Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Detecting Conficker w/ MARS?

Hi there,

I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?



Cisco Employee

Re: Detecting Conficker w/ MARS?

Hi Jason,

You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.

Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.

New Member

Re: Detecting Conficker w/ MARS?

We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?

New Member

Re: Detecting Conficker w/ MARS?

Your IDS may have a signature that detects this activity, I would look into that first if I were you.

Cisco Employee

Re: Detecting Conficker w/ MARS?

Correct. What make/model of IPS do you have?

CreatePlease to create content