3 Replies Latest reply on Apr 23, 2015 8:39 AM by lubomir.cerny

    Alerts in NSP

    smalldog

Hi all, I have some alerts BOT:... but they show outbound direction with an external source IP and an internal destination IP (see attached file). I think with outbound direction there must be an internal source IP? Could you explain this for me? Thanks!

        • 1. Re: Alerts in NSP

This is covered in the NSP FAQ in the KB: http://kc.mcafee.com/corporate/index?page=content&id=KB75269

Bot attacks use a different logic than 'source and destination' when being displayed.

          How are botnet attacks displayed in the Threat Analyzer?
          When traffic is encountered the addresses are looked up against the botnet DAT file to determine if an IP or domain name is a known botnet address.
          If the data is matched, an alert will be triggered and the Command and control (C&C) IP or domain will be marked as an attacker. The attacker address will be put in the source IP column within the threat analyzer. The address of the host that is connecting to the Command and Control address will be labeled as a victim. The victim will appear in the destination IP column in the threat analyzer.
          The direction of the flow is based on who initiated the connection and will indicate whether the initiating flow was inbound or outbound.
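As an added illustration of the labeling rule above (example code, not McAfee/NSP code): the C&C address lands in the source column as the attacker, the host talking to it lands in the destination column as the victim, and direction follows who initiated. The indicator set, internal ranges and flows are constructed sample data; the real botnet DAT format is not shown on this page.

```python
# Added example (not McAfee/NSP code): models how the Threat Analyzer labels a
# botnet alert so an analyst can recover the internal victim from an alert
# whose source IP is external. Indicators and flows are constructed samples.
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for botnet DAT entries (IPs or domain names).
BOTNET_INDICATORS = {"198.51.100.23", "c2.example-bad.test"}

# Constructed internal address space for the direction decision.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    """True if addr is an IP inside INTERNAL_NETS; domain names are never internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    initiator: str   # address that opened the connection
    responder: str   # address that accepted it


@dataclass
class BotAlert:
    source: str       # "source IP" column = attacker (the C&C address)
    destination: str  # "destination IP" column = victim
    direction: str    # "outbound" if an internal host initiated, else "inbound"


def classify(flow):
    """Return a BotAlert if either endpoint matches an indicator, else None."""
    if flow.initiator in BOTNET_INDICATORS:
        cc, victim = flow.initiator, flow.responder
    elif flow.responder in BOTNET_INDICATORS:
        cc, victim = flow.responder, flow.initiator
    else:
        return None
    direction = "outbound" if is_internal(flow.initiator) else "inbound"
    return BotAlert(source=cc, destination=victim, direction=direction)


def host_to_triage(alert):
    """The machine to investigate is the destination column, not the source."""
    return alert.destination
```

Running classify on an internal host beaconing out to 198.51.100.23 yields source=198.51.100.23, destination=the internal host, direction=outbound, which is exactly the pattern the original question describes.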

          • 2. Re: Alerts in NSP
            smalldog

            Thanks Gfergus1!

            • 3. Re: Alerts in NSP
              lubomir.cerny

              Hi gfergus1.

Is there any way to browse/verify the botnet DAT file content? I.e., to check if a specific IP/domain is listed in the current botnet DAT file?

I got a list of Sednit C&C IPs and domains from our HQ to verify whether NSM blocks these domains.

              thx.

              Lubomir