One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
James M. Kretchmar
kretch at MIT.EDU
Fri Mar 5 18:22:03 UTC 2004
Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you. A beta of the
new 2.0 version (in Python) will be out within a week.
kretch
> Solution:
> - get all port statistics from the switch (using SNMPGET and a simple
> 'telnetting' script - we have a 'RUN-cmd' tool allowing switch commands to be run
> from a shell file);
> - remove all ports with traffic less than some threshold;
> - calculate the IN/OUT packets ratio for the rest of the ports;
> - find ports where the IN/OUT ratio (IN - to switch) > 6;
> - on these ports, find ports with average packet size < 256 bytes;
>
> It shows all ports with infected notebooks (even if the notebook was connected
> for half a day).
>
> PS. Of course, after this a few additional monitoring tools were installed, and
> we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
> allows us to see traffic in real time and analyze historical charts,
> including such things as packet size).
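The four-step heuristic in the quoted post (drop quiet ports, compute the IN/OUT packet ratio, keep ratio > 6, then keep ports whose average inbound packet size is under 256 bytes) as a worked example in Python. This is added example code, not code from the post, from Neo, or from the 'snmpstat' or 'RUN-cmd' tools mentioned above. It assumes net-snmp style `snmpwalk` output for the standard IF-MIB counters (`ifInUcastPkts`, `ifOutUcastPkts`, `ifInOctets`, `ifOutOctets`); the counter values and the 1000-packet quiet-port threshold are constructed, since the post gives no number for "some threshold". Because the IF-MIB counters are cumulative, the example diffs two polls before applying the heuristic, which keeps a long-lived file server from being flagged on its lifetime totals.

```python
import re
from collections import defaultdict

# Thresholds from the quoted post; MIN_PACKETS is an assumed value because the
# post only says "some threshold".
MIN_PACKETS = 1000
RATIO_THRESHOLD = 6.0      # IN/OUT packets, IN meaning into the switch (from the host)
MAX_AVG_PKT_SIZE = 256     # bytes, average size of inbound packets

COUNTERS = ("ifInUcastPkts", "ifOutUcastPkts", "ifInOctets", "ifOutOctets")

# net-snmp style output line, e.g. "IF-MIB::ifInUcastPkts.2 = Counter32: 500000"
SNMP_LINE = re.compile(
    r"^IF-MIB::(" + "|".join(COUNTERS) + r")\.(\d+) = Counter32: (\d+)$"
)


def parse_snmpwalk(text):
    """Map ifIndex -> {counter: value} from snmpwalk/snmpget style lines."""
    ports = defaultdict(dict)
    for line in text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if m:
            name, idx, val = m.groups()
            ports[int(idx)][name] = int(val)
    return dict(ports)


def delta(before, after):
    """Per-port counter increase between two polls (Counter32 wraps at 2**32)."""
    out = {}
    for idx, cur in after.items():
        prev = before.get(idx, {})
        out[idx] = {k: (v - prev.get(k, 0)) % 2**32 for k, v in cur.items()}
    return out


def in_out_ratio(c):
    """Inbound-to-outbound packet ratio; infinite if the host only ever sends."""
    return c["ifInUcastPkts"] / c["ifOutUcastPkts"] if c["ifOutUcastPkts"] else float("inf")


def avg_in_packet_size(c):
    """Average size in bytes of packets received on the port."""
    return c["ifInOctets"] / c["ifInUcastPkts"] if c["ifInUcastPkts"] else 0.0


def suspicious_ports(ports, min_packets=MIN_PACKETS, ratio=RATIO_THRESHOLD,
                     max_avg=MAX_AVG_PKT_SIZE):
    """Apply the post's four steps and return the ifIndex of each flagged port."""
    flagged = []
    for idx in sorted(ports):
        c = ports[idx]
        if any(k not in c for k in COUNTERS):
            continue  # incomplete walk for this port; skip rather than guess
        if c["ifInUcastPkts"] + c["ifOutUcastPkts"] < min_packets:
            continue  # step 1: drop quiet ports
        if in_out_ratio(c) <= ratio:
            continue  # steps 2 and 3: keep ratio > 6
        if avg_in_packet_size(c) >= max_avg:
            continue  # step 4: keep small average packet size
        flagged.append(idx)
    return flagged


def constructed_walk(rows):
    """Render constructed counters in net-snmp output form (sample data only)."""
    lines = []
    for idx, values in rows.items():
        for name, val in zip(COUNTERS, values):
            lines.append(f"IF-MIB::{name}.{idx} = Counter32: {val}")
    return "\n".join(lines)


# Constructed sample polls: (in pkts, out pkts, in octets, out octets) per ifIndex.
BASELINE = {1: (1000, 1000, 600000, 600000), 2: (1000, 1000, 600000, 600000),
            3: (10, 10, 6000, 6000), 4: (1000, 1000, 600000, 600000)}
LATER = {
    1: (21000, 26000, 12600000, 26600000),    # workstation: ratio 0.8, ~600 B -> normal
    2: (501000, 31000, 40600000, 3600000),    # ratio 16.7, 80 B inbound -> flagged
    3: (60, 50, 36000, 30000),                # idle port: below MIN_PACKETS
    4: (401000, 21000, 560600000, 2600000),   # bulk upload: ratio 20 but ~1400 B -> normal
}


def run_example():
    before = parse_snmpwalk(constructed_walk(BASELINE))
    after = parse_snmpwalk(constructed_walk(LATER))
    return suspicious_ports(delta(before, after))


if __name__ == "__main__":
    print("suspicious ifIndex values:", run_example())
```

Port 4 is the reason the packet-size step matters: its IN/OUT ratio is far above 6, but its large inbound packets mark it as a bulk transfer rather than a scanner, so only port 2 is reported.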