Block and monitor

  • Hi,
    I'm new to pfSense so please excuse my ignorance. I recently took over network admin responsibilities at my office and the hardware running pfSense was running version 2.2.4 so I updated it to 2.3.5. The ISP has been threatening to turn off service for a few months because of possible malicious activity from our IP address. They mentioned that one of the network devices is infected by Mirai. Originally they told me that the virus was utilizing port 23. So, I went into the firewall and blocked port 23 on the LAN and the WAN. But after reading up on pfSense, it seems like everything is blocked and only what is allowed is what is allowed in the firewall settings. But according to the ISP, the virus communicates on these ports: 23, 2323, 3389, 5555 and 7547. How can I monitor the traffic to find out what device is causing this malicious activity? I've also installed Snort and I've activated it on the LAN and the WAN (I'm not sure if I should only activate it on one or the other). I've read that with Snort configured I can stop any P2P traffic. I didn't see any specific settings to enable that feature so it must be enabled by default? Thanks for your help!
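One way to answer the "which device is it" question from the firewall's own logs, as an added example that is not part of the original post and not pfSense or Snort code: parse pfSense filterlog entries, keep only connections from a LAN host to an outside address on the ports the ISP listed (23, 2323, 3389, 5555, 7547), and count them per source address. The log lines are constructed samples; the CSV field positions follow the filterlog layout as I understand it for IPv4 TCP/UDP, and the LAN subnet and interface names are assumptions, so check the indices against a real line from /var/log/filter.log before trusting the output.

```python
import ipaddress
from collections import Counter, defaultdict

# Ports the ISP named in the post as used by the Mirai-infected device.
MIRAI_PORTS = {23, 2323, 3389, 5555, 7547}

# Constructed sample lines. Assumed filterlog layout after "filterlog: ":
#   0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 interface, 5 reason, 6 action,
#   7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset,
#   14 flags, 15 proto-id, 16 proto-text, 17 length, 18 src, 19 dst,
#   20 sport, 21 dport ...   (verify against your own filter.log)
SAMPLE_LOG = """\
Mar 10 10:00:01 pfsense filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51001,23,0,S,1,,65535,,mss
Mar 10 10:00:02 pfsense filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.50,198.51.100.7,51002,2323,0,S,1,,65535,,mss
Mar 10 10:00:03 pfsense filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.50,203.0.113.44,51003,7547,0,S,1,,65535,,mss
Mar 10 10:00:04 pfsense filterlog: 9,,,1000000112,igb1,match,block,out,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.50,203.0.113.45,51004,23,0,S,1,,65535,,mss
Mar 10 10:00:05 pfsense filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51005,443,0,S,1,,65535,,mss
Mar 10 10:00:06 pfsense filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,6,0,DF,17,udp,78,192.168.1.20,192.168.1.1,51006,53,58
"""


def parse_filterlog_line(line):
    """Return a dict with action, src, dst, dport for an IPv4 TCP/UDP entry, else None."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].strip().split(",")
    # Need at least the dport field and an IPv4 entry with a tcp/udp payload.
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    try:
        return {
            "action": fields[6],
            "src": ipaddress.ip_address(fields[18]),
            "dst": ipaddress.ip_address(fields[19]),
            "dport": int(fields[21]),
        }
    except ValueError:
        return None


def find_suspects(log_text, lan_net="192.168.1.0/24", ports=MIRAI_PORTS):
    """Map each LAN source address to a Counter of suspicious destination ports.

    A hit is a LAN host talking to a non-LAN address on one of the listed
    ports; both passed and blocked packets count, since a blocked attempt
    still shows which host is trying. Assumed LAN subnet: lan_net.
    """
    lan = ipaddress.ip_network(lan_net)
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_filterlog_line(line)
        if entry is None:
            continue
        if entry["src"] in lan and entry["dst"] not in lan and entry["dport"] in ports:
            hits[str(entry["src"])][entry["dport"]] += 1
    return dict(hits)


def top_suspect(suspects):
    """Return (source_ip, total_hits) for the busiest LAN host, or None."""
    if not suspects:
        return None
    src = max(suspects, key=lambda s: sum(suspects[s].values()))
    return src, sum(suspects[src].values())


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for src, ports in found.items():
        print(src, dict(ports))
    print("top suspect:", top_suspect(found))
```

On a live box the function can be fed the output of `clog /var/log/filter.log` (pfSense 2.3 keeps that log in circular format) or a syslog copy; a host that shows up with many distinct outside destinations on 23 and 2323 is the one to unplug and inspect, while a single hit may just be an admin's telnet session. Because pfSense only logs packets that match a rule with logging enabled, the default pass rule on the LAN needs logging turned on (or a dedicated log-only rule for these ports) before this shows anything.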
