[c-nsp] Automatic SNMP trap generation
Bruce Pinsky
bep at whack.org
Wed Apr 26 12:23:21 EDT 2006
Gert Doering wrote:
> Hi,
>
> On Wed, Apr 26, 2006 at 08:09:52AM -0700, Bruce Pinsky wrote:
>> But of course by doing this you expose the correct community string since
>> it is sent as part of the trap generated for the invalid community string.
>> In general, this is a bad idea.
>
> so you say "SNMP traps in response to network incidents are a bad idea"?
>
No, just the one for invalid community since it can be generated on demand
if the proper access controls are not in place for SNMP. Can also be a
vector for DoS.
See 6.3 in RFC 3512.
--
=========
bep
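
An added example, not part of the original message: an IOS configuration sketch of the point made above, with the exposed setup first and a restricted one after it. The community strings, the ACL number and the 192.0.2.10 management station are placeholder assumptions.

```cisco
! --- Exposed (constructed example) ---
! The community answers any source, authenticationFailure traps are on,
! and the trap community is the same string used for polling, so each
! trap sent on the wire carries the read community.
snmp-server community EXAMPLE-RO RO
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 version 2c EXAMPLE-RO

! --- Restricted (constructed example) ---
! ACL 10 limits which sources the read community will answer.
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
snmp-server community EXAMPLE-RO RO 10
!
! Stop the invalid-community trap from being generated at all, so a
! remote sender cannot trigger traps on demand.
no snmp-server enable traps snmp authentication
!
! Traps that remain enabled go out with their own community string,
! distinct from the one used for polling.
snmp-server host 192.0.2.10 version 2c EXAMPLE-TRAP
```

`show snmp` reports the configured trap hosts and the unknown-community counter, which is a quick check that bad-community requests are being counted without a trap going out for each one.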