One of my remote users got a nasty trojan that apparently spammed and got us listed on a spam RBL. I know exactly which trojans are the problem, and am working on cleaning this client up, but I want to make sure none of my other clients are also infected. Here's the description of it:
ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).
To find an infected computer on a NATted network you will have to search through your firewall logs for connections from/to UDP port 11245. However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports (10,000 and higher) should be looked at closely.
This is exactly what I want to do. I want to check/monitor logs for any other clients on my network transmitting/receiving large numbers of packets on these ports that may be infected. What is the best way to do this on my Cisco ASA 5500? I am somewhat familiar with Cisco IOS but not sure how to do this. Thank you!
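Added example, not from the original post or from Cisco: a small Python script that does the log search the ZeuS description calls for, run over constructed ASA syslog lines in the standard 302013/302015 "Built ... connection" format. It assumes the LAN-facing ASA interface is named "inside" (INSIDE_IFACE) and a high-port threshold of 3 connections; both are placeholders to adjust for a real network.

```python
import re
from collections import defaultdict

# Matches ASA "Built ... connection" syslog messages (302013 = TCP, 302015 = UDP).
CONN_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\)"
    r" to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)"
)
P2P_PORT = 11245         # UDP port named in the ZeuS v3 description
HIGH_PORT = 10000        # "high ports (10,000 and higher)"
INSIDE_IFACE = "inside"  # assumption: name of the ASA interface facing the LAN

def summarise(lines):
    """Per inside host: UDP/11245 hits and connections whose peer port is >= HIGH_PORT.
    The inside host's own ephemeral port is ignored: every normal client uses one."""
    stats = defaultdict(lambda: {"p2p_11245": 0, "high_port": 0})
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # teardown messages, ACL denies, etc. are not connection builds
        sides = [(m["if1"], m["ip1"], int(m["p1"])), (m["if2"], m["ip2"], int(m["p2"]))]
        inside = [s for s in sides if s[0] == INSIDE_IFACE]
        if len(inside) != 1:
            continue  # skip flows that do not involve exactly one LAN host
        host, local_port = inside[0][1], inside[0][2]
        peer_port = next(s[2] for s in sides if s[0] != INSIDE_IFACE)
        if m["proto"] == "UDP" and P2P_PORT in (local_port, peer_port):
            stats[host]["p2p_11245"] += 1
        if peer_port >= HIGH_PORT:
            stats[host]["high_port"] += 1
    return dict(stats)

def suspects(lines, high_port_threshold=3):
    """Hosts that touched UDP/11245 at all, or met the high-port connection threshold."""
    return sorted(h for h, c in summarise(lines).items()
                  if c["p2p_11245"] or c["high_port"] >= high_port_threshold)

# Constructed sample syslog lines (not real traffic) in the 302013/302015 format.
SAMPLE_LOG = [
    "%ASA-6-302015: Built outbound UDP connection 1001 for outside:203.0.113.5/11245 (203.0.113.5/11245) to inside:192.168.1.20/50123 (198.51.100.2/50123)",
    "%ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.7/33421 (198.51.100.7/33421) to inside:192.168.1.20/50124 (198.51.100.2/50124)",
    "%ASA-6-302015: Built outbound UDP connection 1003 for outside:198.51.100.8/41002 (198.51.100.8/41002) to inside:192.168.1.20/50125 (198.51.100.2/50125)",
    "%ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.1.30/51000 (198.51.100.2/51000)",
    "%ASA-6-302015: Built outbound UDP connection 1005 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:192.168.1.30/51001 (198.51.100.2/51001)",
    "%ASA-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.88/21934 (203.0.113.88/21934) to inside:192.168.1.40/52000 (198.51.100.2/52000)",
    "%ASA-6-302013: Built inbound TCP connection 1007 for outside:203.0.113.9/54321 (203.0.113.9/54321) to dmz:10.0.0.5/80 (10.0.0.5/80)",
    "%ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/443 to inside:192.168.1.30/51000 duration 0:00:02 bytes 1832 TCP FINs",
]
```

Feed it the ASA syslog export (for example `suspects(open("asa.log").readlines())`) and review any host it returns; a single UDP/11245 hit is the strong indicator, while the high-port count needs a threshold tuned against the normal traffic on your network.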