How can I track Conficker with the LANGuardian?
Will I see an IDS event triggered for this?
-
There are a number of IDS events which will be triggered by Conficker-related network traffic.
Starting with the IDS ruleset, you have the following rules:
SPECIFIC-THREATS Conficker Traffic
SPECIFIC-THREATS Possible Downadup/Conficker-A Worm Activity
SPECIFIC-THREATS Downadup/Conficker A or B Worm reporting
SPECIFIC-THREATS Downadup/Conficker A Worm reporting
SPECIFIC-THREATS Conficker.a Shellcode
SPECIFIC-THREATS Conficker.b Shellcode
A further event which can also be triggered by Conficker activity is the NETBIOS SMB-DS repeated logon failure event. This can indicate that a host is attempting to access a file share which it does not have access to. If a host generates a large number of these events it can indicate Conficker activity as it attempts to spread itself to other hosts.
In order to help with tracking Conficker activity, the LANGuardian includes a report called "Systems generating a level of brute force logins normally associated with Conficker" which can be used to track this activity in your network. This can be found in the Security -> Events -> Advanced Reports section.
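The point of the answer above is that a single SMB logon failure is noise, while one host failing logons against many different hosts is the worm-like pattern. As an added example (not LANGuardian code and not the report it ships), the following script parses constructed IDS event lines in an assumed "timestamp event-name src -> dst" layout, counts repeated logon failure events per source host, and flags sources that exceed both a failure count and a distinct-target count. The event name, the thresholds and the line format are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from typing import List, NamedTuple, Tuple

# Constructed sample events (not real LANGuardian output). Layout assumed:
# "<date> <time> <event name> <src> -> <dst>"
SAMPLE_EVENTS = """\
2009-04-01 09:00:01 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.201
2009-04-01 09:00:02 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.202
2009-04-01 09:00:03 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.203
2009-04-01 09:00:04 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.204
2009-04-01 09:00:05 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.205
2009-04-01 09:00:06 NETBIOS SMB-DS repeated logon failure 10.0.0.15 -> 10.0.0.201
2009-04-01 09:01:10 NETBIOS SMB-DS repeated logon failure 10.0.0.22 -> 10.0.0.201
2009-04-01 09:01:40 NETBIOS SMB-DS repeated logon failure 10.0.0.22 -> 10.0.0.201
2009-04-01 09:02:00 SPECIFIC-THREATS Conficker Traffic 10.0.0.30 -> 198.51.100.7
"""

LOGON_FAILURE_EVENT = "NETBIOS SMB-DS repeated logon failure"  # name as quoted in the answer

# Lazy ".+?" lets the event name contain spaces; src/dst are the last two tokens.
EVENT_RE = re.compile(r"^(\S+ \S+) (.+?) (\S+) -> (\S+)$")


class Event(NamedTuple):
    timestamp: str
    name: str
    src: str
    dst: str


def parse_events(text: str) -> List[Event]:
    """Parse the assumed event layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events


def logon_failures_by_host(events: List[Event]) -> Counter:
    """Count repeated-logon-failure events per source host."""
    return Counter(e.src for e in events if e.name == LOGON_FAILURE_EVENT)


def suspected_conficker_hosts(events: List[Event], min_failures: int = 5,
                              min_targets: int = 3) -> List[Tuple[str, int, int]]:
    """Return (src, failures, distinct_targets) for hosts whose logon failures
    are spread across many targets, the spreading pattern the answer describes.
    Thresholds are assumed values, not LANGuardian's."""
    failures = logon_failures_by_host(events)
    targets = defaultdict(set)
    for e in events:
        if e.name == LOGON_FAILURE_EVENT:
            targets[e.src].add(e.dst)
    suspects = [
        (src, count, len(targets[src]))
        for src, count in failures.items()
        if count >= min_failures and len(targets[src]) >= min_targets
    ]
    # Most failures first.
    return sorted(suspects, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, count, ntargets in suspected_conficker_hosts(evs):
        print(f"{src}: {count} logon failures against {ntargets} hosts")
```

In the sample data 10.0.0.22 fails twice against one server (a user mistyping a password looks like this) and is not flagged, while 10.0.0.15 fails against five different hosts and is. Requiring a spread of targets, not just a count, is what separates the worm pattern from ordinary logon failures.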
-
A problem that can occur with these signatures is when your IDS sensor is seeing and recording Conficker events but the source of the traffic is your web proxy server.
The IDS signatures are written to search on traffic from your HOME_NET to the EXTERNAL_NET; however, if using a proxy this will mean only the proxy server will have the correct traffic patterns to trigger the signature.
A simple solution is to create a custom signature based on the original signature and then change the EXTERNAL_NET value to be the IP address of the proxy server.
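To see why the proxy ends up as the only source in the events, and what changing EXTERNAL_NET does, here is an added example (not LANGuardian code) that evaluates the address part of a Snort-style rule header against sample flows. It resolves $VARIABLE references, "!" negation and bracketed lists the way Snort address variables work, and ignores ports and protocol to keep the focus on direction. The 10.0.0.0/8 home network, the 10.0.0.5 proxy address and the flows are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Set, Tuple


def addr_matches(spec: str, addr: str, variables: Dict[str, str]) -> bool:
    """Evaluate a Snort-style address spec: any, $VAR, !spec, [a,b,...], or CIDR/IP."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], addr, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, addr, variables) for p in spec[1:-1].split(","))
    return ip_address(addr) in ip_network(spec, strict=False)


def header_matches(rule_header: str, src: str, dst: str, variables: Dict[str, str]) -> bool:
    """Match only the source/destination address fields of a rule header."""
    _action, _proto, src_spec, _sport, _arrow, dst_spec, _dport = rule_header.split()
    return addr_matches(src_spec, src, variables) and addr_matches(dst_spec, dst, variables)


def triggering_sources(rule_header: str, flows: Iterable[Tuple[str, str]],
                       variables: Dict[str, str]) -> Set[str]:
    """Source addresses that would appear in events for this rule."""
    return {src for src, dst in flows if header_matches(rule_header, src, dst, variables)}


# Constructed values: an internal client, a web proxy at 10.0.0.5 and an external site.
PROXY_IP = "10.0.0.5"
FLOWS = [
    ("10.0.0.15", PROXY_IP),          # infected client talks to the proxy
    (PROXY_IP, "198.51.100.7"),       # proxy forwards the request out
]

# Shipped-style header: HOME_NET to EXTERNAL_NET, where EXTERNAL_NET is "not home".
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"
ORIGINAL_VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!$HOME_NET"}

# Custom signature from the post: same header, EXTERNAL_NET set to the proxy address.
CUSTOM_VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": PROXY_IP + "/32"}


if __name__ == "__main__":
    print("original rule fires for:", triggering_sources(RULE_HEADER, FLOWS, ORIGINAL_VARS))
    print("custom rule fires for:  ", triggering_sources(RULE_HEADER, FLOWS, CUSTOM_VARS))
```

With the original variables the client-to-proxy flow stays inside HOME_NET on both ends, so the only event source is the proxy; with EXTERNAL_NET pointed at the proxy, the internal client is the source, which is the host you actually need to find.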
-
This looks like a good method of tracking down Conficker-infected hosts.
-