• Status: Solved
  • Priority: Medium
  • Security: Public

How to set up logging for port 25 to find a virus on network

I have a virus on the network somewhere that keeps sending out .zip files and causing the email server to be blacklisted. How do I set up logging on ISA Server 2004 for port 25? All directions I have found on this venue have not worked. I do not have an SBS server - I have Windows 2003 Server, Exchange 2003, ISA Server 2004 - all Windows XP Pro clients. For example:

Doesn't have to be from a source port of 25 - it is the destination port you need to be more concerned over.

open the ISA gui
select - monitoring - logging
On the right, click edit query  (I do not have Edit query)  I have Edit Filter and followed the directions with that
Change the action to destination port  =  25
Click update
Change the time value to past 7 days  (I do not see a change the time value to past 7 days)
click update
click start query  - I start query - but it just keeps "fetching results" forever

is any device listed as the source that is other than your SBS server?
Asked by: manch03

1 Solution
leathersr commented:
TCPDUMP is generally useful any time you need to find out where traffic is coming from on a network. If you don't have much Linux-fu you can also try WinDump. You'll need WinPcap as well. Learn more here:
http://www.winpcap.org/windump/install/

There are elegant ways to deploy this in your network, but a straightforward, albeit ham-fisted, way is to have a PC with at least two network interfaces on it configured as bridge interfaces. This effectively lets your monitoring PC running TCPDUMP sit on the wire between your server and the switch port it connects to.

There are all kinds of rules you could apply to match and log traffic of interest. For example:
# tcpdump -vv '(src net 192.168.1.0/24 or src net 172.16.0.0/16) and dst port 25'

This would log all traffic that originated from either of the specified network address ranges if that traffic was going anywhere with a destination port of 25.  Really, any combination of protocols and network source and destinations can be used as matching criteria, so if you want more targeted logging of network traffic, TCPDUMP is a great choice.
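Once a capture like the one above is running, the question that actually matters is which internal host other than the mail server is opening SMTP connections to the outside world. The script below is an added example, not leathersr's or the original page's code: it reads `tcpdump -nn -l` output (the modern `Flags [S]` line format is assumed), counts TCP SYNs to destination port 25 per internal source address, and skips the legitimate mail server (assumed here to be 192.168.1.10) as well as workstations submitting mail to it. The capture lines are constructed, with TEST-NET addresses standing in for outside mail exchangers; 192.168.1.57 is the hypothetical infected client.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -nn -l 'dst port 25'` output (not a real capture).
# Assumed topology: 192.168.1.10 is the Exchange server that is allowed to talk
# SMTP to the outside world; 192.168.1.57 is a hypothetical infected XP client.
SAMPLE_CAPTURE = """\
14:02:11.104532 IP 192.168.1.10.3321 > 203.0.113.161.25: Flags [S], seq 1177362, win 65535, length 0
14:02:11.208420 IP 192.168.1.10.3321 > 203.0.113.161.25: Flags [.], ack 1, win 65535, length 0
14:02:12.331900 IP 192.168.1.57.1045 > 203.0.113.27.25: Flags [S], seq 9981, win 65535, length 0
14:02:12.332104 IP 192.168.1.57.1046 > 198.51.100.8.25: Flags [S], seq 9982, win 65535, length 0
14:02:12.332377 IP 192.168.1.57.1047 > 203.0.113.57.25: Flags [S], seq 9983, win 65535, length 0
14:02:13.009110 IP 192.168.1.57.1048 > 203.0.113.161.25: Flags [S], seq 9984, win 65535, length 0
14:02:13.500001 IP 192.168.1.22.1099 > 192.168.1.10.25: Flags [S], seq 4444, win 65535, length 0
14:02:14.120000 IP 192.168.1.57.1049 > 198.51.100.32.25: Flags [S], seq 9985, win 65535, length 0
14:02:14.120300 IP 192.168.1.57.1049 > 198.51.100.32.25: Flags [P.], seq 1:28, ack 1, win 65535, length 27
"""

# One TCP line of tcpdump -nn output: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_direct_to_mx_senders(capture_text, mail_server, internal_net="192.168.1.0/24"):
    """Count new outbound SMTP connections (TCP SYN to dst port 25) per internal host.

    The legitimate mail server is skipped, as are connections *to* it (workstations
    submitting mail to Exchange are normal). What remains is internal hosts talking
    SMTP directly to outside servers, which only the mail server should be doing.
    Returns ({src_ip: syn_count}, {src_ip: set(destination_ips)}).
    """
    net = ipaddress.ip_network(internal_net)
    counts = Counter()
    targets = {}
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if dport != 25 or flags != "S":  # initial SYN only: one count per connection
            continue
        if src == mail_server or dst == mail_server:
            continue
        if ipaddress.ip_address(src) not in net:
            continue
        counts[src] += 1
        targets.setdefault(src, set()).add(dst)
    return counts, targets


def report(counts, targets):
    """Suspects as (ip, connection_count, distinct_destinations), worst first."""
    return [(ip, n, len(targets[ip])) for ip, n in counts.most_common()]


if __name__ == "__main__":
    # Usage: tcpdump -nn -l 'dst port 25' | python find_smtp_senders.py 192.168.1.10
    # With nothing piped in, the constructed sample above is analysed instead.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for ip, n, ndst in report(*find_direct_to_mx_senders(text, server)):
        print(f"{ip}: {n} new SMTP connections to {ndst} distinct outside hosts")
```

On the sample this reports only 192.168.1.57, with five connections to five different outside hosts; the mail server's own relaying and the workstation delivering to Exchange are ignored. A single infected machine fanning out to many distinct mail exchangers in a few seconds is the pattern to look for, and `-nn` keeps tcpdump from doing reverse DNS lookups that would slow the capture down. The same pipeline works with WinDump on Windows.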
 
manch03Author Commented:
I went to the site, downloaded the tcpdump - let it run - but it only takes me to a web page when I click on it.  There is nothing there.
