Detecting Conficker w/ MARS?
01-26-2009 01:58 PM
Hi there,
I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?
Thanks!
Jason
Labels: MARS

01-28-2009 09:35 AM
Hi Jason,
You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.
Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.
01-30-2009 09:46 AM
We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?
02-11-2009 10:35 AM
Your IDS may have a signature that detects this activity; I would look into that first if I were you.

02-12-2009 12:59 PM
Correct. What make/model of IPS do you have?
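As an added illustration of the correlation the replies describe (not code from the thread or from Cisco MARS), the script below narrows a raw "internal source to 139/445" report in two ways: it keeps only sources that fan out to many distinct hosts on those ports (worm-like scanning rather than normal file-server use) or that also appear as the source of an IDS alert. The flow records, the alert list, the 10.0.0.0/8 address space and the signature name are all constructed sample data, and the fan-out threshold is an assumption to tune for your network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dport); not real MARS output.
FLOWS = [
    ("10.1.1.5", "10.1.2.7", 445),    # one host touching many peers on 445/139
    ("10.1.1.5", "10.1.2.8", 445),
    ("10.1.1.5", "10.1.2.9", 445),
    ("10.1.1.5", "10.1.2.10", 139),
    ("10.1.1.20", "10.1.2.50", 445),  # normal: repeated use of one file server
    ("10.1.1.20", "10.1.2.50", 445),
    ("10.1.1.20", "10.1.2.50", 445),
    ("10.1.1.20", "10.1.2.60", 80),   # not an SMB/NetBIOS port, ignored
    ("10.1.1.30", "10.1.2.7", 445),   # low fan-out, but see IDS alert below
    ("192.0.2.9", "10.1.2.7", 445),   # external source, outside the report scope
]
# Constructed IDS alerts (src, signature name); the signature name is a placeholder.
IDS_ALERTS = [("10.1.1.5", "PLACEHOLDER-SMB-WORM-SIG"),
              ("10.1.1.30", "PLACEHOLDER-SMB-WORM-SIG")]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
WORM_PORTS = {139, 445}


def suspicious_sources(flows, alerts, fanout_threshold=3):
    """Return {src: [reasons]} for internal sources worth investigating.

    A source is reported if it reached at least `fanout_threshold` distinct
    hosts on 139/445 (scanning behaviour) or is also the source of an IDS alert.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in WORM_PORTS and ipaddress.ip_address(src) in INTERNAL:
            targets[src].add(dst)
    alerted = {src for src, _ in alerts}
    findings = {}
    for src, dsts in sorted(targets.items()):
        reasons = []
        if len(dsts) >= fanout_threshold:
            reasons.append(f"fan-out to {len(dsts)} hosts")
        if src in alerted:
            reasons.append("IDS alert")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_sources(FLOWS, IDS_ALERTS).items():
        print(f"{src}: {', '.join(reasons)}")
```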
