View Source

Proof of Concept

Instead of using canned SSH-based probes for UNIX, we are using SNMP against unix boxes. We do this by simply replacing the SSH probes with equivalent SNMP probes which SNMP GET information from extended MIB objects which we apply to all machines we plan to instrument.

Since we have to touch all boxes anyway (even in "agentless" SSH probe mode), there is little or no opportunity cost to picking SNMP aside from the need to port the probes. But that cost is balanced by certain advantages:

SNMP doesn't require us to open up shell access to a broad population of machines
SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)

Linux

On Linux/net-snmp 5 here's one way to do extensions (there are several).

Use "exec" to add an extension to snmpd.conf
exec echotest /bin/cat /etc/motd

Restart snmpd and do a GET against a view which can see the extended MIBs

snmpget -v2c localhost -c public 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."echotest"'

...we may want to use SNMPv3, but the general idea is clear... we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale) we should be able to leverage SNMP for UNIX discovery instrumentation.

Rewiring of Discovery

make sure SSH discovery doesn't happen
- no credentials
- configure the behavior of the MID server to skip SSH
Expand the stock Linux classifier for SNMP so that it runs additional Explore-phase probes

Write SNMP Hooks & Custom MIB

scripts to call from net-snmp extend directives. Put logic in these as opposed to SN... hides information, gives the discovery targets maximum control over the process.
custom MIB will aid in probe & sensor clarity

Probe Replacement

There are a couple of steps:

create a probe that gets the desires SNMP object(s)
add that probe to the "Triggers Probes" section of the Linux SNMP classifier
write a replacement sensor (next section)

Sensor Replacement

replace the sensor
You can probably do this with XML field mapping as well, but here is a very simple scripted sensor that works from an SNMP probe payload:

/*
 * sensor for SNMP Distribution discovery (Yale SNMP Discovery)
 * 
 * william.west@yale.edu
 */

new DiscoverySensor({
    process: function() {
        //
        // XML should be in var payload (a global)
        var element = XMLUtil.getText(payload, '//unk_111');
        var rows = element.split('\n'); //expecting multiple lines

        current.os         = rows[0];
        current.os_version = rows[1];
    },
        
    type: 'DiscoverySensor'
});

list the new sensor in the "Sensors" section of the appropriate probe record

Identifying Which Probes/Sensors to Replace

The most complete approach here is:

narrow down the sensors to those that apply to our asset types
look at which ci_ tables are being edited by those and combine sensors with the same function
generate a list of probes from those sensors
generate a list of data needed by SNMP
find out what standard MIBs provide the data
generate a list of needed extensions for data not covered above