02-21-2011 12:06 PM - edited 03-11-2019 12:53 PM
Hi,
We are running the botnet filter for a few of our clients and have it set to the recommended level of dropping moderate to very high threats.
One server was sending unsolicited packets to CHINANET Fujian province network, so we were concerned about that and fairly certain this server was infected. After performing complete, deep, heuristic scanning with a couple of products, we came up with nothing found on that server.
So my question is: is the scanning a false negative, or the botnet filter a false positive? Is the botnet filter reliable? How do we reconcile these results?
Our clients are wondering if they wasted their money on this.
02-21-2011 05:32 PM
Hi,
Please check questions inline:
Where did you see the logs?
It was a botnet filter log message?
Is the site blacklisted at this point?
What is that website?
What kind of packets is the server sending?
If the site is not malicious, it might be a false positive and in that case you should open a TAC service request.
Let me know.
Mike
02-22-2011 09:02 AM
Yes, it was a botnet filter log message. Port 53. See attached.
I saw the drops under the "infected hosts" page and then expanding the "+" under that host to show which addresses/sites had drops.
It was an IP address, not a DNS name. I don't know if it is blacklisted. How do I find out?
GeekTools Whois Proxy v5.0.5 Ready.
Checking access for 75.100.24.158... ok.
Final results obtained from whois.apnic.net.
Results:
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.85.0.0 - 218.86.127.255
netname: CHINANET-FJ
descr: CHINANET Fujian province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: CA67-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-FJ
changed: hostmaster@ns.chinanet.cn.net 20020422
status: ALLOCATED NON-PORTABLE
source: APNIC
role: CHINANETFJ IP ADMIN
address: 7,East Street,Fuzhou,Fujian,PRC
country: CN
phone: +86-591-83309761
fax-no: +86-591-83371954
e-mail: fjnic@fjdcb.fz.fj.cn
trouble: send spam reports and abuse reports
trouble: to abuse@fjdcb.fz.fj.cn
trouble: Please include detailed information and
trouble: times in UTC
admin-c: FH71-AP
tech-c: FH71-AP
nic-hdl: CA67-AP
remarks: www.fjtelecom.com
notify: fjnic@fjdcb.fz.fj.cn
mnt-by: MAINT-CHINANET-FJ
changed: fjnic@fjdcb.fz.fj.cn 20100108
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (75.100.24.158) has visited 1 times today.
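One way to triage hits like this one before deciding between "false positive" and "missed infection": a server is only expected to send UDP/53 to its configured resolvers, so a port-53 flow to some other address inside the flagged allocation is the case to escalate. The following is added example code, not part of the thread or any Cisco tool; the inetnum range comes from the whois output above, while the flows, the 218.85.44.7 destination and the resolver list are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: the range line from an APNIC-style record like the one
# pasted above, plus two flows as the "infected hosts" view would describe them.
WHOIS_TEXT = """\
inetnum: 218.85.0.0 - 218.86.127.255
netname: CHINANET-FJ
descr: CHINANET Fujian province network
"""
SAMPLE_FLOWS = [
    {"src": "192.168.10.20", "dst": "218.85.44.7", "proto": "udp", "dport": 53},
    {"src": "192.168.10.20", "dst": "192.168.10.2", "proto": "udp", "dport": 53},
]
# Resolvers the server should be using (constructed; read them from the host's
# DNS client settings when doing this for real).
CONFIGURED_RESOLVERS = {"192.168.10.2", "192.168.10.3"}

def parse_inetnum(whois_text):
    """Turn an APNIC 'inetnum: first - last' line into CIDR networks so any
    destination can be tested for membership in the flagged allocation."""
    m = re.search(r"inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", whois_text)
    if not m:
        raise ValueError("no inetnum line in whois output")
    first, last = (ipaddress.IPv4Address(a) for a in m.groups())
    return list(ipaddress.summarize_address_range(first, last))

def triage_flow(flow, whois_text, resolvers):
    """Classify one flagged flow: DNS to a known resolver is expected; DNS to
    an unknown host in the flagged range means either the resolver settings
    were changed or a process is doing its own lookups and needs a look."""
    dst = ipaddress.IPv4Address(flow["dst"])
    in_range = any(dst in net for net in parse_inetnum(whois_text))
    is_dns = flow["proto"] == "udp" and flow["dport"] == 53
    if is_dns and flow["dst"] in resolvers:
        verdict = "expected: DNS to configured resolver"
    elif is_dns and in_range:
        verdict = "escalate: DNS to unknown host in flagged range"
    elif in_range:
        verdict = "escalate: non-DNS traffic to flagged range"
    else:
        verdict = "review: destination not in flagged range"
    return {"dst": flow["dst"], "in_flagged_range": in_range, "verdict": verdict}

def triage_all(flows=SAMPLE_FLOWS, whois_text=WHOIS_TEXT, resolvers=CONFIGURED_RESOLVERS):
    return [triage_flow(f, whois_text, resolvers) for f in flows]

if __name__ == "__main__":
    for result in triage_all():
        print(result)
```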