Tuesday, October 25, 2011

snmp_bot

snmp_bot is a library for botloader. Instead of attacking a target, snmp_bot gathers data from it over SNMP. It works best when the data gathering and the attacking are carried out on separate networks:

Configuring snmp_bot

To configure snmp_bot you need to specify an option string in the conf file which you feed to botloader. Because data-gathering bots behave differently from attack bots, the name of snmp_bot is prefixed with '#':

#snmp_bot 1 debug=1 time=120 oids=inOctets:.1.3.6.1.4.1.8072.2.6.1.1.0,droppedOctets:.1.3.6.1.4.1.8072.2.6.1.2.0,outOctets:.1.3.6.1.4.1.8072.2.6.1.3.0,cpuLoad1Min:.1.3.6.1.4.1.8072.2.6.1.4.0,userCPU%:.1.3.6.1.4.1.8072.2.6.1.5.0,systemCPU%:.1.3.6.1.4.1.8072.2.6.1.6.0,realMemoryFree%:.1.3.6.1.4.1.8072.2.6.1.7.0,totalMemoryFree%:.1.3.6.1.4.1.8072.2.6.1.8.0 dest_ip=192.168.200.68

This must all be on one line, so it's a bit difficult to edit. The SNMP OIDs are specified via the oids option. This consists of a comma-separated list of OIDs, each with an optional column heading separated from the OID by a colon. So the entry "droppedOctets:.1.3.6.1.4.1.8072.2.6.1.2.0" means "monitor the OID .1.3.6.1.4.1.8072.2.6.1.2.0 on the target and write its values to the output file under the heading droppedOctets". The interval for sampling the OID values defaults to 5 seconds, but you can change this when invoking botloader on the command line:

sudo botloader -c snmp_bot.conf -i en0 -t 10

This sets the sampling interval to 10 seconds instead of the default 5.

Other values

Botloader itself takes charge of gathering data from any data bots it is asked to monitor. But it also gathers sent and received packet counts from the attack bots and adds those to the log. So you will also find the columns "sent" and "rcvd" in the output.

The default output file is called "data.dat". If you rename it to "something.txt" you can load it into Excel or an OpenOffice spreadsheet as CSV, using tabs as delimiters. Then you can see the table of values properly:
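As an added illustration of the conf-line and output formats described above (this is example code written for this post, not part of botloader or snmp_bot), the following parses a '#snmp_bot' line, splits the oids option into (heading, OID) pairs, and builds the tab-delimited header row that data.dat would carry, including the "sent" and "rcvd" columns botloader appends. It assumes an entry without a heading uses the OID itself as its column heading, and labels the token after the bot name as 'count'; neither is stated on the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the conf line above, shortened to two OIDs for brevity.
CONF_LINE = ("#snmp_bot 1 debug=1 time=120 "
             "oids=inOctets:.1.3.6.1.4.1.8072.2.6.1.1.0,"
             "droppedOctets:.1.3.6.1.4.1.8072.2.6.1.2.0 "
             "dest_ip=192.168.200.68")

# Dotted numeric OID, with or without the leading dot.
OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")


def parse_oids_option(value: str) -> List[Tuple[str, str]]:
    """Split a comma-separated oids value into (heading, oid) pairs."""
    columns = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        # Only the first colon separates heading from OID; OIDs have none.
        heading, sep, oid = entry.partition(":")
        if not sep:
            heading, oid = entry, entry  # assumption: OID doubles as heading
        if not OID_RE.match(oid):
            raise ValueError(f"malformed OID in oids option: {entry!r}")
        columns.append((heading, oid))
    return columns


def parse_conf_line(line: str) -> Dict[str, object]:
    """Parse one '#bot name count key=value ...' line into a dict."""
    tokens = line.split()
    if len(tokens) < 2 or not tokens[0].startswith("#"):
        raise ValueError("data-gathering bot names must start with '#'")
    opts: Dict[str, object] = {"name": tokens[0][1:], "count": tokens[1]}
    for tok in tokens[2:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    opts["oids"] = parse_oids_option(str(opts.get("oids", "")))
    return opts


def data_header(columns: List[Tuple[str, str]]) -> str:
    """Tab-delimited header row: one column per OID plus sent/rcvd."""
    return "\t".join([h for h, _ in columns] + ["sent", "rcvd"])


if __name__ == "__main__":
    parsed = parse_conf_line(CONF_LINE)
    print(parsed["dest_ip"], parsed["oids"])
    print(data_header(parsed["oids"]))
```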