From: Peter Phaal (peter.phaal@inmon.com)
Date: 01/27/03
Here is a simple way to detect which hosts on your network have been
infected with the Slammer worm.
1. Use the Server->Forwarding option to forward samples to localhost port
8888.
2. Run the following script:
sflowtool -p 8888 | awk --source '
    # a new sample starts: clear the signature flag
    /sampleType/ {flag = 0;}
    # run of 0x01 bytes in the packet header = Slammer scan signature
    /01-01-01-01-01-01-01-01-01-01-01/ {flag = 1;}
    # remember the sender of this sample
    /srcIP/ { sourceAddress = $2;}
    # signature present and destination 1434/udp: report the sender once
    /UDPDstPort/ {
        if(flag && ($2 == 1434)) {
            if(!infected[sourceAddress]) {
                infected[sourceAddress] = "yes";
                print sourceAddress;
            }
        }
    }'
This will print out the IP addresses of infected hosts, by detecting a
signature in the packets that they are using to scan for new "victims".
Notes:
======
1. This will only work if your monitoring is sFlow or HP-Extended-RMON
based. Cisco-NetFlow monitoring does not include the appropriate
information.
2. For notes on configuring the forwarding, click on the on-line help links
in that page. For example, to forward everything in your entire site to the
script, just set it to:
agent: 0.0.0.0/0 address: localhost port: 8888
3. The sflowtool utility is available at
<http://www.inmon.com/sflowTools.htm>
----------------------
Peter Phaal
InMon Corp.
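The same per-sample detection as an added, self-contained example (not Peter's script and not part of sflowtool): the awk program is wrapped in a shell function so it can be run over a live sflowtool pipe or over saved output, and a constructed piece of sflowtool-style text is included so it runs offline. The field names sampleType, srcIP and UDPDstPort are the ones the post relies on; the headerBytes line (the raw packet header as dash-separated hex) is assumed to be how sflowtool prints the sampled header, and all addresses, ports and header bytes in the sample are made up for this example. It also shows the two edge cases the one-liner has to get right: a legitimate SQL Server Resolution query to 1434/udp without the 0x01 run is not reported, and a host seen scanning twice is reported only once.

```shell
#!/bin/sh
# Slammer scan detection over sflowtool text output (portable POSIX awk).
# Per-sample state machine, one sflowtool field per line:
#   sampleType  -> new sample: clear the signature flag and remembered source
#   headerBytes -> raw header hex; look for the run of 0x01 bytes that the
#                  post gives as the Slammer scan signature (assumed field name)
#   srcIP       -> remember the sender
#   UDPDstPort  -> if the signature was seen and the target is 1434/udp,
#                  report the sender once
detect_slammer() {
  awk '
    /^sampleType/  { flag = 0; sourceAddress = "" }
    /01-01-01-01-01-01-01-01-01-01-01/ { flag = 1 }
    /^srcIP /      { sourceAddress = $2 }
    /^UDPDstPort / {
      if (flag && $2 == 1434 && sourceAddress != "" && !(sourceAddress in infected)) {
        infected[sourceAddress] = 1
        print sourceAddress
      }
    }
  '
}

# Constructed sflowtool-style output (addresses, ports and header bytes are
# made up). Three samples:
#   10.0.0.5 -> 1434/udp carrying the 0x01 run      : infected
#   10.0.0.7 -> 1434/udp, normal resolution query   : not reported
#   10.0.0.5 -> 1434/udp, second scan packet        : reported only once
sample_output() {
  cat <<'EOF'
startSample ----------------------
sampleType FLOWSAMPLE
headerBytes 00-11-22-33-44-55-66-77-88-99-AA-BB-08-00-45-00-01-94-04-01-01-01-01-01-01-01-01-01-01-01-01-01
srcIP 10.0.0.5
dstIP 192.0.2.17
IPProtocol 17
UDPSrcPort 1036
UDPDstPort 1434
endSample ----------------------
startSample ----------------------
sampleType FLOWSAMPLE
headerBytes 00-11-22-33-44-55-66-77-88-99-AA-BB-08-00-45-00-00-22-02-00-00-00
srcIP 10.0.0.7
dstIP 192.0.2.20
IPProtocol 17
UDPSrcPort 49152
UDPDstPort 1434
endSample ----------------------
startSample ----------------------
sampleType FLOWSAMPLE
headerBytes 00-11-22-33-44-55-66-77-88-99-AA-BB-08-00-45-00-01-94-04-01-01-01-01-01-01-01-01-01-01-01-01-01
srcIP 10.0.0.5
dstIP 192.0.2.99
IPProtocol 17
UDPSrcPort 1036
UDPDstPort 1434
endSample ----------------------
EOF
}

# Runs the detector over the constructed sample; prints 10.0.0.5 exactly once.
run_sample() {
  sample_output | detect_slammer
}

# Live use, equivalent to the post's pipeline:
#   sflowtool -p 8888 | detect_slammer
```

The flag is reset on every sampleType line rather than on every packet field, so a signature seen in one sample cannot leak into the next one; the check on sourceAddress guards against a sample whose srcIP line is missing, which would otherwise report an empty string.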
This archive was generated by hypermail 2.1.4 : 01/27/03 PST