Rewriting values

SNMP Proxy Forwarder can be configured to change the value part of SNMP PDU variable-bindings into something else.

This PDU modification is done by configuring the rewrite.py plugin module to pass command response PDUs through it thus letting the plugin get hold on the response variable-bindings.

You could test this configuration by running:

# this should return modified *sysDescr.0* value
$ snmpget -v1 -c public 127.0.0.1:1161 sysDescr.0

# this should zero out *system* branch values
$ snmpwalk -v1 -c public 127.0.0.1:1161 system

For more information please refer to the rewrite plugin documentation.

Server configuration

Server is configured to:

  • listen on UDP socket at localhost
  • respond to queries performed over SNMPv2c
  • forward all queries to snmpfwd client through an unencrypted trunk connection running in client mode
  • run variable-bindings in response PDU through the “rewrite.py” plugin changing matching variable-bindings
#
# SNMP forwarder: Agent part configuration
#

config-version: 2
program-name: snmpfwd-server

snmp-credentials-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 127.0.0.1:1161

  snmp-engine-id: 0x0102030405070809

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1

  snmp-credentials-id: snmp-credentials
}

context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?

  snmp-context-id: any-context
}

content-group {
  snmp-pdu-type-pattern: .*?
  snmp-pdu-oid-prefix-pattern-list: .*?

  snmp-content-id: any-content
}

peers-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?

  snmp-peer-id: 100
}

plugin-modules-path-list: ./plugins ${plugin-dir}

plugin-group {
  plugin-module: rewrite
  plugin-options: config=${config-dir}/plugins/rewrite.conf

  plugin-id: rewrite-response-values
}

trunking-group {
  trunk-bind-address: 127.0.0.1
  trunk-peer-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: client

  trunk-id: trunk-1
}

routing-map {
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: any-content

  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-peer-id-list: 100

  using-plugin-id-list: rewrite-response-values
  using-trunk-id-list: trunk-1
}

Download server configuration file.

Plugin configuration

The rewrite plugin is configured at the server part to add a note into sysDescr.0 and nullify all values in the “system” branch.

#
# SNMP Proxy Forwarder: rewrite plugin configuration
#

# rewrite sysDescr.0
"^1\.3\.6\.1\.2\.1\.1\.1\.0$" "(.*)" "\\1 (SNMP Proxy is watching you)" 0

# nullify all OIDs in the "system" branch
"^1\.3\.6\.1\.2\.1\.1.*$" ".*" "" 0

Download plugin configuration file.

Client configuration

Client is configured to:

  • listen on server-mode unencrypted trunk connection
  • process all incoming SNMP messages in the same way
  • place inbound PDUs into SNMP v2c messages and forward them to public SNMP agent running at demo.snmplabs.com
#
# SNMP forwarder: Manager part configuration
#

config-version: 2
program-name: snmpfwd-client

peers-group {
  snmp-engine-id: 0x0102030405070809

  snmp-transport-domain: 1.3.6.1.6.1.1.1
  snmp-bind-address: 0.0.0.0:0

  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1

  snmp-peer-address: 104.236.166.95:161
  snmp-peer-id: snmplabs
}

trunking-group {
  trunk-bind-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: server

  trunk-id: <discover>
}

original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?

  orig-snmp-pdu-type-pattern: .*?
  orig-snmp-oid-prefix-pattern: .*?

  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?

  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?

  orig-snmp-security-level-pattern: .*?

  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?

  orig-snmp-peer-id: manager-1
}

server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?

  server-classification-id: any-classification
}

routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: manager-1
  matching-server-classification-id-list: any-classification

  using-snmp-peer-id-list: snmplabs
}

Download client configuration file.