
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle

  • From: James M. Kretchmar
  • Date: Fri Mar 05 13:24:37 2004

Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you.  A beta of the
new 2.0 version (in Python) will be out within a week.

kretch

> Solution:
> - get all port statistics from the switch (using SNMPGET and a simple
> 'telnetting' script - we have a 'RUN-cmd' tool that allows running switch
> commands from a shell file);
> - remove all ports with traffic less than some threshold;
> - calculate IN/OUT packets ratio for the rest of ports;
> - find ports where the IN/OUT ratio (IN = towards the switch) > 6;
> - among these ports, find those with an average packet size < 256 bytes;
> 
> It shows all ports with infected notebooks (even if the notebook was
> connected for only half a day).
> 
> PS. Of course, after this a few additional monitoring tools were installed,
> and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring
> system (it allows us to see traffic in real time and analyze historical
> charts, including such things as packet size).
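The quoted procedure, as an added example that is not code from the original thread or from Neo: it takes two polls of a switch's per-port IF-MIB counters (ifInOctets, ifOutOctets, ifInUcastPkts, ifOutUcastPkts, here assumed to be what "port statistics" meant) and applies the three tests from the post in order: drop ports below a traffic threshold, keep ports whose IN/OUT packet ratio (IN = towards the switch) exceeds 6, then keep those whose average inbound packet size is under 256 bytes. The port names, counter values and the 1000-packet threshold are constructed for illustration. Two details the post does not spell out are added because a practitioner hits them immediately: 32-bit counters wrap between polls, and a scanning host may get no packets back at all, which would otherwise divide by zero.

```python
"""Flag switch ports whose traffic profile matches an infected host,
using the heuristic from the quoted NANOG post (added example, not the
poster's tool). Counter samples below are constructed; in practice they
come from two snmpget runs against IF-MIB some minutes apart."""
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # IF-MIB Counter32 objects wrap at this value


@dataclass(frozen=True)
class PortSample:
    """One poll of a port's counters. IN = traffic from the host into the switch."""
    in_octets: int
    out_octets: int
    in_pkts: int
    out_pkts: int


def counter_delta(new: int, old: int) -> int:
    """Difference between two Counter32 readings, tolerating one wrap between polls."""
    return (new - old) % COUNTER32_MOD


def suspicious_ports(first, second, min_pkts=1000, min_ratio=6.0, max_avg_size=256):
    """Apply the heuristic to two polls (dicts of port name -> PortSample).

    Returns [(port, in_out_ratio, avg_in_packet_size)] for ports that moved
    at least min_pkts packets, have an IN/OUT packet ratio above min_ratio
    and an average inbound packet size below max_avg_size bytes.
    """
    flagged = []
    for port, a in first.items():
        b = second[port]
        d_in_pkt = counter_delta(b.in_pkts, a.in_pkts)
        d_out_pkt = counter_delta(b.out_pkts, a.out_pkts)
        d_in_oct = counter_delta(b.in_octets, a.in_octets)
        # Step 2: remove ports with traffic below the threshold.
        if d_in_pkt + d_out_pkt < min_pkts:
            continue
        # Steps 3-4: IN/OUT packet ratio. A host that only sends (scanning,
        # spamming) and never gets anything back is treated as an infinite ratio.
        ratio = d_in_pkt / d_out_pkt if d_out_pkt else float("inf")
        if ratio <= min_ratio:
            continue
        # Step 5: average size of the packets the host pushed into the switch.
        avg_size = d_in_oct / d_in_pkt
        if avg_size < max_avg_size:
            flagged.append((port, round(ratio, 1), round(avg_size)))
    return flagged


# Constructed counter readings from two polls a few minutes apart (not real data).
POLL_1 = {
    "Fa0/1": PortSample(10_000_000, 50_000_000, 20_000, 40_000),
    "Fa0/2": PortSample(1_000_000, 1_000_000, 10_000, 10_000),
    "Fa0/3": PortSample(500_000, 500_000, 5_000, 5_000),
    "Fa0/4": PortSample(0, 0, 0, 0),
    # Fa0/5 starts just below the 32-bit ceiling so its counters wrap mid-interval.
    "Fa0/5": PortSample(COUNTER32_MOD - 100_000, 7_000_000, COUNTER32_MOD - 10_000, 1_000),
    "Fa0/6": PortSample(0, 0, 0, 0),
}
POLL_2 = {
    "Fa0/1": PortSample(13_000_000, 56_000_000, 25_000, 44_000),  # normal workstation: ratio 1.25
    "Fa0/2": PortSample(6_400_000, 1_500_000, 70_000, 15_000),    # infected: ratio 12, ~90-byte packets
    "Fa0/3": PortSample(530_000, 520_000, 5_050, 5_040),          # quiet port, below threshold
    "Fa0/4": PortSample(42_000_000, 400_000, 30_000, 4_000),      # bulk upload: ratio 7.5 but 1400-byte packets
    "Fa0/5": PortSample(5_300_000, 7_400_000, 50_000, 6_000),     # infected, counters wrapped
    "Fa0/6": PortSample(300_000, 0, 3_000, 0),                    # infected, nothing ever answered
}

if __name__ == "__main__":
    for port, ratio, avg in suspicious_ports(POLL_1, POLL_2):
        print(f"{port}: IN/OUT={ratio} avg_in_size={avg}B")
```

Only Fa0/2, Fa0/5 and Fa0/6 are reported: the normal workstation fails the ratio test, the quiet port is removed by the threshold, and the bulk uploader passes the ratio test but fails the packet-size test, which is the step that separates a legitimately chatty host from one spraying small packets. Feeding real data means replacing the two dicts with the output of snmpget (or a library such as pysnmp) walked over the interface table.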



