I will try to install Snort. Seems like there are rules for Torpig there. Thanks!
2012/10/5 Ermal Luçi <[email protected]>
> On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen <[email protected]> wrote:
> > Hi,
> > We have a customer running pfsense 2.0 and today the customer got an email from their ISP claiming that someone on the network was infected with torpig with the following description: "contacted known sinkhole (torpig)". As I understand Torpig contacts different known Command and Control servers so you should be able to track which computer is infected by looking at the outgoing traffic. Does anyone here have experience with fixing torpig with the use of pfsense? Any package that might be good for tracking traffic to certain ip ranges and maybe send an alert if it does?
> >
> > The customer has 100 computers and as torpig seems really hard to remove we really need to find a way to track the right computer from the network side. This is something I found by googling but not sure if it's still valid and how to set up tracking of this in pfsense:
> >
> > "The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports."
>
> Probably snort should help here.
>
> > Thanks in advance!
> >
> > Stale J
>
> --
> Ermal
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
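The ISP's advice quoted in the thread (flag any internal host with flows to 91.19.0.0/16 or 91.20.0.0/16, on any port, not just 80/443) as an added example that is not part of the original thread or of pfSense/Snort: a short Python script that ranks internal hosts by the number of such flows. The five-field record format and the sample records are constructed for the example; in practice the input would be pfSense firewall log, NetFlow or Snort output parsed into the same fields, and the address ranges are the dated ones from the 2012 notice, not a current indicator list.

```python
import ipaddress
from collections import defaultdict

# Ranges named in the ISP notice quoted above (91.19.0.0-91.20.255.255).
# Torpig C&C addresses changed periodically, so treat these as a dated example.
TORPIG_RANGES = [
    ipaddress.ip_network("91.19.0.0/16"),
    ipaddress.ip_network("91.20.0.0/16"),
]

# Constructed sample records: "src_ip src_port dst_ip dst_port proto".
# This is not real pfSense log output; a real deployment would parse
# filterlog, NetFlow or Snort alerts into these five fields.
SAMPLE_LOG = """\
192.168.1.23 51234 91.20.214.121 80 tcp
192.168.1.23 51240 91.20.214.121 443 tcp
192.168.1.50 49152 93.184.216.34 443 tcp
192.168.1.77 40000 91.19.3.4 8080 tcp
192.168.1.23 51300 91.19.200.1 53 udp
192.168.1.50 49160 91.21.0.1 80 tcp
"""


def in_sinkhole_range(ip):
    """True if ip falls inside one of the watched C&C/sinkhole ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TORPIG_RANGES)


def find_suspect_hosts(log_text):
    """Map each internal source IP to its flows into the watched ranges.

    Every destination port is considered, matching the advice to look at
    all ports rather than only 80 and 443.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or blank records
        src, _sport, dst, dport, proto = parts
        if in_sinkhole_range(dst):
            hits[src].append((dst, int(dport), proto))
    return dict(hits)


def rank_hosts(hits):
    """Internal hosts ordered by number of matching flows, busiest first."""
    return sorted(hits, key=lambda h: len(hits[h]), reverse=True)


if __name__ == "__main__":
    found = find_suspect_hosts(SAMPLE_LOG)
    for host in rank_hosts(found):
        print(host, len(found[host]), "flow(s):", found[host])
```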
