Question

I am working on a small project. There is an organization which has around 100 systems across the country. All of their machines' traffic goes through a single proxy monitored and maintained by the organization. The proxy is configured to allow only whitelisted websites such as www.google.com and many others. (I am not aware of the proxy configuration: are they using content-based filtering or website URL-based filtering?)

If a machine sends traffic outside the whitelisted domains, the proxy alerts and then I need to manually analyze the machine.

Question:

How can I know which application/port/running process is causing that traffic?

Is there any other way to stop this? Malware scanning tools identified nothing on the system.

If I recommend that the sysadmin install add-ons like Disconnect, Ghostery, Blur, DoNotTrackMe and Adblock Plus, will the number of reports generated by their proxy be reduced or not?

Is there any other permanent solution or global-setting solution?

Explanation / Answer

You will not be able to tell the application/port/process based on the network traffic alone. For that, you will need to analyze the logs on the endpoint.

The add-ons you mention to block ads will help in reducing the noise you are seeing, since I imagine you're seeing a ton of random ad-traffic tied to legitimate white-listed sites users are browsing to. The modern Internet is very loud with that stuff.

I recommend gathering logs from two places:

+ Border firewalls that block all HTTP/S except from your proxy server as the source -- that way, if a machine is trying to connect to a C&C server through a process that is not proxy-aware (e.g. a malware dropper / Trojan downloader), it will be denied and you will have visibility of it.
+ Sysmon on each endpoint with process tracking and network tracking enabled. That way you can connect to the remote Event Log during an incident response to track which processes were communicating on which ports, etc., or, even better, use Syslog or a SIEM to aggregate these to a central location for review.

You will need to apply some analytical discretion when getting alerted on this stuff: known ad sites and redirectors will likely accompany typical browsing, Sysmon will tell you which browser was being used but browser history logs may be cleared (or Incognito was used), and remember that some malware is proxy-aware.
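The Sysmon-based attribution the answer describes, worked through as an added example (this is not code from the original answer). It assumes Sysmon network-connect events (Event ID 3) have been exported from the endpoint as XML in the layout `Get-WinEvent`'s `ToXml()` produces, that the proxy log records at least the client IP (ideally the client source port too), and that the organization's proxy address and internal ranges are known; all events, addresses, hostnames and log lines below are constructed for the demo. It joins a proxy alert to the endpoint process by client IP, source port and time, and separately lists processes that connected to external addresses without going through the proxy, which is the non-proxy-aware case the border-firewall point is about.

```python
"""Attribute a proxy alert to an endpoint process using Sysmon Event ID 3."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROXY_IP = "10.20.1.5"                                # constructed proxy address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal ranges

# Constructed Sysmon NetworkConnect (ID 3) events from one workstation.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><Computer>WS-042.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-05-04 10:15:01.500</Data>
  <Data Name="ProcessId">1204</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="Protocol">udp</Data><Data Name="Initiated">true</Data>
  <Data Name="SourceIp">10.20.30.42</Data><Data Name="SourcePort">60011</Data>
  <Data Name="DestinationIp">10.20.1.10</Data><Data Name="DestinationPort">53</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><Computer>WS-042.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-05-04 10:15:02.117</Data>
  <Data Name="ProcessId">4412</Data>
  <Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
  <Data Name="Protocol">tcp</Data><Data Name="Initiated">true</Data>
  <Data Name="SourceIp">10.20.30.42</Data><Data Name="SourcePort">51234</Data>
  <Data Name="DestinationIp">10.20.1.5</Data><Data Name="DestinationPort">8080</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><Computer>WS-042.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-05-04 10:16:40.020</Data>
  <Data Name="ProcessId">7788</Data>
  <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
  <Data Name="Protocol">tcp</Data><Data Name="Initiated">true</Data>
  <Data Name="SourceIp">10.20.30.42</Data><Data Name="SourcePort">51300</Data>
  <Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
</Events>"""

# Constructed proxy alert: "<utc time> <client ip>:<client port> <method> <url> <action>"
SAMPLE_PROXY_ALERT = "2023-05-04 10:15:03 10.20.30.42:51234 GET http://ads.example.net/track DENIED"
PROXY_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>[\d.]+):(?P<port>\d+) "
    r"\S+ (?P<url>\S+) (?P<action>\S+)$")


def parse_sysmon_events(xml_text):
    """Return the Event ID 3 records as dicts keyed by the EventData field names."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue  # only NetworkConnect events are relevant here
        rec = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        rec["when"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events


def parse_proxy_alert(line):
    """Pull time, client socket, URL and action out of one proxy alert line."""
    m = PROXY_LINE.match(line)
    if not m:
        raise ValueError("unrecognised proxy log line: %r" % line)
    return {"when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "port": int(m["port"]), "url": m["url"], "action": m["action"]}


def attribute_alert(events, client_ip, alert_utc, client_port=None, window_s=60):
    """Sysmon connections from the alerting client around the alert time, nearest first.

    With the client source port (if the proxy logs it) the join is exact; without it
    every connection from that host in the window is a candidate and needs review.
    """
    cands = []
    for ev in events:
        if ev.get("SourceIp") != client_ip:
            continue
        if client_port is not None and ev.get("SourcePort") != str(client_port):
            continue
        delta = abs((ev["when"] - alert_utc).total_seconds())
        if delta <= window_s:
            cands.append((delta, ev))
    cands.sort(key=lambda c: c[0])
    return [ev for _, ev in cands]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr == ipaddress.ip_address(PROXY_IP) or any(addr in n for n in INTERNAL_NETS)


def direct_connections(events):
    """Outbound connections that went to an external address without using the proxy."""
    return [ev for ev in events
            if ev.get("Initiated") == "true" and ev.get("DestinationIp")
            and not is_internal(ev["DestinationIp"])]


if __name__ == "__main__":
    evs = parse_sysmon_events(SAMPLE_EVENTS)
    alert = parse_proxy_alert(SAMPLE_PROXY_ALERT)
    for ev in attribute_alert(evs, alert["ip"], alert["when"], alert["port"]):
        print("alert %s <- PID %s %s" % (alert["url"], ev["ProcessId"], ev["Image"]))
    for ev in direct_connections(evs):
        print("proxy bypass: PID %s %s -> %s:%s" % (
            ev["ProcessId"], ev["Image"], ev["DestinationIp"], ev["DestinationPort"]))
```

A proxy-aware process (browser or proxy-aware malware alike) shows up in Sysmon as a connection to the proxy, not to the blocked site, which is why the join has to go through the client source port and time rather than the destination; if the proxy does not log the client port, call `attribute_alert` without it and review the candidate list. The `direct_connections` check is what finds a process that never talked to the proxy at all, the same traffic a proxy-only border firewall rule would deny.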
