Thank you Rick,
If you are asking how the virus or worm gets in, it's by browsing or email :(
For example, at some of the segments where it has financial data we
have the floppy, CD and USB ports disabled, the users can't access
the internet, and yet that segment specifically gets more infected
than the other 14, by email of course.
We have Exchange-aware antivirus on the email server and file-based
antivirus; we have corporate edition antivirus on every machine on the
network which is always updated automatically.
We have software firewalls (ISA 2004) and hardware firewalls and access
lists and filters on the VLANs and rules for the traffic, bla bla bla,
but the truth is the internal VLANs get infected.
About the destination port, I assume all traffic will go to the last
resort (the routers) so I thought mirroring the router port will do
some good.

So if I set a monitor port on each switch I have on the network, which
will be done once for all, can I monitor the traffic remotely?
I don't have a distributed sniffer; do you know one that can sniff
remotely all the monitor ports on all the switches?
I think I am in the same situation as the others: I want to find the
worm without having to go to each switch on the network. Is it
impossible?

rubic.

On Sun, 26 Dec 2004 15:47:28 -0600, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> If you have the port that the internal interface of the router is connected
> to mirrored - yes, you will then be able to sniff all traffic coming from
> the router off of that interface.
> 
> In the situation that you describe, it is complex and convoluted - and
> sometimes difficult to capture the proper data unless you are using a
> distributed sniffer with mirrors into each VLAN/PVLAN.  However, at the
> router port, you will capture all incoming traffic; the only problem is that
> it will be like drinking from a fire hose.  Lots and lots of data in a very
> short amount of time.
> 
> If you knew, to some degree, who the target was, you could sniff on that
> VLAN and reduce the amount of unnecessary traffic that you will have to wade
> through.  Given that it's a worm, you have an equal likelihood of catching
> it at any segment.  The more interesting question is this:
> 
> Is it random through e-mail, or is it something that an outbound connection
> brought in?  Are you scanning and limiting WHERE your users can go, and what
> ports that they can go there on?
> 
> -rtk
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: Sunday, December 26, 2004 1:46 PM
> To: [email protected]
> Subject: Re: [ActiveDir] worm (very very OT)
> 
> I see what you mean now, in the first part, but the last paragraph I got
> confused: why is it a diminished chance to catch it at the switch which has
> the router?
> 
> I will tell you my pathetic situation. I have many VLANs (around 15, for so
> many different reasons); out of these 15 only one VLAN is accessible for all
> the other VLANs, and this VLAN has for example the ISA servers (internal
> NICs of the ISAs), email servers, MOM, etc...
> At times we have a disaster on the network where huge traffic is passing the
> router out; in this situation I know I have a worm inside and I can't locate
> it, just as Tom Kern who started the thread. At other times I have huge
> traffic coming to the network, which also I can't do anything about,
> since the ISP says it's none of his business, and if I apply the ACL at the
> router the traffic still passes all the way from the ISP to the router and
> utilizes the bandwidth. If I try to track the IPs of the incoming traffic I
> usually get some high school in Korea or some other IPs from the Far East.
> 
> Anyways, back to the topic: in the times when I have the worm, if I have the
> router port at the switch mirrored and sniffed, is it still a little chance
> that I will be able to determine the worm-infected PC?
> So what will be the solution, how will I capture it before reaching the
> destination (without having to go to every switch on the network)?
> 
> many thanks
> 
> On Sun, 26 Dec 2004 12:12:26 -0600, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> > If we're speaking of a hub rather than a switch, you can plug in to
> > any port and sniff the traffic.  A hub runs at the physical layer,
> > while a switch operates more at the MAC portion of the Data Link of the
> > good old OSI stack.
> >
> > A switch is designed to deliver only traffic destined for a specific
> > port - not to flood all traffic to each port, and let the end devices
> > (your
> > computer) figure out what is for it and not.  As to what port to
> > mirror - depends on who the source or destination is.  Suppose you
> > could mirror all of them, but that sometimes can be done, other times
> > not.
> >
> > But, what Roger is saying is to capture the traffic BEFORE it gets to
> > the switches.  All of your traffic is going to have to go through some
> > Layer 3 device.  Once it gets to the switches, your opportunity to
> > capture it has just diminished to pure chance.
> >
> > Rick Kingslan  MCSE, MCSA, MCT, CISSP
> > Microsoft MVP:
> > Windows Server / Directory Services
> > Windows Server / Rights Management
> > Windows Security (Affiliate)
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > WebLog - www.msmvps.com/willhack4food
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > Sent: Sunday, December 26, 2004 12:07 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir] worm (very very OT)
> >
> > Do I need to mirror a specific port? Which one?
> > Why can't I connect to any available port on that switch and sniff the
> > network?
> > Thanks
> > rubix
> >
> > On Thu, 23 Dec 2004 14:01:51 -0500, Candee Vaglica <[EMAIL PROTECTED]>
> > wrote:
> > > That's what I meant.
> > > ;)
> > > Thanks, Roger.
> > >
> > > On Thu, 23 Dec 2004 10:59:56 -0800, Roger Seielstad
> > > <[EMAIL PROTECTED]> wrote:
> > > > The way to track this down is to network scan on your egress
> > > > router's interface. It should be relatively trivial to filter for
> > > > the traffic based on destination port, and that will give you the
> > > > MAC address of the sender (that is VERY much harder to spoof - not
> > > > impossible, but a heck of a lot harder).
> > > >
> > > > From that, you can look at the ARP table of the router and the
> > > > MAC address
> > > > will be there from the *valid* traffic the machine is doing. You
> > > > can guarantee that by ping sweeping the LAN, just in case. Then
> > > > you're just matching MAC to MAC and you get the right IP address.
> > > >
> > > > Heck, I think there's perl code that will do most of that for you
> > > > - I know we've got a MAC hunter app at work that does something
> > > > similar to this to find the name of machines when all we have is a
> > > > MAC address.
> > > >
> > > > --------
> > > > Roger Seielstad
> > > > E-mail Geek & MS-MVP
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Kern,
> > > > > Tom
> > > > > Sent: Thursday, December 23, 2004 8:30 AM
> > > > > To: [email protected]
> > > > > Subject: RE: [ActiveDir] worm (very very OT)
> > > > >
> > > > > We're a switched network. I'd have to go to every PC (500) and
> > > > > run it. I'm trying to avoid that. Might as well run netstat -an
> > > > > on all PCs.
> > > > >
> > > > > Ethereal won't tell me the real address.
> > > > >
> > > > > thanks
> > > > >
> > > > > -----Original Message-----
> > > > > From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, December 23, 2004 11:16 AM
> > > > > To: [email protected]
> > > > > Subject: Re: [ActiveDir] worm (very very OT)
> > > > >
> > > > >
> > > > > Use a network scanner, like Ethereal, to monitor the traffic.
> > > > >
> > > > >
> > > > > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom
> > > > > <[EMAIL PROTECTED]>
> > > > > wrote:
> > > > > > This is way off and I apologize, but you guys are really
> > > > > > knowledgeable and such a great help, I thought I'd try here.
> > > > > >
> > > > > > I have a number of PCs infected with some worm that goes
> > > > > > out on port 10000 TCP and tries to attempt a DoS attack.
> > > > > >
> > > > > > I don't know the worm and a Google search didn't really
> > > > > > turn anything up.
> > > > > >
> > > > > > Here's the thing: the worm uses a spoofed source address.
> > > > > > My question is, is there any way to track down a spoofed address
> > > > > > internally to the real address?
> > > > > >
> > > > > > I don't know how to find the infected PCs.
> > > > > >
> > > > > > thanks
> > > > > > List info   : http://www.activedir.org/mail_list.htm
> > > > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > > > List archive:
> > > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
> 
>
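Roger's procedure from the thread (filter the capture at the egress router's interface on the worm's destination port, key on the source MAC rather than the spoofed source IP, then match that MAC against the router's ARP table) as an added worked example; this is not code from any poster. The frame capture and ARP table are constructed sample data, and TCP port 10000 is taken from Tom's description of the worm.

```python
from collections import defaultdict

# Constructed sample of frames seen on a mirror of the router's internal port:
# (src_mac, src_ip, dst_ip, dst_port). Source IPs are spoofed; MACs are not.
CAPTURE = [
    ("00:11:22:33:44:55", "203.0.113.9", "198.51.100.7", 10000),
    ("00:11:22:33:44:55", "192.0.2.77", "198.51.100.7", 10000),
    ("00:11:22:33:44:55", "10.99.1.3", "198.51.100.7", 10000),
    ("66:77:88:99:aa:bb", "172.16.5.20", "198.51.100.7", 10000),
    ("aa:bb:cc:dd:ee:ff", "10.1.1.50", "10.1.1.10", 445),
    ("de:ad:be:ef:00:01", "10.1.1.60", "198.51.100.9", 80),
]

# Constructed router ARP table: MAC -> IP learned from each host's legitimate traffic.
ARP_TABLE = {
    "00:11:22:33:44:55": "10.1.1.23",
    "aa:bb:cc:dd:ee:ff": "10.1.1.50",
    "de:ad:be:ef:00:01": "10.1.1.60",
}

def suspect_macs(capture, port=10000):
    """Filter on the worm's destination port and key on source MAC.
    Returns {mac: set of source IPs claimed by that MAC}. More than one
    claimed IP per MAC is itself evidence of source-address spoofing.
    """
    seen = defaultdict(set)
    for mac, src_ip, _dst_ip, dst_port in capture:
        if dst_port == port:
            seen[mac].add(src_ip)
    return dict(seen)

def resolve_hosts(suspects, arp_table):
    """Match suspect MACs to real IPs via the ARP table.
    Returns (resolved {mac: ip}, unresolved [mac]); an unresolved MAC has no
    ARP entry yet, which is the gap a ping sweep of the LAN fills in.
    """
    resolved = {mac: arp_table[mac] for mac in suspects if mac in arp_table}
    unresolved = sorted(mac for mac in suspects if mac not in arp_table)
    return resolved, unresolved

if __name__ == "__main__":
    suspects = suspect_macs(CAPTURE)
    found, missing = resolve_hosts(suspects, ARP_TABLE)
    for mac, ip in found.items():
        print(f"{mac} -> {ip} (claimed {len(suspects[mac])} spoofed source IPs)")
    for mac in missing:
        print(f"{mac} -> not in ARP table; ping sweep the LAN and re-run")
```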
