LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-02-2010, 07:44 AM   #1
qrange
Senior Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,061

Rep: Reputation: 47
detecting infected hosts, honeypots, wireshark, nepenthes


Is there a 'plugin' for wireshark to analyze traffic and spot infected (windows) hosts?
I have been using nepenthes with no luck. (and doubt all hosts are clean)

is there some better way (other than using antivirus on each host)?
 
Old 09-05-2010, 05:53 AM   #2
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Rep: Reputation: 154
Are you dead set on wireshark?

Have you looked at IDSs (Intrusion Detection Systems) such as Snort. You can use Snort to monitor outgoing traffic as well as incoming traffic. It does pattern matching on packets against a db of signatures amongst other things and will alert you of problems. It does have a bit of a learning curve and setting it up correctly will take a bit of time.
 
Old 09-06-2010, 04:41 AM   #3
qrange
Senior Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,061

Original Poster
Rep: Reputation: 47
Okay, thanks for the reply. IIRC, I did try Snort a long time ago, but it required its own IP address. Nevertheless, I'll try it again.
 
Old 09-06-2010, 06:30 AM   #4
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 09-07-2010, 02:06 PM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Anything you can do in Snort, you should also have the capability to do in Wireshark. Also, Snort isn't just a package you can install and have automatically work...it's a living, breathing piece of software that can take AGES to get running correctly. It is not something you can install and have a solution to your issue within 5 minutes.

IMO, you're still better off with Wireshark, but if you're dead set on having a dedicated solution to intrusion, by all means, try Snort (again). Just be willing to go the extra mile or two to understand how to use it.

It should be easy to spot infected Windows hosts via Wireshark. Look for traffic that's indicative of infection. Yeah, that's a wide open statement, but it is meant to be. In order to understand what you're looking for, you'll have to understand what typical (and even atypical) Windows traffic looks like as packets. As a quick hint, I'd look for large amounts of traffic going outbound (or attempting to) on ports 135, 138, 139, and/or 445. Look for anomalies. If you don't know how to read packet captures already, you should fortify your confidence right now...it can be confusing. A basic understanding (at least) of TCP is an absolute must.
 
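Added example (not code from any post in this thread) of the hint in the post above: export the TCP connection attempts from a Wireshark/tshark capture and look for hosts that open SMB/RPC connections (135, 139, 445) to far more peers than a normal client ever would, or to peers outside the LAN. The tshark invocation in the docstring, the local network, the sample rows and the thresholds are all assumptions to adjust for your own network; the sample rows are constructed, not a real capture.

```python
#!/usr/bin/env python3
"""Flag Windows hosts that fan out on SMB/RPC ports (135, 139, 445).

Added example for this thread, not code from any of the posts. It reads TCP
connection attempts (SYNs) exported from a capture with tshark; the command
below is an assumption about how you would produce the input:

  tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
         -T fields -E separator=, \
         -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport > syns.csv

A source is reported when, inside a sliding window, it opens SMB/RPC
connections to an unusually large number of distinct peers (worm-style
sweeping), or to any peer outside the local networks (SMB normally never
leaves the LAN). The thresholds are assumptions to tune per site.
"""
import csv
import ipaddress
import sys
from collections import defaultdict, deque

SMB_PORTS = {135, 139, 445}


def parse_syns(lines):
    """Yield (ts, src, dst, dport) from tshark field rows; skip malformed rows."""
    for row in csv.reader(lines):
        if len(row) != 4 or not all(row):
            continue
        try:
            yield float(row[0]), row[1], row[2], int(row[3])
        except ValueError:
            continue


def max_fanout(events, window):
    """Largest number of distinct destinations seen in any `window`-second span.

    `events` is a list of (ts, dst) for one source; it is sorted in place."""
    events.sort()
    in_window = defaultdict(int)   # dst -> SYNs inside the current window
    pending = deque()              # (ts, dst) inside the current window
    best = 0
    for ts, dst in events:
        pending.append((ts, dst))
        in_window[dst] += 1
        while ts - pending[0][0] > window:       # expire entries older than the window
            _old_ts, old_dst = pending.popleft()
            in_window[old_dst] -= 1
            if in_window[old_dst] == 0:
                del in_window[old_dst]
        best = max(best, len(in_window))
    return best


def analyze(lines, local_nets, fanout_threshold=10, window=60):
    """Return {src: {"fanout": n, "external": [dst, ...]}} for suspicious sources."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    per_src = defaultdict(list)
    external = defaultdict(set)
    for ts, src, dst, dport in parse_syns(lines):
        if dport not in SMB_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue
        per_src[src].append((ts, dst))
        if not any(addr in net for net in nets):
            external[src].add(dst)
    findings = {}
    for src, events in per_src.items():
        fanout = max_fanout(events, window)
        if fanout >= fanout_threshold or external[src]:
            findings[src] = {"fanout": fanout, "external": sorted(external[src])}
    return findings


# Constructed sample rows (not a real capture): a client talking to the file
# server, and a host sweeping the /24 on 445 that also reaches an outside address.
SAMPLE = (
    ["%.3f,10.0.0.5,10.0.0.1,445" % (1000.0 + 300 * i) for i in range(3)]
    + ["1010.000,10.0.0.7,10.0.0.1,139"]
    + ["%.3f,10.0.0.23,10.0.0.%d,445" % (2000.0 + 0.2 * i, i) for i in range(2, 41)]
    + ["2011.000,10.0.0.23,203.0.113.9,445"]
    + ["2012.000,10.0.0.23,10.0.0.1,80"]         # not an SMB/RPC port; ignored
)


def main(argv):
    lines = open(argv[1]) if len(argv) > 1 else SAMPLE
    local = argv[2:] or ["10.0.0.0/24"]           # assumed local network
    for src, f in sorted(analyze(lines, local).items()):
        print("%s: up to %d distinct SMB/RPC peers in 60 s; external peers: %s"
              % (src, f["fanout"], ", ".join(f["external"]) or "none"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 smbfanout.py syns.csv 10.0.0.0/24 192.168.1.0/24` with your own exported rows and local ranges; with no arguments it runs on the constructed sample and reports only the sweeping host. The equivalent quick look in the Wireshark GUI is the display filter `tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport in {135 139 445}` followed by Statistics > Conversations, but the script gives you the per-host fan-out number the thread's hint is really about.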
Old 09-11-2010, 03:46 PM   #6
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 99

Rep: Reputation: 21
Looking for "bad" traffic in Wireshark is going to be like finding a needle in a haystack, and it's not going to be easy.

I do agree Snort is rather extensive to setup, but it is your best bet. These may help:

http://www.snort.org/docs/setup-guides/

Running more rules generally means more noise/FPs, so start off with just enabling a few rule buckets. In your case, you definitely want to enable backdoor.rules, blacklist.rules, botnet-cnc.rules, spyware-put.rules and virus.rules.

A web proxy would also help in certain situations too.
 
Old 09-11-2010, 03:56 PM   #7
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Rep: Reputation: 154
Wireshark is great for "real time" monitoring of traffic, or analysing a dump of a few hours' worth of traffic. However, an IDS, once properly set up, will monitor traffic constantly and alert you to problems.
 
Old 09-11-2010, 08:07 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
I want to reiterate that one shouldn't install Snort AFTER a compromise has happened...would you install a FW after your machine was cracked? If you're going to install Snort on an enterprise network, you should definitely have a game plan. You also have to understand where to place the sensor, network-wise. The OP wants to spot infected Windows hosts...this means that he should probably place it just inside the firewall/gateway, or wherever adjacent networks join. This may also mean that he will need to work with other teams to coordinate/plan the placement of the Snort machine.

About the comment of using Wireshark is like searching for a needle in a haystack...I disagree. If you know what you're looking for, it should be easy. The harder task is ensuring you understand HOW to look, which means understanding the exploit and symptoms of any infections you're searching for.

As for which rules to apply, enabling all the rules does NOT mean more FPs. One should only enable the rules that will detect the types of traffic that would be a concern. The OP is looking for infected Windows hosts, so one of the rulesets to enable would be the MS-related sigs. This may or may not cover other categories (such as backdoor traffic), but feel free to turn on as much as would be necessary. You should always be validating alerts and tuning as you go. You can either disable non-concerning rules or threshold them so that they are less noisy. This is why I stated that the process would be long-term and involved. Running Snort should never be something to be considered as a knee-jerk reaction...if it is, you're misjudging the level of complexity of properly setting up Snort...even if there are tons of tutorials in existence for setting up or utilizing it.

So, OP, do you have a plan and are considering all of this? I've seen places that hastily install Snort sensors only to end up being even more confused as to what they're supposed to be doing.

Last edited by unixfool; 09-11-2010 at 08:11 PM.
 
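Added example (not code from any post in this thread) for the two points made in posts #6 and #8: start with a few rule buckets because more rules generally mean more noise, and then validate alerts and threshold the noisy signatures rather than switching them off. The script parses Snort's one-line "fast" alert format, shows which signatures and sources produce the bulk of the alerts, and simulates an `event_filter ... type limit, track by_src` so you can measure what a threshold would cut before committing it to snort.conf. The alert lines are constructed with SIDs from the local range (1000000 and up), not real rules, and the fixed-window approximation of Snort's limit filter is mine.

```python
#!/usr/bin/env python3
"""Triage Snort "fast" alerts and try out an event_filter before committing it.

Added example for this thread, not code from any of the posts. Parses the
alert_fast format, summarises alerts per signature and per source, and
simulates `event_filter ... type limit, track by_src` (keep the first `count`
alerts per signature and source in each `seconds` window; windows here start
at the first alert seen, an approximation of Snort's behaviour).
"""
import re
from collections import Counter
from datetime import datetime

# alert_fast line, e.g.
# 09/11-20:07:01.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 1] {TCP} 10.0.0.23:49152 -> 203.0.113.7:80
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+?)(?::(?P<dport>\d+))?$"
)
EPOCH = datetime(2000, 1, 1)   # fast alerts carry no year; 2000 is a leap year


def parse_alerts(lines):
    """Return a list of alert dicts; lines that are not fast alerts are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime("2000/%s-%s" % (m["date"], m["time"]),
                                 "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "ts": (when - EPOCH).total_seconds(),
            "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "prio": int(m["prio"]), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return alerts


def summarize(alerts):
    """Alert counts per signature and per source address."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src


def apply_limit(alerts, count, seconds, sids=None):
    """Keep the first `count` alerts per (sid, src) in each `seconds` window.
    `sids` restricts the filter to those signatures (None = all)."""
    kept, windows = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if sids is not None and a["sid"] not in sids:
            kept.append(a)
            continue
        key = (a["sid"], a["src"])
        start, seen = windows.get(key, (None, 0))
        if start is None or a["ts"] - start >= seconds:
            start, seen = a["ts"], 0          # open a new window
        if seen < count:
            kept.append(a)
        windows[key] = (start, seen + 1)
    return kept


def suggest_filters(alerts, noisy_above=10, count=1, seconds=60):
    """snort.conf event_filter lines for signatures that one source fired
    more than `noisy_above` times in the whole input."""
    per = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    noisy = sorted({(g, s) for (g, s, _), n in per.items() if n > noisy_above})
    return ["event_filter gen_id %d, sig_id %d, type limit, track by_src, "
            "count %d, seconds %d" % (g, s, count, seconds) for g, s in noisy]


def _line(t, sid, msg, prio, src, sport, dst, dport):
    return ("09/11-%s  [**] [1:%d:1] %s [**] [Classification: constructed] "
            "[Priority: %d] {TCP} %s:%d -> %s:%d" % (t, sid, msg, prio, src, sport, dst, dport))


# Constructed alerts (local SIDs, not real rules): one host sweeping the subnet
# on 445, a client tripping a low-priority rule once a minute, and a single
# high-priority alert that must survive any threshold.
SAMPLE = (
    [_line("20:07:%02d.%06d" % (i // 5, (i % 5) * 200000), 1000001, "LOCAL constructed SMB sweep",
           2, "10.0.0.23", 49152 + i, "10.0.0.%d" % (2 + i), 445) for i in range(50)]
    + [_line("20:0%d:10.000000" % (1 + i), 1000002, "LOCAL constructed policy chatter",
             3, "10.0.0.5", 50000 + i, "10.0.0.1", 445) for i in range(5)]
    + [_line("20:07:05.500000", 1000003, "LOCAL constructed C2 beacon",
             1, "10.0.0.23", 51000, "203.0.113.7", 80)]
    + ["not an alert line"]
)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    by_sig, by_src = summarize(alerts)
    print("alerts:", len(alerts), "| top sigs:", by_sig.most_common(2), "| top src:", by_src.most_common(1))
    print("kept after limit 1 per 60 s:", len(apply_limit(alerts, 1, 60)))
    print("\n".join(suggest_filters(alerts)))
```

On the sample, the 50 sweep alerts from one host collapse to a single alert, the once-a-minute chatter and the priority-1 beacon are untouched, and the only filter suggested is for the sweep signature. Feed it your real `alert` file (alert_fast output) in place of SAMPLE to see where your own noise comes from before touching the rule set.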
Old 09-12-2010, 07:26 PM   #9
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 99

Rep: Reputation: 21
Quote:
Originally Posted by unixfool (post #8 above)
If my computer did not have a firewall and it was cracked, yes I would install one. If the proper controls are not in place pre-compromise, post-compromise should be (it better be!) the eye opener. Not to mention some Snort rules are designed to detect post-compromise activity - botnet-cnc and blacklist rules are perfect examples.

And while enabling more rules does not 100% mean more FPs, you can certainly expect it (hence *generally*).
 
Old 09-12-2010, 07:57 PM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by LVsFINEST (post #9 above)
If your computer were cracked to the level that the intruder had root, a FW probably won't do jack if it is host-based. If this were an enterprise network, one doesn't just deploy a FW as a post-compromise step, and not every employee will have the authority to do that. Post-compromise means that you're in reactive mode. Once you've lost control or trust in the host, you're pretty much lost...yeah, you can study the logs and state of the machine to determine what happened to allow the intrusion (if you can even do that), but that's pretty much the only reason you're investigating. Installing a FW would more than likely be just a means to contain the compromise...I don't even know why that would be done on the host itself when compromise usually entails "a loss of integrity". Pulling network connections is the better way to go and will ensure that the machine doesn't conduct activity that could cause you financial woes.

Your points are valid, but what I'm getting at is that if he's in some type of crisis mode in trying to hunt down infected machines, he's more than likely under some management-mandated deadline...that usually isn't the time to start deploying IDSs. He hasn't explained if this is some containment operation or if it is something that is long term, either. I've been using Snort professionally for close to ten years, so I know what it is...it definitely isn't some tool to just blurt out as a solution. There definitely has to be some thought into how it is to be used and where it is to be placed. There are even hardware considerations (will the IDS be able to keep up with a very chatty network segment, based on the equipment the OP may currently have). These are probably good things to know when one's job is at stake, as I'm thinking that this isn't some home project that the OP is curious about.

But we're getting ahead of ourselves...I haven't seen much of a response from the OP.

Last edited by unixfool; 09-12-2010 at 08:06 PM.
 
Old 09-14-2010, 03:20 AM   #11
qrange
Senior Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,061

Original Poster
Rep: Reputation: 47
Wireshark did help. I uninstalled Snort again; it's too complex anyway.
Actually, it's not my job to clean viruses. I'm just another host in the network and don't have access to routers/switches.
I was trying to help out colleagues speed up their 'windoze boxes'.

thanks all for replies.
 
Tags
detect, trojan, virus, wireshark