main.zeek

SNMP

Enables analysis and logging of SNMP datagrams.

Namespace:: SNMP
Imports:: base/protocols/conn/removal-hooks.zeek

Summary

Redefinable Options

`SNMP::ports`: `set` `&redef`	Well-known ports for SNMP.
`SNMP::version_map`: `table` `&redef` `&default` = `"unknown"`	Maps an SNMP version integer to a human readable string.

Types

SNMP::Info: record

Information tracked per SNMP session.

Redefinitions

`Log::ID`: `enum`	`SNMP::LOG`
`connection`: `record`	New Fields: `connection` snmp: `SNMP::Info` `&optional`

Events

SNMP::log_snmp: event

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks

`SNMP::finalize_snmp`: `Conn::RemovalHook`	SNMP finalization hook.
`SNMP::log_policy`: `Log::PolicyHook`

Detailed Interface

Redefinable Options

SNMP::ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   162/udp,
   161/udp
}

Well-known ports for SNMP.

SNMP::version_map 

Type:

table [count] of string

Attributes:

&redef &default = "unknown"

Default:

{
   [0] = "1",
   [1] = "2c",
   [3] = "3"
}

Maps an SNMP version integer to a human readable string.

Types

SNMP::Info 

Type:

record

Fields:

ts: time &log: Timestamp of first packet belonging to the SNMP session.

uid: string &log: The unique ID for the connection.

id: conn_id &log: The connection’s 5-tuple of addresses/ports (ports inherently include transport protocol information)

duration: interval &log &default = 0 secs &optional: The amount of time between the first packet belonging to the SNMP session and the latest one seen.

version: string &log: The version of SNMP being used.

community: string &log &optional: v1/v2c: The community string (v1/v2c) of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. v3: The username of the first SNMP packet containing a non-zero username. See RFC 1157 (SNMP v1), RFC 1901 (SNMP v2), or RFC 2570 (SNMP v3).

get_requests: count &log &default = 0 &optional: The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.

get_bulk_requests: count &log &default = 0 &optional: The number of variable bindings in GetBulkRequest PDUs seen for the session.

get_responses: count &log &default = 0 &optional: The number of variable bindings in GetResponse/Response PDUs seen for the session.

set_requests: count &log &default = 0 &optional: The number of variable bindings in SetRequest PDUs seen for the session.

display_string: string &log &optional: A system description of the SNMP responder endpoint.

up_since: time &log &optional: The time at which the SNMP responder endpoint claims it’s been up since.

Information tracked per SNMP session.

Events

SNMP::log_snmp 

Type:: event (rec: SNMP::Info)

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks

SNMP::finalize_snmp 

Type:: Conn::RemovalHook

SNMP finalization hook. Remaining SNMP info may get logged when it’s called.

SNMP::log_policy 

Type:: Log::PolicyHook