Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

  • From: McBurnett, Jim
  • Date: Fri Mar 05 11:31:48 2004

Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Entersys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use to pull config backups and certain reports I want directly from the
devices..

Jim
->-----Original Message-----
->From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
->Alexei Roudnev
->Sent: Friday, March 05, 2004 11:20 AM
->To: Sam Stickland; nanog@merit.edu
->Subject: One hint - how to detect invected machines _post 
->morten_... Re:
->dealing with w32/bagle
->
->
->
->Just for information - may be useful for someone.
->
->Task - we determined, that few infected machines was 
->connected to one of our
->offices few days ago.
->They run one of this viruses, which generated a lot of scans 
->and created
->sugnificant traffic (but traffic was not
->big enough to rais alarm on outgoing gateway). Activity was short.
->
->Computers are not connected in the time of investigation.
->
->IDS system and Cisco logs was not active in this  office (few 
->tricks with
->Cisco ACL's and logs allows to detect many viruses instantly; good IDS
->systems can do it as well).
->
->Solution:
->- get all port statistics from switch (using SNMPGET and using simple
->'telnetting' script - we have 'RUN-cmd' tool allowing to run 
->switch commands
->from shell file;
->- remove all ports with traffic less than some threshold;
->- calculate IN/OUT packets ratio for the rest of ports;
->- find ports, where IN/OUT ratio (IN - to switch) > 6;
->- in this ports, find ports with average packet size < 256 bytes;
->
->It shows all ports with infected notebooks (even if notebook 
->was connected
->for a half of day).
->
->PS. Of course, after this few additional monitoring tools was 
->installed, and
->we added _all_ switches and _all_ ports to 'snmpstat' 
->monitoring system (it
->allows to see a traffic in real time, and analiz historical charts,
->including such things as packet size).
->
->
->
->
->




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.