[unisog] zotob and returning students, what are you going to do?

Michael Holstein michael.holstein at csuohio.edu
Thu Aug 18 20:21:30 GMT 2005

> I guess I’m just floating this out here for discussion and am wondering what
> others are doing. We block 445 at the perimeter, but once students are in
> Residence, they pretty much do what they want within that network.

I have a Perl script which checks my MySQL database (fed by snort) and 
fires on any of the [sd|rx|ago]bot sigs -- then generates an email to 
networking to shut down the port (could be automatic via SNMP if they 
trusted me with the RW strings).

I get the port information from Ciscoworks, imported into MySQL by 
another process and queried by the same script.

It's like electronic 'whack-a-mole' ... if they try another port, it 
gets nicked too. We've had entire labs go down before someone calls, but 
eventually, they get the idea that something's wrong.

It can also be done for the wireless users, since we make them do 802.1x 
-- and although I could automatically disable accounts via LDAP with my 
script, they won't let me do it :(

Works well enough for the wired networks though.


Michael Holstein CISSP GCIA
Cleveland State University
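The pipeline the post describes (bot-signature alerts in a snort-fed database, joined against imported switch-port data, turned into a shutdown request), written out as an added example; this is not the poster's Perl script. It assumes sqlite3 standing in for MySQL, constructed table layouts and sample rows rather than the real snort or CiscoWorks schemas, and it flags infected hosts that have no port mapping instead of silently dropping them.

```python
import re
import sqlite3

# Assumption: sqlite3 stands in for the MySQL database the post queries; the
# table layouts below are constructed for this example, not Snort's or
# CiscoWorks' real schemas. Alternation, not a character class, matches the sigs.
BOT_SIG = re.compile(r"\b(sd|rx|ago)bot\b", re.IGNORECASE)

def load_sample_db():
    """Build an in-memory DB with constructed alerts and port mappings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alert(ts TEXT, sig_name TEXT, src_ip TEXT);
        CREATE TABLE port_map(ip TEXT, switch TEXT, port TEXT);
    """)
    conn.executemany("INSERT INTO alert VALUES (?,?,?)", [
        ("2005-08-18 19:02:11", "WORM Sdbot IRC C&C join",  "10.20.1.15"),
        ("2005-08-18 19:05:40", "WORM Agobot scan 445/tcp", "10.20.1.15"),
        ("2005-08-18 19:06:03", "POLICY P2P client",        "10.20.1.22"),
        ("2005-08-18 19:09:57", "WORM rxbot ftp download",  "10.20.3.8"),
    ])
    conn.executemany("INSERT INTO port_map VALUES (?,?,?)", [
        ("10.20.1.15", "res-hall-a-sw1", "Fa0/12"),
        ("10.20.1.22", "res-hall-a-sw1", "Fa0/14"),
    ])
    return conn

def bot_alerts(conn):
    """Return (ts, sig_name, src_ip) rows whose signature names a bot family."""
    rows = conn.execute("SELECT ts, sig_name, src_ip FROM alert ORDER BY ts")
    return [r for r in rows if BOT_SIG.search(r[1])]

def shutdown_requests(conn):
    """One request per infected host; hosts without a port mapping are flagged."""
    by_host = {}
    for ts, sig, ip in bot_alerts(conn):
        by_host.setdefault(ip, set()).add(sig)
    reqs = []
    for ip, sigs in sorted(by_host.items()):
        row = conn.execute("SELECT switch, port FROM port_map WHERE ip=?", (ip,)).fetchone()
        reqs.append({"ip": ip, "switch": row[0] if row else None,
                     "port": row[1] if row else None, "sigs": sorted(sigs)})
    return reqs

def email_body(reqs):
    """Render the request list as the text sent to the networking group."""
    lines = []
    for r in reqs:
        where = f"{r['switch']} {r['port']}" if r["switch"] else "NO PORT MAPPING - locate manually"
        lines.append(f"Please shut {where}: host {r['ip']} matched {', '.join(r['sigs'])}")
    return "\n".join(lines)
```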
