hi folks,
scratching my head… Reason : viruses.
Many our clients have been infected with Popupblocker.exe and realplay.exe and that stuff. Usual traffic looks like : 250 packets / second, 2 Mbit/s. When infected client is allowed to get thru, 6000 packets / second is very common. As those infected PCs are not switched on at the same time, we are eliminating them one-by-one and it is very time consuming - somebody has to be looking at traffic monitor occasionally, several times a day, etc, etc. Would it be possible to create script, which would send alert when traffic goes over 2000 packets per second ?
thnx, mp3turbo.
Eugene
December 13, 2004, 7:52am
2
:global interval;
:global threshold;
:set interval 10;
:set threshold 2000;
/ip firewall mangle add comment="script1" place-before=0
/system script add name="script1-virus-spotter" source={
:if ([/ip firewall mangle get [/ip firewall mangle find comment="script1] packets] / $interval > $threshold) do={
/tool e-mail send \
to=example@example.com \
subject=("Traffic through the router exceeded " . $threshold . " packets/s")
/ip firewall mangle reset-counters;
}
}
/system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotter
Edit:
To look for individual IP’s, add specific mangle rules and :foreach
djdodo
July 3, 2005, 12:54pm
3
Hello,i must add all scripts manualy and LOG say:
Mail not send
Can you help me?
Eugene:
:global interval;
:global threshold;
:set interval 10;
:set threshold 2000;
/ip firewall mangle add comment="script1" place-before=0
/system script add name="script1-virus-spotter" source={
:if ([/ip firewall mangle get [/ip firewall mangle find comment="script1] packets] / $interval > $threshold) do={
/tool e-mail send \
to=example@example.com \
subject=("Traffic through the router exceeded " . $threshold . " packets/s")
/ip firewall mangle reset-counters;
}
}
/system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotter
Edit:
To look for individual IP’s, add specific mangle rules and :foreach
_ASM
July 3, 2005, 4:06pm
4
add ‘server=xxx.yyy.zzz.www’ to /tool e-mail
it is OK,our SMTP is added yet…
cmit
July 4, 2005, 8:59am
7
Do firewall rules disallow SMTP traffic from your MikroTik to your SMTP server?
djdodo
July 4, 2005, 11:51am
8
Hello,SMTP traffic is not disallow, i tested 2 our SMTP servers and from this MK router is not work…
cmit
July 4, 2005, 12:55pm
9
So you can telnet to port 25 on your SMTP server from your MikroTik router?
djdodo
July 4, 2005, 1:07pm
10
from any MK routers is our SMTP on telnet 25 not available, but from any PCs behind this MK router is telnet 25 to our SMTP available…
I dont know,why dont work and why telnet not work…e.g. telnet to any MK routers is work
djdodo
July 4, 2005, 1:08pm
11
[admin@igw aba] system> telnet 81.2.209.93
Welcome back!
djdodo:
from any MK routers is our SMTP on telnet 25 not available, but from any PCs behind this MK router is telnet 25 to our SMTP available…
I dont know,why dont work and why telnet not work…e.g. telnet to any MK routers is work
cmit
July 4, 2005, 1:10pm
12
There are lots of places to look for the reason why SMTP isn’t going through to your SMTP server. Some hints:
firewall on the MikroTik: outgoing filters?
is the SMTP server accepting connections from the IP address of your MikroTik?
can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
djdodo
July 4, 2005, 1:22pm
13
i know…
1.filters now is disabled
want you visit my MK router via ssh?
djdodo
July 4, 2005, 1:27pm
14
so,all filters is disabled and sending email from MK router is work,but have problem with check virus script and with e-backup.
djdodo
July 4, 2005, 1:32pm
15
hello,if work send emails from our MK routers yet,so now wish have script on detect infected PC.
djdodo
July 4, 2005, 1:40pm
16
ideal solution is here:
-MK router detect infected PC by more send packets or ports
it is possible?
bax
July 6, 2005, 3:43pm
17
I have errors also :
Is this is normal … when is no infected PC ?
Also why mikrotik have no some centralised place for this usefull script for downloading in .rsc format … or somebady know for some url?
is there a final version of the script that looks for those IP infected and act ?
Gianluca,
I guess you can do that in 2.9 using pop-up advertising. I also thought about this. You can modify the above code to run a script which drops packets from the suspect ip and advertises the message to clean the computer. You can also set up the block to be temporary, say a 4 hours block.
I did not implement this yet, but I will try it soon, I am on the verge of reconfiguring the hardware of my router. I am not experienced with scripts so if anyone knows that what I said can/cannot be done, please lay it on me. javascript:emoticon(‘:D’)
Cheers,
