cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Venon
Level 7
Report Inappropriate Content
Message 1 of 2

BotNets and C&C correlation rule

Hi Gents

I would like to create a correlation rule based on firewall logs which will detect successful communication towards Botnet C&C IPs. My idea is to create dynamic watchlist which will be populated with malicious destination IPs and use it within the rule. 

Is anybody aware of a site that has a somewhat up-to-date mapping of botnets and any IPs that are known to belong to them?

Many thanks

1 Reply
brenta Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: BotNets and C&C correlation rule

If you subscribe to GTI, the malicious list contains mostly very poor reputation servers, and would be a viable to use for this case. 

If you don't have a subscription to GTI and don't plan on getting one, checkout FireHol (http://iplists.firehol.org/), they have a very good list of IPs, of various types.

Also remember C&Cs are not just using IP communication, now a days, they typically try to tunnel information through DNS servers.

Brent
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community