botnet information center

r.spiandorello
Beginner

Hi, where can I verify the nature of botnet malware-site information?

I'd like to detail the output of "show dynamic report top malware-sites" and I'm looking for a site where I can insert the IP (i.e. 209.53.113.221) and obtain detail, like malware that generates that traffic.

thanks

rs


clausonna
Participant

Typically you would go to Senderbase, which is the IronPort reputation database.

209.53.113.221&

http://www.senderbase.org/senderbase_queries/rep_lookup

That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experience) completely hit-or-miss on whether a triggering IP address/domain name is in there or not. I wrote some scripts to test known-malicious domain names against BTF. Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.

You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <domain>' command, where <domain> is the domain name. Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.

A few other sites that can be helpful for correlation; there are plenty more out there:

http://www.trustedsource.org

http://hosts-file.net/default.asp?s=123.123.123.123

http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123

Good luck.
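The coverage test described in the answer above (feed a public blocklist through `dynamic-filter database find` and count how many entries BTF actually knows about) can be scripted. The following is an added example, not the scripts clausonna mentions and not Cisco code: it parses a hosts-file style list such as malwaredomainlist.com publishes, normalises and de-duplicates the domains, emits the ASA lookup commands, and then computes the hit ratio from the set of domains the ASA reported as found. The blocklist text and the BTF results are constructed sample data; how you collect the ASA output (console paste, expect script) is left to you.

```python
"""Measure how much of a known-malicious domain list a BTF database covers.

Added example; the sample blocklist and BTF results below are constructed,
not real indicators and not output from any ASA.
"""
import re

# Constructed sample in the hosts-file format used by malwaredomainlist.com.
SAMPLE_BLOCKLIST = """\
# constructed sample list, not real indicators
127.0.0.1  bad-one.example
127.0.0.1  WWW.Bad-Two.example      # mixed case and www prefix
127.0.0.1  bad-three.example.       # trailing dot
127.0.0.1  bad-one.example          # duplicate entry
0.0.0.0    localhost
"""

# Constructed: the domains the ASA reported as present in its BTF database.
SAMPLE_BTF_HITS = {"Bad-Two.example."}

# "<ip> <hostname>" with optional leading whitespace; comments are stripped first.
HOSTS_LINE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s+(\S+)")


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so lists compare cleanly."""
    domain = domain.lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain


def parse_hosts_list(text: str) -> list[str]:
    """Return the de-duplicated, normalised domains from hosts-file text (order kept)."""
    domains: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip inline and full-line comments
        match = HOSTS_LINE.match(line)
        if not match:
            continue
        domain = normalise(match.group(1))
        if domain == "localhost" or domain in domains:
            continue
        domains.append(domain)
    return domains


def asa_find_commands(domains: list[str]) -> list[str]:
    """One 'dynamic-filter database find' command per domain, ready to paste into the ASA."""
    return [f"dynamic-filter database find {d}" for d in domains]


def btf_coverage(domains: list[str], btf_hits: set[str]) -> dict:
    """Split the list into BTF-known and BTF-unknown domains and report the hit ratio."""
    known = {normalise(d) for d in btf_hits}
    covered = [d for d in domains if d in known]
    missed = [d for d in domains if d not in known]
    ratio = len(covered) / len(domains) if domains else 0.0
    return {"covered": covered, "missed": missed, "ratio": ratio}


if __name__ == "__main__":
    domains = parse_hosts_list(SAMPLE_BLOCKLIST)
    print("\n".join(asa_find_commands(domains)))
    result = btf_coverage(domains, SAMPLE_BTF_HITS)
    print(f"BTF coverage: {result['ratio']:.0%} ({len(result['covered'])}/{len(domains)})")
    print("not in BTF:", ", ".join(result["missed"]))
```

The normalisation step matters for the comparison: blocklists mix case, trailing dots and `www.` prefixes, and without it the same host can be counted as both "in the list" and "missed by BTF". The `missed` list is the useful output for a defender, since those are the domains you would need another control (DNS sinkhole, proxy blocklist) to catch.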
