Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Also take a look at Neo at http://www.ktools.org/ which is scriptable and does all the SNMP work behind the scenes for you. A beta of the new 2.0 version (in Python) will be out within a week.

kretch
Solution:
- get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script; we have a 'RUN-cmd' tool that allows running switch commands from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packet ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN = to switch) > 6;
- among these ports, find ports with average packet size < 256 bytes.

It shows all ports with infected notebooks (even if the notebook was connected for only half a day).

PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows seeing traffic in real time and analyzing historical charts, including such things as packet size).
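The five-step filter above, worked through as an added example (this is not code from the original post, nor from Neo or the 'snmpstat' tool it mentions). It assumes two polls of the IF-MIB counters ifInUcastPkts, ifOutUcastPkts, ifInOctets and ifOutOctets per port, with "IN" meaning packets the attached host sends into the switch; the port names, counter values and the minimum-traffic threshold are constructed for the example, and the ratio and packet-size thresholds are the ones from the post. Because the 32-bit IF-MIB counters wrap, the deltas are wrap-corrected, which is the usual pitfall when scripting this by hand.

```python
"""Flag switch ports whose traffic profile matches the post's worm heuristic:
inbound/outbound packet ratio above 6 and average inbound packet size under 256 bytes."""
from dataclasses import dataclass

COUNTER_WRAP = 2 ** 32  # 32-bit IF-MIB counters (ifInUcastPkts etc.) roll over here


@dataclass(frozen=True)
class PortCounters:
    """One SNMP poll of a port. Field names follow IF-MIB; values below are constructed."""
    in_pkts: int      # ifInUcastPkts: packets the host sent INTO the switch
    out_pkts: int     # ifOutUcastPkts: packets the switch sent to the host
    in_octets: int    # ifInOctets
    out_octets: int   # ifOutOctets


# Constructed sample: two polls of the same four ports, a few hours apart.
SNAPSHOT_T0 = {
    "Gi1/0/1": PortCounters(1_000, 2_000, 600_000, 2_400_000),
    "Gi1/0/2": PortCounters(4_294_900_000, 10_000, 4_294_000_000, 1_000_000),  # close to wrap
    "Gi1/0/3": PortCounters(500, 400, 50_000, 40_000),
    "Gi1/0/4": PortCounters(10_000, 5_000, 14_000_000, 700_000),
}
SNAPSHOT_T1 = {
    "Gi1/0/1": PortCounters(51_000, 62_000, 30_600_000, 72_400_000),   # ordinary workstation
    "Gi1/0/2": PortCounters(832_704, 60_000, 88_032_704, 6_000_000),   # wrapped; scanning host
    "Gi1/0/3": PortCounters(700, 500, 70_000, 50_000),                 # nearly idle
    "Gi1/0/4": PortCounters(510_000, 65_000, 714_000_000, 7_700_000),  # bulk upload, big packets
}


def counter_delta(before: int, after: int) -> int:
    """Difference of two 32-bit counter readings, corrected for a single roll-over."""
    d = after - before
    return d + COUNTER_WRAP if d < 0 else d


@dataclass(frozen=True)
class PortStats:
    port: str
    in_pkts: int
    out_pkts: int
    ratio: float        # IN/OUT packet ratio (step 3 of the post)
    avg_in_size: float  # average inbound packet size in bytes (step 5)


def port_stats(t0: dict, t1: dict) -> list[PortStats]:
    """Per-port deltas between the two polls, skipping ports missing from either."""
    stats = []
    for port, after in t1.items():
        before = t0.get(port)
        if before is None:
            continue
        in_p = counter_delta(before.in_pkts, after.in_pkts)
        out_p = counter_delta(before.out_pkts, after.out_pkts)
        in_o = counter_delta(before.in_octets, after.in_octets)
        ratio = in_p / out_p if out_p else float("inf")
        avg_in = in_o / in_p if in_p else 0.0
        stats.append(PortStats(port, in_p, out_p, ratio, avg_in))
    return stats


def suspicious_ports(t0: dict, t1: dict, min_pkts: int = 1_000,
                     ratio_threshold: float = 6.0, max_avg_size: float = 256.0) -> list[str]:
    """Apply steps 2, 4 and 5: drop quiet ports, then keep high-ratio, small-packet ports."""
    flagged = []
    for s in port_stats(t0, t1):
        if s.in_pkts + s.out_pkts < min_pkts:      # step 2: below traffic threshold
            continue
        if s.ratio > ratio_threshold and s.avg_in_size < max_avg_size:
            flagged.append(s.port)
    return flagged


if __name__ == "__main__":
    for s in port_stats(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{s.port}: in={s.in_pkts} out={s.out_pkts} ratio={s.ratio:.1f} avg={s.avg_in_size:.0f}B")
    print("suspicious:", suspicious_ports(SNAPSHOT_T0, SNAPSHOT_T1))
```

Gi1/0/4 shows why the size check in step 5 matters: its IN/OUT ratio is above 6, but the 1400-byte average packet is a bulk upload, not a scanner, so only Gi1/0/2 is flagged. In a real deployment the two snapshots would come from snmpget (or Neo) polls of the IF-MIB counters; 64-bit ifHC* counters, where the switch supports them, remove the need for the wrap correction.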
Participants (1): James M. Kretchmar