Finding a private (NAT) host's IP using historic destination data

Posted by l0c0b0x on Server Fault
Published on 2010-05-28T22:58:00Z Indexed on 2010/05/28 23:02 UTC

The issue:
An unknown private (NAT) client is infected with malware and it's trying to access a Bot server at random times/dates.

How we know about this:
We receive bot traffic notices/alerts from REN-ISAC. Unfortunately, we don't receive those until the next day after it has happened. What they provide to us is:

  • The source address (of the firewall)
  • The destination addresses (it varies, but they're going to a network subnet allocated to a German ISP)
  • The source port (which varies, as they're dynamic ports).

Question:
What would be the best approach to finding this internal host (historically) with a Cisco ASA as firewall?

I'm guessing blocking anything to the destination address(es), and logging that type of traffic/access might allow me to find the source host, but I'm not sure which tool/command would be the most useful.

I've seen Netflow thrown into a few responses when it comes to logging, but I'm confused with its association of Logging, NAL, and NBAR, and how they relate to Netflow.
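The correlation step the question is after, as an added example (not part of the original post or any answer to it). The ASA logs every TCP connection it builds as syslog message 302013 at severity 6 (informational), and that message carries both the inside host's real address/port and the post-NAT address/port that the outside world, and therefore REN-ISAC, saw. That history only exists if the ASA was already sending informational-level syslog to a collector (`logging enable`, `logging trap informational`, `logging host <interface> <collector>`); `show conn` and `show xlate` only show current state, and the on-box buffer is small and volatile. NetFlow Secure Event Logging (`flow-export destination ...`) exports the same connection build/teardown events as NetFlow v9 records to a NetFlow collector instead, so the same lookup applies there with a different parser. The script below assumes collector-written syslog lines with a `Mon DD YYYY hh:mm:ss host` prefix (an assumption about the collector, not an ASA format); the sample lines, the firewall address 198.51.100.2 and the subnet 203.0.113.64/26 are constructed from RFC 5737 documentation ranges. Given the alert's reported source address, source port and destination subnet, it returns the inside host that originated the connection, and, because dynamic ports recycle, can also rank every inside host that talked to the subnet in the alert's time window.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample of ASA syslog as written by a collector. Not real traffic: the public
# addresses are RFC 5737 documentation ranges, 198.51.100.2 stands in for the firewall's
# outside (PAT) address, and 203.0.113.64/26 plays the role of the ISP subnet in the alert.
# The "Mon DD YYYY hh:mm:ss host" prefix is an assumption about the collector's line header;
# the %ASA-6-302013 / 302014 bodies follow the documented message formats.
SAMPLE_LOG = """\
May 27 2010 14:02:11 fw01 %ASA-6-302013: Built outbound TCP connection 8812345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.20.30.40/52111 (198.51.100.2/52111)
May 27 2010 14:02:19 fw01 %ASA-6-302013: Built outbound TCP connection 8812350 for outside:198.51.100.200/80 (198.51.100.200/80) to inside:10.20.30.41/49230 (198.51.100.2/49230)
May 27 2010 14:05:03 fw01 %ASA-6-302013: Built outbound TCP connection 8812391 for outside:203.0.113.77/6667 (203.0.113.77/6667) to inside:10.20.30.55/60001 (198.51.100.2/60001)
May 27 2010 14:05:44 fw01 %ASA-6-302014: Teardown TCP connection 8812345 for outside:203.0.113.10/443 to inside:10.20.30.40/52111 duration 0:03:33 bytes 12044 TCP FINs
May 27 2010 18:41:09 fw01 %ASA-6-302013: Built outbound TCP connection 8819011 for outside:203.0.113.78/8080 (203.0.113.78/8080) to inside:10.20.30.55/60012 (198.51.100.2/60012)
"""

# %ASA-6-302013: Built {inbound|outbound} TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#                to <if>:<real>/<port> (<mapped>/<port>)
# Lines carrying the optional identity-firewall "(user)" fields are not matched by this pattern.
BUILT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-\d-302013: "
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<if_a>[^:\s]+):(?P<a_real>[\d.]+)/(?P<a_port>\d+) \((?P<a_map>[\d.]+)/(?P<a_map_port>\d+)\) to "
    r"(?P<if_b>[^:\s]+):(?P<b_real>[\d.]+)/(?P<b_port>\d+) \((?P<b_map>[\d.]+)/(?P<b_map_port>\d+)\)"
)


def parse_built(line):
    """Parse one 302013 line into a dict; return None for any other message (e.g. 302014 teardown)."""
    m = BUILT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(re.sub(r" +", " ", rec["ts"]), "%b %d %Y %H:%M:%S")
    return rec


def find_nat_origin(log_text, reported_src_ip, dst_net, reported_src_port=None, start=None, end=None):
    """Map what the outside world saw (firewall address, mapped port, destination subnet) back to
    the inside host. start/end are optional ISO 8601 strings bounding the alert's time window.
    Returns a list of (timestamp, inside_host, destination/port, mapped_source_port)."""
    net = ipaddress.ip_network(dst_net)
    t0 = datetime.fromisoformat(start) if start else None
    t1 = datetime.fromisoformat(end) if end else None
    hits = []
    for line in log_text.splitlines():
        rec = parse_built(line)
        if rec is None or rec["direction"] != "outbound":
            continue
        # For an outbound connection the 'for' side is the outside destination and the 'to'
        # side is the inside originator; the parenthesised pair on the 'to' side is the
        # post-NAT address/port, i.e. exactly what REN-ISAC reports as the source.
        if ipaddress.ip_address(rec["a_real"]) not in net or rec["b_map"] != reported_src_ip:
            continue
        if reported_src_port is not None and int(rec["b_map_port"]) != reported_src_port:
            continue
        if (t0 and rec["ts"] < t0) or (t1 and rec["ts"] > t1):
            continue
        hits.append((rec["ts"].isoformat(), rec["b_real"],
                     f"{rec['a_real']}/{rec['a_port']}", int(rec["b_map_port"])))
    return hits


def rank_suspects(hits):
    """Inside hosts ordered by how many matching connections they originated."""
    return Counter(h[1] for h in hits).most_common()


if __name__ == "__main__":
    # The alert as REN-ISAC would phrase it: source 198.51.100.2, destination in
    # 203.0.113.64/26, source port 60001. An exact port match pins the inside host.
    exact = find_nat_origin(SAMPLE_LOG, "198.51.100.2", "203.0.113.64/26", reported_src_port=60001)
    print("exact match:", exact)
    # Dynamic ports recycle, so also rank every inside host that talked to that subnet that day.
    broad = find_nat_origin(SAMPLE_LOG, "198.51.100.2", "203.0.113.64/26",
                            start="2010-05-27T00:00:00", end="2010-05-27T23:59:59")
    print("suspects:", rank_suspects(broad))
```

On a real collector the log text would be read from the day's archived syslog file (or grepped for `302013` first to cut the volume), and the exact-port match should be cross-checked against the connection's teardown (302014, same connection id) to confirm the connection was open at the time in the alert.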

© Server Fault or respective owner