Detecting Conficker w/ MARS?

Unanswered Question
Jan 26th, 2009

Hi there,

I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?

Thanks!

Jason
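One way to cut a raw "everything to 139/445" report down to likely candidates is to look at fan-out rather than individual connections: an ordinary user touches a handful of file servers, while a host sweeping the subnet on those ports contacts many distinct addresses in a short time. The script below is an added illustration of that idea and is not part of this thread or a CS-MARS feature; it reads a simple constructed flow format (`timestamp src dst dport`), and the 10.0.0.0/8 address space, the 5-minute window and the threshold of 20 distinct destinations are assumptions chosen for the example.

```python
"""Fan-out heuristic for SMB-port scanning in flow or firewall logs.

Added example (not from the forum thread, not CS-MARS code): instead of
listing every internal-to-445/139 connection, count how many distinct
destination hosts each internal source reaches on those ports within a
time window and report only the sources above a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
EPOCH = datetime(1970, 1, 1)                      # fixed origin for window buckets


def parse_line(line):
    """Parse one constructed record: 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return (datetime.fromisoformat(ts),
            ipaddress.ip_address(src),
            ipaddress.ip_address(dst),
            int(dport))


def find_scanners(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: max distinct SMB destinations in any one window}
    for internal sources that reach >= threshold distinct hosts on 139/445."""
    fanout = defaultdict(set)   # (src, window bucket) -> set of destinations
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = parse_line(line)
        # keep only SMB-port traffic that originates inside our address space
        if dport not in SMB_PORTS or src not in INTERNAL:
            continue
        bucket = (ts - EPOCH) // window          # integer window index
        fanout[(src, bucket)].add(dst)

    hits = {}
    for (src, _bucket), dsts in fanout.items():
        if len(dsts) >= threshold:
            hits[str(src)] = max(hits.get(str(src), 0), len(dsts))
    return hits


def build_sample():
    """Constructed sample records (not real logs) for demonstration."""
    base = datetime(2009, 1, 26, 10, 0, 0)
    lines = []
    # a normal user talking repeatedly to the same three file servers
    for i in range(12):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.1.1.5 10.1.0.{10 + i % 3} 445")
    # a suspicious host sweeping 40 consecutive addresses on 445 in 40 seconds
    for i in range(40):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.1.2.77 10.1.3.{i + 1} 445")
    # non-SMB traffic from the same host: ignored by the filter
    lines.append(f"{base.isoformat()} 10.1.2.77 198.51.100.7 80")
    # an external source hitting 445: ignored, outside our address space
    lines.append(f"{base.isoformat()} 203.0.113.9 10.1.0.10 445")
    return lines


if __name__ == "__main__":
    for src, count in sorted(find_scanners(build_sample()).items()):
        print(f"{src}: {count} distinct SMB destinations in one window")
```

Run against the constructed sample, only 10.1.2.77 is reported (40 distinct hosts); the normal user never exceeds three destinations and drops out of the report. Hosts flagged this way are candidates for the follow-up the replies suggest, such as checking whether the IDS fired a matching signature for the same source, rather than confirmed infections on their own.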

rajett Wed, 01/28/2009 - 09:35

Hi Jason,

You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.

Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.

XenoPhage Fri, 01/30/2009 - 09:46

We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?

jnommensen Wed, 02/11/2009 - 10:35

Your IDS may have a signature that detects this activity; I would look into that first if I were you.
