Detecting Conficker w/ MARS?

XenoPhage
Level 1

Hi there,

I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?

Thanks!

Jason
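One way to cut a raw port-139/445 report down to the hosts worth chasing, as an added example that is not from this thread or from Cisco MARS: rank internal sources by how many distinct hosts they contact on tcp/139 and tcp/445, so a single workstation sweeping many neighbours stands out from a workstation talking to one file server. The flow-line format, the 10.1.0.0/16 internal range and the threshold of 5 distinct targets are assumptions to be tuned to your own logs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow lines in a hypothetical "src= dst= dport= proto="
# format; these are not real MARS or ASA records.
SAMPLE_LOGS = "\n".join(
    [
        # Normal file sharing: one workstation talking to one file server.
        "2009-02-10T10:00:01 src=10.1.1.20 dst=10.1.1.5 dport=445 proto=tcp",
        "2009-02-10T10:00:02 src=10.1.1.20 dst=10.1.1.5 dport=139 proto=tcp",
        # A few distinct servers: still below the scanning threshold.
        "2009-02-10T10:00:05 src=10.1.1.30 dst=10.1.1.5 dport=445 proto=tcp",
        "2009-02-10T10:00:06 src=10.1.1.30 dst=10.1.1.6 dport=445 proto=tcp",
        "2009-02-10T10:00:07 src=10.1.1.30 dst=10.1.1.7 dport=445 proto=tcp",
        # Non-SMB traffic and an external source are ignored by the filter.
        "2009-02-10T10:00:08 src=10.1.1.30 dst=10.1.1.9 dport=80 proto=tcp",
        "2009-02-10T10:00:09 src=192.0.2.9 dst=10.1.1.1 dport=445 proto=tcp",
    ]
    # One internal host sweeping eight neighbours on tcp/445: scanner-like.
    + [f"2009-02-10T10:01:{i:02d} src=10.1.1.77 dst=10.1.1.{i} dport=445 proto=tcp"
       for i in range(1, 9)]
)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
SMB_PORTS = {139, 445}

def smb_fanout(log_text, internal_net="10.1.0.0/16"):
    """Map each internal source to the number of distinct hosts it reached on tcp/139 or tcp/445."""
    net = ipaddress.ip_network(internal_net)  # assumed internal address space
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        src, dst, dport, proto = m.groups()
        if proto != "tcp" or int(dport) not in SMB_PORTS:
            continue  # only the file-sharing ports the report is about
        if ipaddress.ip_address(src) not in net:
            continue  # only report on our own address space
        targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()}

def suspected_scanners(log_text, threshold=5, internal_net="10.1.0.0/16"):
    """Sources reaching at least `threshold` distinct SMB hosts; the threshold is an assumed starting point."""
    fanout = smb_fanout(log_text, internal_net)
    return sorted(src for src, n in fanout.items() if n >= threshold)
```

The distinct-target count is a triage signal, not proof of infection; confirm flagged hosts against your IPS signature hits before acting.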

4 Replies

rajett
Cisco Employee

Hi Jason,

You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.

Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.

We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?

Your IDS may have a signature that detects this activity, I would look into that first if I were you.

Correct. What make/model of IPS do you have?
