One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle

James M. Kretchmar kretch at MIT.EDU
Fri Mar 5 18:22:03 UTC 2004


Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you.  A beta of the
new 2.0 version (in Python) will be out within a week.

kretch

> Solution:
> - get all port statistics from switch (using SNMPGET and using simple
> 'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
> from shell file;
> - remove all ports with traffic less than some threshold;
> - calculate IN/OUT packets ratio for the rest of ports;
> - find ports, where IN/OUT ratio (IN - to switch) > 6;
> - in these ports, find ports with average packet size < 256 bytes;
> 
> It shows all ports with infected notebooks (even if the notebook was connected
> for only half a day).
> 
> PS. Of course, after this a few additional monitoring tools were installed, and
> we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
> allows us to see traffic in real time and analyze historical charts,
> including such things as packet size).
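The five-step heuristic quoted above (drop quiet ports, compute the IN/OUT packet ratio, flag ratio > 6, then require an average inbound packet size under 256 bytes) is easy to script once the counters are in hand. The following is an added example, not code from the original thread or from Neo; it assumes the per-port counters have already been fetched (e.g. via snmpget on IF-MIB ifInUcastPkts, ifOutUcastPkts, ifInOctets, ifOutOctets) and works on a constructed snapshot. It also adds the one step the thread glosses over: SNMP counters are cumulative, so the ratio should be computed over the delta between two polls, allowing for a 32-bit counter wrap.

```python
"""Rank switch ports by the scanning-worm heuristic from the NANOG thread.

'IN' is traffic entering the switch from the attached host, matching the
thread's note "IN - to switch". All sample numbers below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortCounters:
    """Per-interface counters as IF-MIB reports them (cumulative since reset)."""
    name: str
    in_pkts: int      # ifInUcastPkts  (host -> switch)
    out_pkts: int     # ifOutUcastPkts (switch -> host)
    in_octets: int    # ifInOctets
    out_octets: int   # ifOutOctets


@dataclass(frozen=True)
class PortVerdict:
    name: str
    ratio: float         # in_pkts / out_pkts
    avg_in_size: float   # in_octets / in_pkts, in bytes
    suspicious: bool


# Thresholds taken from the thread (ratio, packet size); the traffic floor is
# an assumed value, since the thread only says "some threshold".
MIN_PACKETS = 1_000
RATIO_THRESHOLD = 6.0
MAX_AVG_PKT_SIZE = 256
COUNTER32_WRAP = 2 ** 32


def counter_delta(before: PortCounters, after: PortCounters) -> PortCounters:
    """Traffic between two polls; tolerates a single wrap of a 32-bit counter."""
    def d(old: int, new: int) -> int:
        return (new - old) % COUNTER32_WRAP
    return PortCounters(
        after.name,
        d(before.in_pkts, after.in_pkts),
        d(before.out_pkts, after.out_pkts),
        d(before.in_octets, after.in_octets),
        d(before.out_octets, after.out_octets),
    )


def evaluate_port(p: PortCounters,
                  min_packets: int = MIN_PACKETS,
                  ratio_threshold: float = RATIO_THRESHOLD,
                  max_avg_size: float = MAX_AVG_PKT_SIZE) -> Optional[PortVerdict]:
    """Apply steps 2-5 of the heuristic; None means the port was too quiet to judge."""
    if p.in_pkts + p.out_pkts < min_packets:
        return None                                   # step 2: drop quiet ports
    # A port that only ever sends is the extreme case of a scanner; treat the
    # ratio as infinite rather than dividing by zero.
    ratio = p.in_pkts / p.out_pkts if p.out_pkts else float("inf")   # step 3
    avg_in = p.in_octets / p.in_pkts if p.in_pkts else 0.0
    suspicious = ratio > ratio_threshold and avg_in < max_avg_size    # steps 4-5
    return PortVerdict(p.name, ratio, avg_in, suspicious)


def find_suspect_ports(ports: List[PortCounters]) -> List[str]:
    """Names of ports that look like a host spraying small packets at many targets."""
    hits = []
    for p in ports:
        verdict = evaluate_port(p)
        if verdict is not None and verdict.suspicious:
            hits.append(verdict.name)
    return hits


# Constructed per-poll-interval sample (already delta'd); not from a real switch.
SAMPLE_PORTS = [
    PortCounters("Gi1/0/1", 120_000, 15_000, 9_600_000, 2_000_000),    # ratio 8, avg 80 B: scanner-like
    PortCounters("Gi1/0/2", 50_000, 48_000, 40_000_000, 30_000_000),   # balanced, large packets: normal
    PortCounters("Gi1/0/3", 200, 30, 16_000, 2_400),                   # too quiet, skipped
    PortCounters("Gi1/0/4", 90_000, 10_000, 90_000_000, 600_000),      # ratio 9 but 1000 B avg: bulk upload
    PortCounters("Gi1/0/5", 70_000, 0, 4_200_000, 0),                  # sends only, 60 B avg: scanner-like
]

if __name__ == "__main__":
    for name in find_suspect_ports(SAMPLE_PORTS):
        print("investigate", name)
```

Port Gi1/0/4 is why the packet-size step matters: its IN/OUT ratio alone would flag it, but an average of 1000 bytes per packet is a bulk transfer, not a worm probing random addresses. In practice run `counter_delta` on two polls a few minutes apart before scoring, and tune `MIN_PACKETS` to the poll interval.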



More information about the NANOG mailing list