North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle
- From: James M. Kretchmar
- Date: Fri Mar 05 13:24:37 2004
Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you. A beta of the
new 2.0 version (in Python) will be out within a week.
> - get all port statistics from switch (using SNMPGET and using simple
> 'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
> from shell file;
> - remove all ports with traffic less than some threshold;
> - calculate IN/OUT packets ratio for the rest of ports;
> - find ports, where IN/OUT ratio (IN - to switch) > 6;
> - in this ports, find ports with average packet size < 256 bytes;
> It shows all ports with infected notebooks (even if notebook was connected
> for a half of day).
> PS. Of course, after this few additional monitoring tools was installed, and
> we added _all_ switches and _all_ ports to 'snmpstat' monitoring system (it
> allows to see a traffic in real time, and analiz historical charts,
> including such things as packet size).