Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1292
Views
0
Helpful
1
Replies

botnet information center

r.spiandorello
Level 1
Level 1

‎01-17-2012 06:08 AM - edited ‎03-11-2019 03:15 PM

Hi, where can I verify the nature of botnet malware-sites informations ?

I'd like to detail the output of "show dynamic report top malware-sites" and I'm looking for a site where I can insert the IP (i.e. 209.53.113.221) and obtain detail, like malware that generates that traffic.

thanks

rs

Labels:
0 Helpful
1 Reply 1

clausonna
Level 3
Level 3

‎01-18-2012 09:55 AM

Typically you would go to Senderbase, which is the IronPort reputation database. 

209.53.113.221&

http://www.senderbase.org/senderbase_queries/rep_lookup

That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experiences) completely hit-or-miss on whether a triggering IP address/domain name is in there or not.  I wrote some scripts to test known-malicious domain names against BTF.  Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them. 

You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find ' command, where is the domain name.  Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.

A few other sites that can be helpful for correlation; there are plenty more out there:

http://www.trustedsource.org

http://hosts-file.net/default.asp?s=123.123.123.123

http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123

Good luck.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card