Need to find the origin of this traffic BAD-TRAFFIC Conficker.
-
Hi all,
I must thank you all for helping me out so far. To be honest this is the best community I have come across.
I have Snort listening on the WAN side. I can see some external IPs getting blocked and have plenty of alerts. What confused me was the alert below:
06/09-20:50:39.667417 [ ** ] [ 3:15450:2 ] BAD-TRAFFIC Conficker C/D DNS traffic detected [ ** ] [ Classification: A Network Trojan was detected ] [ Priority: 1 ] {UDP} Firewall IP/my gateway:51806 -> 208.67.222.222:53
I can see that some PC in my network generated Conficker traffic, and it is going to an external IP. How do I figure out which PC in my network caused it?
I tried using Snort on LAN and WAN and my firewall went crazy; I had to reboot it and disable LAN.
Thanks all.
-
You will need Snort to listen on the LAN to track this down.
Listening on WAN and LAN should be ok, but will be resource-intensive. At least it used to work, I haven't tried it lately.
-
> You will need Snort to listen on the LAN to track this down.
> Listening on WAN and LAN should be ok, but will be resource-intensive. At least it used to work, I haven't tried it lately.
That probably explains why my firewall froze on me when I turned the LAN/WAN on.
-
A kludge might be, if you catch it in the log fast enough, to check the state table and see which machine(s) is/are getting NAT'd out to port 51806, though since this is DNS traffic it might be going through the DNS forwarder.
You could also just scan your network for Conficker-infected hosts; apparently nmap's script for this is fairly reliable. See the post on the nmap page about scanning for Conficker.
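The state-table kludge from the previous reply, worked through as an added example (not code from the thread or from pfSense/Snort): it parses a Snort fast-format alert like the one in the original post, parses NAT state entries, and matches the post-NAT source port that Snort saw on WAN back to the pre-NAT LAN address. The state lines are constructed and modelled on `pfctl -ss` output, the firewall addresses (203.0.113.5 on WAN, 192.168.1.1 on LAN) and the LAN hosts are assumptions, and the DNS-forwarder case the reply warns about is handled explicitly: when the pre-NAT source is the firewall itself, the real client is hidden behind the forwarder and the state table cannot name it.

```python
"""Attribute a WAN-side Snort alert to a LAN host via the NAT state table."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Snort "fast"-format alert line (same shape as the alert in the post).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# One outbound-NAT state entry; the address in parentheses is the pre-NAT
# (LAN) source.  Layout modelled on `pfctl -ss` output (an assumption here).
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>[a-z]+)\s+(?P<wan>[\d.]+):(?P<wport>\d+)\s+"
    r"\((?P<lan>[\d.]+):(?P<lport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample data.  Addresses are documentation/private ranges.
FIREWALL_IPS = {"203.0.113.5", "192.168.1.1"}  # assumed WAN and LAN addresses
SAMPLE_ALERT = (
    "06/09-20:50:39.667417 [**] [3:15450:2] BAD-TRAFFIC Conficker C/D DNS "
    "traffic detected [**] [Classification: A Network Trojan was detected] "
    "[Priority: 1] {UDP} 203.0.113.5:51806 -> 208.67.222.222:53"
)
FORWARDER_ALERT = SAMPLE_ALERT.replace(":51806", ":48210")
SAMPLE_STATES = """\
all udp 203.0.113.5:51806 (192.168.1.50:51806) -> 208.67.222.222:53  MULTIPLE:MULTIPLE
all udp 203.0.113.5:48210 (192.168.1.1:48210) -> 208.67.222.222:53  MULTIPLE:MULTIPLE
all tcp 203.0.113.5:40000 (192.168.1.20:52111) -> 198.51.100.7:443  ESTABLISHED:ESTABLISHED
"""


def parse_alert(line: str) -> Dict[str, object]:
    """Return the alert fields; ports are ints, protocol is lower-cased."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    d = dict(m.groupdict())
    for key in ("gid", "sid", "rev", "sport", "dport"):
        d[key] = int(d[key])
    d["proto"] = str(d["proto"]).lower()
    return d


def parse_states(text: str) -> List[Dict[str, object]]:
    """Parse NAT state entries; lines without a pre-NAT address are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = dict(m.groupdict())
            for key in ("wport", "lport", "dport"):
                d[key] = int(d[key])
            states.append(d)
    return states


@dataclass
class Attribution:
    lan_host: Optional[str]  # pre-NAT source, or None when no state matched
    via_forwarder: bool      # True when the "source" is the firewall itself
    note: str


def attribute_alert(alert: Dict[str, object], states: List[Dict[str, object]],
                    firewall_ips: set) -> Attribution:
    """Match the post-NAT 5-tuple Snort saw on WAN to a state's pre-NAT source."""
    for st in states:
        if (st["proto"] == alert["proto"] and st["wan"] == alert["src"]
                and st["wport"] == alert["sport"] and st["dst"] == alert["dst"]
                and st["dport"] == alert["dport"]):
            if st["lan"] in firewall_ips:
                return Attribution(str(st["lan"]), True,
                                   "query left via the firewall's DNS forwarder; "
                                   "the real client is not visible in the state "
                                   "table, check the forwarder log or run Snort on LAN")
            return Attribution(str(st["lan"]), False,
                               f"LAN host {st['lan']}:{st['lport']} owns this state")
    return Attribution(None, False,
                       "no matching state; it may have expired already, check "
                       "sooner after the alert or run Snort on LAN")


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    for raw in (SAMPLE_ALERT, FORWARDER_ALERT):
        a = parse_alert(raw)
        r = attribute_alert(a, states, FIREWALL_IPS)
        print(f"sid {a['sid']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}: "
              f"{r.lan_host} (forwarder={r.via_forwarder}) - {r.note}")
```

In practice the state entry only exists while the UDP state is alive, which is why the reply says you have to catch it fast; the forwarder branch is the common outcome on a firewall that resolves for its clients, and then the forwarder's own query log or a LAN-side sensor is what names the machine.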