This should be easy to answer for the Mikrotik guys but as a noob I’m lost.
I have an RB750 router which connects my 120 PC LAN to the internet. My email server is being blacklisted because one or more PCs on the LAN is contacting a p2pZeus command and control centre. When Spamhaus blacklists me, they provide me with the information that my public IP xxx.xxx.xxx.xxx on port xxxx contacted their sinkhole at IP xxx.xxx.xxx.xxx on port 80.
I have tried to use Torch to build a list of the internal IPs and how they are NATed to the external IPs. I set the retention period of the Torch list to 01:00:00. I’m thinking that should Spamhaus blacklist my email server again, I can use the external sinkhole IP they provide and match it with the Torch history to determine the internal IPs of the PCs infected with the p2pZeus trojan.
Problem is that Winbox keeps on losing the connection to the router or the Torch window crashes after approximately 300 entries have been recorded in the Torch window.
Is there a way for me to monitor and keep a history of all the connections made through the router between IPs of the internal LAN PCs and the corresponding IP of the destination internet connection over a longer period of time, maybe 48 hours or more?
Any help will be appreciated.
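One way to do the correlation described above offline, as an added example that is not part of the original post: send the router's firewall log to a syslog host and search the collected lines for the sinkhole destination, using the NAT translation in each line to recover the internal IP. The line format is assumed to match what a RouterOS srcnat rule emits when logging is enabled, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of RouterOS srcnat log lines (format assumed; not from the post).
SAMPLE_LOG = """\
jan/05 10:12:01 firewall,info natlog srcnat: in:bridge out:ether1, proto TCP (SYN), 192.168.88.23:49152->203.0.113.77:80, NAT (192.168.88.23:49152->198.51.100.5:49152)->203.0.113.77:80, len 60
jan/05 10:12:05 firewall,info natlog srcnat: in:bridge out:ether1, proto TCP (SYN), 192.168.88.41:51000->203.0.113.77:80, NAT (192.168.88.41:51000->198.51.100.5:51000)->203.0.113.77:80, len 60
jan/05 10:12:09 firewall,info natlog srcnat: in:bridge out:ether1, proto TCP (SYN), 192.168.88.23:49160->192.0.2.10:443, NAT (192.168.88.23:49160->198.51.100.5:49160)->192.0.2.10:443, len 60
jan/05 10:13:00 firewall,info natlog srcnat: in:bridge out:ether1, proto UDP, 192.168.88.9:5353->203.0.113.77:80, NAT (192.168.88.9:5353->198.51.100.5:5353)->203.0.113.77:80, len 80
"""

# Matches the "NAT (internal:port->public:port)->destination:port" part of a srcnat line.
NAT_RE = re.compile(
    r"NAT \((?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<pub>\d+\.\d+\.\d+\.\d+):(?P<pport>\d+)\)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_nat_log(text):
    """Return one record per srcnat log line: timestamp, internal, public and destination endpoints."""
    records = []
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if not m:
            continue  # not a NAT log line (other firewall logging, or a different prefix)
        timestamp = " ".join(line.split()[:2])  # "jan/05 10:12:01" in the sample layout
        records.append({
            "time": timestamp,
            "internal": (m["src"], int(m["sport"])),
            "public": (m["pub"], int(m["pport"])),
            "dest": (m["dst"], int(m["dport"])),
        })
    return records

def find_internal_hosts(records, sinkhole_ip, sinkhole_port=None, public_port=None):
    """Map internal IP -> timestamps of translated connections that match a blacklist report.

    sinkhole_ip/sinkhole_port are the destination the report names; public_port is the
    source port on the public IP the report gives, which narrows the match to one host."""
    hits = defaultdict(list)
    for r in records:
        if r["dest"][0] != sinkhole_ip:
            continue
        if sinkhole_port is not None and r["dest"][1] != sinkhole_port:
            continue
        if public_port is not None and r["public"][1] != public_port:
            continue
        hits[r["internal"][0]].append(r["time"])
    return dict(hits)
```

Because the public-side port is preserved in the NAT translation, the port Spamhaus reports narrows the match to a single internal host even when several machines contacted the same sinkhole.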