maga79
just joined
Topic Author
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Script global variable get from SNMP OID

Thu May 13, 2021 2:07 pm

I set up the global variable.

> :global testvalue 100
Then I add a script to output the value of the variable.
> /system script add dont-require-permissions=no name=test-result owner=madi policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":put \$testvalue"
> /system script environment print
# NAME VALUE
2 testvalue 100
I want to get the value with monitoring software via an SNMP OID:
snmpwalk -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.8
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.5 = STRING: "AliDnsploss"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "AliDnsavgRtt"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.5 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
But there is no value for the variable.

From the wiki, I found this:
----------------------------------------------------------------------------
https://wiki.mikrotik.com/wiki/Manual:SNMP
Running scripts with GET
It is possible to run /system scripts via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.

Add script:

/system script
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/sy reboot "
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"[:put output]"

Get the script OID table

$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0
To run script use table 18

$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"
--------------------------------------------------------------------------------------------------

When I snmpwalk the device, I can't find the SNMP OID 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
snmpget -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.18
SNMPv2-SMI::enterprises.14988.1.1.18 = No Such Object available on this agent at this OID
snmpget -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
SNMPv2-SMI::enterprises.14988.1.1.18 = No Such Object available on this agent at this OID

Why can't I get the value of the variable?
Is the SNMP OID 1.3.6.1.4.1.14988.1.1.18 correct?
 
maga79
just joined
Topic Author
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Re: Script global variable get from SNMP OID

Sat May 15, 2021 6:55 pm

I solved this problem.
It was caused by the SNMP read access.
When I set the community read access permission, snmpwalk and snmpget would not output the value.
When I add the community write access permission, then snmpwalk and snmpget would output the value.
Why can the community read access not get the value, and write access could?
The SNMP server just reads the SNMP OID and doesn't change it. Why does this action need write permission?

Set the SNMP read permission
# snmpget -v 2c -c COMMUNITY 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
Error in packet
Reason: (readOnly) The two parties used do not have access to use the specified SNMP PDU.

Set the SNMP write permission
# snmpwalk -v 2c -c COMMUNITY 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
SNMPv2-SMI::enterprises.14988.1.1.18.1.1.2.2 = STRING: "47"
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Script global variable get from SNMP OID

Tue Jul 05, 2022 8:41 am

I agree with this. Somehow we should have the ability to only allow read access to the results of scripts (queried by an SNMP OID).

The main reason: the combination of the script -> oid being dynamic + requiring snmp-write access enabled on a snmp-community (ie ability to execute a script that does more than just return a value) = dangerous! (dangerous in the sense that the snmp monitoring engine could start triggering a script, repeatedly, that you do not want to have run)!

Example: I have 2x scripts:
ros Script-#1- which I use to quickly create (loop) N number of: VLANs, IP addresses, dhcp-servers (+ ip-pool, dhcp-networks), and queues.
ros Script-#2- a simple script of only: "/ip firewall connection print count-only" (which allows me to retrieve/monitor the current NAT table count via SNMP).

If I have SNMP set to query 1.3.6.1.4.1.14988.1.1.18.1.1.2.2 every 10 minutes, and one day I clone/move the scripts around, that every-10-min OID query could keep triggering my #1 script (i.e. creating VLANs, IPs, etc.).

If we could use read-only to pull values returned by scripts, this would avoid the above issue.
Another solution might be to add a new policy/option to the scripts policies check-boxes, called "SNMP" - if it is checked off, then the script is available via a SNMP oid, if its NOT checked off, then the script does NOT appear in a snmpwalk of OID: 1.3.6.1.4.1.14988.1.1.8 (nor is that script accessible at all via snmp)

(For now, the above scenario has me scared enough that I have stopped using SNMP to retrieve script output, and I've also removed snmp-write permissions from any/all my SNMP communities.)

Or maybe I'm missing something here?

thanks
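
One way to guard a poller against the index drift described in the post above, as an added example that is not part of the original thread or MikroTik's own code: resolve the run OID by script name from a fresh walk of the name table before each poll, and refuse to poll when the name is missing or ambiguous. The two OID columns come from the thread; the script names in the sample walk are constructed.

```python
import re

SCRIPT_NAME_COL = "1.3.6.1.4.1.14988.1.1.8.1.1.2"   # script names (from the thread)
SCRIPT_RUN_COL = "1.3.6.1.4.1.14988.1.1.18.1.1.2"   # a GET here runs the script (from the thread)

# Constructed sample: snmpwalk output in the two prefix styles seen in the thread.
SAMPLE_WALK = '''\
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "make-vlans"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.2 = STRING: "conn-count"
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0
'''

_LINE = re.compile(r'^(\S+)\s*=\s*STRING:\s*"(.*)"\s*$')


def normalize_oid(oid):
    """Rewrite net-snmp's symbolic prefixes to dotted-decimal form."""
    oid = oid.lstrip(".")
    for prefix, numeric in (("SNMPv2-SMI::enterprises.", "1.3.6.1.4.1."),
                            ("iso.", "1.")):
        if oid.startswith(prefix):
            return numeric + oid[len(prefix):]
    return oid


def script_index_table(walk_text):
    """Return {index: script name} from a walk of the script name column."""
    table = {}
    for line in walk_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # INTEGER rows and anything unparseable are ignored
        oid = normalize_oid(m.group(1))
        if oid.startswith(SCRIPT_NAME_COL + "."):
            table[int(oid[len(SCRIPT_NAME_COL) + 1:])] = m.group(2)
    return table


def resolve_run_oid(walk_text, allowed_name):
    """Return the run OID for allowed_name; raise if it is absent or ambiguous."""
    hits = [i for i, n in script_index_table(walk_text).items() if n == allowed_name]
    if len(hits) != 1:
        raise LookupError(f"{allowed_name!r} matched {len(hits)} rows; refusing to poll")
    return f"{SCRIPT_RUN_COL}.{hits[0]}"
```

The walk and the following GET are separate requests, so this narrows the window for triggering the wrong script but does not close it.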
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script global variable get from SNMP OID

Wed Jul 06, 2022 11:35 am

I was looking at this as well.
My goal was to read a global variable from the router using SNMP directly, but there seems to not be any OID to do that.
And even better if you could set a global variable on the router using write SNMP.
