firewall connection log

Hi
Could someone help me? How can I get a record of the active connections of my RouterBOARD? I am looking for a local computer infected with the Conficker botnet; it uses a TCP connection to public IP address 38.229.. port 80

I have installed Wireshark on a PC on a mirror port of the port where I go out to the internet. I'm continuously capturing but I can't find that connection, and they keep reporting that my public address is infected with Conficker.

Could anyone give me a hint or some other way to find this connection?
I have installed Kiwi Syslog Server, but I'm looking for how to send the connections log to the server.

I'm using WebFig.

Thank you

Do 'Torch' on the interface that is your ISP, and increase the time a bit to something like 3 minutes.
It'll show you a list of connections.

/ip firewall connection print detail where dst-address~"38.229.*:80" will show you if any such connection is currently established.

A firewall rule chain=prerouting action=log dst-address=38.229.0.0/16 protocol=tcp dst-port=80 connection-state=new log-prefix=virus added as the topmost one in /ip firewall mangle will log the initial packet of every matching connection.
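
Once the lines written by the log rule above reach a syslog server, they can be grouped by internal source address to name the infected machine. The following is an added example, not part of the thread's posts. It assumes the usual RouterOS firewall log line layout (adjust the regex if your version differs), and its sample lines, MACs and the host parts of the 38.229.0.0/16 addresses are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the assumed RouterOS firewall log layout.
# All addresses and MACs are made up; the thread elides the real destination,
# so the host parts inside 38.229.0.0/16 are placeholders.
SAMPLE_LOG = """\
firewall,info virus prerouting: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:0a, proto TCP (SYN), 192.168.88.25:49211->38.229.0.1:80, len 52
firewall,info virus prerouting: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:0a, proto TCP (SYN), 192.168.88.25:49212->38.229.0.2:80, len 52
firewall,info virus prerouting: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:0b, proto TCP (SYN), 192.168.88.40:50100->38.229.0.1:80, len 48
firewall,info other prerouting: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:0c, proto TCP (SYN), 192.168.88.77:50555->38.229.0.1:80, len 52
system,info log rule added by admin
firewall,info virus prerouting: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:ff, proto TCP (SYN), 198.51.100.7:4444->192.0.2.10:80, len 52
"""

# search() is used so a syslog timestamp/host in front of the line is tolerated.
LINE_RE = re.compile(
    r"\b(?P<prefix>\S+) prerouting: in:(?P<iface>\S+) .*?"
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def infected_hosts(log_text, prefix="virus", cidr="38.229.0.0/16", port=80):
    """Group logged new connections to cidr:port by internal source IP."""
    net = ipaddress.ip_network(cidr)
    hosts = defaultdict(lambda: {"macs": set(), "dsts": set(), "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["prefix"] != prefix:
            continue  # not a line written by the log rule
        if int(m["dport"]) != port or ipaddress.ip_address(m["dst"]) not in net:
            continue  # logged, but not towards the reported range
        h = hosts[m["src"]]
        h["macs"].add(m["mac"].lower())  # MAC helps when DHCP leases change
        h["dsts"].add(m["dst"])
        h["count"] += 1
    return dict(hosts)

if __name__ == "__main__":
    ranked = sorted(infected_hosts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, h in ranked:
        print(f"{src} mac={','.join(sorted(h['macs']))} hits={h['count']} dsts={sorted(h['dsts'])}")
```

The source MAC is kept alongside the IP so the machine can still be identified after its DHCP lease changes.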