How to detect Malware infected systems in LAN network


Is there any software available in OpenWrt which can detect malware-infected connected clients in the LAN? I know there is another thread on the same topic, but that never got resolved.

I tried using nmap with its NSE scripts, but it does port scanning on the clients and if ports are closed, it cannot output the result.


I don't know about within OpenWrt, but you could probably do well with suricata running on a RasPi 4 with a smart-switch port-mirroring everything to the suricata instance...

IDS is processor intensive so I'd be looking to offload this such as above.

A very cheap and effective method is looking for the DNS requests coming from devices on your network. From there you can correlate with a blacklist/malwaredomainslist or anomaly detection.
Since encrypted DNS is on stage, I guess the effectiveness will decline, but it will still catch a majority.
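The DNS-log approach described in this post, as an added example that is not code from the thread: parse dnsmasq query lines (the format logread shows on OpenWrt when dnsmasq's log-queries option is enabled) and match each client's lookups, including parent domains, against a blocklist. The log lines and blocklist entries are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq query log lines as seen in logread on OpenWrt.
# Hostnames and client addresses are made up for this example.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Jan  5 10:00:02 dnsmasq[1234]: query[AAAA] cdn.example.com from 192.168.1.20
Jan  5 10:00:05 dnsmasq[1234]: query[A] beacon.bad-example.test from 192.168.1.37
Jan  5 10:00:06 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Jan  5 10:00:09 dnsmasq[1234]: query[TXT] c2.evil-example.test from 192.168.1.37
Jan  5 10:00:12 dnsmasq[1234]: query[A] update.bad-example.test from 192.168.1.20
"""

# Constructed blocklist standing in for a real feed such as malwaredomainslist.
# A name matches if it, or any parent domain of it, is listed.
BLOCKLIST = {"bad-example.test", "c2.evil-example.test"}

# Only "query[<type>] <name> from <client>" lines carry a client lookup;
# "reply", "cached" and "forwarded" lines are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def parse_queries(log_text):
    """Yield (client, qtype, name) for every dnsmasq query line in log_text."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name").lower().rstrip(".")


def is_blocked(name, blocklist):
    """True if name or one of its parent domains is on the blocklist."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_text, blocklist):
    """Map each client IP to the blocklisted names it looked up, with lookup counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for client, _qtype, name in parse_queries(log_text):
        if is_blocked(name, blocklist):
            hits[client][name] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_hits(SAMPLE_LOG, BLOCKLIST).items()):
        print(client, names)
```

On a router the same parser can be fed from `logread -f`, but keep in mind the caveat in the post: clients using encrypted DNS to an outside resolver never appear in this log.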

I have installed snort and am running it in IDS mode. But I am not sure whether it is working properly. The log file gets created, but there is nothing in it. Will it log the events only if there is some malicious activity? How do I test it?

First of all it needs to see packets. If you're running it on the router and have a typical consumer router with a hardware switch, it will only see packets sent to the router for routing, not packets going through the hardware switch between LAN machines.

You should probably ask these kinds of questions on a forum specifically for the snort software where experts will tell you how it works.

Okay. Will try to look into a snort specific forum.