<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
What about using its MAC address to quarantine it?<br>
<br>
<br>
We've done something similar in the past for virus/worm infected
machines. Basically we used tcpdump to capture what we were
looking for, and that output was processed by a Perl script. When a
computer was found, its IP address was written to a file. Every minute
that file would be read and a tool to spoof the MAC address was put
into action. Once running, it caught nearly all of the offending
machines in the first 5-10 minutes... and continued to catch machines
as they were turned on.<br>
<br>
An email alert would then be sent to the admin who could then take his
time quarantining and fixing the machines.<br>
<br>
In the end we found more than 70 of our 300+ machines had been infected
with a worm... The network was unusable until we tried the above. In
fact, when we set it up and started it, the techs thought they had fixed
the problem when they patched and restarted a computer.... the network
just happened to be usable again after they finished. Boy were they
disappointed to find out that they still had to patch all the rest of
the computers ;-)<br>
<br>
John P. Rouillard wrote:
<blockquote cite="mid200602131959.k1DJxeoQ020192@mx1.cs.umb.edu"
type="cite">
<pre wrap="">In message <a class="moz-txt-link-rfc2396E" href="mailto:43F0BF02.6070005@op5.se"><43F0BF02.6070005@op5.se></a>, Andreas Ericsson writes:
</pre>
<blockquote type="cite">
<pre wrap="">C. Bensend wrote:
[some other attributions lost in response]
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">contact the individual addresses? my assumption was that for
NIS broadcasting you simply put some noise on the wire, and any
masters on the local network segment responded.
</pre>
</blockquote>
<pre wrap="">Personally, I need something like:
check_nis -d domain1,domain2 -x -s server1,server2
... that will return a non-OK value if any _more_ servers respond,
</pre>
</blockquote>
<pre wrap="">And this is where the trouble lies. How long should we wait for any
other server to respond, and how many broadcasts should we send?
</pre>
<blockquote type="cite">
<pre wrap="">other than server1 or server2, such as an unintentional or rogue
server3 answering the broadcast.
I know I can't code it, but I could certainly help test it if
someone were to take a shot. :)
</pre>
</blockquote>
<pre wrap="">A much better way is to set up a daemon which listens to broadcasts and
shouts out loud if it hears one from the wrong server.
</pre>
</blockquote>
<pre wrap=""><!---->
IIRC the client broadcasts for the server. The server replies using
the client's IP address. So it's not a broadcast response but a
niswatch (doesn't look like google knows of a niswatch that does this)
type daemon (sort of like arpwatch) would work if you have a port on
your switches that can be used to monitor all traffic looking for the
response.
You can probably cobble something together from tcpdump and nagios
passive service results.
</pre>
<blockquote type="cite">
<pre wrap="">You still have to
implement the NIS protocol (partially) but you can get rid of the
problem of having plugins run with elevated privileges and determining
how long to wait.
</pre>
</blockquote>
<pre wrap=""><!---->
Well you can use regular network NIS traffic as your probe and just
look for incorrect responses.
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________________
Nagios Plugin Development Mailing List <a class="moz-txt-link-abbreviated" href="mailto:Nagiosplug-devel@lists.sourceforge.net">Nagiosplug-devel@lists.sourceforge.net</a>
Unsubscribe at <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagiosplug-devel">https://lists.sourceforge.net/lists/listinfo/nagiosplug-devel</a>
::: Please include plugins version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
</pre>
</blockquote>
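Added example (editor's addition, not code posted by anyone in this thread): a small "niswatch"-style watcher that ties the two approaches above together. It consumes lines in the shape of <code>tcpdump -nn -l</code> output from a switch monitor port, applies two rules (a host answering from the portmap/sunrpc port that is not an approved NIS server, and a host probing many neighbours on one port the way a worm does), keeps a quarantine list of the kind the first message's cron job reads every minute, and formats each finding as a Nagios <code>PROCESS_SERVICE_CHECK_RESULT</code> passive-check line. The sample capture lines, the addresses, the approved-server list and the port/threshold values are all constructed for the example; the tcpdump line layout it parses is an assumption, not a verified format.<br>

```python
import re
import sys
import time
from collections import defaultdict

# Assumed layout of one `tcpdump -nn -l` line (constructed, not a real capture):
#   HH:MM:SS.ffffff IP SRC.SPORT > DST.DPORT: <rest ignored>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

SUNRPC_PORT = 111  # portmap/rpcbind; a ypbind broadcast is answered from here


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport, or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


class Watcher:
    def __init__(self, approved_nis_servers, scan_port=445, scan_threshold=5):
        self.approved = set(approved_nis_servers)   # assumed allowlist
        self.scan_port = scan_port                   # assumed worm target port
        self.scan_threshold = scan_threshold         # distinct targets before we flag
        self.scan_targets = defaultdict(set)         # src ip -> hosts it probed
        self.flagged = set()                         # ips already reported
        self.findings = []                           # (ip, reason) in detection order

    def feed(self, line):
        """Feed one capture line; return (ip, reason) the first time a host is flagged."""
        pkt = parse_line(line)
        if pkt is None:
            return None
        # Rule 1: a datagram *from* the sunrpc port is what a client's NIS broadcast
        # elicits. Any sender that is not an approved server is an unintended/rogue responder.
        if pkt["sport"] == SUNRPC_PORT and pkt["src"] not in self.approved:
            return self._flag(pkt["src"], "answers RPC broadcast but is not an approved NIS server")
        # Rule 2: one host touching many distinct hosts on the same port is worm-style scanning.
        if pkt["dport"] == self.scan_port:
            targets = self.scan_targets[pkt["src"]]
            targets.add(pkt["dst"])
            if len(targets) >= self.scan_threshold:
                return self._flag(pkt["src"], f"probed {len(targets)} hosts on port {self.scan_port}")
        return None

    def _flag(self, ip, reason):
        if ip in self.flagged:
            return None
        self.flagged.add(ip)
        self.findings.append((ip, reason))
        return (ip, reason)


def quarantine_list(watcher):
    """Sorted offender IPs, i.e. the contents of the file a cron job would act on."""
    return sorted(watcher.flagged)


def nagios_passive_result(host, service, code, output, now=None):
    """Nagios external-command line: [ts] PROCESS_SERVICE_CHECK_RESULT;host;service;rc;output"""
    ts = int(now if now is not None else time.time())
    return f"[{ts}] PROCESS_SERVICE_CHECK_RESULT;{host};{service};{code};{output}"


def run(lines, approved_nis_servers):
    """Feed every line of a capture (a string) to a fresh Watcher and return it."""
    w = Watcher(approved_nis_servers)
    for line in lines.splitlines():
        w.feed(line)
    return w


# Constructed sample: a ypbind broadcast, the legitimate reply, a rogue reply,
# and one host SYN-scanning five neighbours on tcp/445.
APPROVED = ["10.1.2.5"]
SAMPLE = """\
12:00:01.000100 IP 10.1.2.23.894 > 10.1.2.255.111: UDP, length 56
12:00:01.000900 IP 10.1.2.5.111 > 10.1.2.23.894: UDP, length 28
12:00:01.001200 IP 10.1.2.77.111 > 10.1.2.23.894: UDP, length 28
12:00:02.100000 IP 10.1.2.40.1032 > 10.1.2.41.445: Flags [S], seq 1, win 512, length 0
12:00:02.100200 IP 10.1.2.40.1033 > 10.1.2.42.445: Flags [S], seq 1, win 512, length 0
12:00:02.100400 IP 10.1.2.40.1034 > 10.1.2.43.445: Flags [S], seq 1, win 512, length 0
12:00:02.100600 IP 10.1.2.40.1035 > 10.1.2.44.445: Flags [S], seq 1, win 512, length 0
12:00:02.100800 IP 10.1.2.40.1036 > 10.1.2.45.445: Flags [S], seq 1, win 512, length 0
"""

if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; replace SAMPLE with sys.stdin.read()
    # to consume `tcpdump -nn -l ... |` from a monitor port.
    w = run(SAMPLE, APPROVED)
    for ip, reason in w.findings:
        print(nagios_passive_result("niswatch", "rogue-traffic", 2, f"{ip}: {reason}"))
    print("quarantine:", " ".join(quarantine_list(w)))
```

The watcher only reports each host once, so the passive result (and the quarantine file) does not flap while the offender keeps talking; clearing an entry after the admin fixes the machine is left to whoever consumes the list.<br>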
</body>
</html>