I have an interesting possible issue going on. I am running NagiosXI monitoring a few servers and switches; on the same network I am running Snort on a different box. Everything seems to coexist and work fine, except I am seeing in Snort a TON of UDP packets coming from NagiosXI going to one particular switch. Overnight I had an extra 70,000+ alerts added in Snort, and 85% of those are the UDP packets coming from NagiosXI.
The alerts displayed are "SNMP public access udp" and "SNMP request udp".
Any ideas on why it's constantly requesting SNMP access every 2-3 seconds to a switch, or is this the general nature of the SNMP requests coming from Nagios?
NagiosXI and snort.
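As an added example (not something posted in this thread), the following Python script answers the "how often is it really polling" part of the question from the Snort alert file itself. It parses Snort fast-format alert lines, groups them by source, destination and port, collapses the alerts that fire on the same datagram (a single SNMP GET trips both the "public access" and "request" rules, so the alert count is roughly double the packet count), and reports the mean interval between polls, which can be compared with the check interval configured for that switch's SNMP services in Nagios. The log lines, addresses and signature revisions are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample in Snort "fast" alert format (not a real capture): documentation
# addresses (192.0.2.x), placeholder timestamps, and the two SNMP rule messages from the thread.
SAMPLE_ALERTS = """\
01/15-03:12:01.100000  [**] [1:1411:13] PROTOCOL-SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51234 -> 192.0.2.20:161
01/15-03:12:01.100000  [**] [1:1417:12] PROTOCOL-SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51234 -> 192.0.2.20:161
01/15-03:12:03.600000  [**] [1:1411:13] PROTOCOL-SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51235 -> 192.0.2.20:161
01/15-03:12:03.600000  [**] [1:1417:12] PROTOCOL-SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51235 -> 192.0.2.20:161
01/15-03:12:06.100000  [**] [1:1411:13] PROTOCOL-SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51236 -> 192.0.2.20:161
01/15-03:12:06.100000  [**] [1:1417:12] PROTOCOL-SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51236 -> 192.0.2.20:161
01/15-03:12:08.600000  [**] [1:1411:13] PROTOCOL-SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51237 -> 192.0.2.20:161
01/15-03:12:08.600000  [**] [1:1417:12] PROTOCOL-SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:51237 -> 192.0.2.20:161
01/15-03:12:07.000000  [**] [1:1411:13] PROTOCOL-SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.11:40000 -> 192.0.2.20:161
"""

# Fast-format line: timestamp [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Fast-format timestamps carry no year; only differences between them are used here.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def summarize(lines):
    """Group alerts by (src, dst, dport), dedupe alerts raised on the same datagram,
    and compute the mean gap in seconds between successive datagrams."""
    groups = defaultdict(lambda: {"alerts": 0, "packet_keys": set(), "signatures": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        g = groups[(a["src"], a["dst"], a["dport"])]
        g["alerts"] += 1
        g["signatures"].add(a["msg"])
        # Two rules matching one datagram log two alerts with the same time and source port.
        g["packet_keys"].add((a["ts"], a["sport"]))
    summary = {}
    for key, g in groups.items():
        times = sorted(t for t, _ in g["packet_keys"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "alerts": g["alerts"],
            "packets": len(times),
            "signatures": sorted(g["signatures"]),
            "mean_interval_s": mean(gaps) if gaps else None,
        }
    return summary


def projected_alerts_per_day(mean_interval_s, rules_per_packet):
    """How many alerts a steady poll at this interval produces in 24 hours."""
    return round(86400 / mean_interval_s * rules_per_packet)


if __name__ == "__main__":
    for (src, dst, dport), s in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src} -> {dst}:{dport}: {s['alerts']} alerts on {s['packets']} packets, "
              f"mean interval {s['mean_interval_s']} s, rules {s['signatures']}")
```

With a 2.5 s gap and two rules firing per datagram, the projection is about 69,000 alerts per day, the same order of magnitude as the overnight count in the first post. That by itself does not say whether the rate is expected; running the script over the real alert file gives a measured interval to compare with the check interval and number of SNMP-based services defined for that switch in Nagios.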
tonyyarusso
- Posts: 1128
- Joined: Wed Mar 03, 2010 12:38 pm
- Location: St. Paul, MN, USA
Re: NagiosXI and snort.
I'm not terribly familiar with Snort, so could you perhaps show us the actual packets you're talking about?
Re: NagiosXI and snort.
Yes. This is the BASE homepage showing how many Snort alerts there are and how many are TCP/UDP etc.

This screenshot shows the IP address of our Nagios server and the destination IP address, which is a switch we monitor. It might be hard to read, but you can see the timestamps and there are quite a few every second, and this goes on all day long.

Is this normal behavior for monitoring from Nagios via SNMP?
tonyyarusso
Re: NagiosXI and snort.
Sorry, I appear to have been misunderstood. I'm hoping for the actual packet content, as in the raw IP traffic, ideally in PCAP format. You can collect this with a tool such as Wireshark (graphical) or tcpdump (command line). That way I can see exactly what requests we're working with, and have a better chance of being able to answer your question.
Re: NagiosXI and snort.
The second screenshot is all of the TCP data coming through Snort; it does the same thing as Wireshark/tcpdump.
I can get you the payload data of the packets in pcap format from Snort in just a second.
Re: NagiosXI and snort.
OK, attached in a .rar archive are 2 .pcap files. One should be the SNMP public access udp and the other should be the SNMP request udp.
Re: NagiosXI and snort.
I'm really just interested in whether this is normal SNMP monitoring behavior between Nagios and a switch, because if it is I have no problem suppressing the alerts. But it seems to me like an excessive amount of requests, so I didn't know if there was something I could configure to reduce it?
tonyyarusso
Re: NagiosXI and snort.
I notice that both of the packets you attached have invalid IP header checksums, which I would imagine would make the IP subsystem of the OS continually request a re-send of the packet until it got a good one. Perhaps there's something wrong with the switch or a cable somewhere?
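As an added example that is not part of the thread, here is a pure-Python IPv4 header checksum check (the RFC 791 one's-complement sum) that can be run over the raw bytes of packets like the attached ones to confirm whether the stored checksum really disagrees with the computed one. The header bytes and addresses below are constructed; the 192.168.0.1 to 192.168.0.199 header used in the test is a standard textbook sample whose correct checksum is 0xb861.

```python
import socket
import struct


def ipv4_header_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of the
    header's 16-bit words, computed with the checksum field itself zeroed."""
    if len(header) < 20 or len(header) % 2:
        raise ValueError("IPv4 header must be an even length of at least 20 bytes")
    words = bytearray(header)
    words[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def stored_checksum(header):
    """The checksum value actually carried in bytes 10-11 of the header."""
    return struct.unpack("!H", header[10:12])[0]


def checksum_is_valid(header):
    return stored_checksum(header) == ipv4_header_checksum(header)


def inspect_packet(packet):
    """Slice the header off a raw IPv4 packet using the IHL field and report both checksums."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "stored": stored_checksum(header),
        "computed": ipv4_header_checksum(header),
        "valid": checksum_is_valid(header),
    }


def build_header(src, dst, payload_len, protocol=17, ttl=64, ident=0,
                 flags_frag=0x4000, checksum=None):
    """Build a 20-byte IPv4 header (constructed test data, DF flag set). checksum=None fills
    in the correct value; pass an explicit value such as 0 to imitate a bad or unfilled one."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if checksum is None:
        checksum = ipv4_header_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


if __name__ == "__main__":
    # Constructed UDP headers with documentation addresses: one correct, one with the
    # checksum left at zero, as a capture taken before NIC offload fills it in would show.
    good = build_header("192.0.2.10", "192.0.2.20", 40)
    zeroed = build_header("192.0.2.10", "192.0.2.20", 40, checksum=0)
    for name, hdr in (("good", good), ("zeroed", zeroed)):
        r = inspect_packet(hdr + b"\x00" * 40)
        print(f"{name}: {r['src']} -> {r['dst']} stored=0x{r['stored']:04x} "
              f"computed=0x{r['computed']:04x} valid={r['valid']}")
```

One caveat when reading the result: a capture taken on the host that sent the packet frequently shows "invalid" IPv4 checksums because the NIC fills the field in after the capture point (checksum offloading), so the bytes the capture tool saw are not the bytes that went on the wire. A capture taken on a third machine, such as the Snort sensor, reflects the wire contents, and that is the one worth checking before suspecting the switch or cabling.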