Netgate Discussion Forum
    Who is causing IP to be listed on CBL because of Gozi Trojan?

    Firewalling
    4 Posts 3 Posters 507 Views
    Tillebeck

      I am using pfSense just as router and firewall for incoming traffic. But now the WAN IP is listed due to outbound traffic caused by Gozi Trojan.

      I have never looked into analyzing outbound traffic. So starting from scratch… Is there a package or feature that can block outbound malicious traffic and log it so I can find local infected machines?

      thanks

      A Former User

        :o    Quite the beast you think you may have. Link below will help you know the animal you are looking for including what to look for in a packet capture. They have also written a SNORT rule for detection.  You may be dealing with a newer variant.
        https://www.secureworks.com/research/gozi

        bmeeks

          @Tillebeck:

          I am using pfSense just as router and firewall for incoming traffic. But now the WAN IP is listed due to outbound traffic caused by Gozi Trojan.

          I have never looked into analyzing outbound traffic. So starting from scratch… Is there a package or feature that can block outbound malicious traffic and log it so I can find local infected machines?

          thanks

          If you want to identify the infected machine on your LAN, then install the Snort package and configure your LAN as the interface to run it on. This way any alerts generated by machines on your LAN will show up with their native LAN IP address. If you run Snort on your WAN, it will only see your outbound internal traffic after NAT rules have been applied, so all internal LAN hosts will show up as having the WAN interface IP. That won't be helpful with locating the infected internal host.

          If you have never used an IDS/IPS before, there are some "getting started resources" in the Sticky Topics at the top of the IDS/IPS sub-forum within the Packages forum here. There is also documentation on the pfSense Wiki for Snort.

          Bill

          Tillebeck
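The point Bill makes above (run Snort on the LAN side so alerts keep the per-host source address; on the WAN side outbound NAT has already collapsed every internal host to the WAN IP) is easy to see with a small triage script. The following is an added example, not code from the thread or from the pfSense Snort package. It parses Snort "fast" alert lines, groups them by source address so the most active internal host surfaces first, and then models the WAN-side view by rewriting every source to a single WAN address. The sample alert lines, the WAN address 198.51.100.7, and the SIDs 1000001/1000002 (local-rules range) with their messages are all constructed placeholders, not real Gozi signatures.

```python
import re

# Snort "fast" alert lines have this layout (ports are absent for ICMP):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: what Snort on the LAN interface would log. SIDs 1000001/1000002
# are in the local-rules range and the messages are placeholders, not real signatures.
# One non-alert line (a startup message) is included to show that it is skipped.
SAMPLE_LAN_ALERTS = """\
05/10-14:23:01.123456  [**] [1:1000001:1] LOCAL Trojan beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.57:49231 -> 203.0.113.10:80
05/10-14:23:09.654321  [**] [1:1000001:1] LOCAL Trojan beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.57:49240 -> 203.0.113.10:80
Commencing packet processing (pid=12345)
05/10-14:25:44.000001  [**] [1:1000001:1] LOCAL Trojan beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.88:51002 -> 203.0.113.10:80
05/10-14:26:10.500000  [**] [1:1000002:1] LOCAL suspicious ICMP (constructed) [**] [Priority: 3] {ICMP} 192.168.1.88 -> 203.0.113.10
05/10-14:31:02.250000  [**] [1:1000001:1] LOCAL Trojan beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.57:49302 -> 203.0.113.10:80
"""

WAN_IP = "198.51.100.7"  # constructed WAN address used for the NAT illustration


def parse_alerts(text):
    """Parse fast-format alert text into dicts; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sid"] = int(d["sid"])
        d["prio"] = int(d["prio"]) if d["prio"] is not None else None
        alerts.append(d)
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address: count, distinct SIDs and destinations, first/last seen.

    Timestamps keep Snort's MM/DD-HH:MM:SS.ffffff string form, which sorts correctly
    within a single year, so min/max give first and last seen without date parsing."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {
            "alerts": 0, "sids": set(), "destinations": set(),
            "first": a["ts"], "last": a["ts"],
        })
        s["alerts"] += 1
        s["sids"].add(a["sid"])
        s["destinations"].add(a["dst"])
        s["first"] = min(s["first"], a["ts"])
        s["last"] = max(s["last"], a["ts"])
    return summary


def rank_suspects(summary):
    """Source addresses ordered by alert volume, busiest first (ties broken by address)."""
    return sorted(summary, key=lambda ip: (-summary[ip]["alerts"], ip))


def as_seen_on_wan(alerts, wan_ip):
    """Model of the same alerts observed on the WAN interface: outbound NAT has already
    replaced every LAN source address with the one WAN address, so host detail is lost."""
    return [dict(a, src=wan_ip) for a in alerts]


def print_view(title, summary):
    print(title)
    for ip in rank_suspects(summary):
        s = summary[ip]
        print(f"  {ip}: {s['alerts']} alerts, sids {sorted(s['sids'])}, "
              f"to {sorted(s['destinations'])}, {s['first']} .. {s['last']}")


if __name__ == "__main__":
    lan_alerts = parse_alerts(SAMPLE_LAN_ALERTS)
    print_view("LAN-side view (per-host detail survives):", summarize_by_source(lan_alerts))
    print_view("WAN-side view (after outbound NAT):",
               summarize_by_source(as_seen_on_wan(lan_alerts, WAN_IP)))
```

Run against a real alert file with `parse_alerts(open("/var/log/snort/alert").read())` (path is the usual Snort default, adjust for your install); the LAN-side summary is the list of hosts to pull off the network and inspect, while the WAN-side summary shows why that list degenerates to a single entry when the sensor sits outside NAT.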

            Thanks. I have found a guide on how to install/configure SNORT. Never tried. It will be fun :-)

            Best regards, Anders

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.