[unisog] zotob and returning students, what are you going to do?
michael.holstein at csuohio.edu
Thu Aug 18 20:21:30 GMT 2005
> I guess I’m just floating this out here for discussion and am wondering what
> others are doing. We block 445 at the perimeter, but once students are in
> Residence, they pretty much do what they want within that network.
I have a Perl script which checks my MySQL database (fed by Snort) and
fires on any of the [sd|rx|ago]bot sigs -- then generates an email to
networking to shut down the port (could be automatic via SNMP if they
trusted me with the RW strings).
I get the port information from Ciscoworks, imported into MySQL by
another process and queried by the same script.
It's like electronic 'whack-a-mole' ... if they try another port, it
gets nicked too. We've had entire labs go down before someone calls, but
eventually, they get the idea that something's wrong.
It can also be done for the wireless users, since we make them do 802.1x
-- and although I could automatically disable accounts via LDAP with my
script, they won't let me do it :(
Works well enough for the wired networks though.
Michael Holstein CISSP GCIA
Cleveland State University
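The detect-then-request-port-shutdown loop described in the post, as an added example that is not Michael's Perl script. It uses an in-memory SQLite database as a stand-in for the MySQL tables fed by Snort and Ciscoworks, with constructed alert rows, hypothetical addresses and switch names, and an assumed two-table schema (alerts: src, sig; ports: ip, switch, port).

```python
import re
import sqlite3

# Matches the sdbot / rxbot / agobot signature names the post keys on.
BOT_SIG = re.compile(r"\b(sd|rx|ago)bot\b", re.IGNORECASE)

# Constructed sample data: Snort alerts and Ciscoworks port data.
ALERTS = [
    ("10.1.2.3", "MALWARE SDBot IRC C&C join"),
    ("10.1.2.3", "MALWARE SDBot IRC C&C join"),   # repeat hit, same host
    ("10.1.2.9", "WEB-MISC robots.txt access"),    # benign, must not fire
    ("10.1.5.7", "MALWARE Agobot scan"),
]
PORTS = [
    ("10.1.2.3", "resnet-sw1", "Fa0/12"),
    ("10.1.2.9", "resnet-sw1", "Fa0/14"),
    ("10.1.5.7", "resnet-sw2", "Fa0/3"),
]


def build_db():
    """Stand-in for the MySQL database; schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts(src TEXT, sig TEXT)")
    db.execute("CREATE TABLE ports(ip TEXT, switch TEXT, port TEXT)")
    db.executemany("INSERT INTO alerts VALUES (?, ?)", ALERTS)
    db.executemany("INSERT INTO ports VALUES (?, ?, ?)", PORTS)
    return db


def find_shutdowns(db):
    """Return {(switch, port): (ip, signature)} for hosts with a bot alert."""
    hits = {}
    rows = db.execute(
        "SELECT a.src, a.sig, p.switch, p.port "
        "FROM alerts a JOIN ports p ON a.src = p.ip"
    )
    for src, sig, switch, port in rows:
        if BOT_SIG.search(sig):
            hits.setdefault((switch, port), (src, sig))  # one request per port
    return hits


def shutdown_request(hits):
    """Render the body of the email sent to networking."""
    return "\n".join(
        f"Please shut down {sw} {pt}: host {ip} matched '{sig}'"
        for (sw, pt), (ip, sig) in sorted(hits.items())
    )
```

Re-running the script after a host moves to another port produces a new request for that port, which is the whack-a-mole behaviour the post describes.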