01-26-2009 01:58 PM
Hi there,
I'm pretty new to Cisco MARS, so please bear with me. I have CS-MARS 4.3 deployed and I'm looking to create a report that we can use to identify users on our network that may be infected with the Conficker virus. I've tried creating a simple report looking for anything sourced from our address space and destined for ports 139/445, but this generates a pretty sizable report. Is there a way to reduce this output a bit and identify only those users that are truly infected?
Thanks!
Jason
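One way to thin out a raw "internal source to 139/445" report, added here as an illustration and not part of the original post or of any MARS query: aggregate per source and keep only hosts that touch many distinct destinations on those ports. A workstation that talks to one file server all day produces lots of 445 traffic but only one destination; a host probing its whole subnet shows high fan-out. The log format (timestamp plus key=value fields), the 10.0.0.0/8 address space, the threshold and the sample lines are all constructed assumptions. This narrows the candidate list; it does not confirm infection, which is what the IDS signature discussed later in the thread is for.

```python
from collections import defaultdict
import ipaddress

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCH_PORTS = {139, 445}
FANOUT_THRESHOLD = 5  # assumed: more distinct destinations than this gets flagged

# Constructed sample log lines in a simple key=value flow format (not real MARS output).
SAMPLE_LOGS = """\
2009-01-26T13:58:01 src=10.1.1.20 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:02 src=10.1.1.20 dst=10.1.1.6 proto=tcp dport=445 action=permit
2009-01-26T13:58:02 src=10.1.1.20 dst=10.1.1.7 proto=tcp dport=445 action=deny
2009-01-26T13:58:03 src=10.1.1.20 dst=10.1.1.8 proto=tcp dport=139 action=deny
2009-01-26T13:58:03 src=10.1.1.20 dst=10.1.1.9 proto=tcp dport=445 action=deny
2009-01-26T13:58:04 src=10.1.1.20 dst=10.1.1.10 proto=tcp dport=445 action=deny
2009-01-26T13:58:05 src=10.1.1.30 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:06 src=10.1.1.30 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:07 src=10.1.1.30 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:08 src=10.1.1.30 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:09 src=10.1.1.30 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:10 src=10.1.1.30 dst=192.0.2.10 proto=tcp dport=80 action=permit
2009-01-26T13:58:11 src=10.1.1.40 dst=10.1.1.5 proto=tcp dport=445 action=permit
2009-01-26T13:58:12 src=10.1.1.40 dst=10.1.1.6 proto=tcp dport=139 action=permit
2009-01-26T13:58:13 src=203.0.113.5 dst=10.1.1.5 proto=tcp dport=445 action=deny
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one key=value flow line; return a dict or None if the line is unusable."""
    fields = {}
    for token in line.split()[1:]:  # skip the leading timestamp
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    """True if the address falls inside the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def fanout_by_source(lines):
    """Map each internal source to the set of distinct destinations it hit on 139/445."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCH_PORTS or not is_internal(rec["src"]):
            continue
        seen[str(rec["src"])].add(str(rec["dst"]))
    return seen


def flag_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return [(src, distinct_dst_count)] for sources above the threshold, highest first."""
    fanout = fanout_by_source(lines)
    hits = [(src, len(dsts)) for src, dsts in fanout.items() if len(dsts) > threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in flag_scanners(SAMPLE_LOGS.splitlines()):
        print(f"{src}: {count} distinct hosts on 139/445")
```

On the constructed sample only 10.1.1.20 is flagged (six distinct destinations); 10.1.1.30 hammers a single file server and stays off the list, and the external 203.0.113.5 is ignored because the question is about internal sources. Tune the threshold to your own baseline, and treat the output as a shortlist to check against IDS events rather than as a verdict.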
01-28-2009 09:35 AM
Hi Jason,
You will need additional visibility into the traffic running over those ports as they are VERY busy ports on the typical network. I suggest using an IPS sensor on the network to gain that visibility.
Outside of that you may be able to use NBAR or another technology to "see" that malicious traffic.
01-30-2009 09:46 AM
We have IDS sensors in the network already, and I believe that data is sent to MARS for processing. So how do we correlate all of this together to identify the malicious traffic?
02-11-2009 10:35 AM
Your IDS may have a signature that detects this activity; I would look into that first if I were you.
02-12-2009 12:59 PM
Correct. What make/model of IPS do you have?