Botnet and Threatlist Activity Monitoring

by Ron Gula
June 17, 2011

[Figure: Threatlist-trend]

This dashboard tracks inbound and outbound network activity associated with the command and control of botnets.

The Log Correlation Engine is constantly updated with highly accurate lists of Internet sites and systems that are participating in major botnets such as Zeus. As the LCE processes logs from netflow, firewalls, real-time file sharing from the Passive Vulnerability Scanner and other forms of network connections, it inspects the IP addresses involved with these sessions and alerts if one of them is on a known botnet list.

The LCE is also updated with a list of URLs associated with botnet propagation. As network users surf the Internet, the PVS observes web traffic and sends a log of each web request to the LCE. These logs contain URLs and the LCE compares them against a list of hostile botnet URLs.

The combination of monitoring logs and network traffic for both IP addresses and URLs associated with botnets offers multiple chances to detect a botnet infection on your network.

The LCE normalizes all events associated with botnet activity with an event type of "threatlist".
This dashboard has several components:

  • a trend line of all inbound and outbound threatlist activity
  • a summary of ports associated with inbound threatlist activity
  • a summary of ports associated with outbound threatlist activity
  • a list of all IP addresses involved with the botnet activity
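The matching and normalization described above, as an added illustration that is not Tenable's LCE code: constructed key=value log lines (netflow, firewall and PVS web requests) are checked against constructed IP and URL threatlists, matches are normalized to a "threatlist" event with a direction, and the four dashboard components are built from those events. The log format, list contents and internal address range are assumptions for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed threatlists (documentation ranges and reserved names, placeholders only).
THREAT_IPS = {"203.0.113.10", "198.51.100.77"}
THREAT_URL_HOSTS = {"c2.example", "dropper.example"}
INTERNAL = ip_network("192.168.0.0/16")   # assumed internal range

# Constructed sample logs in a simple key=value form (not LCE's real format).
SAMPLE_LOGS = [
    "ts=2011-06-17T10:05 src=192.168.1.5 sport=50123 dst=203.0.113.10 dport=443",
    "ts=2011-06-17T10:07 src=198.51.100.77 sport=4444 dst=192.168.1.20 dport=22",
    "ts=2011-06-17T10:09 src=192.168.1.9 sport=50222 dst=192.0.2.1 dport=53",
    "ts=2011-06-17T11:02 src=192.168.1.5 url=http://c2.example/gate.php",
    "ts=2011-06-17T11:04 src=192.168.1.7 url=http://www.example.org/",
]

def parse(line):
    return dict(field.split("=", 1) for field in line.split())

def normalize(rec):
    """Return a normalized 'threatlist' event if the record hits a list, else None."""
    src = rec["src"]
    if "url" in rec:                      # PVS web request log: match the URL's host
        u = urlparse(rec["url"])
        if u.hostname not in THREAT_URL_HOSTS:
            return None
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"type": "threatlist", "direction": "outbound", "ts": rec["ts"],
                "src": src, "host": u.hostname, "port": port}
    dst = rec["dst"]                      # netflow/firewall log: match either IP
    if dst in THREAT_IPS and ip_address(src) in INTERNAL:
        direction = "outbound"
    elif src in THREAT_IPS and ip_address(dst) in INTERNAL:
        direction = "inbound"
    else:
        return None
    return {"type": "threatlist", "direction": direction, "ts": rec["ts"],
            "src": src, "dst": dst, "port": int(rec["dport"])}

def dashboard(lines):
    """Build the four dashboard components from raw log lines."""
    events = [e for e in map(normalize, map(parse, lines)) if e]
    return {
        "trend": Counter(e["ts"][:13] for e in events),   # threatlist events per hour
        "inbound_ports": Counter(e["port"] for e in events if e["direction"] == "inbound"),
        "outbound_ports": Counter(e["port"] for e in events if e["direction"] == "outbound"),
        "addresses": sorted({e["src"] for e in events} | {e["dst"] for e in events if "dst" in e}),
    }

if __name__ == "__main__":
    for name, value in dashboard(SAMPLE_LOGS).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```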