Computer networks
tupoi, 2016-05-21 02:59:41

How to find malicious traffic?

Good day. The task is to audit network traffic; there are 30 machines on the network, so a lot of packets are captured. The problem is, I can't figure out how to pick out malicious traffic from all the captured traffic. I would be very grateful for any tips on this topic. I tried to find something about malware by what protocols they usually use to communicate with the "master" and so on, but as it turned out, the number of protocols and schemes is through the roof, from a banal HTTP GET request to a central server, to P2P, IRC and other things. How can you find signs of malware in traffic? Thanks in advance)


3 answer(s)
Victor Aubin, 2016-06-13
@tupoi

Some rather thin answers were given to you. Malware does not use any specific protocols; it uses everything that is available to legitimate software, with the exception of those animals that exchange data over OSCAR, IRC, and so on.
The most logical move is to use intrusion detection systems: Snort, Suricata, Bro. Snort, for example, is already old, the community is huge, and long and hard development means it is easy to use, easy to configure, with a lot of manuals and guides. A big plus of Snort is its huge rule base for detecting malicious packets in traffic; there are rules that are freely distributed and there are commercial rules that you need to buy, but in most cases, if you do not protect state secrets, those published in the public domain will suffice (they must be updated in a timely manner). For details, google IDS or IPS and read on.
Since detection systems work on rules, they have a drawback: if no rule is written for something specific, then that something will slip past the IDS. Therefore, it makes sense to periodically look through traffic analyzers to see what is happening on the network. There is such a thing as an IOC (indicator of compromise); based on them you can generate rules for detection systems yourself. These indicators are published in the public domain on many resources, for example https://www.threatminer.org/ . You capture traffic, check whether any IOCs appear in it, and generate the corresponding rule.
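
As an added illustration of the workflow this answer describes (check captured traffic against published IOCs, then turn the hits into detection rules), not code from the thread: a Python script that matches a constructed dnsmasq-style query log against a placeholder IOC domain list and emits one Snort rule per indicator, encoding the name as DNS wire-format labels. The IOC domains, log lines, client addresses and SID range are assumptions.

```python
"""Match a constructed IOC domain list against DNS-query log lines and emit
Snort rules for the indicators. Added illustration; all values are constructed
placeholders, not real indicators."""
import re
from typing import Iterable

# Constructed IOC list (placeholder domains, not real indicators).
IOC_DOMAINS = {"c2-example.invalid", "update-check.example"}

# Constructed DNS query log lines in a dnsmasq-like format.
SAMPLE_LOG = """\
May 21 02:59:41 gw dnsmasq[123]: query[A] www.example.org from 10.0.0.12
May 21 02:59:42 gw dnsmasq[123]: query[A] mail.c2-example.invalid from 10.0.0.17
May 21 02:59:43 gw dnsmasq[123]: query[AAAA] update-check.example from 10.0.0.17
May 21 02:59:44 gw dnsmasq[123]: query[A] cdn.example.net from 10.0.0.3
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def find_ioc_hits(log_text: str, iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, queried_name, matched_ioc) for every query whose name
    equals an IOC domain or is a subdomain of one (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, skip it
        name = m.group("name").lower().rstrip(".")
        for ioc in iocs:
            if name == ioc or name.endswith("." + ioc):
                hits.append((m.group("client"), name, ioc))
    return hits


def dns_wire_content(domain: str) -> str:
    """Encode a domain as DNS wire-format labels (length byte + label) in
    Snort |hex| content notation, e.g. 'a.bc' -> '|01|a|02|bc|00|'."""
    labels = [f"|{len(label):02x}|{label}" for label in domain.split(".")]
    return "".join(labels) + "|00|"


def snort_rules(iocs: Iterable[str], base_sid: int = 1000001) -> list[str]:
    """One Snort rule per IOC domain, matching the encoded name in DNS queries
    sent to port 53. base_sid is an assumed local SID range."""
    rules = []
    for i, ioc in enumerate(sorted(iocs)):
        rules.append(
            f'alert udp $HOME_NET any -> any 53 (msg:"IOC DNS lookup {ioc}"; '
            f'content:"{dns_wire_content(ioc)}"; nocase; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules
```

The subdomain check matters because the queried name is often a host under the indicator domain rather than the bare domain itself.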

Alexander, 2016-05-21
@NeiroNx

You take the IP, do a reverse lookup - you get a list of DNS names, all long names from unknown domains are malicious traffic.

sergrok, 2016-05-22
@sergrok

Install a host with Snort and direct your mirrored traffic to it.
