A central syslog and firewalled 8291 ports with logging would be a better solution imho :) Grep seems less of a strain than tshark and would be quicker, I imagine.
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org> On Behalf Of Rob Janssen
Sent: Wednesday, 28 March 2018 18:44
To: 44net@mailman.ampr.org
Subject: [44net] MikroTik worm - please check your RouterOS version!
All these should be good now, I've checked the upgrade and it's on the newest code. Please let me know if you see anything else.
I'll run another scan (actually: a trace) tonight. It has to run for about 8-10 hours to catch everything, it appears.
I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot be done using a simple
tshark -i eth0 -f "tcp dst port 8291"
because tshark collects session state information and its memory use balloons under the millions of session open attempts it sees.
So I use:
# Restart tshark every 20000 packets so its per-session state never gets large;
# keep only the summary lines flagged [SYN] and cut them down to the source address.
# (tshark prints "->" between addresses in a non-UTF-8 locale; in a UTF-8 locale it
# prints a "→" arrow, and the first sed expression must be adjusted to match.)
while true; do
    tshark -i eth0 -f "tcp dst port 8291" -c 20000 \
      | fgrep '[SYN]' \
      | sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291
done
Of course it would also be possible to limit it to AMPRnet:
tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8"
Rob
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
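An added example, not from Rob's message or anything posted on the 44Net list, showing the same SYN-to-8291 collection done statelessly with tcpdump: the BPF filter runs in the kernel and matches only segments with SYN set and ACK clear, and tcpdump keeps no TCP conversation state, so memory use does not grow with the number of half-open sessions and no grep for "[SYN]" is needed. The interface name and output path are parameters of the capture functions (assumed, not from the thread), the sample tcpdump lines below are constructed from documentation address ranges, and the parsing assumes tcpdump's default one-line summary format with -n and without -v.

```shell
#!/bin/sh
# Added example (not from the 44Net thread): stateless collection of SYN
# segments to TCP/8291 with tcpdump, and a tally of the source addresses.

# Live capture. Only segments with SYN set and ACK clear pass the BPF filter,
# so tcpdump never sees the rest of the handshake and keeps no session state.
# -n: no DNS lookups; -l: line-buffered output so the pipe sees lines promptly.
# Interface and output file are parameters (assumed names, see usage below).
capture_syn8291() {
    # usage: capture_syn8291 <iface> <outfile>
    tcpdump -n -l -i "$1" \
        'tcp dst port 8291 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
        | extract_src >> "$2"
}

# Same capture restricted to AMPRnet sources, matching Rob's second tshark filter.
capture_syn8291_ampr() {
    # usage: capture_syn8291_ampr <iface> <outfile>
    tcpdump -n -l -i "$1" \
        'tcp dst port 8291 and src net 44.0.0.0/8 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
        | extract_src >> "$2"
}

# Extract the source IPv4 address from tcpdump's one-line summary, e.g.
#   12:00:01.000001 IP 192.0.2.10.51234 > 44.1.2.3.8291: Flags [S], ...
# Field 3 is "src.port"; strip the trailing ".port". IPv6 ("IP6") summary
# lines use a different layout and are deliberately skipped here.
extract_src() {
    awk '$2 == "IP" { sub(/\.[0-9]+$/, "", $3); print $3 }'
}

# Tally one line per source address, most active first: "<address> <count>".
top_sources() {
    sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample of tcpdump output (documentation address ranges) so the
# parsing and counting can be exercised offline without a live interface.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.0.2.10.51234 > 44.1.2.3.8291: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 198.51.100.7.40000 > 44.1.2.3.8291: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 192.0.2.10.51235 > 44.1.2.4.8291: Flags [S], seq 3, win 64240, length 0'

# Offline run over the sample; writes the per-source tally to stdout.
demo() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | extract_src | top_sources
}

demo
```

For a real run, `capture_syn8291 eth0 /tmp/syn8291` in the background and later `top_sources < /tmp/syn8291` gives the same list the sed pipeline produced, with counts. One practical difference from the `-c 20000` loop: while tshark is exiting and being restarted it is not capturing, so some SYNs in each gap are lost; a single long-running tcpdump has no such gap.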