North American Network Operators Group
RE: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
- From: McBurnett, Jim
- Date: Fri Mar 05 11:31:48 2004
Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Enterasys, Red Hat etc.
You can run commands on hundreds of devices on a schedule..
I use it to pull config backups and certain reports I want directly from the
->From: firstname.lastname@example.org [mailto:email@example.com]On Behalf Of
->Sent: Friday, March 05, 2004 11:20 AM
->To: Sam Stickland; firstname.lastname@example.org
->Subject: One hint - how to detect infected machines _post
->dealing with w32/bagle
->Just for information - may be useful for someone.
->Task - we determined that a few infected machines were
->connected to one of our
->offices a few days ago.
->They run one of these viruses, which generated a lot of scans
->significant traffic (but traffic was not
->big enough to raise alarm on outgoing gateway). Activity was short.
->Computers are not connected at the time of investigation.
->IDS system and Cisco logs were not active in this office (few
->Cisco ACL's and logs allow detecting many viruses instantly; good IDS
->systems can do it as well).
->- get all port statistics from switch (using SNMPGET and using simple
->'telnetting' script - we have 'RUN-cmd' tool allowing to run
->from shell file;
->- remove all ports with traffic less than some threshold;
->- calculate IN/OUT packets ratio for the rest of ports;
->- find ports, where IN/OUT ratio (IN - to switch) > 6;
->- in these ports, find ports with average packet size < 256 bytes;
->It shows all ports with infected notebooks (even if notebook
->for a half of day).
->PS. Of course, after this a few additional monitoring tools were
->we added _all_ switches and _all_ ports to 'snmpstat'
->monitoring system (it
->allows seeing traffic in real time, and analyzing historical charts,
->including such things as packet size).
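
The port-counter filter described in the quoted message, as an added Python example that is not code from either poster. The counter names, the 10,000-packet traffic threshold, the choice to compute average packet size on the inbound (host to switch) direction, and the sample data are all assumptions made for illustration.

```python
# Constructed sample: cumulative per-port counters as they might be collected
# from IF-MIB (ifInUcastPkts, ifOutUcastPkts, ifInOctets). "in" = host -> switch.
SAMPLE_PORTS = {
    "Fa0/1": {"in_pkts": 1_200_000, "out_pkts": 1_500_000, "in_octets": 610_000_000},
    "Fa0/2": {"in_pkts": 900_000, "out_pkts": 60_000, "in_octets": 72_000_000},
    "Fa0/3": {"in_pkts": 800_000, "out_pkts": 90_000, "in_octets": 960_000_000},
    "Fa0/4": {"in_pkts": 300, "out_pkts": 10, "in_octets": 20_000},
    "Fa0/5": {"in_pkts": 50_000, "out_pkts": 0, "in_octets": 3_200_000},
}


def suspect_ports(ports, min_in_pkts=10_000, min_ratio=6.0, max_avg_size=256):
    """Return [(port, in/out ratio, avg inbound packet size)] for ports that
    pass all three filters from the message, highest ratio first."""
    hits = []
    for name, c in ports.items():
        # Step 1: drop ports with too little traffic to judge (assumed threshold).
        if c["in_pkts"] < min_in_pkts:
            continue
        # Step 2: IN/OUT packet ratio; a port that never received a reply
        # has out_pkts == 0 and is treated as an infinite ratio.
        ratio = float("inf") if c["out_pkts"] == 0 else c["in_pkts"] / c["out_pkts"]
        if ratio <= min_ratio:
            continue
        # Step 3: small average packet size separates scan traffic from
        # legitimate one-way bulk transfers such as uploads or backups.
        avg_size = c["in_octets"] / c["in_pkts"]
        if avg_size >= max_avg_size:
            continue
        hits.append((name, ratio, avg_size))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for port, ratio, avg in suspect_ports(SAMPLE_PORTS):
        print(f"{port}: in/out ratio {ratio:.1f}, avg inbound packet {avg:.0f} bytes")
```

32-bit counters such as ifInOctets can wrap on a port that has been up for days, which skews the computed average size; the 64-bit ifHCInOctets avoids that where the switch supports it.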