SNMP VARBIND Values

Question

I'm not really sure where to ask this question. I have been searching for an answer so I will try asking here.

We have an application that communicates with our devices via SNMP. Our GET messages are triggering IPS/IDS system alerts because of value 0x04 in the Varbind value.

I am being told by development that 0x04 means empty but I can't find anything to say this is true. In a Wireshark trace this shows up as being Invalid.

Now when I had them test switching the value to 0x05 in the GETs the IPS/IDS systems stop throwing alerts since 0x05 is a NULL.

I would like to find valid martial I can reference for this.

Answer 1

I have found the answer to my search

0x04 = Octet String 0x00 = Length

This is in fact valid as empty but not in GetRequest.

RFC 3416 Protocol Operations for SNMP

PDU Processing “In the elements of procedure below, any field of a PDU which is not referenced by the relevant procedure is ignored by the receiving SNMP entity. However, all components of a PDU, including those whose values are ignored by the receiving SNMP entity, must have valid ASN.1 syntax and encoding. For example, some PDUs (e.g., the GetRequest-PDU) are concerned only with the name of a variable and not its value. In this case, the value portion of the variable binding is ignored by the receiving SNMP entity. The unSpecified value is defined for use as the value portion of such bindings.”

The unSpecified value is defined for use as the value portion in PDUs (e.g., the GetRequest-PDU) which are concerned only with the name of a variable and not its value. The name is the OID. The value is the field that contains 0x04 0x00. GetRequest-PDU must use 0x05 0x00 (NULL, the definition of unSpecified)

Answer 2

Did you check out the RFC for SNMP

http://www.ietf.org/rfc/rfc1157.txt