send email when number of packets/second from IP is >1000
Posted: Sun Dec 12, 2004 12:31 pm
by mp3turbo2
hi folks,
scratching my head... Reason: viruses.
Many of our clients have been infected with Popupblocker.exe and realplay.exe and that stuff. Usual traffic looks like: 250 packets/second, 2 Mbit/s. When an infected client is allowed to get through, 6000 packets/second is very common. As those infected PCs are not switched on at the same time, we are eliminating them one by one and it is very time consuming - somebody has to be looking at the traffic monitor occasionally, several times a day, etc, etc. Would it be possible to create a script which would send an alert when traffic goes over 2000 packets per second?
thnx, mp3turbo.
Posted: Mon Dec 13, 2004 9:52 am
by Eugene
:global interval;
:global threshold;
:set interval 10;
:set threshold 2000;
/ip firewall mangle add comment="script1" place-before=0
/system script add name="script1-virus-spotter" source={
:if ([/ip firewall mangle get [/ip firewall mangle find comment="script1"] packets] / $interval > $threshold) do={
/tool e-mail send \
to=example@example.com \
subject=("Traffic through the router exceeded " . $threshold . " packets/s")
/ip firewall mangle reset-counters;
}
}
/system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotter
Edit:
This one notifies when the packet/s ratio is greater than threshold/interval, or 200 packet/s (2000 packets in 10 s) in the given example.
To look for individual IP's, add specific mangle rules and
:foreach
statement.
Eugene
Posted: Sun Jul 03, 2005 3:54 pm
by djdodo
Hello, I must add all scripts manually and the log says:
System-Error: Error sending e-mail: abnormal termination (timeout)
Mail not send
Can you help me?
Posted: Sun Jul 03, 2005 7:06 pm
by [ASM]
add 'server=xxx.yyy.zzz.www' to /tool e-mail
Posted: Mon Jul 04, 2005 9:45 am
by djdodo
It is OK, our SMTP is already added...
Posted: Mon Jul 04, 2005 11:41 am
by djdodo
But it does not work...
Posted: Mon Jul 04, 2005 11:59 am
by cmit
Do firewall rules disallow SMTP traffic from your MikroTik to your SMTP server?
Posted: Mon Jul 04, 2005 2:51 pm
by djdodo
Hello, SMTP traffic is not disallowed; I tested 2 of our SMTP servers and from this MK router it does not work...
Posted: Mon Jul 04, 2005 3:55 pm
by cmit
So you can telnet to port 25 on your SMTP server from your MikroTik router?
Posted: Mon Jul 04, 2005 4:07 pm
by djdodo
From any MK router our SMTP is not available on telnet 25, but from any PC behind this MK router telnet 25 to our SMTP is available...
I don't know why it doesn't work and why telnet doesn't work... e.g. telnet to any MK router works.
Posted: Mon Jul 04, 2005 4:08 pm
by djdodo
[admin@igw aba] system> telnet 81.2.209.93
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system> telnet 81.2.209.93 25
Trying 81.2.209.93...
telnet: Unable to connect to remote host: Connection timed out
Welcome back!
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
System-Error: Error sending e-mail: abnormal termination (timeout)
[admin@igw aba] system>
Posted: Mon Jul 04, 2005 4:10 pm
by cmit
There are lots of places to look for the reason why SMTP isn't going through to your SMTP server. Some hints:
- firewall on the MikroTik: outgoing filters?
- is the SMTP server accepting connections from the IP address of your MikroTik?
- can you ping your SMTP server from your MikroTik (to verify routing is set up correctly)?
Posted: Mon Jul 04, 2005 4:22 pm
by djdodo
I know...
1. filters are now disabled
2. yes, it accepts
3. yes, ping works
Do you want to visit my MK router via ssh?
Posted: Mon Jul 04, 2005 4:27 pm
by djdodo
So, all filters are disabled and sending email from the MK router works, but I have a problem with the check-virus script and with e-backup.
How to detect IPs with infected PCs?
Posted: Mon Jul 04, 2005 4:32 pm
by djdodo
Hello, sending emails from our MK routers works now, so now I wish to have a script to detect infected PCs.
How to?
re
Posted: Mon Jul 04, 2005 4:40 pm
by djdodo
The ideal solution is this:
- the MK router detects an infected PC by more sent packets or ports
- it sends an email to the admin with the IPs of infected clients
- it disables the clients and redirects all traffic of infected clients to e.g. a web page with a warning
Is it possible?
Posted: Wed Jul 06, 2005 6:43 pm
by bax
I have errors also:
script error: invalid item number
Is this normal ... when there is no infected PC?
Also, why does MikroTik have no centralised place for downloading this useful script in .rsc format ... or does somebody know of some URL?
Posted: Fri Sep 23, 2005 9:36 pm
by gianluca
Is there a final version of the script that looks for those infected IPs and acts?
For me the best action would be to block internet access and redirect them (if possible) to a local web page that communicates that they are infected.
thanks
Gianluca
Posted: Fri Sep 30, 2005 8:54 pm
by bogdan_mare
Gianluca,
I guess you can do that in 2.9 using pop-up advertising. I also thought about this. You can modify the above code to run a script which drops packets from the suspect IP and advertises the message to clean the computer. You can also set up the block to be temporary, say a 4-hour block.
I did not implement this yet, but I will try it soon, I am on the verge of reconfiguring the hardware of my router. I am not experienced with scripts so if anyone knows that what I said can/cannot be done, please lay it on me. :D
Cheers,
Radu
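Eugene's script above watches a single aggregate counter and only mails when the whole router is busy; djdodo, gianluca and bogdan_mare then ask for the per-host version: find the client IP that is flooding, mail the admin, block it for a while and send it to a warning page. The following is an added example written for this edit, not code from the thread or from MikroTik, and it uses current RouterOS (v6/v7) scripting syntax rather than the 2.8 syntax of Eugene's post. The LAN 192.168.0.0/24, the warning-page server 192.168.0.2, the mail relay 192.0.2.25, the admin address, the "pps-watch" comment prefix and the "infected" address-list name are all assumed placeholders to change for your own network; the 2000 pkt/s threshold is the one from the thread, applied per host instead of per router.

```routeros
# --- 1. One-time setup (type into the terminal or import as .rsc) ---------

# Mail relay for /tool e-mail send ([ASM]'s hint). The option is "server="
# in the thread's version and in RouterOS v7; v6 called it "address=".
/tool e-mail set server=192.0.2.25 port=25 from="router@example.com"

# One counting rule per client of the assumed LAN 192.168.0.0/24.
# action=passthrough changes nothing; each rule exists only for its counter.
:for i from=2 to=254 do={
    :local ip ("192.168.0." . $i)
    /ip firewall mangle add chain=prerouting src-address=$ip action=passthrough comment=("pps-watch:" . $ip)
}
# Start from zero, otherwise the first run divides packets counted since
# rule creation by one interval and alerts on everybody.
/ip firewall mangle reset-counters numbers=[find where comment~"^pps-watch:"]

# Treatment of a listed host: HTTP is sent to the warning page (assumed at
# 192.168.0.2:80), everything else is dropped. Both forward rules must sit
# above any general "accept" rule in that chain, or the drop is never reached.
/ip firewall nat add chain=dstnat src-address-list=infected protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.2 to-ports=80 comment="infected: HTTP -> warning page"
/ip firewall filter add chain=forward src-address-list=infected dst-address=192.168.0.2 protocol=tcp dst-port=80 action=accept comment="infected: allow warning page"
/ip firewall filter add chain=forward src-address-list=infected action=drop comment="infected: drop everything else"

# --- 2. Detection script: save as /system script name=pps-watch -----------

:local interval 10
:local threshold 2000
:local listName "infected"
:local blockFor 4h
:local admin "admin@example.com"

# Looping over whatever find returns means an empty result just does nothing;
# "get" on an empty find is what raises bax's "invalid item number".
:foreach id in=[/ip firewall mangle find where comment~"^pps-watch:"] do={
    :local ip [/ip firewall mangle get $id src-address]
    :local pkts [/ip firewall mangle get $id packets]
    :local rate ($pkts / $interval)
    # Reset only this rule, so the next run sees exactly one interval and
    # the counters of unrelated mangle rules are left alone.
    /ip firewall mangle reset-counters numbers=$id
    :if ($rate > $threshold) do={
        # Alert and block once per episode; the list entry expires on its own
        # (bogdan_mare's temporary block), after which a still-noisy host is
        # simply caught again on the next interval.
        :if ([:len [/ip firewall address-list find where list=$listName and address=$ip]] = 0) do={
            /ip firewall address-list add list=$listName address=$ip timeout=$blockFor comment=("pps-watch: " . $rate . " pkt/s")
            /tool e-mail send to=$admin subject=("Host " . $ip . " sends " . $rate . " pkt/s, blocked for " . $blockFor) body=("Counter rule: " . [/ip firewall mangle get $id comment])
            :log warning ("pps-watch: " . $ip . " at " . $rate . " pkt/s, added to " . $listName)
        }
    }
}

# --- 3. Run it every interval; the 10s here must match $interval above ----
/system scheduler add name=pps-watch interval=10s on-event=pps-watch start-time=startup
```

Two things to keep in mind when using it. The rate is an average over the scheduler interval, so a 10 s interval will miss a burst that lasts two seconds but catches the sustained 6000 pkt/s that mp3turbo2 describes; shorten the interval if you need finer resolution, at the cost of running the script more often. The per-host counters cost one extra mangle rule lookup per packet for every client, which is what buys you the IP in the alert; if you only want the aggregate alarm Eugene's single rule is cheaper. Resetting just the script's own rules, rather than every mangle counter as the original does, keeps the statistics of your other rules intact, and the e-mail step still depends on the relay accepting connections from the router's address, which is exactly the problem djdodo hit above.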