Detecting Conficker w/ MARS?

Unanswered Question
Jan 26th, 2009
User Badges:

Hi there,

I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rajett Wed, 01/28/2009 - 09:35
User Badges:
  • Cisco Employee,

Hi Jason,

You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.

Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.

XenoPhage Fri, 01/30/2009 - 09:46
User Badges:

We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?

jnommensen Wed, 02/11/2009 - 10:35
User Badges:

Your IDS may have a signature that detects this activity, I would look into that first if I were you.

rajett Thu, 02/12/2009 - 12:59
User Badges:
  • Cisco Employee,

Correct. What make/model of IPS do you have?


This Discussion