Hi, where can I verify the nature of botnet malware-sites information?
I'd like to detail the output of "show dynamic report top malware-sites" and I'm looking for a site where I can insert the IP (e.g. 184.108.40.206) and obtain details, like the malware that generates that traffic.
That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experience) completely hit-or-miss on whether a triggering IP address/domain name is in there or not. I wrote some scripts to test known-malicious domain names against BTF. Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.
You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <name>' command, where <name> is the domain name. Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.
A few other sites that can be helpful for correlation; there are plenty more out there:
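The measurement described in the answer above (feed a list of known-bad domains through 'dynamic-filter database find' and count how many the BTF database actually contains), written out as an added example; this is not the poster's script. It assumes the command prints the matching entries followed by a summary line of the form "Found N matches" / "Found more than N matches, enter a more specific string to find an exact match", and that you supply a run_command callable bound to your own SSH session (netmiko or paramiko both work; the one included here is a constructed offline stand-in). Because 'find' is a substring search, the script only counts a hit when the exact domain is listed, not merely when the match count is non-zero.

```python
"""Measure how many known-bad domains the ASA Botnet Traffic Filter (BTF)
database contains, by running `dynamic-filter database find <domain>` for
each one and checking whether that exact domain comes back.

Example code added to the thread, not the poster's scripts. Everything
marked ASSUMPTION below is not confirmed by the thread.
"""
import re
from typing import Callable, Dict, Iterable, List

# ASSUMPTION: the command ends its output with a summary line such as
# "Found 1 matches" or "Found more than 2 matches, enter a more specific
# string to find an exact match"; the lines before it are the entries.
FOUND_RE = re.compile(r"^Found (?:more than )?\d+ match", re.IGNORECASE)


def load_domain_list(text: str) -> List[str]:
    """Parse a one-domain-per-line list, dropping blanks and '#' comments."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.append(line)
    return domains


def exact_match_in_output(output: str, domain: str) -> bool:
    """True only if `domain` itself appears as an entry line.

    `find` is a substring search: looking up 'example.net' can return
    'bad.example.net' and a non-zero count, which says nothing about
    whether example.net is in the database. Compare entries, not counts.
    """
    wanted = domain.strip().lower().rstrip(".")
    for line in output.splitlines():
        line = line.strip()
        if not line or FOUND_RE.match(line):
            continue
        if line.lower().rstrip(".") == wanted:
            return True
    return False


def btf_coverage(domains: Iterable[str],
                 run_command: Callable[[str], str]) -> Dict[str, object]:
    """Query each domain and return hit/miss lists plus the hit rate.

    `run_command` sends one CLI line to the ASA and returns its output;
    bind it to your own SSH session (e.g. a netmiko send_command wrapper).
    """
    hits, misses = [], []
    for d in domains:
        out = run_command(f"dynamic-filter database find {d}")
        (hits if exact_match_in_output(out, d) else misses).append(d)
    total = len(hits) + len(misses)
    return {"hits": hits, "misses": misses,
            "hit_rate": (len(hits) / total) if total else 0.0}


# --- constructed offline stand-in for a real ASA session -----------------
# ASSUMPTION: these outputs are made up for the example; they follow the
# summary-line shape assumed above, not captured ASA output.
FAKE_ASA_OUTPUT = {
    "dynamic-filter database find bad.example.com":
        "bad.example.com\nFound 1 matches\n",
    "dynamic-filter database find unknown.example.org":
        "Found 0 matches\n",
    "dynamic-filter database find example.net":
        "bad.example.net\nworse.example.net\n"
        "Found more than 2 matches, enter a more specific string to find an exact match\n",
    "dynamic-filter database find malware.example.com":
        "malware.example.com\nFound 1 matches\n",
}


def fake_run_command(cmd: str) -> str:
    return FAKE_ASA_OUTPUT.get(cmd, "Found 0 matches\n")


SAMPLE_LIST = """# constructed sample list, not from malwaredomainlist.com
bad.example.com
unknown.example.org
example.net
Malware.Example.COM
"""


def demo() -> Dict[str, object]:
    return btf_coverage(load_domain_list(SAMPLE_LIST), fake_run_command)


if __name__ == "__main__":
    r = demo()
    total = len(r["hits"]) + len(r["misses"])
    print(f"{len(r['hits'])}/{total} domains in BTF ({r['hit_rate']:.0%})")
    for d in r["misses"]:
        print("MISS", d)
```

On the constructed list this reports 2/4 in BTF: example.net is a miss even though the ASA returns two substring matches for it, which is the case a naive "Found N matches" check gets wrong. Against a real feed such as the malwaredomainlist.com export you would swap fake_run_command for a function that runs the command over SSH and returns the raw text.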