May 2nd, 2005


Worm War More

Crisis does at least inspire invention. I've been working on a Perl script to paw through our daily firewall logs and pick out signs of infected PCs (it's not that hard, there are lots of them). I even concocted an acronym for it: the Worm And Virus Edge Surveillance System. WAVESS is pretty sharp -- it'll ID three common signs of infection and produce both text and HTML reports -- but it can't do one thing that the desktop techs need it to do.

Because the firewall logs are stored on a Linux server, WAVESS runs there too. From the Linux box I can query DNS to resolve host names from their IP addresses. But most of our IP ranges haven't been configured for reverse lookup, so I only get resolution on some of the names. The desktop techs need names if they're going to find the PCs. I can't access WINS or query the (Windows 2000) DHCP server from the Linux host. What to do? I did some additional legwork to enable WAVESS to match IP addresses to their subnets and subnets to subnet names, which helps in that you can tell what building the PC is in. But the name of the PC itself has to come from somewhere else.
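To make the two pieces described above concrete, here is a small Perl sketch in the same spirit. It is an added example, not the author's WAVESS script: the log line layout, the subnet table and the single "sign of infection" heuristic (one source fanning out to many distinct hosts on one port) are all constructed for illustration; the post does not say which three signs WAVESS looks for, so this stands in for one of them. The IP-to-subnet step is a longest-prefix match, so a /24 entry wins over the enclosing /16 when both contain the address.

```perl
#!/usr/bin/perl
# Added example, not the author's WAVESS script: one "sign of infection"
# heuristic (a single source touching many distinct hosts on one port) run
# over constructed firewall log lines, with each flagged IP labelled by its
# subnet name via longest-prefix match.
use strict;
use warnings;

# Constructed sample log lines. The field layout is an assumption, not the
# format of any particular firewall.
my @sample_log = (
    'May  2 08:01:12 fw1 DENY TCP 10.20.3.17:3344 -> 10.20.9.5:445',
    'May  2 08:01:12 fw1 DENY TCP 10.20.3.17:3345 -> 10.20.9.6:445',
    'May  2 08:01:13 fw1 DENY TCP 10.20.3.17:3346 -> 10.20.9.7:445',
    'May  2 08:01:13 fw1 DENY TCP 10.20.3.17:3347 -> 10.20.9.8:445',
    'May  2 08:01:14 fw1 DENY TCP 10.20.3.17:3348 -> 10.20.9.9:445',
    'May  2 08:01:14 fw1 DENY TCP 10.20.3.17:3349 -> 10.20.9.10:445',
    'May  2 08:02:40 fw1 ALLOW TCP 172.16.9.40:1234 -> 192.0.2.10:80',
    'May  2 08:02:41 fw1 ALLOW TCP 172.16.9.40:1235 -> 192.0.2.11:80',
    'May  2 08:03:00 fw1 DENY UDP 10.20.44.2:137 -> 10.20.44.255:137',
);

# Constructed subnet table (CIDR => location name); stands in for whatever
# the real site keeps about its address plan.
my %subnet_names = (
    '10.20.3.0/24'  => 'Library, 2nd floor',
    '10.20.0.0/16'  => 'Main campus (unspecified building)',
    '172.16.8.0/22' => 'Annex',
);

# Dotted quad -> 32-bit integer; undef on malformed input.
sub ip_to_int {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    return undef if @o != 4 || grep { !/^\d+$/ || $_ > 255 } @o;
    return unpack('N', pack('C4', @o));
}

# Longest-prefix match so 10.20.3.0/24 beats 10.20.0.0/16 for 10.20.3.17.
sub subnet_name {
    my ($ip) = @_;
    my $n = ip_to_int($ip);
    return 'unknown subnet' unless defined $n;
    my ($best_len, $best_name) = (-1, 'unknown subnet');
    for my $cidr (keys %subnet_names) {
        my ($net, $len) = split m{/}, $cidr;
        my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
        next unless (($n & $mask) == (ip_to_int($net) & $mask));
        ($best_len, $best_name) = ($len, $subnet_names{$cidr}) if $len > $best_len;
    }
    return $best_name;
}

# Count distinct destinations per (source, destination port). A source that
# fans out to $threshold or more hosts on one port is reported. Returns a
# list of hashrefs sorted by source IP.
sub suspect_hosts {
    my ($threshold, @lines) = @_;
    my %targets;   # $targets{$src}{$dport}{$dst} = 1
    for my $line (@lines) {
        next unless $line =~ /\b(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b/;
        my ($src, $dst, $dport) = ($1, $2, $3);
        $targets{$src}{$dport}{$dst} = 1;
    }
    my @hits;
    for my $src (sort keys %targets) {
        for my $dport (sort { $a <=> $b } keys %{ $targets{$src} }) {
            my $count = scalar keys %{ $targets{$src}{$dport} };
            next if $count < $threshold;
            push @hits, { ip => $src, port => $dport, hosts => $count,
                          location => subnet_name($src) };
        }
    }
    return @hits;
}

# Plain-text report; an HTML variant would emit the same fields in a table.
for my $h (suspect_hosts(5, @sample_log)) {
    printf "%-15s port %-5d %3d hosts  %s\n",
        $h->{ip}, $h->{port}, $h->{hosts}, $h->{location};
}
```

With the sample data only 10.20.3.17 crosses the threshold, and it is labelled "Library, 2nd floor" rather than the broader campus range. The reverse-DNS attempt the post mentions would slot into the same loop (core Perl's gethostbyaddr from the Socket module), with the subnet label as the fallback when the PTR record is missing.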

This is where that MySQL server comes in. Now, when WAVESS runs, it stuffs its findings into a table on the MySQL server at the same time it's generating its reports. We can then get at them from MS Access via ODBC and (hopefully) figure out a way using Visual Basic to poke the DHCP server and match up IPs to PC names.

The ODBC part was something of a milestone for me. I know that ODBC connections are nothing new for Real Programmers, but for a Packet Pusher like me, getting Access to see the database and tables in the MySQL server was a cause for celebration. All of this made a fine antidote to the meetings and usual Hartford interdepartmental strife that otherwise punctuated my day.
  • Current Music
    Tangerine Dream -- Dream Sequence