Just for information - may be useful for someone.
Task - we determined, that few infected machines was connected to one of our
offices few days ago.
They run one of this viruses, which generated a lot of scans and created
sugnificant traffic (but traffic was not
big enough to rais alarm on outgoing gateway). Activity was short.
Computers are not connected in the time of investigation.
IDS system and Cisco logs was not active in this office (few tricks with
Cisco ACL's and logs allows to detect many viruses instantly; good IDS
systems can do it as well).
Solution:
- get all port statistics from switch (using SNMPGET and using simple
'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
from shell file;
- remove all ports with traffic less than some threshold;
- calculate IN/OUT packets ratio for the rest of ports;
- find ports, where IN/OUT ratio (IN - to switch) > 6;
- in this ports, find ports with average packet size < 256 bytes;
It shows all ports with infected notebooks (even if notebook was connected
for a half of day).
PS. Of course, after this few additional monitoring tools was installed, and
we added _all_ switches and _all_ ports to 'snmpstat' monitoring system (it
allows to see a traffic in real time, and analiz historical charts,
including such things as packet size).