[Snort-users] Need help to detect BOTNET-CNC Palevo bot DNS attack

babu dheen babudheen at ...5176...
Sun Dec 11 02:23:03 EST 2011


Dear,
 
 We have been using the Astaro firewall with IPS in pass-through mode for the last year. We have been noticing a large number of "BOTNET-CNC Palevo bot DNS request for C&C attempt" attacks in the IPS summary report, where the source and destination addresses show only DNS servers: the source address is my company's internal DNS server and the destination is the ISP's DNS server.
 
We would like to find out the botnet-infected clients that this IPS report refers to. To help with this, we would like to know from which central URLs Snort downloads the malware domains in its database, so that we can check the common URL against the DNS logs and find the list of infected clients.
 
I need your valuable help and guidelines on this.
 
Note: As you know, the Astaro firewall uses Snort signatures for its IPS functionality.
 

Rule ID   Rule Name                                           Group    Events
16297     BOTNET-CNC Palevo bot DNS request for C&C attempt   Server   1018
 
 
Regards
Babu
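The alert shows only resolver-to-resolver traffic because the internal DNS server forwards the clients' queries, so the original client IP is only visible in that server's own query log. The script below is an added example (not from the original post or from Snort/Astaro): it reads BIND-style query log lines and reports which internal clients queried a watched domain or any of its subdomains, assuming the watched names are taken from the matching rule's content fields; the log lines, client IPs and domain names here are constructed placeholders, not real Palevo indicators.

```python
import re
from collections import defaultdict

# Constructed BIND-9-style query log lines from an internal resolver.
# Client IPs and domain names are placeholders, not real indicators.
SAMPLE_QUERY_LOG = """\
11-Dec-2011 02:10:01.123 client 10.0.5.21#51234: query: www.example.com IN A + (10.0.0.2)
11-Dec-2011 02:10:02.456 client 10.0.5.77#40211: query: cnc-placeholder.example.net IN A + (10.0.0.2)
11-Dec-2011 02:10:03.789 client 10.0.5.77#40212: query: mail.example.org IN MX + (10.0.0.2)
11-Dec-2011 02:10:04.001 client 10.0.5.103#33001: query: Sub.CNC-Placeholder.example.net. IN A + (10.0.0.2)
11-Dec-2011 02:10:05.002 client 10.0.5.21#51235: query: other-cnc.example.invalid IN A + (10.0.0.2)
"""

# Constructed watch list standing in for the domain names a rule matches on.
WATCHLIST = {"cnc-placeholder.example.net", "other-cnc.example.invalid"}

# Extract client IP, queried name and query type from one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def matches_watchlist(qname, watchlist):
    """True if qname equals a watched domain or is a subdomain of one."""
    q = normalize(qname)
    return any(q == normalize(d) or q.endswith("." + normalize(d)) for d in watchlist)


def find_infected_clients(log_text, watchlist):
    """Map each client IP to the sorted list of watched names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_watchlist(m.group("qname"), watchlist):
            hits[m.group("ip")].add(normalize(m.group("qname")))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(find_infected_clients(SAMPLE_QUERY_LOG, WATCHLIST).items()):
        print(ip, ", ".join(names))
```

Pointing the script at the resolver's real query log and the names from the rule that fired gives the per-client list the IPS summary cannot show.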