[Snort-users] Need help to detect BOTNET-CNC Palevo bot DNS attack
babudheen at ...5176...
Sun Dec 11 02:23:03 EST 2011
We are using Astaro Firewall with IPS in pass through mode for last one year. We have been noticing many number of "BOTNET-CNC Palevo bot DNS request for C&C attempt" attack showing in IPS summery report wherein source address and destination address showing only DNS server which source address is my company internal DNS server and destination is ISP DNS server.
We would like to find out the botnet infected clients which this IPS report shows. To help on this, we would like to know from which central URLs snort is downloading malware domains in its database so that we can refer the common URL against the DNS logs and find out the infected clients list.
I need your valuable help and guidelines on this.
Note: As you know, Astaro firewall is using Snort signature for IPS functionality.
BOTNET-CNC Palevo bot DNS
request for C&C attempt
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users