https://community.cisco.com/t5/network-security/botnet-information-center/m-p/1874142#M456600 <HTML><HEAD></HEAD><BODY><P>Typically you would go to Senderbase, which is the IronPort reputation database.&nbsp; </P><P></P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow: hidden;">209.53.113.221&amp;</DIV><P><A class="jive-link-external-small" href="http://www.senderbase.org/senderbase_queries/rep_lookup">http://www.senderbase.org/senderbase_queries/rep_lookup</A></P><P></P><P>That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experiences) completely hit-or-miss on whether a triggering IP address/domain name is in there or not.&nbsp; I wrote some scripts to test known-malicious domain names against BTF.&nbsp; Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.&nbsp; </P><P></P><P>You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <SITENAME>' command, where <SITENAME> is the domain name.&nbsp; Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.</SITENAME></SITENAME></P><P></P><P>A few other sites that can be helpful for correlation; there are plenty more out there:</P><P></P><P class="MsoPlainText"><A href="http://www.trustedsource.org/">http://www.trustedsource.org</A></P><P class="MsoPlainText"><A class="jive-link-external-small" href="http://hosts-file.net/default.asp?s=123.123.123.123">http://hosts-file.net/default.asp?s=123.123.123.123</A></P><P class="MsoPlainText"><A class="jive-link-external-small" href="http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123">http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123</A></P><P class="MsoPlainText"></P><P class="MsoPlainText">Good luck.</P></BODY></HTML> Wed, 18 Jan 2012 17:55:17 GMT clausonna 2012-01-18T17:55:17Z https://community.cisco.com/t5/network-security/botnet-information-center/m-p/1874141#M456599 <P>Hi, where can I verify the nature of botnet malware-sites informations ?</P><P></P><P>I'd like to detail the output of "show dynamic report top malware-sites" and I'm looking for a site where I can insert the IP (i.e. 209.53.113.221) and obtain detail, like malware that generates that traffic.</P><P></P><P>thanks</P><P></P><P>rs</P> Mon, 11 Mar 2019 22:15:34 GMT https://community.cisco.com/t5/network-security/botnet-information-center/m-p/1874141#M456599 r.spiandorello 2019-03-11T22:15:34Z https://community.cisco.com/t5/network-security/botnet-information-center/m-p/1874142#M456600 <HTML><HEAD></HEAD><BODY><P>Typically you would go to Senderbase, which is the IronPort reputation database.&nbsp; </P><P></P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow: hidden;">209.53.113.221&amp;</DIV><P><A class="jive-link-external-small" href="http://www.senderbase.org/senderbase_queries/rep_lookup">http://www.senderbase.org/senderbase_queries/rep_lookup</A></P><P></P><P>That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experiences) completely hit-or-miss on whether a triggering IP address/domain name is in there or not.&nbsp; I wrote some scripts to test known-malicious domain names against BTF.&nbsp; Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.&nbsp; </P><P></P><P>You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <SITENAME>' command, where <SITENAME> is the domain name.&nbsp; Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.</SITENAME></SITENAME></P><P></P><P>A few other sites that can be helpful for correlation; there are plenty more out there:</P><P></P><P class="MsoPlainText"><A href="http://www.trustedsource.org/">http://www.trustedsource.org</A></P><P class="MsoPlainText"><A class="jive-link-external-small" href="http://hosts-file.net/default.asp?s=123.123.123.123">http://hosts-file.net/default.asp?s=123.123.123.123</A></P><P class="MsoPlainText"><A class="jive-link-external-small" href="http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123">http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123</A></P><P class="MsoPlainText"></P><P class="MsoPlainText">Good luck.</P></BODY></HTML> Wed, 18 Jan 2012 17:55:17 GMT https://community.cisco.com/t5/network-security/botnet-information-center/m-p/1874142#M456600 clausonna 2012-01-18T17:55:17Z