Hi, where can I verify the nature of the information on botnet malware sites?
I'd like to detail the output of "show dynamic report top malware-sites", and I'm looking for a site where I can enter an IP (e.g. 126.96.36.199) and obtain details, like the malware that generates that traffic.
That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experience) completely hit-or-miss on whether a triggering IP address/domain name is in there or not. I wrote some scripts to test known-malicious domain names against BTF. Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.
You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <domain>' command, where <domain> is the domain name. Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.
A few other sites that can be helpful for correlation; there are plenty more out there:
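As an added example (not code from the reply above or from Cisco), here is the shape of the coverage test the reply describes: take a public list of malicious entries, reduce each to a bare hostname, emit one `dynamic-filter database find` command per name, and compute what fraction BTF knows about. It assumes the input list is free text with one entry per line that may be a hostname or a full URL (the lists named above mix both), and it does not parse the ASA's reply, whose exact text is not shown on this page; the caller supplies a function that says whether a given name was reported as listed. The sample list and the set of "listed" names are constructed stand-ins.

```python
"""Coverage test for the ASA Botnet Traffic Filter (BTF) against a list of
known-malicious hosts. Added example, not from the thread.

Assumptions (not from the page): input entries are hostnames or URLs, one
per line; the ASA is queried with `dynamic-filter database find <domain>`;
judging a reply as a hit is left to a caller-supplied predicate.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_DEFANGED = re.compile(r"^hxxps?://", re.I)


def normalize_host(entry: str) -> Optional[str]:
    """Reduce one list entry to a lowercase hostname.

    Returns None for blank lines, comments and bare IP addresses: the
    `find` command is fed domain names, so IPs have to be tested another way.
    """
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # Shared lists often defang URLs as hxxp://; undo that first.
    entry = _DEFANGED.sub(lambda m: m.group(0).replace("xx", "tt"), entry)
    if not _SCHEME.match(entry):
        entry = "http://" + entry  # give urlsplit a scheme so it finds the host
    host = urlsplit(entry).hostname  # already lowercased by urlsplit
    if not host:
        return None
    host = host.rstrip(".")  # "evil.example.com." and "evil.example.com" are one name
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host


def unique_hosts(lines: Iterable[str]) -> List[str]:
    """Normalized, de-duplicated hostnames in first-seen order."""
    seen: Dict[str, None] = {}
    for line in lines:
        host = normalize_host(line)
        if host and host not in seen:
            seen[host] = None
    return list(seen)


def find_commands(hosts: Iterable[str]) -> List[str]:
    """One ASA CLI command per hostname, ready to paste or script over SSH."""
    return [f"dynamic-filter database find {h}" for h in hosts]


def coverage(hosts: List[str], is_listed: Callable[[str], bool]) -> Dict[str, float]:
    """Share of tested names that BTF reported as listed."""
    hits = [h for h in hosts if is_listed(h)]
    pct = 100.0 * len(hits) / len(hosts) if hosts else 0.0
    return {"tested": len(hosts), "hits": len(hits), "percent": round(pct, 1)}


# Constructed sample list (not a real blocklist).
SAMPLE_LIST = """
# constructed sample
hxxp://Evil.Example.COM:8080/dropper.exe
c2.example.net
c2.example.net.
192.0.2.10
http://tracker.example.org/gate.php
"""

# Constructed stand-in for "names the ASA reported as found"; in practice
# you run find_commands() on the box and fill this from the replies.
SAMPLE_LISTED = {"c2.example.net"}


def sample_run() -> Tuple[List[str], Dict[str, float]]:
    hosts = unique_hosts(SAMPLE_LIST.splitlines())
    return hosts, coverage(hosts, SAMPLE_LISTED.__contains__)


if __name__ == "__main__":
    hosts, result = sample_run()
    print("\n".join(find_commands(hosts)))
    print(result)
```

Normalizing before querying matters: a list that repeats the same host with and without a path, port or trailing dot would otherwise inflate both the tested count and the miss rate.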