User Guide

OmniAccess SafeGuard OS Administration Guide
377
Chapter 10: Detecting and Isolating Malware Security Threats
The example output continues from the previous page (the header row and event 1 are not shown); the columns follow the field order of Table 30:

Event ID  Host IP         Protocol  Src Port  Dst Port  Dst IP          Mirror Interval (Seconds)/Start Time
2         66.166.203.235  TCP       4322      445       66.166.141.177  65/Fri Mar 17 13:02:31.171 2006
3         192.168.101.1   TCP       4765      135       66.137.210.181  65/Fri Mar 17 13:02:50.622 2006
4         192.168.101.1   TCP       4322      445       66.166.141.177  65/Fri Mar 17 13:02:51.002 2006

Table 30 explains the output fields of the show malware event-info command.
Displaying Malware Trace Information
Trace information is available for certain types of new worms. When trace is specified,
the history of the last eight unique sites the infected host visited is displayed; repeated
events are not shown. Depending on the type of event, trace information is available in
IP trace and port trace formats. The following malware categories do not carry trace
information:
Outbound TCPSYN DoS attacks
Outbound ICMP DoS attacks
Outbound ICMP IP scans
To display the last eight sites a given host visited before the malware event triggered,
use the show malware trace command. This Privileged Exec command has the following
syntax:
show malware trace ipaddress
Table 30 Show Malware Event-Info Output Fields

Field                      Description
Event ID                   A system-generated identifier for the event.
Host IP                    The address of the host generating the event.
Protocol                   The protocol in use when the event was triggered. Valid
                           protocols are TCP, UDP or ICMP.
Src Port                   The source port number of the request. Shown as N/A for ICMP.
Dst Port                   The destination port number. Shown as N/A for ICMP.
Dst IP                     The destination IP address.
Mirror Interval (Seconds)  The amount of time that traffic is mirrored. Valid values are
                           15 to 180 seconds; the default is 60 seconds.
Start Time                 The date and timestamp at which the malware event began.
Syntax Description (show malware trace)
ipaddress                  Displays the last eight destination IP addresses and
                           destination ports for this infected IP address.
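The following Python script is an added example, not part of the guide or of SafeGuard OS. It parses show malware event-info output of the form shown above into structured records, validates the fields against the rules in Table 30 (TCP/UDP/ICMP only, N/A ports for ICMP, Mirror Interval between 15 and 180 seconds), and then rebuilds per host the documented trace semantics (last eight unique destinations, repeats not shown) so that event-info output can be correlated with show malware trace. The three TCP rows are the ones printed in the guide; the header line and the ICMP row are constructed for this example, and the trace reconstruction is an approximation built from event records, not the device's own trace buffer.

```python
"""Parse 'show malware event-info' output from a SafeGuard OS CLI session
and derive per-host summaries from it (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Sample input for this example. The three TCP rows are the ones printed in
# the guide; the header line and the ICMP row are constructed here.
SAMPLE_OUTPUT = """\
Event ID Host IP Protocol Src Port Dst Port Dst IP Mirror Interval/Start Time
2 66.166.203.235 TCP 4322 445 66.166.141.177 65/Fri Mar 17 13:02:31.171 2006
3 192.168.101.1 TCP 4765 135 66.137.210.181 65/Fri Mar 17 13:02:50.622 2006
4 192.168.101.1 TCP 4322 445 66.166.141.177 65/Fri Mar 17 13:02:51.002 2006
5 192.168.101.1 ICMP N/A N/A 66.137.210.181 60/Fri Mar 17 13:02:52.310 2006
"""

MIRROR_MIN, MIRROR_MAX = 15, 180        # documented Mirror Interval range
TIME_FMT = "%a %b %d %H:%M:%S.%f %Y"     # e.g. "Fri Mar 17 13:02:31.171 2006"
VALID_PROTOCOLS = {"TCP", "UDP", "ICMP"}


@dataclass
class MalwareEvent:
    event_id: int
    host_ip: str
    protocol: str
    src_port: Optional[int]   # None where the CLI prints N/A (ICMP)
    dst_port: Optional[int]
    dst_ip: str
    mirror_interval: int      # seconds
    start_time: datetime


def _port(text: str) -> Optional[int]:
    return None if text == "N/A" else int(text)


def parse_event_line(line: str) -> MalwareEvent:
    """Parse one data row. The start time itself contains spaces, so the
    line is split at most six times and the remainder is kept whole."""
    parts = line.split(None, 6)
    if len(parts) != 7:
        raise ValueError(f"expected 7 columns, got {len(parts)}: {line!r}")
    event_id, host_ip, proto, sport, dport, dst_ip, rest = parts
    proto = proto.upper()
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r} in event {event_id}")
    # ICMP has no ports; the CLI prints N/A in both port columns.
    if proto == "ICMP" and (sport, dport) != ("N/A", "N/A"):
        raise ValueError(f"ICMP event {event_id} should show N/A ports")
    mirror_text, sep, start_text = rest.partition("/")
    if not sep:
        raise ValueError(f"missing '/' between mirror interval and time: {rest!r}")
    mirror = int(mirror_text)
    if not MIRROR_MIN <= mirror <= MIRROR_MAX:
        raise ValueError(f"mirror interval {mirror}s outside {MIRROR_MIN}-{MIRROR_MAX}s")
    return MalwareEvent(
        event_id=int(event_id), host_ip=host_ip, protocol=proto,
        src_port=_port(sport), dst_port=_port(dport), dst_ip=dst_ip,
        mirror_interval=mirror,
        start_time=datetime.strptime(start_text.strip(), TIME_FMT),
    )


def is_valid_event_line(line: str) -> bool:
    """True if the row parses and passes the Table 30 checks."""
    try:
        parse_event_line(line)
        return True
    except ValueError:
        return False


def parse_event_info(output: str) -> List[MalwareEvent]:
    """Parse the whole command output, skipping header and blank lines."""
    return [parse_event_line(ln) for ln in output.splitlines()
            if ln.strip() and ln.strip()[0].isdigit()]


def dst_ports_by_host(events: List[MalwareEvent]) -> Dict[str, List[int]]:
    """Sorted unique destination ports each host was seen contacting."""
    ports: Dict[str, set] = {}
    for ev in events:
        if ev.dst_port is not None:
            ports.setdefault(ev.host_ip, set()).add(ev.dst_port)
    return {host: sorted(p) for host, p in ports.items()}


def recent_unique_destinations(events: List[MalwareEvent], host_ip: str,
                               limit: int = 8) -> List[Tuple[str, Optional[int]]]:
    """Model of the documented trace semantics (last eight unique sites,
    repeats not shown) rebuilt from event-info records: the newest `limit`
    distinct (dst IP, dst port) pairs for the host, newest first. This is an
    approximation for correlation, not the device's own trace buffer."""
    seen, out = set(), []
    for ev in sorted((e for e in events if e.host_ip == host_ip),
                     key=lambda e: e.start_time, reverse=True):
        key = (ev.dst_ip, ev.dst_port)
        if key in seen:
            continue
        seen.add(key)
        out.append(key)
        if len(out) == limit:
            break
    return out


if __name__ == "__main__":
    evs = parse_event_info(SAMPLE_OUTPUT)
    for host, ports in dst_ports_by_host(evs).items():
        print(f"{host}: dst ports {ports}")
    print(recent_unique_destinations(evs, "192.168.101.1"))
```

Feed the script the captured output of show malware event-info (for example, a terminal log of the session); rows that violate the Table 30 rules raise ValueError rather than being silently accepted, which is the behaviour you want before forwarding the records to a SIEM.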