
botnet information center

Hi, where can I verify the nature of botnet malware-site information?

I'd like to detail the output of "show dynamic report top malware-sites" and I'm looking for a site where I can insert the IP (i.e. 209.53.113.221) and obtain details, like the malware that generates that traffic.

thanks

rs

1 REPLY
Re: botnet information center

Typically you would go to Senderbase, which is the IronPort reputation database. 

209.53.113.221

http://www.senderbase.org/senderbase_queries/rep_lookup

That said, the BTF (Botnet Traffic Filter) database is supposedly a subset of that database, and (in my experience) completely hit-or-miss on whether a triggering IP address/domain name is in there or not.  I wrote some scripts to test known-malicious domain names against BTF.  Out of over 15,000 malicious/suspicious domains, BTF only triggered on about 10% of them.

You can test for yourself by logging into the ASA and issuing the 'dynamic-filter database find <domain>' command, where <domain> is the domain name.  Sites like malwaredomainlist.com and malwaredomains.com are good sources for lists.

A few other sites that can be helpful for correlation; there are plenty more out there:

http://www.trustedsource.org

http://hosts-file.net/default.asp?s=123.123.123.123

http://www.google.com/safebrowsing/diagnostic?site=123.123.123.123

Good luck.
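A script in the spirit of the coverage test described in the reply above, added here as an example (it is not the poster's own script): it normalizes blocklist entries of the kinds those list sites publish (bare domains, full URLs, hosts-file lines, mixed case, trailing dots, ports), queries each unique domain through a lookup callable, and reports the hit rate. The `stub_btf_lookup` function and `SAMPLE_LIST` are constructed stand-ins; in real use the lookup would run `dynamic-filter database find <domain>` on the ASA over SSH and parse the result, which this example assumes rather than implements.

```python
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

def normalize_domain(entry: str) -> Optional[str]:
    """Turn one blocklist line into a bare lowercase hostname, or None to skip it."""
    line = entry.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    # hosts-file style: "127.0.0.1 bad.example.com  # optional comment"
    if parts[0] in ("127.0.0.1", "0.0.0.0") and len(parts) >= 2:
        line = parts[1]
    else:
        line = parts[0]
    if "://" not in line:
        line = "http://" + line          # let urlsplit handle "host:port/path"
    host = urlsplit(line).hostname       # lowercases, drops port/path/userinfo
    if not host:
        return None
    return host.rstrip(".")              # "example.com." -> "example.com"

def coverage(entries: Iterable[str], lookup: Callable[[str], bool]) -> Dict[str, object]:
    """Query every unique normalized domain and summarize how many the database knows."""
    unique: List[str] = sorted({d for d in map(normalize_domain, entries) if d})
    hits = [d for d in unique if lookup(d)]
    hit_set = set(hits)
    misses = [d for d in unique if d not in hit_set]
    rate = len(hits) / len(unique) if unique else 0.0
    return {"total": len(unique), "hits": len(hits), "rate": rate, "misses": misses}

# Constructed stand-in for the ASA database: a set of domains it "knows".
_STUB_DB = {"bad.example.com", "evil.example.net"}

def stub_btf_lookup(domain: str) -> bool:
    """Constructed replacement for 'dynamic-filter database find <domain>' (exact match assumed)."""
    return domain in _STUB_DB

# Constructed sample list in the mixed formats blocklist sites publish; not real indicators.
SAMPLE_LIST = """# constructed sample
bad.example.com
http://evil.example.net/path/dropper.exe
127.0.0.1 tracker.example.org
Bad.Example.COM.
c2.example.invalid:8080
"""

if __name__ == "__main__":
    result = coverage(SAMPLE_LIST.splitlines(), stub_btf_lookup)
    print(f"{result['hits']}/{result['total']} covered ({result['rate']:.0%}); missing: {result['misses']}")
```

Swapping `stub_btf_lookup` for a function that runs the ASA command gives the same hit-rate measurement the reply describes, with duplicates and formatting differences in the source list already removed.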
