<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Botnet database, overzealous? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962586#M435697</link>
    <description>&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; We set up botnet filtering yesteray.&amp;nbsp; We have about 300 users behind the ASA-5510.&amp;nbsp; What a great tool!&amp;nbsp; But, the filter claims that we have about 70 "infected machines".&lt;/P&gt;&lt;P&gt;I investigated some of the IPs, like 173.194.79.99.&amp;nbsp; That IP belongs to Google and if you try http on that IP you get their search engine.&amp;nbsp; And every hit that we got was said to be "very high risk".&amp;nbsp; Many of the IPs that are in the database appear to innoculous.&amp;nbsp; So I'm wondering what's going on.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, we use DNS substitution.&amp;nbsp; When I enable DNS snooping, the substitution doesn't work, the query returns th outside IP.&amp;nbsp; I hava a SR open on this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Interested in comments,&lt;/P&gt;&lt;P&gt;-&lt;/P&gt;&lt;P&gt;RObert&lt;/P&gt;&lt;P&gt;﻿&lt;/P&gt;</description>
    <pubDate>Tue, 26 Mar 2019 00:48:42 GMT</pubDate>
    <dc:creator>Robert Zeff</dc:creator>
    <dc:date>2019-03-26T00:48:42Z</dc:date>
    <item>
      <title>Botnet database, overzealous?</title>
      <link>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962586#M435697</link>
      <description>&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; We set up botnet filtering yesteray.&amp;nbsp; We have about 300 users behind the ASA-5510.&amp;nbsp; What a great tool!&amp;nbsp; But, the filter claims that we have about 70 "infected machines".&lt;/P&gt;&lt;P&gt;I investigated some of the IPs, like 173.194.79.99.&amp;nbsp; That IP belongs to Google and if you try http on that IP you get their search engine.&amp;nbsp; And every hit that we got was said to be "very high risk".&amp;nbsp; Many of the IPs that are in the database appear to innoculous.&amp;nbsp; So I'm wondering what's going on.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, we use DNS substitution.&amp;nbsp; When I enable DNS snooping, the substitution doesn't work, the query returns th outside IP.&amp;nbsp; I hava a SR open on this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Interested in comments,&lt;/P&gt;&lt;P&gt;-&lt;/P&gt;&lt;P&gt;RObert&lt;/P&gt;&lt;P&gt;﻿&lt;/P&gt;</description>
      <pubDate>Tue, 26 Mar 2019 00:48:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962586#M435697</guid>
      <dc:creator>Robert Zeff</dc:creator>
      <dc:date>2019-03-26T00:48:42Z</dc:date>
    </item>
    <item>
      <title>Re: Botnet database, overzealous?</title>
      <link>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962587#M435698</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I set up the same thing last Thursday, and am seeing the same thing - connections to Google.com at &lt;/P&gt;&lt;P&gt;173.194.79.99 is logged as a malware site with a threat level of 'very-high'. &lt;/P&gt;&lt;P&gt;It's hard to appear credible to management if we're calling google a high threat.&lt;/P&gt;&lt;P&gt;--Scott&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 May 2012 21:10:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962587#M435698</guid>
      <dc:creator>scchesney</dc:creator>
      <dc:date>2012-05-29T21:10:59Z</dc:date>
    </item>
    <item>
      <title>Re: Botnet database, overzealous?</title>
      <link>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962588#M435699</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; We did a bit of sniffing and found tha the "infected" hosts we not actually infected,&amp;nbsp; Most often the user was visiting a compromised ecommerse site (usually built with an outdated version of Wordpress) and these site were redirecting to a malware site.&amp;nbsp; So the cases that we looked at, the user was not infected (yet)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is dropping about 1000 connections across 40 PCs per day.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have enabled automatic blacklisting and have not yet had any complaints.&lt;/P&gt;&lt;P&gt;-Robert&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 30 May 2012 13:39:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/botnet-database-overzealous/m-p/1962588#M435699</guid>
      <dc:creator>Robert Zeff</dc:creator>
      <dc:date>2012-05-30T13:39:09Z</dc:date>
    </item>
  </channel>
</rss>

