I have setup my networked printers to use SNMP v2. I set a public and private community string. Every time Open-Audit runs a discovery I get the following in the discovery log for my HP and Xerox devices:
I have set a system wide credential for SNMP v1/2 using public. I have verified that SNMP is configured and working by running snmpwalk -v2c -c private 10.x.y.z and snmpwak-v2c -c public 10.x.y z and it outputs the SNMP information.
If run nmap -sU -p 161 10.x.y.x I get the following:161/udp open|filtered snmp
This seems to be an issue with my HP and Xerox printers. I have a couple of Toshiba machines and SNMP v2c discovery of them appears to work fine. The Toshiba device discovery log shows:
The only difference I can find is that when I run:
nmap -sU -p 161 <Toshiba ip> i get the following
161/udp open snmp
I am guessing that there is an issue with seeing port 161 as being filtered and not truly open and that is where the problem is, but I am not an NMAP or SNMP expert. Any help is appreciated.
OK, I have been WAY OVERTHINKING THIS. With the Enterprise 20 device license installed I can change the scan Options for the UltraFast. On of the options is:Consider Open|Filtered Ports Open
If you set this to Yes, it then treats filtered ports as open so then my HP and Xerox printers that respond back as filtered then get audited via SNMP. Just hope that the setting stays once I add more subnets and I will exceed my 20 device license. we will see, but basically the answer if to set the above to YES.
OK, I t dumped my database and only having 20 items. The the community dashboards I still cannot change anything, but through the Enterprise dashboard, I can change the scan options. I changed it to SuperFast. This appears to not scan for udp 161. I still have the same problem. I then added crre3dentials to just one HP network printer and it still will not query it via SNMP. I don't know what else to try. snmpwalk -v2c -c public 10.x.y.z still returns all of the mib's. Any help is apprecaited. Thanks
OK finally after banging my head against the wall and conceding defeat I asked the question here. Then low and behold I had a Google epiphany and found your youtub video located here:Open-AudIT - Introducing Discovery Options - YouTube
After watching the video, it appears that I am correct. Since I am running the free version with the 20 Node license (which I have exceeded the 20 Nodes) I do not have the ability to change my scan types from the default of Ultrafast. The Ultrafast scan type includes udp 161 and, according to the video, if the port does not report as open (not filtered|open) then Open-Audit will not attempt to perform an SNMP audit.Since I have installed the 20 free device licenses, I can however see the different scan types and was hoping to be able to modify the UltraFast Scan Options, but I cannot remove UDP 161 from the UltraScan option or make any changes to ANY of the scan options. My guess is if I have a valid license, I can change my scan option or modify the UltraFast scan option to excluded udp port 161. Then SNMP queries would be attempted on ALL devices.We have just started using Open-Audit per recommendations from MS-ISAC, DHS, and CIS. Right now, we are looking to try and collect an inventory of devices on all of our subnets. I do for see in the near future the need to purchase a professional or Enterprise license, but for our immediate need I need to show upper management the capabilities. Not being able to query all printers does not look good to non-technical oriented upper management. I know this is a device vendor issue for not answering the NMAP UDP scan. (More information here https://nmap.org/book/scan-methods-udp-scan.html). After that long winded answer to my own question, I have a few new ones:
Is there any way that I can modify the Scan Options without buying a license?
I am still working on populating the system and learning how it works but would really like to show upper management ALL of the information that was collected before having to pitch purchasing licensing for all of the other features that make life easier.
Would removing all of my devices except 20 of them give me the ability to modify the scans?
I don't mind having to do this. Re-adding the other subnets discovered devices would not be a problem.
Will the Scan Options stay as modified if I go beyond 20 devices again?
If no, then there is no point in dumping the 1400+ discovered devices (Lots of duplicates due to devices having multiple NICs on multiple subnets, but that is for another time )
Powered by a free Atlassian Confluence Open Source Project License granted to Opmantek. Evaluate Confluence today.