main.zeek

SNMP

Enables analysis and logging of SNMP datagrams.

Namespace: SNMP
Imports: base/protocols/conn/removal-hooks.zeek

Summary

Redefinable Options

SNMP::version_map: table &redef &default = "unknown"

Maps an SNMP version integer to a human readable string.

Types

SNMP::Info: record

Information tracked per SNMP session.

Redefinitions

`Log::ID`: `enum`	`SNMP::LOG`
`connection`: `record`	New Fields `connection` snmp: `SNMP::Info` `&optional`
`likely_server_ports`: `set` `&redef`

Events

SNMP::log_snmp: event

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks

`SNMP::finalize_snmp`: `Conn::RemovalHook`	SNMP finalization hook.
`SNMP::log_policy`: `Log::PolicyHook`

Detailed Interface

Redefinable Options

SNMP::version_map 

Type

table [count] of string

Attributes

&redef &default = "unknown"

Default

{
   [0] = "1",
   [1] = "2c",
   [3] = "3"
}

Maps an SNMP version integer to a human readable string.

Types

SNMP::Info 

Type

record

ts: time &log: Timestamp of first packet belonging to the SNMP session.
uid: string &log: The unique ID for the connection.
id: conn_id &log: The connection’s 5-tuple of addresses/ports (ports inherently include transport protocol information)
duration: interval &log &default = 0 secs &optional: The amount of time between the first packet belonging to the SNMP session and the latest one seen.
version: string &log: The version of SNMP being used.
community: string &log &optional: The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
get_requests: count &log &default = 0 &optional: The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
get_bulk_requests: count &log &default = 0 &optional: The number of variable bindings in GetBulkRequest PDUs seen for the session.
get_responses: count &log &default = 0 &optional: The number of variable bindings in GetResponse/Response PDUs seen for the session.
set_requests: count &log &default = 0 &optional: The number of variable bindings in SetRequest PDUs seen for the session.
display_string: string &log &optional: A system description of the SNMP responder endpoint.
up_since: time &log &optional: The time at which the SNMP responder endpoint claims it’s been up since.

Information tracked per SNMP session.

Events

SNMP::log_snmp 

Type: event (rec: SNMP::Info)

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks

SNMP::finalize_snmp 

Type: Conn::RemovalHook

SNMP finalization hook. Remaining SNMP info may get logged when it’s called.

SNMP::log_policy 

Type: Log::PolicyHook