We found that the best indicator is non-unicast packets; an infected device will ARP large numbers of addresses, so if you look at inbound NUCAST packets on the router interface, you will see it go up if something's infected. ARP patterns are what we key on with an analyzer to find RPC DCOM infections.
-----Original Message-----
From: Mike Krygeris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [WhatsUp Forum] OT - MRTG Port Monitoring [sls_ADV?]

Unfortunately this sort of thing is not easy to do unless you run a Cisco NetFlow card or RMON2 (I think). Simple MIB-II just doesn't cut it. I'm not sure how the worm works. Maybe look at non-unicast packets? Does it send out broadcasts?

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jones, David H
Sent: Wednesday, August 13, 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: [WhatsUp Forum] OT - MRTG Port Monitoring

I know this is off topic, but there seem to be a lot of MRTG gurus on this list. With the RPC DCOM worm out there, we're looking to monitor traffic patterns for certain ports, specifically 135 and 139. I was wondering if someone could give me some pointers on how to create this graph in MRTG, or point me to some good documentation to do so. I poked around the MRTG site, but didn't really find anything helpful.

Thanks a lot!
-David

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/
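The detection the thread settles on (watch inbound non-unicast packets on the router interface and look for a jump) can be done from the same MIB-II counters MRTG already polls. The script below is an added example written for this page, not code from any of the list posters: it takes successive SNMP polls of ifInUcastPkts (.1.3.6.1.2.1.2.2.1.11) and ifInNUcastPkts (.1.3.6.1.2.1.2.2.1.12) for one interface, converts the raw Counter32 values to packets per second (handling the 32-bit wrap, which the thread does not mention), and flags intervals where the non-unicast rate is far above its recent baseline rather than above a fixed number, since routing hellos and NetBIOS browser broadcasts give every segment some steady non-unicast floor. The poll values, the 5-minute interval, the threshold factor and the function names are all assumptions constructed for the example; in practice the counters come from MRTG's log or an snmpget loop.

```python
"""Flag ARP-scan infections from SNMP interface counters.

Added example, not code from the mailing-list thread above. It takes
successive polls of a router interface's IF-MIB counters
ifInUcastPkts (.1.3.6.1.2.1.2.2.1.11) and ifInNUcastPkts
(.1.3.6.1.2.1.2.2.1.12), turns the raw Counter32 values into
packets-per-second rates (handling the 32-bit wrap), and reports the
polls where the inbound non-unicast rate jumps far above its recent
baseline. All poll data below is constructed for the example.
"""
from collections import namedtuple
from statistics import mean

COUNTER32_MOD = 2 ** 32

# One SNMP poll of the interface: ts in seconds, counters as returned.
Poll = namedtuple("Poll", "ts ucast nucast")

# Constructed polls at MRTG's default 5-minute interval. Normal traffic:
# ~300 unicast pkt/s and ~0.2 non-unicast pkt/s (routing hellos,
# NetBIOS browser broadcasts). ifInUcastPkts starts near 2^32 so the
# counter wraps during the third interval. From ts=2400 on, a host on
# the segment starts ARPing for thousands of addresses and the
# non-unicast counter climbs by 6000 per interval (20 pkt/s).
SAMPLE_POLLS = [
    Poll(0,    4294767296, 1000),
    Poll(300,  4294857296, 1060),
    Poll(600,  4294947296, 1120),
    Poll(900,       70000, 1180),   # ifInUcastPkts wrapped here
    Poll(1200,     160000, 1240),
    Poll(1500,     250000, 1300),
    Poll(1800,     340000, 1360),
    Poll(2100,     430000, 1420),
    Poll(2400,     520000, 7420),   # ARP storm begins
    Poll(2700,     610000, 13420),
    Poll(3000,     700000, 19420),
]


def counter_delta(prev, cur):
    """Difference between two Counter32 readings, allowing one wrap."""
    d = cur - prev
    return d if d >= 0 else d + COUNTER32_MOD


def rates(polls):
    """Per-interval (ts, ucast_pps, nucast_pps) from raw counter polls."""
    out = []
    for a, b in zip(polls, polls[1:]):
        dt = b.ts - a.ts
        if dt <= 0:
            raise ValueError("polls must be strictly increasing in time")
        out.append((b.ts,
                    counter_delta(a.ucast, b.ucast) / dt,
                    counter_delta(a.nucast, b.nucast) / dt))
    return out


def flag_nucast_spikes(polls, window=6, factor=10.0, min_pps=1.0):
    """Return [(ts, nucast_pps, baseline_pps)] for intervals whose
    non-unicast rate is at least `factor` times the mean of the last
    `window` unflagged intervals (and at least `min_pps`, so a quiet
    segment does not alert on a single extra broadcast)."""
    alerts, history = [], []
    for ts, _ucast_pps, nucast_pps in rates(polls):
        if len(history) >= window:
            baseline = mean(history[-window:])
            if nucast_pps >= max(min_pps, factor * baseline):
                alerts.append((ts, nucast_pps, baseline))
                continue   # keep the storm out of the baseline
        history.append(nucast_pps)
    return alerts


if __name__ == "__main__":
    for ts, pps, base in flag_nucast_spikes(SAMPLE_POLLS):
        print(f"t={ts:5d}s  inbound non-unicast {pps:6.1f} pkt/s "
              f"(baseline {base:.2f} pkt/s) -- check this segment for an ARP scanner")
```

To graph the same counters in MRTG, a target of the form `Target[nucast]: 1.3.6.1.2.1.2.2.1.12.N&1.3.6.1.2.1.2.2.1.18.N:community@router` (N being the ifIndex) plots inbound and outbound non-unicast packets, and MRTG handles the Counter32 wrap itself. Two caveats: ifInNUcastPkts lumps broadcast and multicast together, so on gear that implements the RFC 2863 ifXTable, ifInBroadcastPkts (.1.3.6.1.2.1.31.1.1.1.3) is the cleaner signal for ARP because it excludes multicast routing-protocol chatter; and a router interface only sees broadcasts from its own segment, so this localizes an infected segment, not the host, and the analyzer or switch-port counters still have to finish the job.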
