Over the past few years, the number of Windows-based worm attacks has grown dramatically. Companies have implemented full-scale virus scanning and Windows Update facilities to help stop them. But what do you do when you aren't entirely certain that your virus definitions are up to date, or some worm slips under the radar and infects hosts on your network? This article shows a method of using access lists on Cisco routers, together with a centralized logging database, to find infected hosts on your network quickly.
This method was designed to work with Cisco routers, but it can work with virtually any layer-3 device with syslog and access list capabilities. It also uses a Unix-based system and a relational database to store the log information. There are much more elaborate configurations out there that do similar things; this one is based on the syslog-ng configuration at http://vermeer.org/syslog/, modified for Postgres and with my own front end.
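To make the detection side of the method concrete, here is an added example (not code from the original article or from the vermeer.org configuration it builds on) of the kind of processing that sits behind the centralized logging database. It parses the Cisco IOS `%SEC-6-IPACCESSLOGP` messages that an access list entry with the `log` keyword emits, stores the hits in a relational table, and queries for sources that hit many distinct destinations on the same port, which is the fingerprint of a host sweeping the network. The syslog lines are constructed samples using documentation-range addresses, SQLite stands in for the Postgres database so the script runs offline, and the `min_targets` threshold and the `acl_hits` table layout are assumptions for the example.

```python
import re
import sqlite3

# Shape of a Cisco IOS ACL log message for TCP/UDP (the IPACCESSLOGP variant):
#   %SEC-6-IPACCESSLOGP: list <acl> <denied|permitted> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not captured from a real router); addresses come from the
# RFC 5737 documentation ranges. The %LINK-3-UPDOWN line is a non-ACL message the parser must skip.
SAMPLE_LOGS = [
    "Mar  1 10:00:01 router1 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1025) -> 198.51.100.5(445), 1 packet",
    "Mar  1 10:00:02 router1 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1026) -> 198.51.100.6(445), 1 packet",
    "Mar  1 10:00:02 router1 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1027) -> 198.51.100.7(445), 1 packet",
    "Mar  1 10:00:03 router1 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1028) -> 198.51.100.8(445), 1 packet",
    "Mar  1 10:00:05 router1 105: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.11(3301) -> 198.51.100.5(80), 12 packets",
    "Mar  1 10:00:06 router1 106: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up",
    "Mar  1 10:00:09 router1 107: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.12(137) -> 198.51.100.9(137), 1 packet",
]


def parse_acl_log(line):
    """Return a dict of the ACL hit fields, or None if the line is not an ACL log message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    for key in ("sport", "dport", "count"):
        hit[key] = int(hit[key])
    return hit


def init_db(conn):
    # Assumed table layout for the example; a Postgres schema would look the same.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS acl_hits ("
        " acl TEXT, action TEXT, proto TEXT, src TEXT, sport INTEGER,"
        " dst TEXT, dport INTEGER, pkts INTEGER)"
    )


def load_logs(conn, lines):
    """Parse each syslog line and store the ACL hits; returns the number of rows inserted."""
    inserted = 0
    for line in lines:
        hit = parse_acl_log(line)
        if hit is None:
            continue  # not an ACL log message (link state, config changes, ...)
        conn.execute(
            "INSERT INTO acl_hits VALUES (:acl, :action, :proto, :src, :sport, :dst, :dport, :count)",
            hit,
        )
        inserted += 1
    conn.commit()
    return inserted


def find_scanning_hosts(conn, min_targets=3):
    """Sources that hit at least min_targets distinct destinations on one port.

    Returns (src, dport, distinct_targets, total_packets) tuples, busiest first.
    """
    return conn.execute(
        "SELECT src, dport, COUNT(DISTINCT dst) AS targets, SUM(pkts) AS packets"
        " FROM acl_hits GROUP BY src, dport"
        " HAVING COUNT(DISTINCT dst) >= ?"
        " ORDER BY targets DESC, src",
        (min_targets,),
    ).fetchall()


def run_demo(min_targets=3):
    """Load the constructed samples into an in-memory database and return (rows stored, suspects)."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    inserted = load_logs(conn, SAMPLE_LOGS)
    return inserted, find_scanning_hosts(conn, min_targets)


if __name__ == "__main__":
    stored, suspects = run_demo()
    print(f"stored {stored} ACL hits")
    for src, dport, targets, packets in suspects:
        print(f"{src} reached {targets} hosts on port {dport} ({packets} packets logged)")
```

In the sample, only 192.0.2.10 crosses the threshold: it touched four different hosts on the same port, while the web client and the single NetBIOS datagram do not. On a real deployment the same `GROUP BY src, dport` query run against the Postgres table, over a recent time window, is what turns a stream of ACL log lines into a short list of hosts to pull off the network.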
Since this solution deals with router configurations, make sure you fully understand what is happening with the configuration changes that are outlined here. Though nothing in this article is malicious, some parts need to be read carefully because a misunderstanding could have a severe impact on your network.
This isn't the most difficult thing to configure and set up; however, it is a bit lengthy, and there are many parts to it. This section gives an overview of what needs to be done and what you can expect from it on your network.
Figure 1. An Example Network: this example network demonstrates how the centralized syslog server concept works.
Assume you have a basic network like the one shown in Figure 1: one central office with three branch offices. Each office has 50-100 PCs and a few servers. Each branch office is connected to the central office via a frame relay T-1 connection, and the central office has a 3MB frame relay connection to the branch offices. This example network is used to explain how the centralized syslog server concept works, but the method extends to many different network configurations.