Nmap Development mailing list archives

Re: [NSE] NRPE query script


From: David Fifield <david () bamsoftware com>
Date: Thu, 30 Dec 2010 13:51:16 -0800

On Tue, Dec 14, 2010 at 05:22:30PM -0600, Mak Kolybabi wrote:
> I am submitting the attached script for (hopefully) inclusion into Nmap. This
> script queries Nagios NRPE daemons, and returns the results from the plugins.
>
> The list of commands that it attempts to execute are the ones enabled by default
> if you compile from source. The list of commands can be overridden by a
> script-arg.
>
> Comments, concerns, criticism, and testing are appreciated.

I tested this by installing the Debian packages nagios-nrpe-plugin,
nagios-nrpe-server, nagios-plugins-basic, and nagios-plugins-standard. I
had trouble because the server was using SSL but the script wasn't.
Here's the output in daemon.log:

Dec 30 08:50:00 debian nrpe[17694]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)
Dec 30 08:50:00 debian nrpe[17694]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.
Dec 30 08:50:00 debian nrpe[17694]: Daemon shutdown
Dec 30 08:50:00 debian nrpe[17697]: Error: Could not complete SSL handshake. 1
Dec 30 08:50:00 debian nrpe[17699]: Error: Could not complete SSL handshake. 1
Dec 30 08:50:00 debian nrpe[17701]: Error: Could not complete SSL handshake. 1
Dec 30 08:50:00 debian nrpe[17703]: Error: Could not complete SSL handshake. 1
Dec 30 08:50:00 debian nrpe[17705]: Error: Could not complete SSL handshake. 1

And here's Nmap's output:

NSE: Starting 'nrpe-enum' (thread: 0x2266390) against 127.0.0.1:5666.
NSE: Can't read NRPE response: ERROR
NSE: Can't read NRPE response: ERROR
NSE: Can't read NRPE response: ERROR
NSE: Can't read NRPE response: ERROR
NSE: Can't read NRPE response: ERROR
NSE: Finished 'nrpe-enum' (thread: 0x2266390) against 127.0.0.1:5666.

Running with -sV and detecting SSL doesn't help. If I make this patch:

--- scripts/nrpe-enum.nse
+++ scripts/nrpe-enum.nse
@@ -152,7 +152,7 @@ local nrpe_check = function(host, port, cmd)
        -- Create socket.
        local sock = nmap.new_socket("tcp")
        sock:set_timeout(2000)
-       local status, err = sock:connect(host, port)
+       local status, err = sock:connect(host, port, "ssl")
        if not status then
                stdnse.print_debug(1, "Can't connect: %s", err)
                sock:close()
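
Review bot: the "ssl" argument on the changed sock:connect line is hardcoded, so nrpe_check can no longer talk to a daemon that has SSL disabled (the case check_nrpe's -n option exists for), which is the mirror image of the failure this change addresses. Choose the transport at run time instead: attempt the SSL connect first and, when it fails, retry with a plain connect on a fresh socket, or expose the choice as a script-arg next to the command list. It would also help for the "Can't connect: %s" debug message to say which transport was attempted, so a failed handshake can be told apart from a refused connection.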

I then get this output:

PORT     STATE SERVICE REASON
5666/tcp open  nrpe    syn-ack
| nrpe-enum:
| Command             State     Response
| check_hda1          CRITICAL  DISK CRITICAL - /dev/hda1 is not accessible: No such file or directory
| check_load          OK        OK - load average: 0.04, 0.05, 0.01|load1=0.040;15.000;30.000;0; load5=0.050;10.000;25.000;0; load15=0.010;5.000;20.000;0;
| check_total_procs   WARNING   PROCS WARNING: 192 processes
| check_users         WARNING   USERS WARNING - 7 users currently logged in |users=7;5;10;0
|_check_zombie_procs  OK        PROCS OK: 0 processes with STATE = Z

What do you think, is there a good way to make this work? I notice that
the check_nrpe command has a -n option for "no SSL." Using that option
makes the commands fail for me in the same way.

$ /usr/lib/nagios/plugins/check_nrpe -H localhost -c check_total_procs
PROCS WARNING: 194 processes
$ /usr/lib/nagios/plugins/check_nrpe -n -H localhost -c check_total_procs
CHECK_NRPE: Error receiving data from daemon.

Please use the copy of the script I have renamed and attached. It's
changed to work with some changes to tab.lua I made today.

David Fifield

Attachment: nrpe-enum.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
