How to set up logging for port 25 to find a virus on network

I have a virus on the network someplace that keeps sending out .zip files and causing the email server to be blacklisted. How do I set up logging on ISA Server 2004 for port 25? All directions I have found on this venue have not worked. I do not have an SBS server - I have Windows 2003 Server, Exchange 2003, ISA Server 2004 - all Windows XP Pro clients. For example:

Doesn't have to be from a source port of 25 - it is the destination port you need to be more concerned over.

open the ISA gui
select - monitoring - logging
On the right, click edit query (I do not have Edit query - I have Edit Filter and followed the directions with that)
Change the action to destination port  =  25
Click update
Change the time value to past 7 days (I do not see a "change the time value to past 7 days")
click update
click start query (I start the query, but it just keeps "fetching results" forever)

Is any device listed as the source other than your SBS server?
manch03 Asked:

leathersr Commented:
TCPDUMP is generally useful anytime you need to find out where traffic is coming from on a network. If you don't have much Linux-fu you can also try WinDUMP. You'll need WinPcap as well. Learn more here:
http://www.winpcap.org/windump/install/

There are elegant ways to deploy this in your network, but a straightforward, albeit ham-fisted, way is to have a PC with at least two network interfaces on it configured as bridge interfaces. This effectively lets your monitoring PC running TCPDUMP sit on the wire between your server and the switch port it connects to.

There are all kinds of rules you could apply to match and log traffic of interest. For example:
# tcpdump -vv '(src net 192.168.1.0/24 or src net 172.16.0.0/16) and dst port 25'

This would log all traffic that originated from either of the specified network address ranges if that traffic was going anywhere with a destination port of 25.  Really, any combination of protocols and network source and destinations can be used as matching criteria, so if you want more targeted logging of network traffic, TCPDUMP is a great choice.
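As an added example (not part of leathersr's answer), the following script reduces a `tcpdump -nn` capture to the question the thread is really asking: which internal host other than the mail server is opening outbound SMTP connections? The mail-server address, the client addresses and the sample capture lines are all constructed.

```python
import re
from collections import Counter

# Connection tuple in `tcpdump -nn` IPv4 output, e.g.
#   12:00:01.000001 IP 192.168.1.57.49321 > 198.51.100.5.25: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def count_smtp_senders(lines, mail_server):
    """Return a Counter of {source IP: outbound SMTP connection attempts}
    for every host except the legitimate mail server. Only pure SYN
    segments (Flags [S]) are counted, so each TCP connection counts once
    and replies from the remote MTA (source port 25) are ignored."""
    senders = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dport"] != "25" or m["flags"] != "S":
            continue
        if m["src"] == mail_server:       # Exchange is allowed to relay
            continue
        senders[m["src"]] += 1
    return senders

def suspects(lines, mail_server="192.168.1.10"):
    """Non-mail-server sources ranked by outbound SMTP attempts, busiest first."""
    return count_smtp_senders(lines, mail_server).most_common()

# Constructed sample capture. 192.168.1.10 is the assumed Exchange server,
# 192.168.1.57 and 192.168.1.88 are assumed workstations; remote MTAs use
# RFC 5737 documentation addresses.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.50001 > 198.51.100.5.25: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 198.51.100.5.25 > 192.168.1.10.50001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000003 IP 192.168.1.57.49321 > 198.51.100.5.25: Flags [S], seq 3, win 65535, length 0
12:00:02.000004 IP 192.168.1.57.49321 > 198.51.100.5.25: Flags [P.], seq 4:50, ack 1, win 65535, length 46
12:00:03.000005 IP 192.168.1.57.49322 > 203.0.113.27.25: Flags [S], seq 5, win 65535, length 0
12:00:04.000006 IP 192.168.1.23.50500 > 192.168.1.10.443: Flags [S], seq 6, win 65535, length 0
12:00:05.000007 IP 192.168.1.88.50600 > 203.0.113.40.25: Flags [S], seq 7, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for ip, n in suspects(SAMPLE):
        print(f"{ip:15} {n} outbound SMTP connection(s)")
```

Feed it a real capture with `tcpdump -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25' | python3 smtp_senders.py` (reading `sys.stdin` instead of `SAMPLE`); any workstation that appears at all is worth pulling off the network.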
 
manch03 (Author) Commented:
I went to the site, downloaded the tcpdump - let it run - but it only takes me to a web page when I click on it.  There is nothing there.