North American Network Operators Group

Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Also take a look at Neo at http://www.ktools.org/ which is scriptable and does all the SNMP work behind the scenes for you. A beta of the new 2.0 version (in Python) will be out within a week.

kretch

> Solution:
> - get all port statistics from the switch (using SNMPGET and a simple
> 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands
> from a shell file);
> - remove all ports with traffic less than some threshold;
> - calculate the IN/OUT packet ratio for the rest of the ports;
> - find ports where the IN/OUT ratio (IN - to switch) > 6;
> - on these ports, find ports with average packet size < 256 bytes;
>
> It shows all ports with infected notebooks (even if the notebook was connected
> for only half a day).
>
> PS. Of course, after this a few additional monitoring tools were installed, and
> we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
> allows us to see traffic in real time and analyze historical charts,
> including such things as packet size).
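The quoted five-step port heuristic, written out as an added Python example (not code from the post, from Neo, or from the 'snmpstat' tool): it takes two polls of per-port IF-MIB counters, handles a 32-bit counter wrap between polls, and applies the quiet-port threshold, the IN/OUT ratio and the average-packet-size filter. The port names, thresholds and counter values are constructed for the example.

```python
# Added example, not from the original thread. Counter values are constructed
# sample data; in practice they would come from two SNMP polls of the switch's
# IF-MIB ifEntry columns (under 1.3.6.1.2.1.2.2.1):
#   .10 ifInOctets  .11 ifInUcastPkts  .16 ifOutOctets  .17 ifOutUcastPkts
# "IN" is traffic received by the switch port, i.e. sent by the attached host.
from dataclasses import dataclass


@dataclass
class PortCounters:
    in_octets: int
    in_pkts: int
    out_octets: int
    out_pkts: int


def delta(before: int, after: int) -> int:
    """Counter increase between two polls, correcting one 32-bit wrap."""
    d = after - before
    return d if d >= 0 else d + 2**32


def suspicious_ports(poll1, poll2, min_pkts=1000, ratio=6.0, max_avg_size=256):
    """Return (port, in/out ratio, avg inbound packet size) for ports whose
    traffic between the polls matches the scanning profile from the post."""
    flagged = []
    for port, a in poll1.items():
        b = poll2[port]
        in_pkts = delta(a.in_pkts, b.in_pkts)
        out_pkts = delta(a.out_pkts, b.out_pkts)
        in_octets = delta(a.in_octets, b.in_octets)
        if in_pkts + out_pkts < min_pkts:      # step 2: drop quiet ports
            continue
        r = in_pkts / out_pkts if out_pkts else float("inf")
        if r <= ratio:                         # steps 3-4: host sends >> receives
            continue
        avg = in_octets / in_pkts              # step 5: small probes, not bulk data
        if avg < max_avg_size:
            flagged.append((port, round(r, 1), round(avg)))
    return flagged


# Constructed sample: port 2 sits just below a counter wrap and scans with
# ~100-byte packets; port 4 uploads large packets (high ratio, but not small).
SAMPLE_POLL1 = {
    "Gi1/0/1": PortCounters(1_000_000, 2_000, 5_000_000, 4_000),
    "Gi1/0/2": PortCounters(4_294_900_000, 9_000_000, 100_000, 500),
    "Gi1/0/3": PortCounters(0, 0, 0, 0),
    "Gi1/0/4": PortCounters(0, 0, 0, 0),
}
SAMPLE_POLL2 = {
    "Gi1/0/1": PortCounters(1_800_000, 3_000, 9_000_000, 8_000),
    "Gi1/0/2": PortCounters(2_000_000, 9_020_000, 160_000, 1_500),
    "Gi1/0/3": PortCounters(150_000, 100, 200_000, 50),
    "Gi1/0/4": PortCounters(14_000_000, 10_000, 60_000, 1_000),
}
```

Running `suspicious_ports(SAMPLE_POLL1, SAMPLE_POLL2)` flags only Gi1/0/2 (ratio 20, about 103-byte average packets); the quiet port and the large-packet uploader are dropped by steps 2 and 5.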