Ensure Network Safety with Centralized Logging

Virus definitions often can't keep up with the rapid proliferation of Windows-based worms, letting them slip under your radar. How can you keep your network safe? Use the access lists on your routers along with a centralized logging database to help you quickly find and isolate infected hosts.  


Over the past few years, the number of Windows-based worm attacks has grown dramatically. Companies have implemented full-scale virus scanning and Windows update facilities to help stop the worm attacks. But what do you do when you aren't entirely certain that your virus definitions are up to date, or when some worm slips under the radar and infects hosts on your network? This article shows a method of using access lists on Cisco routers with a centralized logging database to find infected hosts on your network quickly.

This method was designed to work with Cisco routers, but it can work with virtually any layer-3 device that has syslog and access list capabilities. It also uses a Unix-based system and a relational database to store the logged information. There are much more elaborate configurations out there that do similar things. This method is based on the syslog-ng configuration at http://vermeer.org/syslog/, although modified for Postgres and my own front end.
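The idea described above, sketched as an added example that is not the article's own code: ACL match messages forwarded by the routers are parsed into a table, and a query ranks source hosts by how many distinct destinations they were denied from reaching on one port. Assumptions: the log lines, addresses, ACL number and the `min_targets` threshold are constructed, and an in-memory SQLite database stands in for the Postgres database the article uses.

```python
import re
import sqlite3

# Constructed sample of what the central syslog host receives (addresses, ACL number and ports are made up).
SAMPLE_LOGS = [
    "Mar  1 10:00:01 rtr1 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.4.23(3312) -> 10.1.9.5(445), 1 packet",
    "Mar  1 10:00:02 rtr1 102: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.4.23(3313) -> 10.1.9.6(445), 1 packet",
    "Mar  1 10:00:02 rtr1 103: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.4.23(3314) -> 10.1.9.7(445), 1 packet",
    "Mar  1 10:00:03 rtr2 55: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.4.23(3315) -> 10.2.0.9(445), 5 packets",
    "Mar  1 10:00:04 rtr2 56: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.7.8(1040) -> 10.2.0.9(135), 1 packet",
    "Mar  1 10:05:04 rtr2 57: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.7.8(1040) -> 10.2.0.9(135), 2 packets",
    "Mar  1 10:06:00 rtr1 104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up",
]

# Matches the IOS message logged when a TCP/UDP packet hits an ACL entry that has the "log" keyword.
ACL_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<router>\S+)\s.*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)

def load(lines, db):
    """Parse ACL deny messages into the acl_hits table; return the number of rows stored."""
    db.execute("CREATE TABLE IF NOT EXISTS acl_hits "
               "(router TEXT, acl TEXT, proto TEXT, src TEXT, dst TEXT, dport INTEGER, pkts INTEGER)")
    rows = [(m["router"], m["acl"], m["proto"], m["src"], m["dst"], int(m["dport"]), int(m["pkts"]))
            for m in map(ACL_RE.search, lines) if m]  # non-ACL syslog lines are skipped
    db.executemany("INSERT INTO acl_hits VALUES (?,?,?,?,?,?,?)", rows)
    return len(rows)

def suspects(db, min_targets=3):
    """Hosts denied while contacting many distinct destinations on one port (worm-like scanning)."""
    return db.execute(
        "SELECT src, dport, COUNT(DISTINCT dst) AS targets, SUM(pkts) AS pkts FROM acl_hits "
        "GROUP BY src, dport HAVING COUNT(DISTINCT dst) >= ? ORDER BY targets DESC, pkts DESC",
        (min_targets,)).fetchall()

def run_demo():
    """Load the constructed sample and return (rows stored, suspect list)."""
    db = sqlite3.connect(":memory:")
    return load(SAMPLE_LOGS, db), suspects(db)

if __name__ == "__main__":
    stored, found = run_demo()
    print(f"{stored} ACL hits stored")
    for src, dport, targets, pkts in found:
        print(f"{src}: {targets} distinct targets on port {dport}, {pkts} packets denied")
```

Counting distinct destinations rather than raw packets keeps a single misconfigured client that retries one server from being ranked alongside a host that is sweeping the network.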

