Cisco MARS event question

I am currently seeing some traffic in MARS that is being categorized as a worm propagation attempt and I am thinking that it is just regular traffic. Here is the raw details I am able to get from the reporting device:

%ASA-6-302020:Built outbound ICMP connection for faddr address1/137 gaddr address2/0 laddr address2/0

address1 and address2 in the raw event are of course actual addresses on my network but for privacy I just put down address1 and address2.

The other thing about address1 is that it is a DNS Server and address2 is a workstation on my network. What i am curious about is if MARS has the flow of traffic reversed and instead of address1 being the source it is actually the destination. If that is the case then I can assume that address2 being the workstation is just performing a DNS query? Hope you can can help me out with this.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Andretii

This will sound super stupid but I actually thought that you were talking about the mission on Mars of the robot taking pictures and now dropping worms to see if they can live. LOL

sexion8

zenlakin wrote:

I am currently seeing some traffic in MARS that is being categorized as a worm propagation attempt and I am thinking that it is just regular traffic. Here is the raw details I am able to get from the reporting device:

%ASA-6-302020:Built outbound ICMP connection for faddr address1/137 gaddr address2/0 laddr address2/0

address1 and address2 in the raw event are of course actual addresses on my network but for privacy I just put down address1 and address2.

The other thing about address1 is that it is a DNS Server and address2 is a workstation on my network. What i am curious about is if MARS has the flow of traffic reversed and instead of address1 being the source it is actually the destination. If that is the case then I can assume that address2 being the workstation is just performing a DNS query? Hope you can can help me out with this.

Why don't you run a sniffer on the LAN and actually look at the traffic. It's your best bet to make sure you're not getting hit up with false positives

zenlakin

Problem there is that I don't have the ability to put a sniffer on this network.

sexion8

zenlakin wrote:

Problem there is that I don't have the ability to put a sniffer on this network.

Sorry if this seems odd... So you in some capacity have the ability to monitor/configure/administrate MARS but you can't place a sniffer on the network. Sounds a little off. Maybe the locations are remote or something, maybe its a super segmented network or layered department. In either even, I'm guessing that its corporate in the Fortune 1000 realm based on you using MARS, which leads me to infer there is antivirus software installed. Is there anyone else who can get to the machine in some capacity? Can you remote desktop into the machine to see what listening processes are going on