Hi Intermapper experts

I'm having an issue with a custom trap probe I've written to receive
some rather large alert messages from a Fortinet FortiAnalyzer.

I think it may be something internal to Intermapper (maybe inadvertent
string termination or a message size limit), as the message is arriving at
the server fine (observed in tcpdump) but the probe output is always
chomped at the same location.

Here is the tcpdump of a typical message:

    13:04:51.406398 IP (tos 0x0, ttl  62, id 51862, offset 0, flags
    [DF], proto: UDP (17), length: 978)
    hostname.nms.griffith.edu.au.40328 >
    server.griffith.edu.au.snmptrap: [udp sum ok]  { SNMPv1 C=community
    { Trap(932)  E:12356.20001 132.***.***.*** enterpriseSpecific s=1001
    200952163 E:12356.1.2="FLG-2K3F08000343"
    E:12356.20.1="^M^J====Alert====^M^JFrom:
    FortiAnalyzer-2000A(FLG-2K3F08000343)^M^JTrigger Name:
    Border-portscan-alert ^M^JLog type: attack log^M^JAlert Severity:
    High^M^JTriggered Threshold: More than 1 event occured in the last
    0.5 hour.^M^JSource Device:
    hostname_FG3K8A3408600260[Hostname:hostname.gw.griffith.edu.au
    SN:FG3K8A340860**** IP:132.***.***.***]^M^JLast Raw Message:
    ^M^Jitime=1231815890 date=2009-01-13 time=13:04:50 devname=hostname
    device_id=FG3K8A34086***** log_id=0420073001 type=ips
    subtype=anomaly pri=alert vd=WANBBONE294 serial=-671056004
    attack_id=100663398 severity=critical src=***.***.***.***
    dst=***.***.***.*** src_port=1419 dst_port=80 src_int="" dst_int=""
    status=clear_session proto=6 service=http user=N/A group=N/A
    ref="http://www.fortinet.com/ids/VID100663398"; count=357303755
    msg="anomaly: tcp_port_scan, 101 > threshold 100, repeats 4 times"" } }
    ........0........comunity.....
    [email protected]..   
    +.....D....FLG-2K3F080003430..^.    +.....D.....O
    ====Alert====
    From: FortiAnalyzer-2000A(FLG-2K3F08000343)
    Trigger Name: Border-portscan-alert
    Log type: attack log
    Alert Severity: High
    Triggered Threshold: More than 1 event occured in the last 0.5 hour.
    Source Device:
    hostname_FG3K8A3408600260[Hostname:hostname.griffith.edu.au
    SN:FG3K8A3408600**** IP:***.***.***.***]
    Last Raw Message:
    itime=1231815890 date=2009-01-13 time=13:04:50 devname=hostname
    device_id=FG3K8A340860**** log_id=0420073001 type=ips
    subtype=anomaly pri=alert vd=WANBBONE294 serial=-671056004
    attack_id=100663398 severity=critical src=hostname dst=hostname
    src_port=1419 dst_port=80 src_int="" dst_int="" status=clear_session
    proto=6 service=http user=N/A group=N/A
    ref="http://www.fortinet.com/ids/VID100663398"; count=357303755
    msg="anomaly: tcp_port_scan, 101 > threshold 100, repeats 4 times"


Here is the Intermapper event log output:

    01/13 16:49:29  TRAP  g43928ac4-ap-test:***.***.***.***
    SNMPv2-SMI::enterprises.12356.20001 (1001) {
    SNMPv2-SMI::enterprises.12356.1.2 : "FLG-2K3F08000343",
    SNMPv2-SMI::enterprises.12356.20.1 : "
    ====Alert====
    From: FortiAnalyzer-2000A(FLG-2K3F08000343)
    Trigger Name: Border-portscan-alert
    Log type: attack log
    Alert Severity: High
    Triggered Threshold: More than 1 event occured in the last 0.5 hour.
    Source Device:
    hostname_FG3K8A3408600260[Hostname:hostname.griffith.edu.au
    SN:FG3K8A3408600*** IP:***.***.***.***]
    Last Raw Message:
    itime=1231829367 date=2009-01-13 time=16:49:27 devname=hostname
    device_id=FG3K8A3408600260 log_id=0420073001 type=ips
    subtype=anomaly pri=alert vd=WANBBONE294 serial=-634867951
    attack_id=100663398 severity=critical src=***.***.***.***
    dst=***.***.***.*** src_port=3164 dst_port=80 src_int="" dst_int=""
    status=clear_session proto=6 service=http user=N/A group=N/A
    ref="http://www.fortinet.com/ids/VID100663398"; count=986838335
    msg="anomaly: tcp_port_scan, 101 > threshold 100, repeats 445 times"" }
    01/13 16:49:29  ntfy  Sent command line notification to "Trap
    Notifier" for "TRAP: ***.***.***.***".


This is the probe I've written to get the message:

    <header>
            type                    =       "custom-snmp-trap"
            package                 =       "com.griffith"
            probe_name              =       "snmp-trap"
            human_name              =       "SNMP - Trap"
            version                 =       "1.1"
            address_type            =       "IP,AT"
            port_number             =       "162"
            <!--flags                       =       "SNMPv2c"-->
    </header>


    <description>

    \GB\SNMP - Trap Only\P\

    </description>

    <parameters>
    </parameters>

    <snmp-device-variables>
            -- MIB Variable --      --- OID ---                     --- TYPE ---    --- LEGEND ---
            message,                1.3.6.1.4.1.12356.20.1,         TRAPVARIABLE,   "Message"
    </snmp-device-variables>

    <snmp-device-thresholds>
    </snmp-device-thresholds>

    <snmp-device-display>
            \B5\Trap Event\0P\
            Message: ${message}
            \P\

    </snmp-device-display>


This should work, but I'm left with:

    Message:

    ====Alert====
    From: FortiAnalyzer-2000A(FLG-2K3F08000343)

    Trigger Name: Border-portscan-alert

    Log type: attack log

    Alert Severity: High

    Triggered Threshold: More than 1 event occured in the last 0.5 hour.

    Source Device: hostname_FG3K8A34086****


What I really need is the src and dst addresses, the threshold and the
repeat counts, which have been chomped.

If I add a command line notifier to pipe this to a file, I get the same
output in the log file.

Any ideas?

Thanks in advance
Dale

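An added example, not from the post above or from Intermapper itself, of parsing the FortiAnalyzer alert format shown in the trap and flagging a message that arrived chomped before the raw log section; the sample alert is constructed, with placeholder addresses, hostnames and serial numbers in place of the poster's values:

```python
import re

# Constructed sample modelled on the alert quoted in the post; addresses,
# hostnames and serials are placeholders, not the poster's real values.
FULL_ALERT = (
    "\r\n====Alert====\r\nFrom: FortiAnalyzer-2000A(FLG-XXXXXXXXXXXX)\r\n"
    "Trigger Name: Border-portscan-alert \r\nLog type: attack log\r\n"
    "Alert Severity: High\r\n"
    "Triggered Threshold: More than 1 event occured in the last 0.5 hour.\r\n"
    "Source Device: fw_FGXXXX[Hostname:fw.example.net SN:FGXXXX IP:192.0.2.1]\r\n"
    "Last Raw Message:\r\nitime=1231815890 date=2009-01-13 time=13:04:50 "
    "devname=fw device_id=FGXXXX log_id=0420073001 type=ips subtype=anomaly "
    "pri=alert serial=-671056004 attack_id=100663398 severity=critical "
    'src=198.51.100.7 dst=192.0.2.80 src_port=1419 dst_port=80 src_int="" '
    'dst_int="" status=clear_session proto=6 service=http user=N/A group=N/A '
    'ref="http://www.fortinet.com/ids/VID100663398"; count=357303755 '
    'msg="anomaly: tcp_port_scan, 101 > threshold 100, repeats 4 times"'
)

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The numbers inside msg="anomaly: ..., 101 > threshold 100, repeats 4 times".
MSG_RE = re.compile(r"(\d+) > threshold (\d+), repeats (\d+) times")

def parse_alert(text):
    """Return the fields a notifier needs, plus whether the text looks chomped."""
    head, sep, raw = text.partition("Last Raw Message:")
    fields = {}
    for line in head.splitlines():           # e.g. "Trigger Name: Border-portscan-alert"
        key, colon, value = line.partition(":")
        if colon:
            fields[key.strip()] = value.strip()
    # findall yields (key, quoted, bare) tuples; the unmatched group is ''.
    raw_kv = {k: (q or b) for k, q, b in KV_RE.findall(raw)}
    m = MSG_RE.search(raw_kv.get("msg", ""))
    return {
        "trigger": fields.get("Trigger Name"),
        "severity": fields.get("Alert Severity"),
        "src": raw_kv.get("src"),
        "dst": raw_kv.get("dst"),
        "observed": int(m.group(1)) if m else None,
        "threshold": int(m.group(2)) if m else None,
        "repeats": int(m.group(3)) if m else None,
        # No raw-log section, or no parseable msg, means the varbind was cut short.
        "truncated": not sep or m is None,
    }

def missing_fields(summary):
    """Names of the fields a notifier should refuse to act without."""
    return [k for k in ("src", "dst", "threshold", "repeats") if summary[k] is None]
```

Feeding the chomped text from the post to `parse_alert` reports `truncated` as true with src, dst, threshold and repeats all missing, which is a cheap guard to put in front of any notifier that acts on the trap.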
____________________________________________________________________
List archives: 
http://www.mail-archive.com/intermapper-talk%40list.dartware.com/