Hi,

I'm trying to receive secure SNMP v3 traps with NiFi 2 with no success thus
far. I tried the same with NiFi 1 and there I am able to receive the traps.
It seems that the ListenTrapSNMP processor (nifi-snmp-nar) does not handle
the security levels of SNMP v3 traps properly with NiFi 2.

In NiFi 1.x the processor processes all SNMP v3 traps regardless of
security level which is not the perfect behaviour but could be deemed
somewhat acceptable. Optimally it should only process the traps with the
given security level and settings.

In NiFi 2.x the processor processes only `noAuthNoPriv` traps and other
security levels are not processed at all. This is not acceptable behaviour
as secure traps do not get processed.

NiFi 1.x functionality tested with apache/nifi container tags: 1.23.2,
1.28.1
NiFi 2.x functionality tested with apache/nifi container tags: 2.0.0, 2.2.0

To reproduce:

1. Add ListenTrapSNMP processor (org.apache.nifi - nifi-snmp-nar)
   - Set following properties
     - SNMP Manager Port: 16230
     - SNMP Version: v3
     - SNMP Security Level: authPriv
     - USM Users Source: Json Content
     - USM Users JSON content:

           [
             {
               "securityName": "snmpuser",
               "authProtocol": "SHA",
               "authPassphrase": "authsecret",
               "privProtocol": "AES128",
               "privPassphrase": "privsecret"
             }
           ]

2. Add LogAttribute processor (org.apache.nifi - nifi-standard-nar)
   - Use default properties
   - Set success relationship to terminate
3. Create Connection from ListenTrapSNMP to LogAttribute for all
   relationships
4. Start processors
5. Send two SNMP traps from command line `snmptrap` (net-snmp) using
   commands

       snmptrap -v 3 -n "" \
         -e 0x010203040506070809 \
         -l noAuthNoPriv -u snmpuser \
         localhost:16230 '' \
         .1.3.6.1.2.1.192 \
         .1.3.6.1.2.1.192.1.2.1.11 s "noAuthNoPriv"

       snmptrap -v 3 -n "" \
         -e 0x010203040506070809 \
         -l authPriv -u snmpuser \
         -a SHA -A authsecret \
         -x AES -X privsecret \
         localhost:16230 '' \
         .1.3.6.1.2.1.192 \
         .1.3.6.1.2.1.192.1.2.1.11 s "authPriv"

Expected behaviour:
- First trap contents are not logged as security level does not match
  listener
- Second trap contents are logged as FlowFile Properties and show
    Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
    Value: 'authPriv'

Actual behaviour in NiFi 1.28.1:
- First trap contents are logged as FlowFile Properties and show
    Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
    Value: 'noAuthNoPriv'
- Second trap contents are logged as FlowFile Properties and show
    Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
    Value: 'authPriv'

Actual behaviour in NiFi 2.2.0:
- First trap contents are logged as FlowFile Properties and show
    Key: 'snmp$1.3.6.1.2.1.192.1.2.1.11$4'
    Value: 'noAuthNoPriv'
- Second trap contents are not logged
BR,
O-P Lamminen