NeDi Community
NeDi Software Specific => Discovery => Topic started by: pato on April 20, 2018, 10:04:10 am
-
Hi all
I'm using the current Nedi 1.6.100p4, which I've installed two days ago.
This all worked fine and after some time I even discovered why the discovery took hours instead of minutes (ssh access wasn't allowed).
What disturbs me though, if I run a ./nedi.pl -p -v, I can see that nedi sends my snmp v2 strings to devices that aren't in the filter list that I've configured. Don't have any snmpv3 ones. Not sure if it also does the same with my ssh credentials.
Is this by (undocumented) design or a bug?
My netfilter:
# Only discover devices where ip address matches this regular expression.
# This way NeDi will not send any login credentials to rogue/evil devices.
;netfilter ^192\.168\.0|^172\.16
netfilter ^192\.168\.0|^192\.168\.62
# To avoid networks
;netfilter ^(?!192.168.1).*$
netfilter .
And I see in the debug that it tries to connect to 10.10.2.50 (for example), which it shouldn't based on the netfilter.
-
pato
-
i'm not sure if you realy need to escape the dots.
i use these filter and it works perfect.
netfilter 10.68.255.23[3-8]|10.68.16.8$|10.68.18.100|10.68.52.{1,3}|10.68.53.{1,3}|10.68.84.22[5-6]|10.68.14[4-7].[5-9]$|10.68.144.10$|10.72.3.{1,3}|10.72.15.{1,3}|10.72.49.1[5-8]$|10.72.99.[2,3]|10.72.4.[4,7]$|10.81.105.1[1-9]$|10.81.105.1$|10.81.220.15[1-4]|10.81.223.229|10.81.223.230|10.81.223.24[3-6]|10.81.223.254|10.81.223.16[1-9]|10.82.23.254|10.82.23.7[0-9]|10.81.64.241|10.81.64.225|10.81.64.235|10.81.92.{1,3}|10.81.172.10$|10.81.175.{1,3}|10.81.175.1[3-5][0-9]|10.81.192.1|10.81.194.73|10.81.175.[6-9][0-9]|10.81.175.1[0-2][0-9]|10.80.146.254|10.81.132.[1-5]$|10.81.134.[6-9][0-9]|10.81.134.1[0-2][0-9]|10.81.179.[6-9][0-9]|10.81.179.1[0-2][0-9]|10.80.140.[1-5]$|10.80.142.[6-9][0-9]|10.80.142.1[0-2][0-9]|10.80.148.[1-5]$|10.80.150.[6-9][0-9]|10.80.150.1[0-2][0-9]|10.81.128.[1-5]$|10.81.130.[6-9][0-9]|10.81.130.1[0-2][0-9]|10.80.49.[1-5]$|10.80.51.[6-9][0-9]|10.80.51.1[0-2][0-9]|10.80.105.[6-9][0-9]|10.80.105.1[0-2][0-9]|10.81.177.5$|10.80.100.[1-5]$|10.80.102.[6-9][0-9]|10.80.102.1[0-2][0-9]|10.80.136.[1-5]$|10.80.138.[6-9][0-9]|10.80.138.1[0-2][0-9]|10.80.39.[1-5]$|10.80.41.[6-9][0-9]|10.80.41.1[0-2][0-9]|10.80.108.[1-5]$|10.80.110.[6-9][0-9]|10.81.116.[1-5]$|10.81.118.[6-9][0-9]|10.81.118.1[0-2][0-9]|10.80.60.[1-5]$|10.80.62.[6-9][0-9]|10.80.62.1[0-2][0-9]|10.81.111.[1-5]$|10.81.113.[6-9][0-9]|10.81.113.1[0-2][0-9]|10.81.121.[1-5]$|10.81.123.[6-9][0-9]|10.81.123.1[0-2][0-9]|10.80.54.[1-5]$|10.80.56.[60-99]|10.80.56.1[0-29]|10.240.16.62$|10.80.254.249|10.80.254.245|10.72.243.246|10.72.129.20$|10.80.99.121|10.80.23.19[3-9]|10.80.23.2[0-29]|10.80.3.190|10.80.3.13[0-9]|10.80.181.19[3-9]|10.80.181.20[0-9]|10.80.17.[1-9]$|10.80.17.1[0-9]$|10.81.215.254|10.96.1.[0-99]|10.96.1.1[0-27]|10.80.167.[0-99]|10.80.167.1[0-27]|10.80.159.[0-99]|10.80.159.1[0-27]|10.80.32.254|10.81.240.5$|10.81.240.9$|10.80.202.254|10.80.202.66|10.81.191.254|10.81.191.7[0-9]|10.80.47.66|10.80.47.254|10.34.60.20$|10.34.94.10$|149.216.32.176|10.80.27.254|10.80.15.17[1-4]|10.80.22.4$|10.80.15.206|10.80.98.254|10.80.97.254
-
That's how it is shown in the config file.
And you are sure that the credentials aren't sent to other devices if you do a -p discovery?
You need to enable -v (verbose) mode to actually see it.
-
i*m quite sure.
i keep forgetting to add new subnets to the filter and NeDi will not discover them since they are out the netfilter range.
after i add them than the discovery works
-
The thing is, I believe they will not show up in the GUI because of the filter, but they still get sent the credentials in the -p discovery.
-
Sniff the discovery and doublecheck :) I've added netfilter upon request from the community in order to avoid exactly that...
-
Just found the time to test it, with tcpdump running. Indeed the snmp community strings get sent to devices not included in the netfilter.
I run the discovery with this command (as shown for the initial discovery in the web interface):
/usr/bin/perl /var/nedi/nedi.pl -p -SGg -v
For me it looks like the discovery tries all devices found by CDP and sending them the snmp communities, ignoring the netfilter.
EDIT
I was curious, so I let tcpdump running a tad longer. The snmp strings get even sent in the normal crontab update process to devices not included in the netfilter configuration.
This is my crontab:
0 1-23 * * * /var/nedi/nedi.pl -Aall -Smvj > /var/log/nedi/nedi-`date +\%H`.run 2>&1
0 0 * * * /var/nedi/nedi.pl -v -b -Aall -SAF > /var/log/nedi/nedi-00.bup 2>&1
# or 5 min interval (for very small networks)
#*/5 * * * * /var/nedi/nedi.pl -vp > /var/log/nedi/nedi-`date +\%H\%M`.run 2>&1
#3 0 * * * /var/nedi/nedi.pl -vB5 -A 'login !=""' -SsmgafpijtedobwOA > /var/log/nedi/nedi-0003.bup 2>&1
# Run netflow policer every 5 min
#/5 * * * * /var/nedi/flowi.pl -v > /var/log/nedi/nedi-`date +\%H\%M`.flow 2>&1
# weekly statistic Mondays 6:00 as a chat message
#0 6 * * 1 /var/nedi/stati.pl
# monthly DB cleanup on the 1st at 1:00 with output in /var/log/nedi
0 1 1 * * /var/nedi/inc/nedio_db_maintenance.sh /var/nedi/nedi.conf /var/log/nedi/nedi-dbcleanup
-
If the regexp works correctly, you should see a netfiiter message and the device will NOT be contacted...
-
I'm no programmer at all, so I have sadly no idea if the regexp works correctly or not.