RE: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Entersys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use to pull config backups and certain reports I want directly from the
devices..

Jim
->-----Original Message-----
->From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
->Alexei Roudnev
->Sent: Friday, March 05, 2004 11:20 AM
->To: Sam Stickland; nanog@merit.edu
->Subject: One hint - how to detect invected machines _post
->morten_... Re:
->dealing with w32/bagle
->
->
->
->Just for information - may be useful for someone.
->
->Task - we determined, that few infected machines was
->connected to one of our
->offices few days ago.
->They run one of this viruses, which generated a lot of scans
->and created
->sugnificant traffic (but traffic was not
->big enough to rais alarm on outgoing gateway). Activity was short.
->
->Computers are not connected in the time of investigation.
->
->IDS system and Cisco logs was not active in this office (few
->tricks with
->Cisco ACL's and logs allows to detect many viruses instantly; good IDS
->systems can do it as well).
->
->Solution:
->- get all port statistics from switch (using SNMPGET and using simple
->'telnetting' script - we have 'RUN-cmd' tool allowing to run
->switch commands
->from shell file;
->- remove all ports with traffic less than some threshold;
->- calculate IN/OUT packets ratio for the rest of ports;
->- find ports, where IN/OUT ratio (IN - to switch) > 6;
->- in this ports, find ports with average packet size < 256 bytes;
->
->It shows all ports with infected notebooks (even if notebook
->was connected
->for a half of day).
->
->PS. Of course, after this few additional monitoring tools was
->installed, and
->we added _all_ switches and _all_ ports to 'snmpstat'
->monitoring system (it
->allows to see a traffic in real time, and analiz historical charts,
->including such things as packet size).
->
->
->
->
->

And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). You can't live without rancid if you have to do router/switch manipulation/polling ...

Arnold

It is interesting, I wil look. We have the same system (CCR 1.1 - Cisco
Configuration Repository), which can read configurations (manually or on
schedule), keep change history in CVS, and can be easily adapted for running
commands (in reality, it have
few tools to run a command) and we was thinking about putting it on
sourceforge as a part of 'snmpstat' system, but
I found a few interesting _existing_ systems, as well, so we will look.

What we did additionally - add some security - if, for some reason, company
do not want to keep passwords in public/private key encrypted format (which
means, that root can decrypt them), you can use PASSPHRASE mode (which
allows to crypt passwords using passphrase, so operators must know this
phrase but do not require to know exact passwords) or you can use explicit
passwords.

One more quesstion - did anyone know tools, alllowing to generate 'cisco
update' based on 2 configurations (old and new)? We wrote such thing 4 years
ago (in Russia), but it was still limited to our scope of configurations.

We have the same freeware system, but I 100% agree with _you can not live
without it_.