Hi. I don't think that is possible, since the logged incident was a couple of days ago and, as far as I know, Torpig does not send data to the C&C server all the time?

After doing some reading I think Snort is my best help, since this will happen to different IP addresses, ports, everything, at a random time. Hopefully my Snort setup will catch the infected computer soon. I followed this guide to set up Snort: http://blog.projectz.me/2012/03/19/how-to-set-up-an-intrusion-detection-system-using-snort-on-pfsense-20/ Very default setup; does anyone know if anything special should be configured to catch Torpig? I set up some of the popular rules mentioned in the article and Snort is active on both LAN and WAN.

Stale J

2012/10/5 Lyle Giese <[email protected]>

> On 10/5/2012 3:49 AM, Ermal Luçi wrote:
>
>> On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen <[email protected]> wrote:
>>
>>> Hi,
>>> We have a customer running pfSense 2.0 and today the customer got an email from their ISP claiming that someone on the network was infected with Torpig, with the following description: "contacted known sinkhole (torpig)". As I understand it, Torpig contacts different known Command and Control servers, so you should be able to track which computer is infected by looking at the outgoing traffic. Does anyone here have experience with fixing Torpig with the use of pfSense? Any package that might be good for tracking traffic to certain IP ranges and maybe send an alert if it does?
>>>
>>> The customer has 100 computers and as Torpig seems really hard to remove we really need to find a way to track the right computer from the network side. This is something I found by googling but I'm not sure if it's still valid and how to set up tracking of this in pfSense:
>>>
>>> "The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports."
>>>
>> Probably snort should help here.
>>
>>> Thanks in advance!
>>>
>>> Stale J
>>>
>
> Couldn't you take a look at the state table in pfSense and see who has a connection open to the C&C server?
>
> Lyle Giese
> LCR Computer Services, Inc.
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
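The two detection ideas in this thread, Lyle's "look at the state table" and the ISP's "search for connections to 91.19.0.0/16 and 91.20.0.0/16 on any port", combine into one filter over `pfctl -ss` output. The script below is an added example written for this page; it is not code from the thread, from pfSense, or from the Snort guide linked above. It assumes the FreeBSD/pfSense `pfctl -ss` line layout (`all proto src -> dst STATE`, with the pre-NAT LAN address in parentheses after the WAN address when outbound NAT applied, and `<-` for states created in the inbound direction), and the sample state lines are constructed for the demo, not captured from a real firewall. The two /16s from the ISP report are used as given; they are a 2012 snapshot of a sinkhole range and should be replaced with whatever the reporting party lists today.

```shell
#!/bin/sh
# Added example (not from the thread): report which LAN host owns any
# pf state whose remote end falls in 91.19.0.0/16 or 91.20.0.0/16.
# The destination port is deliberately ignored, because the ISP advice
# says to look at all ports, not only 80 and 443.
#
# Usage on the firewall:   pfctl -ss | find_sinkhole_states
# Stand-alone demo:        sh thisfile.sh demo

find_sinkhole_states() {
    awk '
    # 1 if a dotted-quad address lies in 91.19.0.0/16 or 91.20.0.0/16.
    # Together they are 91.19.0.0-91.20.255.255, which is not a single
    # CIDR block, hence the explicit pair of second octets.
    function in_range(addr,    o) {
        if (split(addr, o, "[.]") != 4) return 0
        return (o[1] + 0 == 91 && (o[2] + 0 == 19 || o[2] + 0 == 20))
    }
    # drop the trailing :port from host:port
    function host(hp) { sub(/:[0-9]+$/, "", hp); return hp }
    # strip the parentheses pf puts around the pre-NAT address
    function unparen(s) { gsub(/[()]/, "", s); return s }
    {
        # find the direction arrow; the remote/local split hangs off it
        arrow = 0
        for (i = 1; i <= NF; i++)
            if ($i == "->" || $i == "<-") { arrow = i; break }
        if (!arrow) next
        if ($arrow == "->") {
            # outbound state: remote on the right; if NAT applied, $3 is
            # the WAN address and the real LAN host is in parentheses in $4
            remote = $(arrow + 1)
            lan    = ($4 ~ /^\(/) ? unparen($4) : $3
        } else {
            # inbound-direction state: remote on the left, LAN host on the right
            remote = $3
            lan    = $(arrow + 1)
        }
        if (!in_range(host(remote))) next
        # proto, LAN host to investigate, remote host:port that triggered it
        print $2, host(lan), remote
    }'
}

# Constructed sample of pfctl -ss output (not real traffic): one NATed
# TCP hit, one benign connection, one UDP hit on a non-web port, one
# inbound-direction state to the range, and one just outside the range.
sample_states() {
    printf '%s\n' \
      'all tcp 203.0.113.5:61234 (192.168.1.50:51234) -> 91.20.214.121:80       ESTABLISHED:ESTABLISHED' \
      'all tcp 203.0.113.5:61235 (192.168.1.51:49152) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED' \
      'all udp 203.0.113.5:50000 (192.168.1.52:50000) -> 91.19.3.4:5555       MULTIPLE:MULTIPLE' \
      'all tcp 91.20.8.9:443 <- 192.168.1.53:40000       ESTABLISHED:ESTABLISHED' \
      'all tcp 192.168.1.54:40001 -> 91.21.0.1:80       ESTABLISHED:ESTABLISHED'
}

if [ "${1:-}" = "demo" ]; then
    sample_states | find_sinkhole_states
fi
```

On the constructed sample this prints the three LAN hosts 192.168.1.50, 192.168.1.52 and 192.168.1.53 with the remote endpoint each one talked to, and skips the connection to 91.21.0.1 because the range ends at 91.20.255.255. The check only sees states that are open at the moment it runs, which is exactly the limitation raised at the top of the thread when the ISP report is days old, so on a live firewall it is worth running it from cron and appending the output to a file until the host turns up. The same match expressed as a Snort local rule (illustration, not from the linked guide) would be an IP-protocol rule from `$HOME_NET` to the two blocks, e.g. `alert ip $HOME_NET any -> [91.19.0.0/16,91.20.0.0/16] any (msg:"Traffic to reported Torpig sinkhole range"; sid:1000001; rev:1;)`, with an arbitrary sid in the local range.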
