Take a look at Kiwi CatTools. It has some great Cisco automation ability... well, Cisco, Enterasys, Red Hat etc. www.kiwisyslog.com

You can run commands on hundreds of devices on a schedule. I use it to pull config backups and certain reports I want directly from the devices.

Jim

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Alexei Roudnev
> Sent: Friday, March 05, 2004 11:20 AM
> To: Sam Stickland; nanog@merit.edu
> Subject: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
>
> Just for information - may be useful for someone.
>
> Task - we determined that a few infected machines were connected to one of our offices a few days ago.
> They ran one of these viruses which generate a lot of scans and created significant traffic (but the traffic was not big enough to raise an alarm on the outgoing gateway). Activity was short.
>
> The computers were not connected at the time of the investigation.
>
> The IDS system and Cisco logs were not active in this office (a few tricks with Cisco ACLs and logs allow detecting many viruses instantly; good IDS systems can do it as well).
>
> Solution:
> - get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands from a shell file);
> - remove all ports with traffic less than some threshold;
> - calculate the IN/OUT packet ratio for the rest of the ports;
> - find ports where the IN/OUT ratio (IN - to switch) > 6;
> - in these ports, find ports with average packet size < 256 bytes.
>
> It shows all ports with infected notebooks (even if a notebook was connected for half a day).
>
> PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows seeing traffic in real time and analyzing historical charts, including such things as packet size).
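The port-filtering heuristic Alexei describes (drop quiet ports, keep IN/OUT ratio > 6, then keep average inbound packet size < 256 bytes), written out as an added example that is not part of the original thread. It works on a constructed set of per-port counters of the kind you would pull with SNMP from IF-MIB (ifInUcastPkts, ifOutUcastPkts, ifInOctets, ifOutOctets); the traffic threshold of 10,000 packets is an assumed value, since the post does not give one.

```python
from dataclasses import dataclass

@dataclass
class PortStats:
    """Counter deltas for one switch port over the investigated period.
    'in' is traffic received by the switch from the attached host
    (the post's 'IN - to switch'), 'out' is traffic sent to the host."""
    name: str
    in_pkts: int
    out_pkts: int
    in_octets: int
    out_octets: int

MIN_PKTS = 10_000       # assumed threshold: ignore ports with less traffic than this
IN_OUT_RATIO = 6.0      # from the post: IN/OUT packet ratio > 6
MAX_AVG_IN_SIZE = 256   # from the post: average inbound packet size < 256 bytes

def suspicious_ports(ports, min_pkts=MIN_PKTS, ratio=IN_OUT_RATIO,
                     max_avg=MAX_AVG_IN_SIZE):
    """Return (port, in_out_ratio, avg_in_size) for ports that match all three
    filters. A scanning host sends many small probes into the switch and
    receives few replies, so it shows a high IN/OUT ratio and a small average
    inbound packet size; a bulk upload can have a high ratio but large packets."""
    flagged = []
    for p in ports:
        if p.in_pkts + p.out_pkts < min_pkts:
            continue                                   # too quiet to judge
        in_out = p.in_pkts / p.out_pkts if p.out_pkts else float("inf")
        if in_out <= ratio:
            continue                                   # roughly balanced traffic
        avg_in = p.in_octets / p.in_pkts if p.in_pkts else 0.0
        if avg_in < max_avg:
            flagged.append((p.name, in_out, avg_in))
    return flagged

# Constructed sample counters (not real data):
SAMPLE_PORTS = [
    PortStats("Fa0/1", 120_000, 110_000, 90_000_000, 80_000_000),   # ordinary workstation
    PortStats("Fa0/2", 200, 180, 30_000, 25_000),                  # nearly idle, dropped by threshold
    PortStats("Fa0/3", 850_000, 40_000, 68_000_000, 4_000_000),    # scanner-like: ratio 21.25, 80-byte average
    PortStats("Fa0/4", 500_000, 60_000, 700_000_000, 5_000_000),   # bulk upload: ratio 8.3 but 1400-byte packets
]

if __name__ == "__main__":
    for name, r, avg in suspicious_ports(SAMPLE_PORTS):
        print(f"{name}: IN/OUT ratio {r:.1f}, avg inbound packet {avg:.0f} bytes")
```

Counters in IF-MIB are cumulative, so feed the function the difference between two polls (or the counters since the last clear), not raw absolute values.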