[68207] in North American Network Operators' Group
RE: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Fri Mar 5 11:29:19 2004
Date: Fri, 5 Mar 2004 11:26:00 -0500
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Alexei Roudnev" <alex@relcom.net>,
"Sam Stickland" <sam_ml@spacething.org>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Take a look at Kiwi CatTools. It has some great Cisco automation ability.
Well, Cisco, Enterasys, Red Hat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule.
I use it to pull config backups and certain reports I want directly from the devices.
Jim
->-----Original Message-----
->From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
->Alexei Roudnev
->Sent: Friday, March 05, 2004 11:20 AM
->To: Sam Stickland; nanog@merit.edu
->Subject: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
->
->Just for information - may be useful for someone.
->
->Task - we determined that a few infected machines were connected to one of our
->offices a few days ago.
->They ran one of those viruses which generate a lot of scans and create
->significant traffic (but the traffic was not
->big enough to raise an alarm on the outgoing gateway). Activity was short.
->
->The computers were not connected at the time of the investigation.
->
->IDS system and Cisco logs were not active in this office (a few tricks with
->Cisco ACLs and logs allow detecting many viruses instantly; good IDS
->systems can do it as well).
->
->Solution:
->- get all port statistics from the switch (using SNMPGET and a simple
->'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands
->from a shell file);
->- remove all ports with traffic less than some threshold;
->- calculate the IN/OUT packets ratio for the rest of the ports;
->- find ports where the IN/OUT ratio (IN - to switch) > 6;
->- in these ports, find ports with average packet size < 256 bytes;
->
->It shows all ports with infected notebooks (even if the notebook was connected
->for half a day).
->
->PS. Of course, after this a few additional monitoring tools were installed, and
->we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
->allows seeing traffic in real time and analyzing historical charts,
->including such things as packet size).
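The port-counter heuristic quoted above (drop quiet ports, keep ports whose IN/OUT packet ratio exceeds 6, then keep those whose average inbound packet size is under 256 bytes), as an added example that is not code from either poster. It assumes counters already pulled from the switch in IF-MIB terms (ifInOctets, ifInUcastPkts, ifOutUcastPkts); the port values and the 10,000-packet idle threshold are constructed, since the post only says "some threshold".

```python
"""Flag switch ports that look like a scanning host: many small packets
into the switch, few packets back out. Added example; sample data constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PortCounters:
    name: str
    in_octets: int   # ifInOctets: bytes received by the switch port from the host
    in_pkts: int     # ifInUcastPkts: packets received from the host ("IN - to switch")
    out_pkts: int    # ifOutUcastPkts: packets sent out of the port to the host

MIN_PACKETS = 10_000   # assumed idle threshold (post: "less than some threshold")
MAX_RATIO = 6.0        # IN/OUT ratio from the post
MAX_AVG_SIZE = 256     # average inbound packet size in bytes, from the post

def suspicious_ports(ports, min_pkts=MIN_PACKETS, max_ratio=MAX_RATIO,
                     max_avg=MAX_AVG_SIZE):
    """Return (port, in/out ratio, avg inbound bytes) for ports matching all steps."""
    flagged = []
    for p in ports:
        if p.in_pkts + p.out_pkts < min_pkts or p.in_pkts == 0:
            continue                       # step 1: idle port, nothing to judge
        # A scanner whose probes get no replies has out_pkts near zero;
        # treat that as an infinite ratio instead of dividing by zero.
        ratio = p.in_pkts / p.out_pkts if p.out_pkts else float("inf")
        if ratio <= max_ratio:
            continue                       # step 2: traffic roughly symmetric
        avg_size = p.in_octets / p.in_pkts
        if avg_size < max_avg:             # step 3: small packets, scan-like
            flagged.append((p.name, round(ratio, 1), round(avg_size)))
    return flagged

# Constructed sample: one normal desktop, one scanning notebook, one idle port,
# one bulk uploader (high ratio but large packets), one scanner with no replies.
SAMPLE_PORTS = [
    PortCounters("Fa0/1", in_octets=30_000_000, in_pkts=50_000, out_pkts=60_000),
    PortCounters("Fa0/2", in_octets=32_000_000, in_pkts=400_000, out_pkts=20_000),
    PortCounters("Fa0/3", in_octets=8_000, in_pkts=100, out_pkts=50),
    PortCounters("Fa0/4", in_octets=1_000_000_000, in_pkts=800_000, out_pkts=50_000),
    PortCounters("Fa0/5", in_octets=2_100_000, in_pkts=30_000, out_pkts=0),
]

if __name__ == "__main__":
    for name, ratio, avg in suspicious_ports(SAMPLE_PORTS):
        print(f"{name}: in/out ratio {ratio}, avg inbound packet {avg} bytes")
```

The bulk uploader on Fa0/4 survives the ratio step but is dropped by the packet-size step, which is why the post applies both filters rather than the ratio alone.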