Re: Need Help with SNMP

From: Undisclosed (
Date: 07/30/04

Date: Thu, 29 Jul 2004 20:49:52 -0400

Keith A. Lewis wrote:

> Lyndon Bartels <> writes in article <40f44eb5$0$430$> dated Tue, 13 Jul 2004 16:05:57 -0500:
>>I'm looking into using SNMP to monitor my VMS machines.
>>VMS v7.3-1 & later
>>TCPIP 5.3 & later
>>I've managed to start and config the master agent, and the monitor
>>system (OpenNMS) can see information from my machine. So far, so good.
>>Now.. One of my goals is to monitor given process to 1. See if it
>>exists, and 2. What resources it is consuming.
>>I want to write a subagent to do this.
>>But.. I have no experience writing sub-agents.
>>I've been doing a lot of reading of the manuals, and I'm hoping to find
>>some simple examples on creating a simple sub-agent. Just some simple
>>task that I can use to see how everything is done. From how to
>>write/build a sub-agent, to seeing what data it collects (via an
>>snmpwalk), to seeing that data collected/monitored by an Management System.
>>Anybody got some examples they can send me? Or pointers to some? I've
>>been looking on the freeware CDs, and in Sys$examples: (chess seems too
>>big for the beginner.) But I haven't run across anything yet.
> I wrote an agent which does that and more, but I hesitate to share it because
> it seems to develop memory problems after running for a while. I think
> eSNMP is stepping on my DEC C malloc'd structures, which are extensive.
> VMS eSNMP would be a much better product if it came with the source.
> I would recommend looking for a freeware implementation of the eSNMP
> subagent libraries, or if you don't need the MIBs that come with TCPIP for
> OpenVMS, an entire SNMP server.
> FWIW, my information security department has declared the entire SNMP
> *protocol* bad tech. I'm not sure exactly why but from what I know SNMPv1
> is completely insecure and most implemenations would be quite vulnerable to
> DOS attacks.
> If you need snmpwalk for VMS, try CMU's "snmpapps" package. It didn't take
> much to get it to compile on VMS.
> --Keith Lewis klewis {at}
> The above may not (yet) represent the opinions of my employer.

SNMPv3 is fine, from what I hear, but not widely implimented. It's got
adequate cryptographic protections.

SNMPv1 is horribly horribly broken from a security standpoint.. once you
know the "public string" used as the identifier for the device, you have
full access to the SNMP resource.

imagine a wireless access point with a "hidden" non-broadcast SSID that
gave you total control of it once you brute-forced or dictionary
searched for the SSID, and you have an analogous situation.

even worse, many hardware manufacturers have set their product's SNMP
public string to some known value like their company name. So, once you
identify the device, all you have to do is look up the product in a
default password database.