Ask Your Question

Steps taken after discovery of malicious traffic

asked 2018-04-19 07:59:00 +0000

ProtectNine gravatar image

Sorry for this noob question but I'm new to wireshark and I wasn't able to find the answer. What I'm trying to learn is more of a "big picture understanding" of how users of wireshark combats malicious traffic. From the little bit I've learned so far I understand that one way wireshark can be used is to detect malicious traffic and help trace where it comes from. I'm also assuming with wireshark I will be able to detect if a computer has malware or keylogger sending out data to a certain IP. What my question is, after I have discovered this malicious traffic, what is the next step, software, tactic administrators use to protect themselves. For instance if I figure out a certain IP is malicious, how does one protect themselves from this IP?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-04-19 17:36:30 +0000

sindy gravatar image

To ban any access to/from a remote IP using a firewall is relatively easy, but usually of little help as the source addresses of the attacks, or destination addresses to which the data collected in our network are sent, are usually just proxies unaware of acting as such - in another words, other malware victims used to hide the actual source/destination from you, and replaced easily once used.

Most anti-virus software can remove known malware, but sometimes a clean installation of the device may be the only remedy available at the time (when the malware is a new one). If you observe a clearly malicious traffic (like your machine sending tons of spam e-mails) and your anti-virus finds nothing, the malware may be yet unnoticed by anti-virus companies, so your anti-virus manufacturer may be happy to get a note from you and ask you for further cooperation.

So the best you can do is to keep security devices and operating systems up to date, back up data regularly, and use anti-virus software. Contemporary network security systems can work with traffic profiling and ban "unusual" traffic, but whether it is a usable model for you depends on your particular situation.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-04-19 07:59:00 +0000

Seen: 342 times

Last updated: Apr 19 '18