nanog mailing list archives
Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle
From: "James M. Kretchmar" <kretch () MIT EDU>
Date: Fri, 05 Mar 2004 13:22:03 -0500
Also take a look at Neo at http://www.ktools.org/ which is scriptable and does all the SNMP work behind the scenes for you. A beta of the new 2.0 version (in Python) will be out within a week. kretch
Solution:
- get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packets ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN - to switch) > 6;
- on these ports, find ports with average packet size < 256 bytes.
It shows all ports with infected notebooks (even if the notebook was connected for only half a day).
PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows us to see traffic in real time, and to analyze historical charts, including such things as packet size).
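The heuristic quoted above (drop quiet ports, then flag ports whose inbound packet count is more than six times the outbound count and whose inbound packets average under 256 bytes) as a small, self-contained script. This is an added example, not code from the original post, from Neo, or from the 'snmpstat'/'RUN-cmd' tools mentioned in the thread. The counters are constructed inline here; in practice they would be two samples of the IF-MIB objects ifInUcastPkts, ifOutUcastPkts, ifInOctets and ifOutOctets taken with snmpget or snmpwalk. The 1000-packet quiet threshold, the use of inbound bytes/inbound packets as "average packet size", and the Counter32 wrap handling are assumptions of this example, not values from the thread.

```python
"""Flag switch ports that look like a scanning or mass-mailing host.

Added example, not code from the original thread. Counters are constructed
inline; real input would be two SNMP samples of IF-MIB ifInUcastPkts,
ifOutUcastPkts, ifInOctets and ifOutOctets per port ("IN" = into the switch).
"""
from __future__ import annotations

from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32          # IF-MIB 32-bit counters wrap at this value
MIN_PACKETS = 1000               # "traffic less than some threshold" (assumed value)
RATIO_THRESHOLD = 6.0            # IN/OUT packet ratio from the thread
MAX_AVG_PKT_BYTES = 256          # average packet size from the thread


@dataclass(frozen=True)
class PortCounters:
    in_pkts: int
    out_pkts: int
    in_octets: int
    out_octets: int


def counter_delta(new: int, old: int) -> int:
    """Difference of two Counter32 samples, tolerating a single wrap-around."""
    return (new - old) % COUNTER32_MOD


def delta(newer: PortCounters, older: PortCounters) -> PortCounters:
    """Per-port traffic between two SNMP samples."""
    return PortCounters(
        counter_delta(newer.in_pkts, older.in_pkts),
        counter_delta(newer.out_pkts, older.out_pkts),
        counter_delta(newer.in_octets, older.in_octets),
        counter_delta(newer.out_octets, older.out_octets),
    )


def analyze(older: dict[str, PortCounters], newer: dict[str, PortCounters],
            min_packets: int = MIN_PACKETS, ratio_threshold: float = RATIO_THRESHOLD,
            max_avg_pkt: float = MAX_AVG_PKT_BYTES) -> dict[str, dict]:
    """Apply the thread's steps to every port present in both samples."""
    results: dict[str, dict] = {}
    for name, new in newer.items():
        if name not in older:
            continue
        d = delta(new, older[name])
        total = d.in_pkts + d.out_pkts
        if total < min_packets:                       # step 2: drop quiet ports
            results[name] = {"verdict": "quiet", "packets": total}
            continue
        # step 3/4: packets received by the switch vs. packets sent to the host
        ratio = d.in_pkts / d.out_pkts if d.out_pkts else float("inf")
        # step 5: average size of what the host sends (assumed: inbound bytes / pkts)
        avg_in = d.in_octets / d.in_pkts if d.in_pkts else 0.0
        suspect = ratio > ratio_threshold and avg_in < max_avg_pkt
        results[name] = {
            "verdict": "suspect" if suspect else "ok",
            "packets": total,
            "in_out_ratio": ratio,
            "avg_in_pkt_bytes": avg_in,
        }
    return results


def suspect_ports(older: dict[str, PortCounters], newer: dict[str, PortCounters]) -> list[str]:
    return sorted(n for n, r in analyze(older, newer).items() if r["verdict"] == "suspect")


# Constructed samples. Gi0/7's counters cross the 2^32 boundary between samples.
OLDER = {
    "Gi0/1":  PortCounters(100_000, 90_000, 60_000_000, 81_000_000),   # ordinary desktop
    "Gi0/3":  PortCounters(5_000, 5_000, 7_000_000, 1_000_000),        # host uploading large files
    "Gi0/7":  PortCounters(2**32 - 100, 1_000, 2**32 - 12_000, 500_000),  # worm-like host
    "Gi0/12": PortCounters(10, 10, 1_000, 1_000),                       # nearly idle port
}
NEWER = {
    "Gi0/1":  PortCounters(120_000, 108_000, 72_000_000, 97_200_000),  # ratio 1.1, avg 600 B
    "Gi0/3":  PortCounters(35_000, 9_000, 49_000_000, 1_240_000),      # ratio 7.5, avg 1400 B
    "Gi0/7":  PortCounters(49_900, 6_000, 5_988_000, 800_000),         # ratio 10, avg 120 B
    "Gi0/12": PortCounters(210, 160, 101_000, 76_000),                 # 350 packets: quiet
}

if __name__ == "__main__":
    for port, r in analyze(OLDER, NEWER).items():
        print(port, r)
    print("suspect:", suspect_ports(OLDER, NEWER))
```

Gi0/3 shows why the thread pairs the ratio with the packet-size check: a host pushing large transfers also has a lopsided IN/OUT ratio, but its inbound packets are near the MTU, so it is not flagged.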