Cisco MARS event question
I am currently seeing some traffic in MARS that is being categorized as a worm propagation attempt and I am thinking that it is just regular traffic. Here is the raw details I am able to get from the reporting device:
%ASA-6-302020:Built outbound ICMP connection for faddr address1/137 gaddr address2/0 laddr address2/0
address1 and address2 in the raw event are of course actual addresses on my network but for privacy I just put down address1 and address2.
The other thing about address1 is that it is a DNS Server and address2 is a workstation on my network. What i am curious about is if MARS has the flow of traffic reversed and instead of address1 being the source it is actually the destination. If that is the case then I can assume that address2 being the workstation is just performing a DNS query? Hope you can can help me out with this.
%ASA-6-302020:Built outbound ICMP connection for faddr address1/137 gaddr address2/0 laddr address2/0
address1 and address2 in the raw event are of course actual addresses on my network but for privacy I just put down address1 and address2.
The other thing about address1 is that it is a DNS Server and address2 is a workstation on my network. What i am curious about is if MARS has the flow of traffic reversed and instead of address1 being the source it is actually the destination. If that is the case then I can assume that address2 being the workstation is just performing a DNS query? Hope you can can help me out with this.
Comments
-
Andretii Member Posts: 210This will sound super stupid but I actually thought that you were talking about the mission on Mars of the robot taking pictures and now dropping worms to see if they can live. LOLXBL: Andretii
"I have 16 Millions different ways of pinging myself. Sounded kind of dirty but that's not how I meant it." J. Conrad
Working on:
VCP4 » 0%
LPIC-1 » 0% -
sexion8 Member Posts: 242zenlakin wrote:I am currently seeing some traffic in MARS that is being categorized as a worm propagation attempt and I am thinking that it is just regular traffic. Here is the raw details I am able to get from the reporting device:
%ASA-6-302020:Built outbound ICMP connection for faddr address1/137 gaddr address2/0 laddr address2/0
address1 and address2 in the raw event are of course actual addresses on my network but for privacy I just put down address1 and address2.
The other thing about address1 is that it is a DNS Server and address2 is a workstation on my network. What i am curious about is if MARS has the flow of traffic reversed and instead of address1 being the source it is actually the destination. If that is the case then I can assume that address2 being the workstation is just performing a DNS query? Hope you can can help me out with this.
Why don't you run a sniffer on the LAN and actually look at the traffic. It's your best bet to make sure you're not getting hit up with false positives"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius -
zenlakin Member Posts: 104Problem there is that I don't have the ability to put a sniffer on this network.
-
sexion8 Member Posts: 242zenlakin wrote:Problem there is that I don't have the ability to put a sniffer on this network.
Sorry if this seems odd... So you in some capacity have the ability to monitor/configure/administrate MARS but you can't place a sniffer on the network. Sounds a little off. Maybe the locations are remote or something, maybe its a super segmented network or layered department. In either even, I'm guessing that its corporate in the Fortune 1000 realm based on you using MARS, which leads me to infer there is antivirus software installed. Is there anyone else who can get to the machine in some capacity? Can you remote desktop into the machine to see what listening processes are going on"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius