
Topic: Discovery ignoring netfilter?

pato

  • Newbie (Posts: 5)
Discovery ignoring netfilter?
« on: April 20, 2018, 10:04:10 am »
Hi all
I'm using the current NeDi 1.6.100p4, which I installed two days ago.
This all worked fine, and after some time I even discovered why the discovery took hours instead of minutes (ssh access wasn't allowed).

What disturbs me, though, is that if I run a ./nedi.pl -p -v, I can see that NeDi sends my SNMP v2 strings to devices that aren't in the filter list I've configured. I don't have any SNMPv3 ones. Not sure if it also does the same with my ssh credentials.

Is this by (undocumented) design or a bug?
My netfilter:
# Only discover devices where ip address matches this regular expression.
# This way NeDi will not send any login credentials to rogue/evil devices.
;netfilter      ^192\.168\.0|^172\.16
netfilter       ^192\.168\.0|^192\.168\.62

# To avoid networks
;netfilter      ^(?!192.168.1).*$
netfilter       .

And I see in the debug that it tries to connect to 10.10.2.50 (for example), which it shouldn't based on the netfilter.

-
pato

ascii

  • Full Member (Posts: 107)
Re: Discovery ignoring netfilter?
« Reply #1 on: April 23, 2018, 11:53:36 am »
I'm not sure if you really need to escape the dots.

I use this filter and it works perfectly.

netfilter 10.68.255.23[3-8]|10.68.16.8$|10.68.18.100|10.68.52.{1,3}|10.68.53.{1,3}|10.68.84.22[5-6]|10.68.14[4-7].[5-9]$|10.68.144.10$|10.72.3.{1,3}|10.72.15.{1,3}|10.72.49.1[5-8]$|10.72.99.[2,3]|10.72.4.[4,7]$|10.81.105.1[1-9]$|10.81.105.1$|10.81.220.15[1-4]|10.81.223.229|10.81.223.230|10.81.223.24[3-6]|10.81.223.254|10.81.223.16[1-9]|10.82.23.254|10.82.23.7[0-9]|10.81.64.241|10.81.64.225|10.81.64.235|10.81.92.{1,3}|10.81.172.10$|10.81.175.{1,3}|10.81.175.1[3-5][0-9]|10.81.192.1|10.81.194.73|10.81.175.[6-9][0-9]|10.81.175.1[0-2][0-9]|10.80.146.254|10.81.132.[1-5]$|10.81.134.[6-9][0-9]|10.81.134.1[0-2][0-9]|10.81.179.[6-9][0-9]|10.81.179.1[0-2][0-9]|10.80.140.[1-5]$|10.80.142.[6-9][0-9]|10.80.142.1[0-2][0-9]|10.80.148.[1-5]$|10.80.150.[6-9][0-9]|10.80.150.1[0-2][0-9]|10.81.128.[1-5]$|10.81.130.[6-9][0-9]|10.81.130.1[0-2][0-9]|10.80.49.[1-5]$|10.80.51.[6-9][0-9]|10.80.51.1[0-2][0-9]|10.80.105.[6-9][0-9]|10.80.105.1[0-2][0-9]|10.81.177.5$|10.80.100.[1-5]$|10.80.102.[6-9][0-9]|10.80.102.1[0-2][0-9]|10.80.136.[1-5]$|10.80.138.[6-9][0-9]|10.80.138.1[0-2][0-9]|10.80.39.[1-5]$|10.80.41.[6-9][0-9]|10.80.41.1[0-2][0-9]|10.80.108.[1-5]$|10.80.110.[6-9][0-9]|10.81.116.[1-5]$|10.81.118.[6-9][0-9]|10.81.118.1[0-2][0-9]|10.80.60.[1-5]$|10.80.62.[6-9][0-9]|10.80.62.1[0-2][0-9]|10.81.111.[1-5]$|10.81.113.[6-9][0-9]|10.81.113.1[0-2][0-9]|10.81.121.[1-5]$|10.81.123.[6-9][0-9]|10.81.123.1[0-2][0-9]|10.80.54.[1-5]$|10.80.56.[60-99]|10.80.56.1[0-29]|10.240.16.62$|10.80.254.249|10.80.254.245|10.72.243.246|10.72.129.20$|10.80.99.121|10.80.23.19[3-9]|10.80.23.2[0-29]|10.80.3.190|10.80.3.13[0-9]|10.80.181.19[3-9]|10.80.181.20[0-9]|10.80.17.[1-9]$|10.80.17.1[0-9]$|10.81.215.254|10.96.1.[0-99]|10.96.1.1[0-27]|10.80.167.[0-99]|10.80.167.1[0-27]|10.80.159.[0-99]|10.80.159.1[0-27]|10.80.32.254|10.81.240.5$|10.81.240.9$|10.80.202.254|10.80.202.66|10.81.191.254|10.81.191.7[0-9]|10.80.47.66|10.80.47.254|10.34.60.20$|10.34.94.10$|149.216.32.176|10.80.27.254|10.80.15.17[1-4]|10.80.22.4$|10.80.15.206|10.80.98.254|10.80.97.254

pato

  • Newbie (Posts: 5)
Re: Discovery ignoring netfilter?
« Reply #2 on: April 23, 2018, 03:46:40 pm »
That's how it is shown in the config file.
And you are sure that the credentials aren't sent to other devices if you do a -p discovery?
You need to enable -v (verbose) mode to actually see it.

ascii

  • Full Member (Posts: 107)
Re: Discovery ignoring netfilter?
« Reply #3 on: April 24, 2018, 09:25:56 am »
I'm quite sure.
I keep forgetting to add new subnets to the filter, and NeDi will not discover them since they are outside the netfilter range.
After I add them, the discovery works.

pato

  • Newbie (Posts: 5)
Re: Discovery ignoring netfilter?
« Reply #4 on: April 24, 2018, 09:43:25 am »
The thing is, I believe they will not show up in the GUI because of the filter, but they still get sent the credentials in the -p discovery.

rickli

  • Administrator, Hero Member (Posts: 2893)
Re: Discovery ignoring netfilter?
« Reply #5 on: April 27, 2018, 08:17:59 pm »
Sniff the discovery and double-check :) I've added netfilter upon request from the community in order to avoid exactly that...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

pato

  • Newbie (Posts: 5)
Re: Discovery ignoring netfilter?
« Reply #6 on: May 03, 2018, 04:00:55 pm »
Just found the time to test it, with tcpdump running. Indeed, the SNMP community strings get sent to devices not included in the netfilter.
I run the discovery with this command (as shown for the initial discovery in the web interface):
/usr/bin/perl /var/nedi/nedi.pl -p -SGg -v

To me it looks like the discovery tries all devices found by CDP and sends them the SNMP communities, ignoring the netfilter.

EDIT
I was curious, so I left tcpdump running a tad longer. The SNMP strings even get sent during the normal crontab update process to devices not included in the netfilter configuration.
This is my crontab:

0 1-23 * * *    /var/nedi/nedi.pl -Aall -Smvj > /var/log/nedi/nedi-`date +\%H`.run 2>&1
0 0    * * *    /var/nedi/nedi.pl -v -b -Aall -SAF > /var/log/nedi/nedi-00.bup 2>&1

# or 5 min interval (for very small networks)
#*/5 * * * *    /var/nedi/nedi.pl -vp > /var/log/nedi/nedi-`date +\%H\%M`.run 2>&1
#3   0 * * *    /var/nedi/nedi.pl -vB5 -A 'login !=""'  -SsmgafpijtedobwOA > /var/log/nedi/nedi-0003.bup 2>&1

# Run netflow policer every 5 min
#/5 * * * *     /var/nedi/flowi.pl -v > /var/log/nedi/nedi-`date +\%H\%M`.flow 2>&1

# weekly statistic Mondays 6:00 as a chat message
#0 6 * * 1      /var/nedi/stati.pl

# monthly DB cleanup on the 1st at 1:00 with output in /var/log/nedi
0 1 1 * *       /var/nedi/inc/nedio_db_maintenance.sh /var/nedi/nedi.conf /var/log/nedi/nedi-dbcleanup
« Last Edit: May 03, 2018, 04:07:43 pm by pato »
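The two things this thread turns on are what the configured netfilter regex actually matches (the netfilter section pato quoted, and the long filter ascii posted) and what tcpdump shows leaving the NeDi host. The script below is an added example, not NeDi's code and not something anyone in the thread ran: it parses the netfilter lines out of a config snippet, warns about alternatives that match every address or are unanchored, and checks SNMP destinations taken from tcpdump-style lines against the filter. The config text is a copy of pato's section; the capture lines are constructed. It assumes that lines starting with `;` or `#` are comments and that, when several uncommented `netfilter` lines are present, the last one is the one NeDi uses; neither assumption is confirmed by the thread.

```python
import re

# Constructed copy of the netfilter section pato posted (comment lines start with ';').
NEDI_CONF = r"""
# Only discover devices where ip address matches this regular expression.
# This way NeDi will not send any login credentials to rogue/evil devices.
;netfilter      ^192\.168\.0|^172\.16
netfilter       ^192\.168\.0|^192\.168\.62

# To avoid networks
;netfilter      ^(?!192.168.1).*$
netfilter       .
"""

# Constructed tcpdump-style lines (not from the thread): SNMP requests on udp/161
# leaving a NeDi host at 192.168.0.5, plus one unrelated TCP line.
CAPTURE = """\
10:04:10.000001 IP 192.168.0.5.40001 > 192.168.0.1.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
10:04:10.000002 IP 192.168.0.5.40002 > 192.168.62.10.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
10:04:10.000003 IP 192.168.0.5.40003 > 10.10.2.50.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
10:04:10.000004 IP 192.168.0.5.40004 > 192.168.0.7.22: Flags [S], seq 1, win 64240, length 0
"""

# Assumption: ';' or '#' at the start of a line comments it out.
NETFILTER_LINE = re.compile(r"^([;#])?\s*netfilter\s+(.*?)\s*$")
# Destination address of an SNMP (udp/161) packet in tcpdump's default text output.
SNMP_DST = re.compile(r" IP \S+ > (\d+\.\d+\.\d+\.\d+)\.161: ")
# Addresses used to probe whether a filter alternative matches "everything".
PROBES = ("0.0.0.0", "10.10.2.50", "203.0.113.9", "255.255.255.255")


def netfilter_lines(conf_text):
    """Return [(regex, is_commented), ...] for every netfilter line in the config."""
    found = []
    for line in conf_text.splitlines():
        m = NETFILTER_LINE.match(line.strip())
        if m:
            found.append((m.group(2), m.group(1) is not None))
    return found


def effective_netfilter(conf_text):
    """The regex NeDi would apply, under the assumption that the last
    uncommented 'netfilter' line wins when several are present."""
    active = [rx for rx, commented in netfilter_lines(conf_text) if not commented]
    return active[-1] if active else None


def filter_warnings(pattern):
    """Flag alternatives that match every probe address or lack a ^ anchor."""
    warnings = []
    for alt in pattern.split("|"):
        rx = re.compile(alt)
        if all(rx.search(p) for p in PROBES):
            warnings.append(f"{alt!r} matches every probe address; it permits all targets")
        elif not alt.startswith("^"):
            warnings.append(f"{alt!r} is not anchored with ^; it also matches longer addresses")
    return warnings


def snmp_destinations(capture_text):
    """Destination IPs of SNMP (udp/161) packets in tcpdump-style text."""
    return [m.group(1) for m in map(SNMP_DST.search, capture_text.splitlines()) if m]


def audit(pattern, capture_text):
    """Map each SNMP destination to True (inside the filter) or False
    (a community string went to an address the filter does not cover)."""
    rx = re.compile(pattern)
    return {ip: bool(rx.search(ip)) for ip in snmp_destinations(capture_text)}


if __name__ == "__main__":
    active = effective_netfilter(NEDI_CONF)
    print("effective netfilter:", active)
    for w in filter_warnings(active):
        print("WARNING:", w)
    for ip, inside in audit(active, CAPTURE).items():
        print(f"{ip:16} {'inside filter' if inside else 'OUTSIDE filter'}")
```

Run against the quoted config, the last-line-wins assumption makes the effective filter `.`, which matches every address, so the audit reports 10.10.2.50 as inside the filter; run with only `^192\.168\.0|^192\.168\.62`, the same capture line is reported as outside. Which of the two NeDi really applies is exactly what sniffing the discovery, as rickli suggests, settles.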

rickli

  • Administrator, Hero Member (Posts: 2893)
Re: Discovery ignoring netfilter?
« Reply #7 on: May 31, 2018, 06:40:14 pm »
If the regexp works correctly, you should see a netfilter message and the device will NOT be contacted...
-Remo

pato

  • Newbie (Posts: 5)
Re: Discovery ignoring netfilter?
« Reply #8 on: June 01, 2018, 09:03:02 am »
I'm no programmer at all, so I have sadly no idea if the regexp works correctly or not.