RE: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle
Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices.. Jim ->-----Original Message----- ->From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of ->Alexei Roudnev ->Sent: Friday, March 05, 2004 11:20 AM ->To: Sam Stickland; nanog@merit.edu ->Subject: One hint - how to detect invected machines _post ->morten_... Re: ->dealing with w32/bagle -> -> -> ->Just for information - may be useful for someone. -> ->Task - we determined, that few infected machines was ->connected to one of our ->offices few days ago. ->They run one of this viruses, which generated a lot of scans ->and created ->sugnificant traffic (but traffic was not ->big enough to rais alarm on outgoing gateway). Activity was short. -> ->Computers are not connected in the time of investigation. -> ->IDS system and Cisco logs was not active in this office (few ->tricks with ->Cisco ACL's and logs allows to detect many viruses instantly; good IDS ->systems can do it as well). -> ->Solution: ->- get all port statistics from switch (using SNMPGET and using simple ->'telnetting' script - we have 'RUN-cmd' tool allowing to run ->switch commands ->from shell file; ->- remove all ports with traffic less than some threshold; ->- calculate IN/OUT packets ratio for the rest of ports; ->- find ports, where IN/OUT ratio (IN - to switch) > 6; ->- in this ports, find ports with average packet size < 256 bytes; -> ->It shows all ports with infected notebooks (even if notebook ->was connected ->for a half of day). -> ->PS. Of course, after this few additional monitoring tools was ->installed, and ->we added _all_ switches and _all_ ports to 'snmpstat' ->monitoring system (it ->allows to see a traffic in real time, and analiz historical charts, ->including such things as packet size). -> -> -> -> ->
On 05.03.2004 17:26 McBurnett, Jim wrote:
Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices..
And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). You can't live without rancid if you have to do router/switch manipulation/polling ... Arnold
On 05.03.2004 17:26 McBurnett, Jim wrote:
Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from
We have the same freeware system, but I 100% agree with _you can not live without it_. ----- Original Message ----- From: "Arnold Nipper" <arnold@nipper.de> To: "McBurnett, Jim" <jmcburnett@msmgmt.com> Cc: "Alexei Roudnev" <alex@relcom.net>; "Sam Stickland" <sam_ml@spacething.org>; <nanog@merit.edu> Sent: Friday, March 05, 2004 8:37 AM Subject: Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle the
devices..
And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). You can't live without rancid if you have to do router/switch manipulation/polling ...
Arnold
It is interesting, I wil look. We have the same system (CCR 1.1 - Cisco Configuration Repository), which can read configurations (manually or on schedule), keep change history in CVS, and can be easily adapted for running commands (in reality, it have few tools to run a command) and we was thinking about putting it on sourceforge as a part of 'snmpstat' system, but I found a few interesting _existing_ systems, as well, so we will look. What we did additionally - add some security - if, for some reason, company do not want to keep passwords in public/private key encrypted format (which means, that root can decrypt them), you can use PASSPHRASE mode (which allows to crypt passwords using passphrase, so operators must know this phrase but do not require to know exact passwords) or you can use explicit passwords. One more quesstion - did anyone know tools, alllowing to generate 'cisco update' based on 2 configurations (old and new)? We wrote such thing 4 years ago (in Russia), but it was still limited to our scope of configurations. ----- Original Message ----- From: "McBurnett, Jim" <jmcburnett@msmgmt.com> To: "Alexei Roudnev" <alex@relcom.net>; "Sam Stickland" <sam_ml@spacething.org>; <nanog@merit.edu> Sent: Friday, March 05, 2004 8:26 AM Subject: RE: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices.. Jim ->-----Original Message----- ->From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of ->Alexei Roudnev ->Sent: Friday, March 05, 2004 11:20 AM ->To: Sam Stickland; nanog@merit.edu ->Subject: One hint - how to detect invected machines _post ->morten_... Re: ->dealing with w32/bagle -> -> -> ->Just for information - may be useful for someone. -> ->Task - we determined, that few infected machines was ->connected to one of our ->offices few days ago. ->They run one of this viruses, which generated a lot of scans ->and created ->sugnificant traffic (but traffic was not ->big enough to rais alarm on outgoing gateway). Activity was short. -> ->Computers are not connected in the time of investigation. -> ->IDS system and Cisco logs was not active in this office (few ->tricks with ->Cisco ACL's and logs allows to detect many viruses instantly; good IDS ->systems can do it as well). -> ->Solution: ->- get all port statistics from switch (using SNMPGET and using simple ->'telnetting' script - we have 'RUN-cmd' tool allowing to run ->switch commands ->from shell file; ->- remove all ports with traffic less than some threshold; ->- calculate IN/OUT packets ratio for the rest of ports; ->- find ports, where IN/OUT ratio (IN - to switch) > 6; ->- in this ports, find ports with average packet size < 256 bytes; -> ->It shows all ports with infected notebooks (even if notebook ->was connected ->for a half of day). -> ->PS. Of course, after this few additional monitoring tools was ->installed, and ->we added _all_ switches and _all_ ports to 'snmpstat' ->monitoring system (it ->allows to see a traffic in real time, and analiz historical charts, ->including such things as packet size). -> -> -> -> ->
participants (3)
-
Alexei Roudnev
-
Arnold Nipper
-
McBurnett, Jim