature via Tools->Customize->Authenticate Incoming Traps.
  • Enter the agent information (IP address, user name, auth protocol, and auth password) using Agents->Manage
  • Run the trap receiver as usual. Unbrowse will now run an auth check for all agents + users for which it has the required passphrases available.

For advanced users

A major part of running the authentication check is the key localization algorithm (RFC 3414). This converts a passphrase into a key that is unique for every engine ID: the passphrase is first stretched by hashing it repeated out to 1 MiB, and the result is then hashed together with the engine ID. The stretching step is the slow part. You can speed things up by having Unbrowse SNMP store and use the localized key instead of the passphrase.

To do this :

  • Open the Agent Manager via Agent->Manage
  • Enter name, address, and select SNMPv3
  • Enter the User Name, select auth protocol, and enter the auth password
  • Now click on Advanced
  • Uncheck the Discover Engine ID box and click Discover Now!

Unbrowse will discover the engine ID and localize the password for that agent. See screenshot.

lockey.jpg

Now, continue to use the Trap Receiver as usual.
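Here is the whole check carried through in Python, as an added example that is not Unbrowse SNMP's own code: the RFC 3414 passphrase-to-key stretch and per-engine localization described under "For advanced users", then the HMAC-96 verification described under "How it works", with a cache of localized keys standing in for the "use the key instead of the passphrase" shortcut. The engine ID and passphrase are the RFC 3414 A.3 test vectors; the trap bytes and user name are constructed for the example, and a real receiver would take the offset of msgAuthenticationParameters from its BER parser rather than knowing it in advance.

```python
"""SNMPv3 USM authentication check (RFC 3414): passphrase -> Ku,
key localization -> Kul, HMAC-96 verification of a received trap.
Added example, not Unbrowse SNMP code."""
import hashlib
import hmac

# RFC 3414 authentication protocols: (hash function, truncated MAC length)
AUTH_PROTOCOLS = {
    "MD5": (hashlib.md5, 12),   # usmHMACMD5AuthProtocol (HMAC-MD5-96)
    "SHA": (hashlib.sha1, 12),  # usmHMACSHAAuthProtocol (HMAC-SHA-96)
}
ONE_MIB = 1048576
ENGINE_ID = bytes(11) + b"\x02"  # snmpEngineID used in RFC 3414 A.3


def password_to_key(passphrase: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1 MiB (Ku).
    This stretching step is the expensive part of the whole check."""
    hashfn, _ = AUTH_PROTOCOLS[proto]
    stretched = (passphrase * (ONE_MIB // len(passphrase) + 1))[:ONE_MIB]
    return hashfn(stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), unique per engine."""
    hashfn, _ = AUTH_PROTOCOLS[proto]
    return hashfn(ku + engine_id + ku).digest()


def compute_mac(message: bytes, params_offset: int, kul: bytes, proto: str) -> bytes:
    """HMAC over the whole wire message with the 12-octet
    msgAuthenticationParameters field zeroed (RFC 3414 6.3 / 7.3)."""
    hashfn, mac_len = AUTH_PROTOCOLS[proto]
    zeroed = message[:params_offset] + bytes(mac_len) + message[params_offset + mac_len:]
    return hmac.new(kul, zeroed, hashfn).digest()[:mac_len]


def sign_message(template: bytes, params_offset: int, kul: bytes, proto: str) -> bytes:
    """What the sending agent does: fill the zeroed field with the MAC."""
    mac = compute_mac(template, params_offset, kul, proto)
    return template[:params_offset] + mac + template[params_offset + len(mac):]


class TrapAuthenticator:
    """Mirrors the three colours: unknown (yellow), ok (green), fail (red)."""

    def __init__(self):
        self._agents = {}     # (engine_id, username) -> (proto, passphrase)
        self._key_cache = {}  # (engine_id, username) -> Kul, derived once

    def add_agent(self, engine_id, username, proto, passphrase):
        self._agents[(engine_id, username)] = (proto, passphrase)
        self._key_cache.pop((engine_id, username), None)

    def localized_key(self, engine_id, username):
        key = (engine_id, username)
        if key not in self._key_cache:  # the slow 1 MiB hash runs only here
            proto, passphrase = self._agents[key]
            ku = password_to_key(passphrase, proto)
            self._key_cache[key] = localize_key(ku, engine_id, proto)
        return self._key_cache[key]

    def check(self, message, params_offset, engine_id, username):
        if (engine_id, username) not in self._agents:
            return "unknown"  # no passphrase on file for this agent + user
        proto, _ = self._agents[(engine_id, username)]
        kul = self.localized_key(engine_id, username)
        expected = compute_mac(message, params_offset, kul, proto)
        received = message[params_offset:params_offset + len(expected)]
        # constant-time comparison; a forged or altered trap fails here
        return "ok" if hmac.compare_digest(expected, received) else "fail"


def build_sample_trap(engine_id, username, kul, proto):
    """Constructed stand-in for a BER-encoded SNMPv3 trap (not valid BER).
    Only the position of the authentication field matters for the HMAC."""
    head = b"\x02\x01\x03" + engine_id + username        # version, engine, user
    tail = b"\x04\x00" + b"ciscoConfigManEvent"          # stands in for the scoped PDU
    params_offset = len(head)
    template = head + bytes(12) + tail
    return sign_message(template, params_offset, kul, proto), params_offset


def demo():
    auth = TrapAuthenticator()
    auth.add_agent(ENGINE_ID, b"traps", "SHA", b"maplesyrup")
    kul = auth.localized_key(ENGINE_ID, b"traps")           # the agent holds the same Kul
    trap, off = build_sample_trap(ENGINE_ID, b"traps", kul, "SHA")
    good = auth.check(trap, off, ENGINE_ID, b"traps")        # green
    forged = trap[:-1] + bytes([trap[-1] ^ 0x01])            # one bit changed after signing
    bad = auth.check(forged, off, ENGINE_ID, b"traps")       # red
    unknown = auth.check(trap, off, ENGINE_ID, b"nobody")    # yellow
    return good, bad, unknown


if __name__ == "__main__":
    print(demo())
```

The localized key is what the "Discover Now!" step above stores: once it is cached, checking a trap costs one HMAC over the message instead of a 1 MiB hash per agent.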

Operate as a normal trap receiver

First – a secret! Unbrowse is fundamentally different from other trap receivers out there: it doesn't actually listen for traps on a specific UDP port. It is designed to work as a Zero Configuration Passive Trap Receiver, picking trap packets off the wire as they go by. What that means is that you can stick Unbrowse SNMP in front of a troublesome router or management station and immediately start seeing traps. No messy addition of trap targets. All vendors, all boxes are supported right out of the box. You can watch traps on many UDP ports (not just one). It makes it very easy for a network admin to plug in and plug out with ease and safety.

The downside is that if you are using Unbrowse as your primary trap receiver, the sending agent may get an ICMP Destination Unreachable / Port Unreachable packet back from the Unbrowse host. This is because no socket is bound to the standard SNMP trap port, UDP 162, even though the trap itself has already been captured.

We had a user request this feature earlier (how can we see loopback traps?). So, we have added an option that makes Unbrowse SNMP listen to a UDP port, like all the rest.

To use this :

1. Go to Tools – Customize – Advanced – Trap Console

2. Select “Normal UDP Socket” as the Preferred Provider

If you want to change the default port 162, edit the TBCFG.xml file in %APPDATA%/Unbrowse/Cfg folder.

These are FREE FEATURES (that's right!). Download your copy of Unbrowse SNMP today.

 

[tags] SNMP traps, SNMPv3 trap receiver, Unbrowse SNMP, authentication [/tags]

Cisco MIBs updated

We recently updated the Cisco MIB package ZIP file for Unbrowse SNMP. You can download it for free here. (28.9 MB). The new MIB package contains all the latest MIBs released by Cisco on their public website.  This package contains 1024 MIB Modules, and over 68,000 unique objects.

In only two steps you can get Unbrowse SNMP completely up to speed on every model of Cisco network equipment.

Step 1 : Download the MIB Package from here. It is a 28.9MB download and requires about 200MB of free hard drive space.

Step 2 : Select “Repository -> Import MIB Package” from the Unbrowse SNMP main menu. Choose the downloaded package file (named AllCisco.zip). Click OK. Wait for about 6-7 minutes for it to install.

That's it! Now you don't have to worry about missing MIBs or OIDs for any Cisco equipment.

Why must I install these MIBs?

If you are using Unbrowse SNMP without installing any MIBs, then you can still access all its functionality such as the trap receiver, MIB walker, etc. The only problem is you will see OIDs (numbers like .1.3.6.1.4 or enterprises.cisco.1.45) instead of names.

An SNMP tool is only as smart as the MIBs you install into it and how up-to-date they are.

 

Before adding MIBs

Let's see how the passive SNMP Trap Receiver behaves without adding any MIBs beyond those that ship with Unbrowse SNMP.

Click on the thumbnail for the screenshot.

beforemibadd.JPG

Image : Trap Receiver without the required Cisco MIBs

You can see that the trap names are shown as “enterprises.9.9.43.2.0.1”. You can also see that the enumerations and other variables are also not interpreted.

After adding MIBs

If you add in the Cisco MIBs using the package or by compiling them individually, you will get an enhanced trap receiver functionality.

Click on the thumbnail for the screenshot.

aftermibadd.JPG

Now, you can see that the traps are labelled accurately as “ciscoConfigManEvent” and the variables and enumerations are also described clearly as “(1) commandLine” etc.

PS: We also have MIB Packages for other popular vendors such as Juniper Networks, Motorola Canopy Wireless, and more. Please check our main MIB Packages page for more.

[tags] Cisco MIBs, SNMP MIB Packages, SNMP Trap Receiver, Unbrowse SNMP [/tags]

 

NSM tip : Watch out for the quiet ones

Thanks to Richard Bejtlich of Tao Security, I came across the LBL-ICSI Enterprise Tracing project.

 mask.jpg

One of the key features of the upcoming Unsniff 1.5 release is a real-time, completely customizable traffic dashboard. We will run the LBL traces through Unsniff and post the results on this blog shortly. The first one should appear soon.

Meanwhile, here is something I learned working with some live data at a client's site recently.

Top-Chatters or Top-Sulkers ?

The Unsniff beta build (1.5) we are using at the site has a Top-N feature for a whole set of statistics (IPs, MACs, conversations, protocols, subnets, interfaces, etc.). This is a fairly common feature in many tools. We ran Top-N for a while on one of their key entry points. It was fine and produced great results from a traffic-analysis point of view. Day in and day out, these Top-N lists feature the same hosts/subnets at the same time of day.

From a Network Security Monitoring (NSM) angle, this kind of data invariably features entities that already have a high trust level. Most Top-N analyses are soon taken over by the "usual guys" like Exchange, company video streaming, training, VoIP and so forth.

I really think we need a Bottom-N or "Top-Sulkers" analysis to complement the Top-N approach. To repeat a cliché, it is always the quiet ones who do the damage. A host that sends just one packet has usually gone to some effort to do so. Snort may miss these because the individual packets are not suspicious in themselves.

Specifically, we want to focus on the following.

1. Mr Mix-A-Lot : Talks to a lot of hosts, but says very little to each host.

2. Mr Mono-Syllable : Displays normal behavior, but occasionally blurts out single words to complete strangers. (The single-packet case – Snort might catch it)

3. Mr Scratchy-Record : Normal on the outside, but repeats the same message at regular intervals. (Beacons, heartbeats, keepalives)

4. Ms Shy : Shows a lot of interest in talking, but stops when the other side shows interest. (Lots of connection attempts, but nothing is said)

5. Ms Language expert : Tries to talk a lot of languages, but rarely says much in any of them. (Tries lot of ports, but not much traffic)

Guess what, a pure Top-N approach is going to miss all of the above cases.
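As an added example (not Unsniff code), here are the five profiles above written as detection logic over a handful of constructed flow records: each source host's flows are grouped by peer and by destination port, a conventional Top-N by bytes is computed for comparison, and each host gets whichever labels it earns. The flow records, host addresses and thresholds are all assumptions made up for the sample; on real traffic the thresholds would need tuning.

```python
"""Top-Sulkers: flag the quiet hosts a Top-N by volume never shows.
Added example, not Unsniff code; records and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float      # start time, seconds
    src: str
    dst: str
    dport: int
    pkts: int
    payload: int   # payload bytes carried; 0 for a bare connection attempt


# Thresholds (assumptions chosen for the sample data)
MIXER_MIN_PEERS = 10              # Mix-A-Lot: at least this many peers ...
MIXER_MAX_PAYLOAD_PER_PEER = 200  # ... with at most this much said to any one
BEACON_MIN_FLOWS = 4              # Scratchy-Record: repetitions needed ...
BEACON_MAX_JITTER = 0.10          # ... every gap within 10% of the median gap
SHY_MIN_ATTEMPTS = 10             # Shy: attempts at one dst:port, never any payload
SCAN_MIN_PORTS = 20               # Language Expert: distinct ports on one host ...
SCAN_MAX_PAYLOAD_PER_PORT = 100   # ... with little said on any of them


def is_beacon(timestamps):
    """True when the gaps between repetitions are (nearly) constant."""
    if len(timestamps) < BEACON_MIN_FLOWS:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = median(gaps)
    return m > 0 and all(abs(g - m) <= BEACON_MAX_JITTER * m for g in gaps)


def classify(flows):
    """Labels earned by one source host from its outbound flows."""
    labels = set()
    by_peer, by_channel = defaultdict(list), defaultdict(list)
    for f in flows:
        by_peer[f.dst].append(f)
        by_channel[(f.dst, f.dport)].append(f)
    # 1. Mr Mix-A-Lot: many peers, very little said to each
    if (len(by_peer) >= MIXER_MIN_PEERS and
            max(sum(f.payload for f in fs) for fs in by_peer.values()) <= MIXER_MAX_PAYLOAD_PER_PEER):
        labels.add("mix-a-lot")
    # 2. Mr Mono-Syllable: one packet with payload to a peer seen exactly once
    if any(len(fs) == 1 and fs[0].pkts == 1 and fs[0].payload > 0 for fs in by_peer.values()):
        labels.add("mono-syllable")
    for fs in by_channel.values():
        # 3. Mr Scratchy-Record: the same dst:port at regular intervals
        if is_beacon([f.ts for f in fs]):
            labels.add("scratchy-record")
        # 4. Ms Shy: keeps knocking on one dst:port and never says anything
        if len(fs) >= SHY_MIN_ATTEMPTS and all(f.payload == 0 for f in fs):
            labels.add("shy")
    # 5. Ms Language Expert: many ports on one host, little said on any
    for fs in by_peer.values():
        ports = {f.dport for f in fs}
        if len(ports) >= SCAN_MIN_PORTS and sum(f.payload for f in fs) / len(ports) <= SCAN_MAX_PAYLOAD_PER_PORT:
            labels.add("language-expert")
    return labels


def profile_hosts(flows):
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: classify(fs) for src, fs in by_src.items()}


def top_talkers(flows, n):
    """The conventional Top-N by bytes, for comparison."""
    total = defaultdict(int)
    for f in flows:
        total[f.src] += f.payload
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def _flows(src, dst, dport, tss, pkts, payload):
    return [Flow(t, src, dst, dport, pkts, payload) for t in tss]


# Constructed sample: one loud, boring host plus one host per profile
SAMPLE_FLOWS = (
    _flows("10.0.0.2", "10.0.1.10", 443, [5, 900, 1800], 5000, 6_000_000)       # the usual Top-N guy
    + _flows("10.0.0.2", "10.0.1.11", 25, [100, 700], 40, 20_000)
    + [Flow(10 + i, "10.0.0.5", f"10.0.1.{100 + i}", 80, 2, 40) for i in range(12)]  # Mix-A-Lot
    + _flows("10.0.0.6", "10.0.1.10", 443, [0, 50, 130, 140, 300, 420], 30, 4000)     # Mono-Syllable...
    + _flows("10.0.0.6", "203.0.113.7", 53, [222], 1, 60)                             # ...one word to a stranger
    + _flows("10.0.0.7", "198.51.100.9", 443, [10, 310, 610, 910, 1210, 1510], 6, 512)  # Scratchy-Record
    + _flows("10.0.0.7", "10.0.1.10", 443, [33], 20, 3000)
    + _flows("10.0.0.8", "10.0.1.20", 445, [0, 7, 15, 20, 31, 44, 50, 59, 70, 77, 85, 99], 1, 0)  # Shy
    + [Flow(0.5 * p, "10.0.0.9", "10.0.1.30", p, 1, 0) for p in range(1, 25)]          # Language Expert
)

if __name__ == "__main__":
    print("Top talker:", top_talkers(SAMPLE_FLOWS, 1))
    for host, labels in sorted(profile_hosts(SAMPLE_FLOWS).items()):
        print(host, sorted(labels) or "-")
```

Run on the sample, Top-N returns only 10.0.0.2, which earns no label at all, while every one of the five quiet hosts is flagged; the beacon check works on inter-arrival jitter rather than packet content, which is exactly what a content-based signature engine does not look at.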

Expect a Top-Sulkers feature in Unsniff 1.5. If you would like to participate in a beta, please send email via the Contact page.