Problem processing a Trend Micro Central Manager SNMP trap

    Hello,
    I cannot manage to process the trap sent by Trend Micro Central Manager about a PC infected by a virus.

    Here is the trap I receive: .1.3.6.1.4.1.6101.999.3.4

    I stop the centreontrapd service (service centreontrapd stop).
    In the /var/spool/centreontrapd directory, here is the detail of the trap I pick up:
    14:16:11.664039 IP x.x.x.x.64743 > x.x.x.x.snmptrap: V2Trap(984)
    system.sysUpTime.0=524912734
    S:1.1.4.1.0=E:6101.999.3.4
    E:6101.1000.1.1=""
    E:6101.1000.1.2=""
    E:6101.1000.1.3=""
    E:6101.1000.1.4=""
    E:6101.1000.1.5="Virus found action result"
    E:6101.1000.1.6=""
    E:6101.1000.1.7="20/11/2017 15:14:40"
    E:6101.1000.1.8="20/11/2017 13:14:40 (UTC)"
    E:6101.1000.1.9="PC1"
    E:6101.1000.1.10="x.x.x.x"
    E:6101.1000.1.11=""
    E:6101.1000.1.12="XXX-OFFICESCAN"
    E:6101.1000.1.13=""
    E:6101.1000.1.14="XXX-TRENDMICRO"
    E:6101.1000.1.15=""
    E:6101.1000.1.16="\XXX-TRENDMICRO\Local Folder\New Entity\XXX-OFFICESCAN_OSCE\XXX\PC1"
    E:6101.1000.1.17=""
    E:6101.1000.1.18="OfficeScan"
    E:6101.1000.1.19="11.0"
    E:6101.1000.1.20=""
    E:6101.1000.1.25=""
    E:6101.1000.2.1="Malware"
    E:6101.1000.2.2=""
    E:6101.1000.2.3="Eicar_test_1"
    E:6101.1000.2.5="qsdsqd.txt"
    E:6101.1000.2.6="C:\Users\hcespedes\Desktop"
    E:6101.1000.2.7="N/A"
    E:6101.1000.2.8=""
    E:6101.1000.2.9="PC1"
    E:6101.1000.2.10="x.x.x.x"
    E:6101.1000.2.26="Move"
    E:6101.1000.2.28="File quarantined"
    E:6101.1000.2.30=""
    E:6101.1000.2.31="9.950.1006"
    E:6101.1000.2.33=""
    Here is the log from /var/log/messages (sorry for the syntax):
    2017-11-21 09:54:06 <UNKNOWN> [UDP: [x.x.x.x]:51494->[x.x.x.x]]:#012DISMAN-EVENT-MIB:ysUpTimeInstance = Timeticks: (595587812) 68 days, 22:24:38.12#011SNMPv2-MIB:nmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6101.999.3.4#011SNMPv2-SMI::enterprises.6101.1000.1.1 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.2 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.3 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.4 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.5 = STRING: "Virus found action result"#011SNMPv2-SMI::enterprises.6101.1000.1.6 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.7 = STRING: "21/11/2017 10:50:56"#011SNMPv2-SMI::enterprises.6101.1000.1.8 = STRING: "21/11/2017 08:50:56 (UTC)"#011SNMPv2-SMI::enterprises.6101.1000.1.9 = STRING: "PC1"#011SNMPv2-SMI::enterprises.6101.1000.1.10 = STRING: "x.x.x.x"#011SNMPv2-SMI::enterprises.6101.1000.1.11 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.12 = STRING: "XXX-OFFICESCAN"#011SNMPv2-SMI::enterprises.6101.1000.1.13 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.14 = STRING: "XXX-TRENDMICRO"#011SNMPv2-SMI::enterprises.6101.1000.1.15 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.16 = STRING: "\\XXX-TRENDMICRO\\Local Folder\\New Entity\\XXX-OFFICESCAN_OSCE\\XXX\\PC1"#011SNMPv2-SMI::enterprises.6101.1000.1.17 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.18 = STRING: "OfficeScan"#011SNMPv2-SMI::enterprises.6101.1000.1.19 = STRING: "11.0"#011SNMPv2-SMI::enterprises.6101.1000.1.20 = ""#011SNMPv2-SMI::enterprises.6101.1000.1.25 = ""#011SNMPv2-SMI::enterprises.6101.1000.2.1 = STRING: "Malware"#011SNMPv2-SMI::enterprises.6101.1000.2.2 = ""#011SNMPv2-SMI::enterprises.6101.1000.2.3 = STRING: "Eicar_test_1"#011SNMPv2-SMI::enterprises.6101.1000.2.5 = STRING: "qsdsqdsq.txt"#011SNMPv2-SMI::enterprises.6101.1000.2.6 = STRING: "C:\\Users\\hcespedes\\Desktop"#011SNMPv2-SMI::enterprises.6101.1000.2.7 = STRING: "N/A"#011SNMPv2-SMI::enterprises.6101.1000.2.8 = ""#011SNMPv2-SMI::enterprises.6101.1000.2.9 = STRING: "PC1"#011
    When I start the centreontrapd service again (service centreontrapd start), here is the error message that appears in the centreontrapd.log log:
    "/var/log/centreon/centreontrapd.log"
    sh: -c: line 0: Caractère de fin de fichier (EOF) prématuré lors de la recherche du « " » correspondant
    sh: -c: line 1: Erreur de syntaxe : fin de fichier prématurée
    Could a quotation mark be missing from the trap, preventing it from being interpreted correctly?

    Yet I can interpret a test trap: .1.3.6.1.4.1.6101.999.0.0
    1511200810
    <UNKNOWN>
    UDP: [172.16.0.81]:53500->[172.16.0.83]
    DISMAN-EVENT-MIB:ysUpTimeInstance 62:17:25:16.25
    SNMPv2-MIB:nmpTrapOID.0 SNMPv2-SMI::enterprises.6101.999.0.0
    SNMPv2-SMI::enterprises.6101.1000.1.1 ""
    SNMPv2-SMI::enterprises.6101.1000.1.2 ""
    SNMPv2-SMI::enterprises.6101.1000.1.3 ""
    SNMPv2-SMI::enterprises.6101.1000.1.4 ""
    SNMPv2-SMI::enterprises.6101.1000.1.5 "TEST_EVENT"
    SNMPv2-SMI::enterprises.6101.1000.1.7 "EVENT_TIME"
    SNMPv2-SMI::enterprises.6101.1000.1.8 "EVENT_UTC_TIME"
    SNMPv2-SMI::enterprises.6101.1000.1.9 "COMPUTER_NAME"
    SNMPv2-SMI::enterprises.6101.1000.1.10 "DEVICE_IP"
    SNMPv2-SMI::enterprises.6101.1000.1.14 "TMCM_SERVER_NAME"
    SNMPv2-SMI::enterprises.6101.1000.1.15 "0.0.0.0"
    SNMPv2-SMI::enterprises.6101.1000.1.18 "PRODUCT_NAME"
    SNMPv2-SMI::enterprises.6101.1000.1.19 "PRODUCT_VERSION"
    SNMPv2-SMI::enterprises.6101.1000.1.20 ""
    SNMPv2-SMI::enterprises.6101.1000.1.25 ""
    I have no problem with this trap.

    Regards,
    Hervé Cespedes

    Last edited by herve.cespedes; 24th November 2017, 13:03.
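The two `sh: -c` errors quoted above suggest that the trap's varbind values end up inside a command string that centreontrapd hands to `/bin/sh`, so a value carrying an unbalanced double quote, or a backslash right before the closing quote, breaks the handler call, and any trap content received from the network is being parsed by a shell. The following is an added example (not from the thread and not Centreon's code) that parses the spool dump format shown in the post and compares plain double-quote wrapping with `shlex.quote` for the handler's arguments; the handler path and the two extra test values are constructed.

```python
import re
import shlex

# Constructed sample in the /var/spool/centreontrapd dump format shown in the
# post (same OIDs, anonymised values). Backslashes are literal, as in the spool file.
SAMPLE_TRAP = r'''
S:1.1.4.1.0=E:6101.999.3.4
E:6101.1000.1.5="Virus found action result"
E:6101.1000.1.16="\XXX-TRENDMICRO\Local Folder\New Entity\XXX-OFFICESCAN_OSCE\XXX\PC1"
E:6101.1000.2.3="Eicar_test_1" E:6101.1000.2.5="qsdsqd.txt"
E:6101.1000.2.6="C:\Users\hcespedes\Desktop"
'''

# One varbind: enterprise OID suffix, '=', a double-quoted value. Several may
# share one line (the 2.3 / 2.5 pair). Assumes a value never contains '"' itself.
VARBIND_RE = re.compile(r'(E:[\d.]+)="([^"]*)"')


def parse_varbinds(dump: str) -> dict:
    """Map 'E:6101.1000.x.y' -> value for every quoted varbind in the dump."""
    return {oid: value for oid, value in VARBIND_RE.findall(dump)}


def build_command_naive(handler: str, args: list) -> str:
    """Handler call with values merely wrapped in double quotes and passed to
    sh -c: fine for spaces, broken by a '"' or a trailing backslash in a value."""
    return handler + ' ' + ' '.join('"%s"' % a for a in args)


def build_command_safe(handler: str, args: list) -> str:
    """Same call with every value shell-quoted, so sh -c sees exactly one word
    per varbind whatever characters the trap carried."""
    return ' '.join([handler] + [shlex.quote(a) for a in args])


def shell_words(command: str):
    """Split the command the way /bin/sh would; return None where sh would
    report an unterminated quote (the 'EOF prématuré ... « " »' error above)."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


if __name__ == '__main__':
    # Constructed handler path; the trailing-backslash value is a constructed edge case.
    values = list(parse_varbinds(SAMPLE_TRAP).values()) + ['C:\\Users\\hcespedes\\Desktop\\']
    print('naive ->', shell_words(build_command_naive('/usr/local/bin/trap_handler.sh', values)))
    print('safe  ->', shell_words(build_command_safe('/usr/local/bin/trap_handler.sh', values)))
```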

  • #2
    I must surely be missing some dependencies: SNMPv2-SMI, SNMPv2-TC, SNMPv2-CONF, but how do I install them? Download the MIBs and import them?

    A priori no, because the files are found in the /usr/share/snmp/mibs/ directory:

    [[email protected] ~]# locate SNMPv2-TC
    /usr/share/snmp/mibs/SNMPv2-TC.txt
    [[email protected] ~]# locate SNMPv2-CONF
    /usr/share/snmp/mibs/SNMPv2-CONF.txt
    [[email protected] ~]# locate SNMPv2-SMI
    /usr/share/snmp/mibs/SNMPv2-SMI.txt
    Last edited by herve.cespedes; 24th November 2017, 19:10.
