Downadup/Conficker-C + Pfsense



  • pfSense setup in a test public area that protects about 6 systems connected to the pfSense test system, with Snort installed. We have been seeing a lot of blocks in the Snort Blocked Hosts list for the external address that is assigned to the pfSense box, 65.xx.xxx.xx: "ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)". It's not showing any internal address being blocked, just the outside address, for the past 2 weeks. 1 of the PCs in the test area was infected with a worm, so it was pulled from the test environment and replaced with a new clean system, and the other systems, while not infected, were totally trashed and reimaged. Then we tested with nmap and other tools and did not find any infections, but we are still seeing 65.xx.xxx.xx "ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)". So we pulled all connections to the pfSense box and rebooted the box, leaving just the external connection, for 2 days, and today when we connected to the pfSense box to check the log we still see 65.xx.xxx.xx "ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)" in the Snort log.

    Question: Can pfSense get infected with the Conficker virus?



  • Answer: No - only Windows systems can (and only then if it isn't patched or running decent AV).

    What you need to do is to read the alert - it will tell you what the source IP of the alert is. If that IP address is the WAN IP of your pfSense host, and Snort is running on the WAN interface, then it is possible the infection is on one of the 6 systems. It is also entirely possible it is a false positive, but with so little to go on it is really hard to say.
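One way to do the triage the answer describes, as an added example that is not from the thread: parse Snort fast-format alert lines and say, for each, whether the firewall's WAN address is the source or the destination of the flagged packet. The WAN IP, LAN subnet and alert lines are constructed placeholders (the poster's 65.xx.xxx.xx is redacted), and the SID is not a real rule ID.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "fast"-format alert lines (not from the thread). Addresses are
# documentation ranges standing in for the poster's WAN IP; the SID is a placeholder.
SAMPLE_ALERTS = """\
01/14-10:22:31.123456  [**] [1:9000001:1] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) [**] [Priority: 1] {UDP} 198.51.100.10:45123 -> 203.0.113.7:8080
01/14-10:22:35.000001  [**] [1:9000001:1] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) [**] [Priority: 1] {UDP} 203.0.113.99:6000 -> 198.51.100.10:5050
01/14-10:22:40.000002  [**] [1:9000001:1] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) [**] [Priority: 1] {UDP} 192.168.1.23:51000 -> 203.0.113.7:8080
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def classify(src, dst, wan_ip, lan_net):
    """Say where the flagged traffic sits relative to the firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == wan_ip:
        # Seen on WAN with the firewall's own address as source: either pfSense itself
        # or a NATed LAN host (outbound NAT rewrites the LAN source to the WAN IP),
        # so the LAN-side logs are needed to name the originating host.
        return "outbound via WAN IP (NATed LAN host or pfSense itself)"
    if dst == wan_ip:
        # Unsolicited traffic from the Internet arriving at the WAN address.
        return "inbound to WAN IP (external source)"
    if src in lan_net:
        return f"outbound from LAN host {src}"
    return "unrelated to this firewall"

def triage(alert_text, wan_ip="198.51.100.10", lan_cidr="192.168.1.0/24"):
    """Parse alert lines and attach a verdict to each; returns (rows, verdict counts)."""
    wan = ipaddress.ip_address(wan_ip)
    lan = ipaddress.ip_network(lan_cidr)
    rows = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        d = m.groupdict()
        d["verdict"] = classify(d["src"], d["dst"], wan, lan)
        rows.append(d)
    return rows, Counter(r["verdict"] for r in rows)

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS)[0]:
        print(f'{row["src"]}:{row["sport"]} -> {row["dst"]}:{row["dport"]}  {row["verdict"]}')
```

Run the same function over the real Snort alert log (with the real WAN IP and LAN subnet) to see whether the WAN address is only ever the destination, which would point away from the 6 LAN hosts.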

