Detect and drop or redirect clients with viruses

Hello, I was searching for a script for my little idea but I am not so much into the MikroTik things :slight_smile:
Can somebody provide a script that detects the infected users and automatically drops them or redirects them to a page telling them they have a virus infection and they need good antivirus protection? It will solve a lot of problems in a lot of networks.

Thanks in advance, and sorry for the bad-looking English :wink:

Nice idea, however, the biggest problem is in detecting the infected client. The only way I know so far is that some trojans/viruses send huge amounts of emails (probably used as a spam relay), which can be detected. For the other ways I don't know how to be sure. Common trojan ports can be changed easily on the server/client so detection won't work (because it is a different port).

It will be good also to get just the usual ports; you can't clean your network 100%, but when the network is large it's nice to try to prevent some of the viruses :slight_smile: not all .. :slight_smile:

I found that all my users who are broadcasting on ports 445, 135-139, 1433-1434 and 10000 have viruses; there is no one without a virus. That's why I created a rule to put them in an address list:

/ ip firewall filter
add chain=forward action=accept dst-port=80 protocol=tcp src-address-list=VIRUSES comment="Accept port 80 from VIRUSES list (so the NAT redirect below can reach the notice page)" disabled=no
add chain=forward action=add-src-to-address-list in-interface=ether1 dst-port=10000 protocol=tcp limit=50,5 address-list=VIRUSES address-list-timeout=5m comment="List sources hitting tcp/10000 for 5 minutes" disabled=no
add chain=forward action=add-src-to-address-list in-interface=ether1 dst-port=1433-1434 protocol=tcp limit=50,5 address-list=VIRUSES address-list-timeout=5m comment="List sources hitting tcp/1433-1434 (MSSQL) for 5 minutes" disabled=no
add chain=forward action=add-src-to-address-list in-interface=ether1 dst-port=135-139 protocol=tcp limit=50,5 address-list=VIRUSES address-list-timeout=5m comment="List sources hitting tcp/135-139 (RPC/NetBIOS) for 5 minutes" disabled=no
add chain=forward action=add-src-to-address-list in-interface=ether1 dst-port=445 protocol=tcp limit=50,5 address-list=VIRUSES address-list-timeout=5m comment="List sources hitting tcp/445 (SMB) for 5 minutes" disabled=no
add chain=forward action=drop src-address-list=VIRUSES comment="Drop everything else from the VIRUSES list" disabled=no

After that I created a rule in the NAT table which sends all connections to port 80 from the infected users to a web page where it says VIRUS is detected, please fix your PC with these tools …

/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=80 dst-port=80 protocol=tcp src-address-list=VIRUSES comment="Redirect web traffic from VIRUSES list to the notice page" disabled=no

I hope it will help somebody :wink: I hope it will help me also :stuck_out_tongue:
If somebody has another idea or a way to make it better, please let us know, thanks!
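The rule set above, modelled in Python as an added example (not code from the thread) so it can be run offline over a constructed connection log: a source is listed after more than THRESHOLD suspect TCP connections within WINDOW seconds and stays listed for 5 minutes, matching address-list-timeout=5m. The threshold and window are this example's own choices, not a translation of the RouterOS limit=50,5 matcher, and the udp/53 branch in disposition() is an addition explained in the note after the code.

```python
from collections import defaultdict, deque

SUSPECT_PORTS = {445, 10000} | set(range(135, 140)) | set(range(1433, 1435))  # from the posted rules
THRESHOLD = 5        # suspect connections per WINDOW before listing (this example's choice)
WINDOW = 1.0         # seconds (this example's choice)
QUARANTINE = 300.0   # mirrors address-list-timeout=5m

class Quarantine:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> timestamps of recent suspect connections
        self.listed = {}                  # src -> expiry time (the VIRUSES address list)

    def observe(self, ts, src, proto, dport):
        """Mirror the add-src-to-address-list rules: count suspect TCP connections per source."""
        if proto != "tcp" or dport not in SUSPECT_PORTS:
            return
        q = self.recent[src]
        q.append(ts)
        while q and q[0] < ts - WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            self.listed[src] = ts + QUARANTINE  # (re)list the source for 5 minutes

    def is_listed(self, src, now):
        exp = self.listed.get(src)
        if exp is not None and now >= exp:
            del self.listed[src]  # address-list-timeout expired
            return False
        return exp is not None

    def disposition(self, ts, src, proto, dport):
        """What the forward and dstnat rules would do with one connection from src."""
        self.observe(ts, src, proto, dport)
        if not self.is_listed(src, ts):
            return "pass"
        if proto == "tcp" and dport == 80:
            return "redirect"  # dst-nat to the notice page
        if proto == "udp" and dport == 53:
            return "accept"    # not in the posted rules; see the note below
        return "drop"

def run(log_lines):
    """Constructed log format '<epoch> <src> <proto> <dport>'; returns src -> dispositions."""
    q, result = Quarantine(), defaultdict(list)
    for line in log_lines:
        ts, src, proto, dport = line.split()
        result[src].append(q.disposition(float(ts), src, proto, int(dport)))
    return dict(result)

# Constructed sample: 10.0.0.5 sprays tcp/445 within one second, 10.0.0.9 only browses.
SAMPLE_LOG = [f"{100 + i * 0.1:.1f} 10.0.0.5 tcp 445" for i in range(6)] + [
    "101.0 10.0.0.5 udp 53", "101.1 10.0.0.5 tcp 80", "101.2 10.0.0.5 tcp 443",
    "101.3 10.0.0.9 tcp 80", "500.0 10.0.0.5 tcp 80"]  # 500.0 is past the 5 minute timeout
```

The posted forward chain accepts only tcp/80 for listed hosts, so a client that resolves names through an external resolver has its udp/53 dropped and never opens the tcp/80 connection the dst-nat rule would redirect; clients that use the router's own DNS cache are unaffected, since that traffic goes through the input chain, not forward.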

http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

Does it work? Would you like to share your result?

Thanks