
IP stack information to ArcSight

Hello,

I have a use case where I want to get information about DHCP entries, MAC addresses and physical switch ports.

I am thinking of storing this data in session lists for correlation. Basically we want to get 2 additional information fields with source or destination address: the end device's MAC address and the physical port where it is connected in the network.

I did some research and I found that I can query Cisco switches for MAC addresses with the SNMP flex connector, but I am not quite sure how I can get the physical port name from there.

Maybe any of you did similar things and have some experience with it?


Re: IP stack information to ArcSight

Interesting question. I haven't done it yet, but how about "Using SNMP to Find a Port Number from a MAC Address on a Catalyst Switch" (Cisco) or "cisco - Using SNMP to retrieve the ARP and mac-address tables from a switch" (Network Engineering Stack Exchange):

Polling the mac-address table:

If you really want the mac-address table from the switch, then remember you have to change the community string you poll with... it should be in the form of <community@vlan>... each vlan you poll needs a different community.

In my example below, the switch at 172.16.1.210 is configured with snmp-server community public ro, and I'm polling the mac-address table in vlan-10 with dot1dTpFdbPort from BRIDGE-MIB.

    [mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public@10 -OXsq 172.16.1.210 \
        .1.3.6.1.2.1.17.4.3.1.2
    dot1dTpFdbPort[0:6:53:fe:39:e0] 52
    dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
    dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
    dot1dTpFdbPort[0:80:c8:0:0:0] 52
    dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
    dot1dTpFdbPort[80:ee:73:2f:b:40] 52
    [mpenning@tsunami ~]$

In the output above, 52 is the value of dot1dBasePort, which is a number the MIB uses to index the dot1dTp table. To translate that into a normal interface name, you have to map that to an ifName... BRIDGE-MIB does that with dot1dBasePortIfIndex...

    [mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public@10 -m BRIDGE-MIB 172.16.1.210 \
        .1.3.6.1.2.1.17.1.4.1.2
    BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048
    [mpenning@tsunami ~]$
    [mpenning@tsunami ~]$ snmpget -v 2c -c public 172.16.1.210 ifName.10048
    IF-MIB::ifName.10048 = STRING: Fa0/48
    [mpenning@tsunami ~]$

Thus we know that all the mac-addresses on this switch were learned through FastEthernet 0/48 in vlan-10.

Regards,

Heiko

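Putting Heiko's three lookups together, as an added example that is not from the thread: a Python script that parses the captured snmpbulkwalk/snmpget output above (embedded here as constructed strings, so no switch is polled), normalises the unpadded -OX MAC notation to the zero-padded form a session list would key on, and resolves each MAC through dot1dBasePortIfIndex and ifName to an interface name.

```python
import re

# Captured output from the post above, constructed inline so the example
# runs offline. In production these strings come from the SNMP poll.
FDB_WALK = """\
dot1dTpFdbPort[0:6:53:fe:39:e0] 52
dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
dot1dTpFdbPort[0:80:c8:0:0:0] 52
dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
dot1dTpFdbPort[80:ee:73:2f:b:40] 52
"""
BASEPORT_WALK = "BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048\n"
IFNAME_GET = "IF-MIB::ifName.10048 = STRING: Fa0/48\n"

FDB_RE = re.compile(r"dot1dTpFdbPort\[([0-9a-fA-F:]+)\]\s+(\d+)")
BASEPORT_RE = re.compile(r"dot1dBasePortIfIndex\.(\d+) = INTEGER: (\d+)")
IFNAME_RE = re.compile(r"ifName\.(\d+) = STRING: (\S+)")


def canonical_mac(mac):
    """-OX prints each octet unpadded ('0:6:53:...'); a session list needs
    the zero-padded 'aa:bb:cc:dd:ee:ff' form or lookups silently miss."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def mac_port_table(vlan, fdb, baseport, ifname):
    """Resolve every learned MAC to (vlan, ifIndex, ifName), walking
    dot1dTpFdbPort -> dot1dBasePortIfIndex -> ifName as in the post."""
    macs = {canonical_mac(m): int(p) for m, p in FDB_RE.findall(fdb)}
    bp_to_ifidx = {int(b): int(i) for b, i in BASEPORT_RE.findall(baseport)}
    ifidx_to_name = {int(i): n for i, n in IFNAME_RE.findall(ifname)}
    table = {}
    for mac, bridge_port in macs.items():
        ifidx = bp_to_ifidx.get(bridge_port)
        # A bridge port missing from the walk (stale FDB entry) keeps its
        # row but is marked unresolved instead of being dropped silently.
        name = ifidx_to_name.get(ifidx, f"unresolved-bridgeport-{bridge_port}")
        table[mac] = {"vlan": vlan, "ifIndex": ifidx, "port": name}
    return table


if __name__ == "__main__":
    for mac, row in mac_port_table(10, FDB_WALK, BASEPORT_WALK, IFNAME_GET).items():
        print(mac, row)
```

The VLAN is passed in explicitly because the walk itself does not carry it; it is implied by the community@vlan string used for that poll.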

Re: IP stack information to ArcSight

I am trying to configure a Cisco switch with snmp V3.

On the Cisco side everything looks kinda fine, and traps are being sent. I can see them in Wireshark. But one thing is strange. Everything is configured as SNMPv3 and Cisco sends everything encrypted with the correct user; I can decrypt it in Wireshark and I see that it says msgVersion:snmpv3.

But the ArcSight SNMP flex connector does not receive any data. I don't even get the (not configured) trap info.

I checked and the port UDP 162 is up and listening. There are no firewalls.

I have also checked the unified SNMP connector and it is the same.


Re: IP stack information to ArcSight

At the moment I am getting 2 different traps from the Cisco switch. One contains the connected MAC address:

    Received SNMPv2 trap
            Port : 162
            Generating Agent : WIN-0VVMAALUERJ/10.48.7.65
            Sending Agent : 10.48.7.55/64253
            Time Stamp : 56759950
            Enterprise OID : 1.3.6.1.4.1.9.9.215.2
            Trap Type : 1
            Var Binds:2
    VarBind #0
            1.3.6.1.4.1.9.9.215.1.1.8.1.2.1
            StringValue: 02:00:01:00:1e:be:90:4a:a3:00:04:00
            TimeStamp: 0
            Type: OctetString
            Value: 02:00:01:00:1e:be:90:4a:a3:00:04:00
    VarBind #1
            1.3.6.1.4.1.9.9.215.1.1.8.1.3.1
            StringValue: 5675994
            TimeStamp: 0
            Type: Integer32
            Value: 5675994

And another that contains the physical port info:

    Received SNMPv2 trap
            Port : 162
            Generating Agent : WIN-0VVMAALUERJ/10.48.7.65
            Sending Agent : 10.48.7.55/64253
            Time Stamp : 57182380
            Enterprise OID : 1.3.6.1.6.3.1.1.5
            Trap Type : 0
            Var Binds:4
    VarBind #0
            1.3.6.1.2.1.2.2.1.1.10003
            StringValue: 10003
            TimeStamp: 0
            Type: Integer32
            Value: 10003
    VarBind #1
            1.3.6.1.2.1.2.2.1.2.10003
            StringValue: FastEthernet0/3
            TimeStamp: 0
            Type: OctetString
            Value: FastEthernet0/3
    VarBind #2
            1.3.6.1.2.1.2.2.1.3.10003
            StringValue: 6
            TimeStamp: 0
            Type: Integer32
            Value: 6
    VarBind #3
            1.3.6.1.4.1.9.2.2.1.1.20.10003
            StringValue: up
            TimeStamp: 0
            Type: OctetString
            Value: up

Now I have no way of relating these two traps. They have no fields in common for correlation.

And maybe somebody can explain how to write a parser for SNMP? The flex connector manual provides no valuable information...

I have this:

    trap.types=1
    token.count=2
    token[0].name=macAddress
    token[0].type=String
    token[0].oid=1.3.6.1.4.1.9.9.215.1.1.8.1.2.1
    token[1].name=timestamp
    token[1].type=timestamp
    token[1].oid=1.3.6.1.4.1.9.9.215.1.1.8.1.3.1
    event.name=__stringConstant(MAC_address)
    event.deviceReceiptTime=timestamp

And it does not work.

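As an added example that is not from the thread and is not ArcSight parser syntax: decoding the cmnHistMacChangedMsg varbind (1.3.6.1.4.1.9.9.215.1.1.8.1.2.1) from the first trap above in Python, assuming the 12-byte-per-entry layout of CISCO-MAC-NOTIFICATION-MIB (operation, VLAN, MAC, dot1dBasePort, reserved byte) that the value shown fits. The dot1dBasePort it yields maps through dot1dBasePortIfIndex to the same ifIndex the linkUp trap carries in its ifIndex.N varbind, which is the key the two traps share; the bridge-port and ifIndex tables below are constructed samples and must be polled from the switch as in Heiko's reply.

```python
import struct

# Varbind value from the first trap above, embedded so the example runs offline.
MAC_CHANGED_MSG = "02:00:01:00:1e:be:90:4a:a3:00:04:00"

# Constructed sample of the dot1dBasePortIfIndex and ifDescr walks; on a real
# switch these come from BRIDGE-MIB / IF-MIB polls (community@vlan), not guesses.
BASEPORT_TO_IFINDEX = {3: 10003, 4: 10004}
IFINDEX_TO_IFDESCR = {10003: "FastEthernet0/3", 10004: "FastEthernet0/4"}

# Operation codes per CISCO-MAC-NOTIFICATION-MIB cmnHistMacChangedMsg.
OPERATIONS = {1: "learned", 2: "removed"}
ENTRY_LEN = 12  # op(1) | vlan(2) | mac(6) | dot1dBasePort(2) | reserved(1)


def decode_mac_changed_msg(value):
    """Split the colon-separated hex string into one record per 12-byte entry.
    A single varbind may carry several entries, so a list is returned."""
    raw = bytes.fromhex(value.replace(":", ""))
    if len(raw) == 0 or len(raw) % ENTRY_LEN:
        raise ValueError(f"length {len(raw)} is not a multiple of {ENTRY_LEN}")
    entries = []
    for off in range(0, len(raw), ENTRY_LEN):
        op, vlan, mac, bport, _reserved = struct.unpack(
            "!BH6sHB", raw[off:off + ENTRY_LEN])
        entries.append({
            "operation": OPERATIONS.get(op, f"unknown({op})"),
            "vlan": vlan,
            "mac": ":".join(f"{b:02x}" for b in mac),
            "dot1dBasePort": bport,
        })
    return entries


def correlate(value, bp_to_ifidx, ifidx_to_name):
    """Attach ifIndex and interface name to each decoded entry. ifIndex is
    the field the linkUp/linkDown trap also carries, so it is the join key."""
    out = []
    for entry in decode_mac_changed_msg(value):
        ifidx = bp_to_ifidx.get(entry["dot1dBasePort"])
        entry["ifIndex"] = ifidx
        entry["port"] = ifidx_to_name.get(ifidx)  # None when the map is stale
        out.append(entry)
    return out


if __name__ == "__main__":
    for rec in correlate(MAC_CHANGED_MSG, BASEPORT_TO_IFINDEX, IFINDEX_TO_IFDESCR):
        print(rec)
```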