hi folks,
scratching my head... Reason : viruses.
Many our clients have been infected with Popupblocker.exe and realplay.exe and that stuff. Usual traffic looks like : 250 packets / second, 2 Mbit/s. When infected client is allowed to get thru, 6000 packets / second is very common. As those infected PCs are not switched on at the same time, we are eliminating them one-by-one and it is very time consuming - somebody has to be looking at traffic monitor occasionally, several times a day, etc, etc. Would it be possible to create script, which would send alert when traffic goes over 2000 packets per second ?
thnx, mp3turbo.
Code: Select all
:global interval;
:global threshold;
:set interval 10;
:set threshold 2000;
/ip firewall mangle add comment="script1" place-before=0
/system script add name="script1-virus-spotter" source={
:if ([/ip firewall mangle get [/ip firewall mangle find comment="script1] packets] / $interval > $threshold) do={
/tool e-mail send \
to=example@example.com \
subject=("Traffic through the router exceeded " . $threshold . " packets/s")
/ip firewall mangle reset-counters;
}
}
/system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotterThis one notifies when packet/s ratio is greater then threshold/interval, or 200 packet/s (2000 packets in 10 s) in the given example.
To look for individual IP's, add specific mangle rules and :foreach
statement.
Eugene
Last edited by Eugene on Mon Jul 04, 2005 11:27 am, edited 2 times in total.
Hello,i must add all scripts manualy and LOG say:
System-Error: Error sending e-mail: abnormal termination (timeout)
Mail not send
Can you help me?
System-Error: Error sending e-mail: abnormal termination (timeout)
Mail not send
Can you help me?
Edit:Code: Select all:global interval; :global threshold; :set interval 10; :set threshold 2000; /ip firewall mangle add comment="script1" place-before=0 /system script add name="script1-virus-spotter" source={ :if ([/ip firewall mangle get [/ip firewall mangle find comment="script1] packets] / $interval > $threshold) do={ /tool e-mail send \ to=example@example.com \ subject=("Traffic through the router exceeded " . $threshold . " packets/s") /ip firewall mangle reset-counters; } } /system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotter
This one notifies when packet/s ratio is greater then threshold/interval, or 200 packet/s in the given example.
To look for individual IP's, add specific mangle rules and :foreach
statement.
Eugene
from any MK routers is our SMTP on telnet 25 not available, but from any PCs behind this MK router is telnet 25 to our SMTP available...
I dont know,why dont work and why telnet not work...e.g. telnet to any MK routers is work
I dont know,why dont work and why telnet not work...e.g. telnet to any MK routers is work
So you can telnet to port 25 on your SMTP server from your MikroTik router?
[admin@igw aba] system> telnet 81.2.209.93
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system> telnet 81.2.209.93 25
Trying 81.2.209.93...
telnet: Unable to connect to remote host: Connection timed out
Welcome back!
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system> telnet 81.2.209.93 25
Trying 81.2.209.93...
telnet: Unable to connect to remote host: Connection timed out
Welcome back!
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
from any MK routers is our SMTP on telnet 25 not available, but from any PCs behind this MK router is telnet 25 to our SMTP available...
I dont know,why dont work and why telnet not work...e.g. telnet to any MK routers is work
So you can telnet to port 25 on your SMTP server from your MikroTik router?
There are lots of places to look for the reason why SMTP isn't going through to your SMTP server. Some hints:
- firewall on the MikroTik: outgoing filters?
- is the SMTP server accepting connections from the IP address of your MikroTik?
- can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
- firewall on the MikroTik: outgoing filters?
- is the SMTP server accepting connections from the IP address of your MikroTik?
- can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
i know...
1.filters now is disabled
2.yes accept
3.yes,ping
want you visit my MK router via ssh?
1.filters now is disabled
2.yes accept
3.yes,ping
want you visit my MK router via ssh?
There are lots of places to look for the reason why SMTP isn't going through to your SMTP server. Some hints:
- firewall on the MikroTik: outgoing filters?
- is the SMTP server accepting connections from the IP address of your MikroTik?
- can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
so,all filters is disabled and sending email from MK router is work,but have problem with check virus script and with e-backup.
i know...
1.filters now is disabled
2.yes accept
3.yes,ping
want you visit my MK router via ssh?
There are lots of places to look for the reason why SMTP isn't going through to your SMTP server. Some hints:
- firewall on the MikroTik: outgoing filters?
- is the SMTP server accepting connections from the IP address of your MikroTik?
- can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
how to detect IPs with infected PC?
hello,if work send emails from our MK routers yet,so now wish have script on detect infected PC.
How to?
How to?
re
ideal solution is here:
-MK router detect infected PC by more send packets or ports
-send email to admin with IPs of infected clients
-disabled clients and redirect all traffic of infected clients to e.g. web page with warning
it is possible?
-MK router detect infected PC by more send packets or ports
-send email to admin with IPs of infected clients
-disabled clients and redirect all traffic of infected clients to e.g. web page with warning
it is possible?
-
-
bogdan_mare
just joined
- Posts: 22
- Joined:
- Location: Baia Mare, Romania
Gianluca,
I guess you can do that in 2.9 using pop-up advertising. I also thought about this. You can modify the above code to run a script which drops packets from the suspect ip and advertises the message to clean the computer. You can also set up the block to be temporary, say a 4 hours block.
I did not implement this yet, but I will try it soon, I am on the verge of reconfiguring the hardware of my router. I am not experienced with scripts so if anyone knows that what I said can/cannot be done, please lay it on me. javascript:emoticon(':D')
Very Happy
Cheers,
Radu
I guess you can do that in 2.9 using pop-up advertising. I also thought about this. You can modify the above code to run a script which drops packets from the suspect ip and advertises the message to clean the computer. You can also set up the block to be temporary, say a 4 hours block.
I did not implement this yet, but I will try it soon, I am on the verge of reconfiguring the hardware of my router. I am not experienced with scripts so if anyone knows that what I said can/cannot be done, please lay it on me. javascript:emoticon(':D')
Very Happy
Cheers,
Radu
:D :D :D :D :D :Dis there a final version of the script that looks for those IP infected and act ?
for me best action would be to block internet access and redirect them (if possible) to a local web page that comunicates thet they are infected
thanks
Gianluca