Conficker DNS Request Question


L3 Networker

So we have some conficker infections here where I work. The problem is that the PA sits at the edge, so all I see are Conficker DNS Requests that get proxied through our internal DNS Server to the Internet. I guess there is no way that PA can see what IP the original request came from?

Any creative thoughts on how to do this? What I've been doing is starting traces on the DNS Servers and looking for the sources manually. It's a pain. I have ports open. Should I mirror the DNS Server Ports?

Thanks,

Justin

2 Replies

L4 Transporter

Do you have any unused ports on the PaloAlto? You could set up a vwire (2 ports) and insert this between the switch and the DNS Proxy. Then you would have the source IP of the machine making the request. One other option would be to configure a mirror port on the switch and configure a single port on the PA as a tap-mode. This will generate alerts but can not block or drop malicious packets.

Steve Krall

Thanks Steve,

I kind of figured that. I almost wish there was a small agent piece, or a Wireshark filter that could just tell me the sources by monitoring traffic on the machine. I might be able to author one. Getting a mirror port set up where I work could take a while.

I appreciate your reply,

Justin
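One defender-side way to get at what Justin is after without a mirror port, added here as an example and not code from the thread or from Palo Alto: read the internal resolver's own query log, which still carries the real client IP, and report clients that look up an unusual number of random-looking domains, the pattern a domain-generation worm produces. It assumes BIND-style query log lines (the sample below is constructed) and a crude vowel-ratio heuristic with a hypothetical threshold; adjust the regex and threshold for your resolver and environment.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log sample (not from the thread): one client
# behaving normally, one client querying a burst of random-looking names.
SAMPLE_LOG = """\
client 10.1.5.23#51234 (www.example.com): query: www.example.com IN A + (10.1.0.53)
client 10.1.5.23#51235 (mail.example.com): query: mail.example.com IN MX + (10.1.0.53)
client 10.1.7.88#40001 (qxkzrtwp.net): query: qxkzrtwp.net IN A + (10.1.0.53)
client 10.1.7.88#40002 (vbnmlkjh.org): query: vbnmlkjh.org IN A + (10.1.0.53)
client 10.1.7.88#40003 (ztrqwxcb.info): query: ztrqwxcb.info IN A + (10.1.0.53)
client 10.1.7.88#40004 (pkjhgfds.biz): query: pkjhgfds.biz IN A + (10.1.0.53)
client 10.1.7.88#40005 (www.example.com): query: www.example.com IN A + (10.1.0.53)
"""

# Extracts the querying client IP and the query name; accepts both the
# "client IP#port (qname): query:" and the older "client IP#port: query:" forms.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+(?:\.\d+){3})#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

VOWELS = set("aeiouy")

def registered_domain(qname):
    """Collapse a query name to its last two labels (crude; no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def looks_generated(domain):
    """Crude DGA heuristic (assumption): a letter-only, vowel-poor second-level label."""
    label = domain.split(".")[0]
    if not label.isalpha() or len(label) < 6:
        return False
    return sum(c in VOWELS for c in label) / len(label) < 0.2

def parse_queries(log_text):
    """Yield (client_ip, registered_domain) for every parsable query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), registered_domain(m.group("qname"))

def suspicious_clients(log_text, min_generated=3):
    """Return {client_ip: sorted generated-looking domains} for clients at/over threshold."""
    per_client = defaultdict(set)
    for ip, domain in parse_queries(log_text):
        if looks_generated(domain):
            per_client[ip].add(domain)
    return {ip: sorted(d) for ip, d in per_client.items() if len(d) >= min_generated}

if __name__ == "__main__":
    for ip, domains in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(domains)} generated-looking domains, e.g. {domains[:3]}")
```

Run it against the resolver's real query log instead of SAMPLE_LOG; the flagged client IPs are the internal hosts the edge firewall cannot see behind the DNS proxy.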
