Thank you both!!!
regards,
Pat Mahoney / pmahoney@agilent.com / 408.553.PATM (7286)
Agilent Technologies IT | Information Technology
mailto:8775338129@skytel.net (alphanumeric pager)
-----Original Message-----
From: GALBRAITH,BRUCE (A-Sonoma,ex1)
[mailto:bruce_galbraith@agilent.com]
Sent: Friday, August 10, 2001 2:33 PM
To: 'traffic-management@inmon.com'
Subject: RE: CodeRed Detection for InMon
Joe,
Job well done as always. Maybe Inmon should look at making this a
product feature. I found infected systems on our network already.
Bruce Galbraith
Agilent
-----Original Message-----
From: REVES,JOSEPH (HP-ColSprings,ex1) [mailto:joe_reves@hp.com]
Sent: Friday, August 10, 2001 12:52 PM
To: 'traffic-management@inmon.com'
Subject: CodeRed Detection for InMon
Folks,
Here's another CodeRed detection script, written in Perl. This script
incorporates an embedded link to the Traffic Server Host Report - which can
provide some snmp-derived Contact and Location information (if it's set).
More importantly, if this machine resides within your management domain, the
Host Report will provide you information about which switch, and what switch
port the infected host is connected to.
To use this script, you'll want to use the "Server -> Forwarding" facility
to enable sFlow Forwarding. Use an "Agent" value of "0.0.0.0/0" to forward
all sFlow packets to localhost, at 127.0.0.1, to the port of your choice -
e.g., "8888"
Then you'll need the "sFlow Toolkit" at InMon's site:
//www.inmon.com/sflowTools.htm
Install the sflowtool command line utility on your Traffic Server.
To use this script, start the sflowtool and pipe the output through the
CodeRed.pl script, and into an HTML file in the document root of your
machine:
> sflowtool -p 8888 | CodeRed.pl > infected.html
The script will produce a simple HTML table of infected hosts, with a link
to the Traffic Server Host Report. The script can be updated with
additional signatures if needed; hopefully, we're done with this particular
strain.
I've attached the script below. Please post comments, feedback, bugs, etc.
to the traffic-management list.
cheers,
joer
Joseph Reves
Hewlett-Packard
Enterprise Network Organization
Tel: (1) 272-5177 / +1 719 272 5177
ECard: https://ecardfile.com/id/jreves
------------------------------------------------
#!/usr/bin/perl
############################################################################
# CodeRed worm detection for the InMon Traffic Server
#
# joe_reves@hp.com HP Operations 10 August, 2001
#
# This script demonstrates some simple capabilities to pattern-match and
# detect signatures with a perl script, and then embed useful linkages in
# the output to standard reports available in the Traffic Server.
#
# This script requires the installation of the sflowtool, available
# at InMon's site at: //www.inmon.com/sflowTools.htm
#
# Usage: sflowtool | CodeRed.pl > infected.html
#
############################################################################
use strict;
use warnings;
use FileHandle;
use Socket qw(AF_INET inet_aton);
use Sys::Hostname;

# flush output as you go
STDOUT->autoflush(1);

# Define your signatures for simple pattern matching. sflowtool prints
# headerBytes as hyphen-separated hex, so these are the hex forms of
# "default.ida?NNNN" (CodeRed v1) and "default.ida?XXXX" (CodeRed v2)
my %signature;
$signature{"CodeRedV1"} = "64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E";
$signature{"CodeRedV2"} = "64-65-66-61-75-6C-74-2E-69-64-61-3F-58-58-58-58";

# you can either set a hostname to find the Host Report, or use localhost
my $trafficServer = "";
if (! $trafficServer) {
    $trafficServer = hostname();
}

# build the URL for the Traffic Server Host Report
my $itsHostReportURL =
    "//$trafficServer/its/query/Host?addressType=IP&protocolType=IPV4&address=";

# per-sample state, reset when the next sample header arrives
my $timestamp = 0;
my ($payload, $match, $srcMAC, $srcIP, $tcpDstPort) = ("") x 5;

# escape values taken from packets or reverse DNS before writing them
# into the HTML report
sub html_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Output the Alert for a match on the last sample
# Note I'm also checking for destination port 80, http
sub report_sample {
    return unless $match && $tcpDstPort eq "80";
    # lookup a hostname; fall back to the IP address if there is no PTR record
    my $addr = inet_aton($srcIP);
    my $zombieHost = $addr ? (gethostbyaddr($addr, AF_INET))[0] : undef;
    $zombieHost = $srcIP unless defined $zombieHost;
    print "<table border=\"1\">\n";
    print "<tr><th>", scalar localtime($timestamp), "</th>";
    # here's our link to the Host Report
    print "<th><a href=\"", html_escape("$itsHostReportURL$srcIP"), "\">",
          html_escape($zombieHost), "</a></th>";
    # Source IP address of the infected machine
    print "<th>", html_escape($srcIP), "</th>";
    # Source MAC address
    print "<th>", html_escape($srcMAC), "</th>";
    # Which signature did we match?
    print "<th>", html_escape($match), "</th>";
    print "</tr></table>\n";
}

# write a simple HTML page header
print "<html>\n";
print "<head><title>CodeRed Infection Report</title></head>\n";
print "<body bgcolor=#ffffff>\n";

# process formatted packet output as it arrives
while (<>) {
    if (/^sampleSequenceNo/) {
        # the fields of a sample follow its header, so judge the previous
        # sample now, then reset the alert
        report_sample();
        $payload = $match = $srcMAC = $srcIP = $tcpDstPort = "";
    }
    my $label;
    if (/^unixSecondsUTC/) {
        ($label, $timestamp) = split();
    }
    if (/^headerBytes/) {
        ($label, $payload) = split();
        # look through all the signatures (quoted, so the hex is matched literally)
        foreach my $sig (keys %signature) {
            if ($payload =~ /\Q$signature{$sig}\E/) {
                $match = $sig;
            }
        }
    }
    if (/^srcMAC/) {
        ($label, $srcMAC) = split();
    }
    if (/^srcIP/) {
        ($label, $srcIP) = split();
    }
    if (/^TCPDstPort/) {
        ($label, $tcpDstPort) = split();
    }
}
# the final sample has no following header, so report it before finishing
report_sample();
print "</body></html>\n";
exit;
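The detection performed by the script above, as an added Python example (not part of Joe's post or of the InMon tooling) run over constructed sflowtool-style output; the field names and the hyphenated hex form of headerBytes follow the Perl script, the addresses and requests are made up. It also reports the final sample at end of input, where no following sampleSequenceNo line arrives to trigger the check.

```python
# The original script's signatures: sflowtool headerBytes hex of "default.ida?NNNN" / "?XXXX".
SIGNATURES = {
    "CodeRedV1": "64-65-66-61-75-6C-74-2E-69-64-61-3F-4E-4E-4E-4E",
    "CodeRedV2": "64-65-66-61-75-6C-74-2E-69-64-61-3F-58-58-58-58",
}

def hex_to_ascii(sig):
    """Decode a hyphen-separated hex signature to text, to see what it matches."""
    return bytes.fromhex(sig.replace("-", "")).decode("ascii")

def hexdump(data):
    """Render bytes the way sflowtool prints headerBytes (uppercase, hyphenated)."""
    return "-".join(f"{b:02X}" for b in data)

def detect_codered(lines):
    """Walk sflowtool's line output and return one dict per flagged sample.
    A sample's fields follow its header, so each sample is judged at the next header or EOF."""
    alerts, sample = [], {}
    def flush():
        if sample.get("match") and sample.get("TCPDstPort") == "80":
            alerts.append(dict(sample))
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        if key == "sampleSequenceNo":
            flush()
            sample = {}
        elif key == "headerBytes":
            for name, sig in SIGNATURES.items():
                if sig in value:          # substring match, like the Perl regex
                    sample["match"] = name
        elif key in ("unixSecondsUTC", "srcIP", "srcMAC", "TCPDstPort"):
            sample[key] = value
    flush()                               # last sample has no following header
    return alerts

def make_sample(seq, ip, port, request):
    """One constructed sflowtool sample (not a real capture)."""
    return [f"sampleSequenceNo {seq}", f"unixSecondsUTC {997472000 + seq}",
            f"srcMAC 00A0C900000{seq}", f"srcIP {ip}", f"TCPDstPort {port}",
            "headerBytes " + hexdump(request)]

SAMPLE_OUTPUT = "\n".join(
    make_sample(1, "10.1.2.3", 80, b"GET /default.ida?XXXXXXXX HTTP/1.0")     # v2
    + make_sample(2, "10.1.2.4", 8080, b"GET /default.ida?NNNN HTTP/1.0")    # not port 80
    + make_sample(3, "10.1.2.5", 80, b"GET /index.html HTTP/1.0")            # clean
    + make_sample(4, "10.1.2.6", 80, b"GET /default.ida?NNNNNNNN HTTP/1.0"))  # v1, last
```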
This archive was generated by hypermail 2b29 : 08/10/01 EDT