nv-l

RE: [NV-L] FW: Varbind errors

2007-11-06 10:47:09
Subject: RE: [NV-L] FW: Varbind errors
From: "Evans, Bill" <Bill.Evans AT hq.doe DOT gov>
To: JaneTaylor AT HBOSplc DOT com
Date: Tue, 6 Nov 2007 10:45:56 -0500

 
The "illegal characters" are those which follow the backslashes in the messages.  You can strip them out with a SED command on Unix/Linux (sed -e 's/\\//g') somewhere along the line.  I'm not sure how to do the same in a ruleset.  They are inserted to forestall hackers who might try to bury something executable in the attribute strings forwarded by SNMP.  This write-up is copied from the IBM Redbook on Event Management SG24-6094. 


      Security fix and its impact on NetView automated actions
      A fix has been made to ovactiond, nvcorrd, and actionsvr to close a potential
      security hole. This hole may allow any non-authorized user, with some
      knowledge of NetView trap customization, to gain root access to the NetView
      system by sending a trap to the NetView system from anywhere in the network.
      This did not happen in the product as it is shipped, but can occur after trap
      customization is done by the NetView administrator or anyone with root authority
      on the NetView system. The security hole opened when a trap was customized
      to include a variable in the Command for Automatic Action field. A trap can then
      be sent from any system using command substitution, rather than the intended
      variable, to execute unauthorized operating system commands on the NetView
      system.
      The UNIX daemons impacted by this fix are ovactiond, nvcorrd, and actionsvr.
      The Windows daemons impacted by this fix are nvcorrd and trapd. These
      daemons now filter out all non-alphanumeric characters except for the minus sign
      (-) and the decimal point (.). All characters that do not fall into this set are
      replaced with an underscore (_). If a minus sign or decimal point is encountered,
      it is escaped (preceded by a back slash (\)) as a precaution.
      If any non-alphanumeric character is encountered (and filtering is not disabled), a
      message is logged to the appropriate log file (if logging is enabled). On UNIX, the
      log files are /usr/OV/log/nvcorrd.alog, /usr/OV/log/ovactiond.log, and
      /usr/OV/log/nvaction.alog. On Windows, the log files are \usr\ov\log\nvcorrd.alog
      and trapd.log.
      The modified characters include: $, ‘, ;, &, |, @, #, %, ^, <, >, /, \, =, {, }, -, ", and !.
      When these characters are encountered, a message is entered into the
      appropriate daemon log file.
      This list of filtered characters can be configured by creating a variable (UNIX) or
      a registry variable (Windows) called AdditionalLegalTrapCharacters. If you set
      this variable to disable, then no filtering is done. If you set the variable to a string
      containing nonalphanumeric characters, then the filtering allows those
      characters to pass through the filter, but they are escaped.
      Stop and restart the NetView daemons after setting the variable.

Bill Evans 

-----Original Message-----
From: nv-l-bounces AT lists.ca.ibm DOT com [mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of JaneTaylor AT HBOSplc DOT com
Sent: Tuesday, November 06, 2007 2:48 AM
To: nv-l AT lists.ca.ibm DOT com
Subject: [NV-L] FW: Varbind errors



> Can anyone help?
>
> I'm trying to generate new traps after receiving certain traps and
> then forward them to our tec server. The reason being, I don't want to
> send them all. I'm getting the following errors
>
> 2007/05/11 18:23:28    UserExitDnode.C[345] :   Varbind contained an
> illegal character.
> Issuing sanitized version of the varbind:
> 2007/05/11 18:23:28    UserExitDnode.C[346] :
> NVATTR_3="1\.3\.6\.1\.3\.94\.1\.8\.1\.2\.33\.0\.0\.96\.223\.34\.84\.18
> 2\.0\.0\.0\.0\.0\.0\.0\.0\.12"
> 2007/05/11 18:23:28    UserExitDnode.C[345] :   Varbind contained an
> illegal character.
> Issuing sanitized version of the varbind:
> 2007/05/11 18:23:28    UserExitDnode.C[346] :
> NVATTR_4="BUFFER_RETRIEVAL_REQUEST S_success F_IO Board 11 DD_RAM
> Buffer needs to be retrieved\.  Either it has reached its threshold or
> the periodic retrieval is needed\.  This event triggers EM to
> automatically retrieve the file\.  Board is IO Board 11\."
>
> I'm just trying to forward the same fields from the original trap. The
> NVATTR_3 is an ObjectIdentifier and NVATTR_4 is an OctetString. These
> are actually the ones
>
> In fact, I just want to drop some of these traps by parsing what's in
> the description (NVATTR_4). Is there an easy way of doing that in a
> ruleset?
>
> Help greatly appreciated.
>
> Jane
>
> Jane Taylor
> Enterprise Monitoring & Automation Service
> Group Technology
> Group Operations - HBOS Plc
> (7584)   38733
> 01422 338733
> Copley Ground Floor West Wing
> JaneTaylor AT HBOSplc DOT com
> COP/CG/GT/OPS/EMAS/JBT/348063
> For details of monitoring solutions and statistics....
> http://hww.intranet.hx-online.hxgroup.com/intranet/sites/site46.nsf?op
> endatabase
> Please direct any general queries to our Global Mailbox:
> $Enterprise Monitoring & Automation (HO)
>
>
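
The filter described in the Redbook excerpt and the backslash stripping suggested in the reply, modelled as an added shell example; it is not part of the original messages and is not IBM's code. The function names nv_sanitize and nv_unescape are hypothetical, the AdditionalLegalTrapCharacters value is passed as a second argument, and letting spaces through unchanged is an assumption taken from the NVATTR_4 log line in the thread.

```shell
#!/bin/sh
# Added model of the varbind filter quoted from the Redbook; not IBM's code.
# nv_sanitize and nv_unescape are hypothetical names.
LC_ALL=C   # byte-wise matching, so [A-Za-z0-9] means ASCII only

# nv_sanitize STRING [ADDITIONAL]
# ADDITIONAL stands in for the AdditionalLegalTrapCharacters value.
nv_sanitize() {
    s=$1 extra=${2-} out=
    if [ "$extra" = disable ]; then       # "disable" switches filtering off
        printf '%s' "$s"
        return 0
    fi
    while [ -n "$s" ]; do
        rest=${s#?}                       # everything after the first character
        c=${s%"$rest"}                    # the first character itself
        s=$rest
        case $c in
            [A-Za-z0-9]) out="$out$c" ;;
            ' ')         out="$out$c" ;;      # assumption: spaces pass (NVATTR_4 log line)
            -|.)         out="$out\\$c" ;;    # legal, but escaped as a precaution
            *)  case $extra in
                    *"$c"*) out="$out\\$c" ;; # allowed by the admin: passes, escaped
                    *)      out="${out}_" ;;  # everything else becomes an underscore
                esac ;;
        esac
    done
    printf '%s' "$out"
}

# Remove the escaping backslashes downstream. Single quotes matter: sed must
# receive s/\\//g (match a backslash), not s/\//g (match a forward slash).
nv_unescape() {
    printf '%s\n' "$1" | sed -e 's/\\//g'
}

# Sample inputs: an OID prefix from the log in the thread; the rest are constructed.
nv_sanitize '1.3.6.1.3.94'; echo             # 1\.3\.6\.1\.3\.94
nv_sanitize 'host1;`id`'; echo               # host1__id_
nv_sanitize 'ifSpeed=100' '='; echo          # ifSpeed\=100
nv_unescape "$(nv_sanitize '1.3.6.1.3.94')"  # 1.3.6.1.3.94
```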
