Custom OID Scan possible (GSM does not recognize old HP ProCurve Devices)?

Hello,

is it possible to add custom oid’s for scanning with snmp?

Our old ProCurve Switches are not recognized correctly. They appear as OS FreeBSD.


But with specific oid the manufacturer, model and firmware name could be read.
PRTG_with_custom_OIDs|690x155

I know HP/HPE/Aruba is not as good as Cisco concerning finding CVE for specific products, and CVEdetails prooves that, but would it be possible to connect to HP by API or something for checking for newer Software Releases?

Thanks and Kind Regards

Robert

There should be already a basic SNMP based OS detection for HP/HPE/Aruba switch devices available in the GCF and GSF done by the following VT:

scripts/gb_snmp_os_detection.nasl:

if( sysdesc =~ "^(Aruba|HP) J[^ ]+ .*Switch" ) {
  register_and_report_os( os:"Aruba/HPE Switch Firmware", cpe:"cpe:/o:arubanetworks:switch_firmware", banner_type:BANNER_TYPE, port:port, proto:"udp", banner:sysdesc, desc:SCRIPT_DESC, runs_key:"unixoide" );
  exit( 0 );
}

Please make sure that you have done a scan including the 161/udp port in your port list so that an SNMP based detection is done. The VT also requires that the device is reporting it’s SNMP sysDescr string to the scanner.

If this is already the case then the mentioned regex above might not match the banner reported by the device. In this case it should be easily possible to extend / improve it if you could provide the output of the following here:

snmpwalk -v 2c -c "public" $targetip 1.3.6.1.2.1.1.1.0

Note that vulnerability tests for HP/HPE/Aruba Switch devices itself are only part of the commercial GSF feed.

1 Like

Of course udp/161,162 has been added to the portlist.
Scan Type with OpenVAS and Full and Fast
Later we had used, copied and modified the Discovery template for networks purposes and faster results (no need for windows and services checks etc.)

Return of the provided/mentioned oid is:

C:\Users\r.grossmann\Downloads\SnmpGet>snmpget -v:2c -c:"COMMUNITY" -o:.1.3.6.1.2.1.1.1.0 -r:HOST

OID=.1.3.6.1.2.1.1.1.0
Type=OctetString
Value=ProCurve J9021A Switch 2810-24G, revision N.11.74, ROM N.10.01 (/sw/code/build/bass)

snmpget output for an other device, with os is correctly detected by gsm:

C:\Users\r.grossmann\Downloads\SnmpGet>snmpget -v:2c -c:"COMMUNITY" -o:.1.3.6.1.2.1.1.1.0 -r:HOST

OID=.1.3.6.1.2.1.1.1.0
Type=OctetString
Value=HP J8697A Switch 5406zl, revision K.16.02.0008, ROM K.15.30 (/ws/swbuildm/spokane_qt_qaoff/code/build/btm(swbuildm_spokane_qt_qaoff_spokane_qt)) (Formerly ProCurve)

The following OIDs would be more specific:

ent physical descr
1.3.6.1.2.1.47.1.1.1.1.2.1
ProCurve J9021A Switch 2810-24G

ent physical model name
1.3.6.1.2.1.47.1.1.1.1.13.1
J9021A

ent physical software rev
1.3.6.1.2.1.47.1.1.1.1.10.1
N.11.74

And this results in same output as above system description:

hpicf entity descr
1.3.6.1.4.1.11.2.14.11.1.2.4.1.4.1
ProCurve J9021A Switch 2810-24G, revision N.11.74, ROM N.10.01 (/sw/code/build/bass)

When I look at the results and the provided/mentioned scripts, it looks like the ProCurve statement is missing…

How can I access the cli to backup and modify the script?
SSH Sessions ends in an limited “GUI” for Greenbone OS Administration…

Bet even that, I am not sure if the script would report the os correctly, as the ProCurve os could not being detected by the hp image mib and the oid .1.3.6.1.4.1.11.2.14.11.5.1.59.1.4.1.5.1. Instead the oid .1.3.6.1.2.1.47.1.1.1.1.10.1 works, and works for all ProCurve/HP/ArubaOS Switch Models.

Is it possible to adjust the os and cpe detection in the register and report os section, too?

Thanks and kind regards

Thanks a lot for providing this information.

Ah indeed this is the culprit here because the existing SNMP based OS detection doesn’t look for that specific ProCurve string.

I have raised an internal ticket about improving this in the mentioned VT. Stay tuned for an update in the next few weeks.

Ok, sounds good. Then we will wait for an update. Commercial License is in Use.

Thank you and have a nice day. Stay healthy!

1 Like

If you have a valid GSF subscription you could raise a support ticket at the Greenbone support portal as customer related tickets are handled with a higher priority.

For the records, the SNMP based detection for such older ProCurve devices have been improved in the meantime and should be included in todays feed update.