Re: [tkined] trap collection

Juergen Schoenwaelder (schoenw@ibr.cs.tu-bs.de)
Thu, 25 Sep 1997 21:40:35 +0200 (MET DST)

Francois Junique <Francois.Junique@jet.uk> said:

Francois> However our trap collection system was still based on
Francois> a (hacked) version of the cmu trap daemon. It was
Francois> limited and also I don't want to port it to Solaris. I
Francois> am trying to start using the scotty straps/trap-script
Francois> system but I have the following difficulties:

Francois> 1 - Is there any documentation: straps is started
Francois> automatically by the bind in the trap-script and dies
Francois> on the kill of the script. Why is it not a normal
Francois> daemon or an inetd client?

One of the reasons was that it simplifies the installation process.
You don't have to hack rc.local or inetd.conf in order to get it
running. It just starts up when you need it and it goes away if no one
is interested in traps anymore. This was the reasoning at the time it
was written. I am not sure if I would do it that way today.

Francois> 2 - the system seems to hang after a while despite
Francois> both tasks still alive, no traps are reported
Francois> anymore. How to debug?

I would start with strace. If this does not show what is going wrong,
attach your favourite debugger.

Francois> 3 - the script listens only to well defined traps
Francois> (snmp version and community). How do I receive
Francois> everything possible? In particular I do not manage to
Francois> receive traps from my old CMU trap emulator despite
Francois> having set the same community.

Are you really interested in seeing any garbage trap someone sends to
you? I think it is a good thing to restrict the traps you accept.
Regarding the "old CMU trap emulator": make sure your version really
sends SNMPv1 traps. I know that some old versions send traps with
encoding errors that are simply ignored by scotty.

Francois> 4 - what do people use the trap community for, usually?
Francois> We have well defined get and set communities defined
Francois> on our network (not the public default) (as a mild
Francois> protection!). But up to now the trap communities were
Francois> variously set in our devices as we were not seeing their
Francois> purpose. With the more precise scotty system we would
Francois> have to have a more strict approach.

You can and IMHO should use the community string to protect your trap
sink from garbage traps sent by the evil hacker on your network. It is
quite easy to fake trap messages that look as if they are coming from
e.g. one of your core routers. Checking community strings does not
give you real security, but it is definitely better than nothing.

Juergen

-- 
Juergen Schoenwaelder  schoenw@ibr.cs.tu-bs.de http://www.cs.tu-bs.de/~schoenw
Technical University Braunschweig, Dept. Operating Systems & Computer Networks
Bueltenweg 74/75, D-38106 Braunschweig, Germany.     (Tel. +49 531 / 391-3283)
--
!! This message is brought to you via the `tkined & scotty' mailing list.
!! Please do not reply to this message to unsubscribe. To subscribe or
!! unsubscribe, send a mail message to <tkined-request@ibr.cs.tu-bs.de>.
!! See http://wwwsnmp.cs.utwente.nl/~schoenw/scotty/ for more information.
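A trap-sink filter of the kind the reply above recommends, as an added example (not scotty's straps or trap-script code): it accepts only BER-well-formed SNMPv1 traps that carry an assumed configured community `trap-secret`, and it names the reason for every refusal, so the encoding errors and community mismatches that a sink would otherwise ignore silently show up in a log. The message builder and its sample values are constructed for the example.

```python
"""Classify SNMPv1 trap messages by encoding, version and community (added
example, not scotty's straps/trap-script code). Sample messages are constructed."""
TRAP_COMMUNITY = b"trap-secret"   # assumed configured trap community


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos; ValueError if broken."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + length], pos + length

def classify_trap(msg, community=TRAP_COMMUNITY):
    """Return 'accept', 'reject-encoding', 'reject-version' or 'reject-community'."""
    try:
        tag, body, _ = read_tlv(msg, 0)
        if tag != 0x30:
            raise ValueError("message is not a SEQUENCE")
        tag, ver, pos = read_tlv(body, 0)
        if tag != 0x02:
            raise ValueError("version is not an INTEGER")
        tag, comm, pos = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community is not an OCTET STRING")
        pdu_tag, _pdu, _ = read_tlv(body, pos)
    except ValueError:
        return "reject-encoding"                       # what scotty would drop silently
    if int.from_bytes(ver, "big", signed=True) != 0:   # version 0 == SNMPv1
        return "reject-version"
    if pdu_tag != 0xA4:                                # [4] IMPLICIT Trap-PDU
        return "reject-encoding"
    if comm != community:                              # community as a weak filter
        return "reject-community"
    return "accept"

def tlv(tag, value):                                   # short-form BER, samples only
    return bytes([tag, len(value)]) + value

def build_v1_trap(community, version=0):
    """Constructed enterpriseSpecific trap: enterprise 1.3.6.1.4.1, agent 10.0.0.1."""
    pdu = tlv(0x06, b"\x2b\x06\x01\x04\x01") + tlv(0x40, b"\x0a\x00\x00\x01")
    pdu += tlv(0x02, b"\x06") + tlv(0x02, b"\x01") + tlv(0x43, b"\x00") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + tlv(0xA4, pdu))
```

Feeding each classification into a counter per source address is enough to tell a hung trap path (nothing arrives at all) from a filter that is working as intended (arrivals logged as rejected).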