Definitely check the nat's that have been created
Show ip nat translations
You will often see lots of tcp 25 connections for the virus;
Another option is as you suggested ip accounting; set the accounting threshold high enough to catch all the microflow probes the virus may be doing of just a few bytes
-Joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Christopher Copley
Sent: Tuesday, July 21, 2009 12:19 PM
To: Cisco certification
Subject: finding port scans in Cisco LANS
Experts,
I have a virus running around my WAN network. I was wondering if any one
had any good ideas on how to use the Cisco ISR to find host on the network
that are infected? I was thinking of maybe CBAC, Accounting, etc? I know
that in the ASA logs can find this, but I can think of any way off hand.
Does any one have any ideas?
Chris
Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 21 2009 - 12:22:00 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:22 ART