I've set up virus entries in the firewall filter and set them to send to the syslog. Apparently I have two different kinds of viruses. Now #1 this is all that appears in the log. Can this firewall entry be mistaking something a cellphone was trying to do for a virus?
#2 though, okay this is the blaster virus but why the hell is it trying to talk to an ip address that does not exist on our network (192.168.1.100)?
1)
2011-09-26 15:43:46 Daemon.Info 192.168.16.252 Sep 26 15:00:44 MikroTik UNKNOWN VIRUS forward: in:LAN out:WAN, src-mac 84:2b:2b:66:xx:xx, proto TCP (ACK,PSH), 192.168.16.2 (2008server.xxxxxx.local) :443->166.147.113.103 (mobile-166-147-113-103.mycingular.net ) :1029, len 153
2011-09-26 15:43:46 Daemon.Info 192.168.16.252 Sep 26 15:00:44 MikroTik UNKNOWN VIRUS forward: in:LAN out:WAN, src-mac 84:2b:2b:66:xx:xx, proto TCP (ACK,FIN), 192.168.16.2 (2008server.xxxxxx.local) :443->166.147.113.103 (mobile-166-147-113-103.mycingular.net ) :1029, len 52
2011-09-26 15:43:48 Daemon.Info 192.168.16.252 Sep 26 15:00:45 MikroTik UNKNOWN VIRUS forward: in:LAN out:WAN, src-mac 84:2b:2b:66:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.16.2 (2008server.xxxxxx.local) :443->166.147.113.103 (mobile-166-147-113-103.mycingular.net ) :1029, len 153
2)
2011-09-27 08:02:24 Daemon.Info 192.168.16.252 Sep 27 07:18:35 MikroTik BLASTER VIRUS ON TCP forward: in:LAN out:WAN, src-mac 00:23:15:99:xx:xx, proto TCP (SYN), 192.168.16.20 (JEFF-LAPTOP) :49342->192.168.1.100 (unresolved) :139, len 52
Anybody have any idea about this? I looked at the user's computer and he has a shared network drive pointing to that 192.168.1.100 IP, and he has to use a SonicWall SSL VPN to connect to it.
Could this rule simply be mistaking the communication for a virus type when it's really legit? If so, how can I fix this?
CCDKP
October 13, 2011, 3:33pm
3
What are you using for “virus rules”?
Typically just filtering based on a single port number is prone to a LOT of false positives and is not recommended. From the best I can tell, your “virus” in example 1 is someone’s phone making an ssl connection back to their company’s webpage (most likely Exchange ActiveSync).
My general rule with “virus” filters is don’t use them unless you explicitly understand how and what they are flagging and have a reason to be flagging it. If you couldn’t write that rule yourself, it will probably just cause you trouble down the road, ESPECIALLY with port based filters. Since most viruses change ports now anyway, it really defeats the point even more so.
That said, it isn’t a bad idea to have a few logging things just to keep an eye on certain “high value” indicators. Watching for excessive use of SMTP (TCP 25), Windows File Sharing (TCP 445,139 & UDP 137,138), and maybe MS SQL (TCP 1433,1434). Again, some traffic on these is normal or can be simple misconfigurations. What you want to look for is things like 10 new connections in a 30 second window, which indicates something actively scanning and looking for outside hosts.
CCDKP:
What are you using for “virus rules”?
Typically just filtering based on a single port number is prone to a LOT of false positives and is not recommended. From the best I can tell, your “virus” in example 1 is someone’s phone making an ssl connection back to their company’s webpage (most likely Exchange ActiveSync).
My general rule with “virus” filters is don’t use them unless you explicitly understand how and what they are flagging and have a reason to be flagging it. If you couldn’t write that rule yourself, it will probably just cause you trouble down the road, ESPECIALLY with port based filters. Since most viruses change ports now anyway, it really defeats the point even more so.
That said, it isn’t a bad idea to have a few logging things just to keep an eye on certain “high value” indicators. Watching for excessive use of SMTP (TCP 25), Windows File Sharing (TCP 445,139 & UDP 137,138), and maybe MS SQL (TCP 1433,1434). Again, some traffic on these is normal or can be simple misconfigurations. What you want to look for is things like 10 new connections in a 30 second window, which indicates something actively scanning and looking for outside hosts.
Yea, they are port based. I set up these rules based off an online course for MikroTik I had found. I figured false positives would be pretty high with this method. Has someone scripted a better set of rules out there that really can detect them in a better manner? Here are my firewall rules. Thanks!
add action=log chain=input comment="Log SSH brute force" disabled=no
log-prefix="SSH BRUTE FORCE" src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" disabled=no
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=
ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=
ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=22 protocol=tcp
add action=log chain=forward comment="log virus spammer" disabled=no
log-prefix="INTERNAL VIRUS" src-address-list=spammer
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25
protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d
chain=virus comment="add to spammer list" connection-limit=30,32 disabled=
no dst-port=25 limit=50,5 protocol=tcp
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="Port scanners to list "
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=forward comment="Log port scanners" disabled=no
log-prefix="PORT SCANNER" src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" disabled=no
src-address-list="port scanners"
add action=log chain=forward comment="Log brute force rdpers" disabled=no
dst-port=3389 log-prefix="RDP BRUTE FORCE" protocol=tcp src-address-list=
rdp_blacklist
add action=drop chain=forward comment="Drop brute force rdpers" disabled=no
protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist
address-list-timeout=1w3d chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=
rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3
address-list-timeout=1m chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=
rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2
address-list-timeout=1m chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=
rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1
address-list-timeout=1m chain=forward disabled=no dst-address=1.1.1.1
dst-port=3389 protocol=tcp
add action=log chain=forward comment="Log brute force ftpers" disabled=no
dst-port=21 log-prefix="BRUTE FORCE FTP" protocol=tcp src-address-list=
ftp_blacklist
add action=drop chain=forward comment="Drop brute force ftpers" disabled=no
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-src-to-address-list address-list=ftp_blacklist
address-list-timeout=1w3d chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=
ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3
address-list-timeout=30s chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=
ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2
address-list-timeout=30s chain=forward connection-state=new disabled=no
dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=
ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1
address-list-timeout=30s chain=forward disabled=no dst-address=1.1.1.1
dst-port=21 protocol=tcp
add action=accept chain=forward comment="allow established connections"
connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections"
connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections"
connection-state=invalid disabled=no
add action=log chain=forward comment="Log Blaster Worm" disabled=no dst-port=
135-139 log-prefix="BLASTER VIRUS ON TCP" protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=
135-139 protocol=tcp
add action=log chain=forward comment="Log Blaster Worm" disabled=no dst-port=
445 log-prefix="BLASTER WORM VIRUS" protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=
445 protocol=udp
add action=log chain=forward comment="Log Unknown Virus" disabled=no dst-port=
593 log-prefix="UNKNOWN VIRUS" protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=
tcp
add action=log chain=forward comment="Log Unknown Virus" disabled=no dst-port=
1024-1030 log-prefix="UNKNOWN VIRUS" protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030
protocol=tcp
add action=log chain=forward comment="Log MYDOOM virus" disabled=no dst-port=
1080 log-prefix="MYDOOM VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080
protocol=tcp
add action=log chain=forward comment="Log Unknown Virus" disabled=no dst-port=
1214 log-prefix="UNKNOWN VIRUS" protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214
protocol=tcp
add action=log chain=forward comment="Log NDM requester" disabled=no dst-port=
1363 log-prefix="NDM VIRUS" protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363
protocol=tcp
add action=log chain=forward comment="Log NDM Server Virus" disabled=no
dst-port=1364 log-prefix="NDM SERVER VIRUS" protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364
protocol=tcp
add action=log chain=forward comment="Log Screen Cast Virus" disabled=no
dst-port=1368 log-prefix="SCREEN CAST VIRUS" protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368
protocol=tcp
add action=log chain=virus comment="Log HROMGRAFX Virus" disabled=no dst-port=
1373 log-prefix="HROMGRAFX VIRUS" protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373
protocol=tcp
add action=log chain=forward comment="Log Cchlid Virus" disabled=no dst-port=
1377 log-prefix="CICHLID VIRUS" protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=
tcp
add action=log chain=forward comment="Log Worm Virus" disabled=no dst-port=
1433-1434 log-prefix="WORM VIRUS" protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434
protocol=tcp
add action=log chain=forward comment="Log Bagle Virus" disabled=no dst-port=
2745 log-prefix="BAGLE VIRUS" protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745
protocol=tcp
add action=log chain=forward comment="Log Dumaru.Y Virus" disabled=no dst-port=
2283 log-prefix="DUMARU.Y VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283
protocol=tcp
add action=log chain=forward comment="Log Beagle Virus" disabled=no dst-port=
2535 log-prefix="BEAGLE VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535
protocol=tcp
add action=log chain=forward comment="Log Beagle.C-K Virus" disabled=no
dst-port=2745 log-prefix="BEAGLE.C-K VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745
protocol=tcp
add action=log chain=forward comment="Log MyDoom Virus" disabled=no dst-port=
3127-3128 log-prefix="MYDOOM VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=
3127-3128 protocol=tcp
add action=log chain=forward comment="Log Backdoor OptixPro Virus" disabled=no
dst-port=3410 log-prefix="BACKDOOR OPTIXPRO VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no
dst-port=3410 protocol=tcp
add action=log chain=forward comment="Drop Worm Virus" disabled=no dst-port=
4444 log-prefix="WORM VIRUS" protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=log chain=forward comment="Drop Worm Virus" disabled=no dst-port=
4444 log-prefix="WORM VIRUS" protocol=udp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=log chain=forward comment="Log Sasser Virus" disabled=no dst-port=
5554 log-prefix="SASSER VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554
protocol=tcp
add action=log chain=forward comment="Drop Beagle.B Virus" disabled=no
dst-port=8866 log-prefix="BEAGLE.B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866
protocol=tcp
add action=log chain=forward comment="Log Dabber.A-B Virus" disabled=no
dst-port=9898 log-prefix="DABBER.A-B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898
protocol=tcp
add action=log chain=forward comment="Log Dumaru.Y Virus" disabled=no dst-port=
10000 log-prefix="DUMARU.Y VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000
protocol=tcp
add action=log chain=forward comment="Log MyDoom.B Virus" disabled=no dst-port=
10080 log-prefix="MYDOOM.B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080
protocol=tcp
add action=log chain=forward comment="Log Netbus Virus" disabled=no dst-port=
12345 log-prefix="NETBUS VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345
protocol=tcp
add action=log chain=forward comment="Log Kuang2 Virus" disabled=no dst-port=
17300 log-prefix="KUANG2 VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300
protocol=tcp
add action=log chain=forward comment="Log Subseven Virus" disabled=no dst-port=
27374 log-prefix="SUBSEVEN VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374
protocol=tcp
add action=log chain=forward comment="Log Phatbot, Agobot, Gaobot Virus"
disabled=no dst-port=65506 log-prefix="PHATBOT, AGOBOT, GAOBOT VIRUSES"
protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no
dst-port=65506 protocol=tcp
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80
protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25
protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no
CCDKP
October 18, 2011, 1:47pm
5
One of the big reasons you are seeing false positives is because when a computer makes an outbound connection, it picks a random source port greater than 1024. While this packet would make it through your rules, the return packet could trip your virus rules as it could be a “virus” destination port.
Honestly, since most viruses use random ports anymore, I wouldn’t suggest running one of these lists, they don’t do anything besides cause trouble and waste your time chasing viruses which aren’t there. Just monitor a few “risky” ports like I mentioned above and you should be fine.
If you still want to run one, some considerations:
An “allow established” rule at the top will stop false positives on return packets. It will also greatly reduce CPU load as each packet won’t have to be matched against the whole chain.
At the bottom you are only allowing ICMP, TCP, and UDP, then blindly dropping all other IP protocols. You are breaking lots of things including PPTP VPNs (IP47 GRE), 6to4 IPv6 tunneling (IP41 IPv6), and anything using IPsec (IP50 ESP, IP51 AH).
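The two points CCDKP makes in this thread, that a "virus" hit on a return packet (service source port, ephemeral destination port, ACK without SYN) is a false positive of a port-based rule, and that what is actually worth watching is a host opening many new connections to risky ports inside a short window, can be checked mechanically against the syslog lines the router emits. The script below is an added example written for this thread; it is not from the original posts, from MikroTik, or from the course the rules came from. It parses the log line format shown in the first post (the regular expression is my own reading of that format, not a documented RouterOS grammar), runs the two real lines from the thread through the triage, and appends a constructed burst of SYNs from a made-up host 192.168.16.77 to show the window detector firing. The threshold of 10 new connections in 30 seconds and the risky port set are taken from CCDKP's post; the ephemeral-port boundary of 1024 is the one the post mentions.

```python
"""Triage MikroTik firewall log lines that a port-based 'virus' rule flagged.

Added example for this thread (not code from the posts or from MikroTik).
Assumptions: the syslog line layout seen in the first post, an ephemeral
port boundary of 1024, and CCDKP's '10 new connections in 30 seconds'
rule of thumb on SMTP, Windows file sharing and MS SQL ports.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of one forwarded log line, as seen in the thread:
# "<syslog ts> <fac> <router ip> <Mon> <d> <hh:mm:ss> MikroTik <log-prefix> <chain>: in:X out:Y,
#  src-mac M, proto TCP (FLAGS), SRC (name) :SPORT->DST (name) :DPORT, len N"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ \S+ \d+ \S+ MikroTik "
    r"(?P<prefix>.+?) (?P<chain>\w+): in:\S+ out:\S+, src-mac \S+, "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?: \([^)]*\))? ?:(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+)(?: \([^)]*\))? ?:(?P<dport>\d+), len \d+$"
)

RISKY_PORTS = {25, 137, 138, 139, 445, 1433, 1434}  # the ports CCDKP suggests watching
EPHEMERAL_MIN = 1024                                 # client source ports start here


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a firewall log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "prefix": d["prefix"], "proto": d["proto"],
        "flags": set(d["flags"].split(",")) if d["flags"] else set(),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def is_return_traffic(rec):
    """Reply half of a connection the client opened: the server's port is the
    source, the client's ephemeral port is the destination, ACK set, SYN clear.
    A port-based rule keyed on dst-port alone will match this by accident."""
    f = rec["flags"]
    return (rec["proto"] == "TCP" and "ACK" in f and "SYN" not in f
            and rec["sport"] < EPHEMERAL_MIN and rec["dport"] >= EPHEMERAL_MIN)


def is_new_connection(rec):
    """A bare SYN is the first packet of a new outbound TCP connection."""
    return rec["proto"] == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def classify(rec):
    if is_return_traffic(rec):
        return "false-positive: reply of an established connection"
    if is_new_connection(rec) and rec["dport"] in RISKY_PORTS:
        return "new outbound connection to a risky port: check the host"
    return "review"


def find_scanners(records, threshold=10, window=timedelta(seconds=30)):
    """Hosts that opened >= threshold new connections to risky ports inside any
    sliding window; returns {src: time the threshold was first crossed}."""
    recent, hits = defaultdict(deque), {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not (is_new_connection(rec) and rec["dport"] in RISKY_PORTS):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in hits:
            hits[rec["src"]] = rec["ts"]
    return hits


def _constructed_syn(ts, src, dst, dport):
    """Build a constructed log line in the thread's format (sample data, not real traffic)."""
    return (f"{ts} Daemon.Info 192.168.16.252 Sep 27 08:05:00 MikroTik BLASTER VIRUS ON TCP "
            f"forward: in:LAN out:WAN, src-mac 00:11:22:33:xx:xx, proto TCP (SYN), "
            f"{src} (CONSTRUCTED-HOST) :50000->{dst} (unresolved) :{dport}, len 52")


# The first two lines are verbatim from the thread; the burst that follows is constructed.
SAMPLE_LINES = [
    "2011-09-26 15:43:46 Daemon.Info 192.168.16.252 Sep 26 15:00:44 MikroTik UNKNOWN VIRUS "
    "forward: in:LAN out:WAN, src-mac 84:2b:2b:66:xx:xx, proto TCP (ACK,PSH), 192.168.16.2 "
    "(2008server.xxxxxx.local) :443->166.147.113.103 (mobile-166-147-113-103.mycingular.net ) "
    ":1029, len 153",
    "2011-09-27 08:02:24 Daemon.Info 192.168.16.252 Sep 27 07:18:35 MikroTik BLASTER VIRUS ON "
    "TCP forward: in:LAN out:WAN, src-mac 00:23:15:99:xx:xx, proto TCP (SYN), 192.168.16.20 "
    "(JEFF-LAPTOP) :49342->192.168.1.100 (unresolved) :139, len 52",
] + [_constructed_syn(f"2011-09-27 08:05:{i:02d}", "192.168.16.77", f"192.168.1.{i + 1}", 445)
     for i in range(12)]


if __name__ == "__main__":
    records = [r for r in map(parse_line, SAMPLE_LINES) if r]
    for r in records[:2]:
        print(f"{r['ts']} {r['prefix']:<22} {r['src']}:{r['sport']}->{r['dst']}:{r['dport']} "
              f"{','.join(sorted(r['flags']))}: {classify(r)}")
    for src, when in find_scanners(records).items():
        print(f"{src} crossed {10} new risky-port connections in 30s at {when}")
```

Run on the thread's own lines, the first (443 to 1029, ACK+PSH) is reported as the reply half of an established connection, which is exactly the case an "allow established" rule at the top of the chain would have accepted before the virus rules ever saw it; the second (a bare SYN to 139) is a genuine new connection to a file-sharing port and is handed back for a look at the host rather than labelled a worm. Only the constructed host, with a dozen SYNs to port 445 in twelve seconds, trips the window detector.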