
Steps taken after discovery of malicious traffic

Sorry for this noob question, but I'm new to Wireshark and I wasn't able to find the answer. What I'm trying to learn is more of a "big picture understanding" of how users of Wireshark combat malicious traffic. From the little bit I've learned so far, I understand that one way Wireshark can be used is to detect malicious traffic and help trace where it comes from. I'm also assuming that with Wireshark I will be able to detect if a computer has malware or a keylogger sending out data to a certain IP. My question is: after I have discovered this malicious traffic, what is the next step, software, or tactic administrators use to protect themselves? For instance, if I figure out a certain IP is malicious, how does one protect themselves from this IP?

ProtectNine
asked 2018-04-19 07:59:00 +0000

1 Answer


Banning any access to/from a remote IP using a firewall is relatively easy, but usually of little help, as the source addresses of the attacks, or the destination addresses to which the data collected in our network are sent, are usually just proxies unaware of acting as such - in other words, other malware victims used to hide the actual source/destination from you, and easily replaced once used.

Most anti-virus software can remove known malware, but sometimes a clean installation of the device may be the only remedy available at the time (when the malware is a new one). If you observe clearly malicious traffic (like your machine sending tons of spam e-mails) and your anti-virus finds nothing, the malware may be as yet unnoticed by anti-virus companies, so your anti-virus manufacturer may be happy to get a note from you and ask you for further cooperation.

So the best you can do is to keep security devices and operating systems up to date, back up data regularly, and use anti-virus software. Contemporary network security systems can work with traffic profiling and ban "unusual" traffic, but whether it is a usable model for you depends on your particular situation.

sindy
answered 2018-04-19 17:36:30 +0000
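The answer above mentions profiling traffic for "unusual" behaviour, such as a machine sending tons of spam e-mails. As an added example (not part of the original answer), the following Python script counts the distinct SMTP destinations each internal host contacts, reading tab-separated `tshark -T fields` output; the sample lines and the fan-out threshold of five servers are constructed assumptions.

```python
"""Profile outbound SMTP fan-out per host from tshark field output.

Added example, not from the original post. Input lines mimic
  tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e ip.src -e ip.dst -e tcp.dstport
(one TCP connection attempt per line, tab-separated) and are
constructed here for illustration.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Constructed sample: one workstation opens SMTP to 40 different servers,
# another talks to a single mail relay, plus some ordinary HTTPS traffic.
SAMPLE = "\n".join(
    [f"10.0.0.7\t203.0.113.{i}\t25" for i in range(1, 41)]
    + ["10.0.0.12\t192.0.2.10\t25", "10.0.0.12\t192.0.2.10\t587",
       "10.0.0.15\t198.51.100.5\t443", "10.0.0.7\t198.51.100.9\t443"]
)

def parse_flows(text):
    """Yield (src, dst, dport) tuples from tab-separated tshark output."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed rows or rows without a TCP port
        yield parts[0], parts[1], int(parts[2])

def smtp_fanout(text):
    """Map each source host to the number of distinct SMTP servers it contacted."""
    dests = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport in SMTP_PORTS:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def flag_spam_like(text, max_servers=5):
    """Return hosts whose SMTP fan-out exceeds max_servers (constructed threshold).

    A normal client submits mail to one or two relays; a spam bot delivers
    directly to many recipient domains' MX hosts, so high fan-out stands out.
    """
    return sorted(src for src, n in smtp_fanout(text).items() if n > max_servers)

if __name__ == "__main__":
    counts = smtp_fanout(SAMPLE)
    for host in flag_spam_like(SAMPLE):
        print(f"review {host}: {counts[host]} distinct SMTP servers contacted")
```

Feed real data by piping the tshark command from the docstring into `flag_spam_like`; the threshold should be tuned to what your own mail clients normally do.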
