[c-nsp] Automatic SNMP trap generation

Bruce Pinsky bep at whack.org
Wed Apr 26 12:23:21 EDT 2006


Gert Doering wrote:
> Hi,
> 
> On Wed, Apr 26, 2006 at 08:09:52AM -0700, Bruce Pinsky wrote:
>> But of course by doing this you expose the correct community string since
>> it is sent as part of the trap generated for the invalid community string.
>>  In general, this is a bad idea.
> 
> so you say "SNMP traps in response to network incidents are a bad idea"?
> 

No, just the one for invalid community since it can be generated on demand
if the proper access controls are not in place for SNMP.  Can also be a
vector for DoS.

See 6.3 in RFC 3512.

- --
=========
bep

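
The access controls discussed in the message above, sketched as Cisco IOS configuration with the weak form beside a restricted one. This is an added example, not part of the original message; the community names, ACL numbers and the 192.0.2.10 management address are constructed placeholders.

```cisco
! --- Weak form (constructed placeholders) ---------------------------------
! Any source may send SNMP requests, each wrong community string raises an
! authenticationFailure trap, and the trap carries the polling community.
snmp-server community EXAMPLE-RO RO
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 version 2c EXAMPLE-RO
!
! --- Restricted form (constructed placeholders) ---------------------------
! Only the management station may poll; other sources are denied and logged.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
! No source may poll with the trap-only community.
access-list 11 deny   any
!
snmp-server community EXAMPLE-RO RO 10
! Define the trap community explicitly and bind it to the deny-all ACL,
! so the string sent in traps grants no read access if it is observed.
snmp-server community EXAMPLE-TRAP RO 11
snmp-server host 192.0.2.10 version 2c EXAMPLE-TRAP
!
! Keep the other generic SNMP traps, drop only the one that an
! unauthenticated sender can trigger on demand.
no snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkdown linkup coldstart warmstart
```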

