How could I detect malware in my LAN

I have malware in my LAN connecting to outgoing TCP port 449 and I cannot locate it. I have created a log firewall rule:

chain=forward action=log protocol=tcp dst-port=449 log=yes log-prefix="MALWARE"

After a few days I exported the log to a file, and when I search for any “MALWARE” text I find nothing.

How could I detect these connections?

You have 1 “flat” network? So 1 large IP space and the MikroTik is the default gateway?
If that malware is targeting internal servers you will not see it with this rule.
This rule would log packets going out to Internet hosts, for example on TCP/449.

What MikroTik device? Are you using a model with switch ports (e.g. RB30xx, RB40xx)?

If you think it's traffic within the local network, you can put this rule into BRIDGE / FILTER, use the “forward” chain and log from there.
(PS: you might want to disable fast path etc. I think that might bypass some IP filtering if used.)

No, I have a native network, some VLANs and one DMZ, with one MikroTik as gateway for all these networks and one outgoing WAN interface.
I use a CCR1009 device, and my ISP sends me logs saying that I have output traffic with malware connecting to remote ip:449 ports.
I don’t know how to detect it; the antivirus software on my endpoints does not detect anything for now.

@WeWiNet
I do not use any bridges in my MikroTik.

Tested on a simple firewall with 1st rule Accept established and related packets and 2nd rule Drop invalid packets (in the forward section).
I have the log rule as 3rd and it works just fine.
It works with and without FastTrack, as long as the connection is forwarded.

Test with another port, like 443 to be sure your rule catches traffic.

Quick thought: it might be your router itself that sends that traffic (maybe you use an old ROS(?) and it's compromised).
This is not that unusual…
For router-created traffic, the forward rule will not capture it.

Use a rule on chain “output” to check whether what leaves the router could be going to port 449.

Why don’t you try sniffing the packets and find out what it may be?
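
An added example, not part of the thread: a small Python script that tallies, from an exported RouterOS log, which source addresses sent packets to TCP/449 and whether each packet was logged in the forward chain (a host behind the router) or the output chain (the router itself). The log-line layout, interface names and addresses are constructed assumptions, and it assumes the same "MALWARE" prefix is used on both a forward and an output log rule.

```python
import re
from collections import Counter

# Constructed sample in the style RouterOS writes for action=log rules.
# The exact layout is an assumption; adjust LINE_RE to match your export.
SAMPLE_LOG = """\
jan/10 09:14:02 firewall,info MALWARE forward: in:vlan20 out:ether1-wan, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.20.37:51514->203.0.113.5:449, len 52
jan/10 09:14:05 firewall,info MALWARE forward: in:vlan20 out:ether1-wan, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.20.37:51520->203.0.113.5:449, len 52
jan/10 09:15:40 firewall,info MALWARE forward: in:vlan30 out:ether1-wan, src-mac 00:11:22:33:44:66, proto TCP (SYN), 10.0.30.8:40210->198.51.100.9:443, len 52
jan/10 09:16:11 firewall,info MALWARE output: in:(unknown 0) out:ether1-wan, proto TCP (SYN), 198.51.100.2:40122->203.0.113.5:449, len 60
jan/10 09:17:00 system,info,account user admin logged in from 192.168.20.2 via winbox
"""

LINE_RE = re.compile(
    r"MALWARE (?P<chain>forward|output): in:(?P<inif>.*?) out:(?P<outif>[^,]+),"
    r".*?proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def summarize(log_text, port=449):
    """Count logged packets to `port`, keyed by (chain, source IP, in-interface)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == port:
            hits[(m["chain"], m["src"], m["inif"])] += 1
    return hits

def report(hits):
    """Render one line per source, busiest first, naming where it originates."""
    lines = []
    for (chain, src, inif), count in hits.most_common():
        # Packets seen in the output chain were generated by the router itself.
        origin = "router itself" if chain == "output" else f"host behind {inif}"
        lines.append(f"{src:<15} {count:>3} packets  ({origin})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

An empty result for the forward chain together with hits in the output chain points at the router rather than an endpoint.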