What rules should I make to find short lived connections?

Started by securityconscious, June 06, 2022, 07:05:03 AM

What rules should I make to find short lived connections like ones made by malware?

A firewall rule is permanent. Is this for prevention, or are you investigating something?
Malware sessions are from inside to outside (internet). You can block known destinations.

Quote from: EdwinKM on June 06, 2022, 11:31:02 AM
A firewall rule is permanent. Is this for prevention, or are you investigating something?
Malware sessions are from inside to outside (internet). You can block known destinations.

Both prevention and investigation. I suspect they are from inside, and I don't know what IP they are connecting to. I'm new to firewalls and OPNsense.

You can of course block all (internet, i.e. !rfc1918) destinations and check the firewall blocks. But this creates a bulk of logging, so it is unusable. Do you have any valid reason to suspect any malice?
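As an added example (not from the thread and not OPNsense's own tooling), a small Python detection pass over a constructed connection log: it keeps only flows from RFC1918 sources to non-RFC1918 destinations, then reports destinations that receive repeated short-lived connections and how regularly they recur. The log format, the sample addresses and the thresholds are assumptions.

```python
# Added example (not from the thread): flag repeated short-lived
# inside->outside connections in a constructed, simplified connection log.
# Assumed format "<epoch> <src> <dst> <dport> <duration_s>", not filterlog's.
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one host beaconing every 60 s, plus benign noise.
SAMPLE_LOG = """\
1654500000 192.168.1.20 203.0.113.9 443 2
1654500060 192.168.1.20 203.0.113.9 443 1
1654500120 192.168.1.20 203.0.113.9 443 2
1654500180 192.168.1.20 203.0.113.9 443 1
1654500005 192.168.1.21 198.51.100.7 443 950
1654500010 192.168.1.20 192.168.1.1 53 1
1654500011 192.168.1.20 192.168.1.1 53 1
1654500012 192.168.1.22 198.51.100.8 80 3
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_log(text):
    """Yield (ts, src, dst, dport, duration); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, dur = parts
        yield int(ts), src, dst, int(dport), float(dur)

def short_lived_outbound(text, max_duration=5.0, min_hits=3):
    """Return {(dst, dport): sorted timestamps} for RFC1918 -> !RFC1918
    flows that lasted at most max_duration s and recurred min_hits times."""
    hits = defaultdict(list)
    for ts, src, dst, dport, dur in parse_log(text):
        if not is_rfc1918(src) or is_rfc1918(dst):
            continue  # only inside -> outside, as the thread describes
        if dur <= max_duration:
            hits[(dst, dport)].append(ts)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hits}

def mean_interval(timestamps):
    """Average gap between hits; near-constant gaps are a beaconing hint."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return sum(gaps) / len(gaps) if gaps else 0.0
```

`short_lived_outbound(SAMPLE_LOG)` keeps only the 203.0.113.9:443 beacon; the long session, the single hit and the internal DNS traffic are dropped, which is the filtering that keeps a full !rfc1918 block log from becoming unusable.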