This is covered in the NSP FAQ in the KB: http://kc.mcafee.com/corporate/index?page=content&id=KB75269
Bot attacks use different logic from the usual 'source and destination' logic when they are displayed.
How are botnet attacks displayed in the Threat Analyzer?
When traffic is encountered, the addresses are looked up against the botnet DAT file to determine whether an IP or domain name is a known botnet address.
If the data is matched, an alert is triggered and the command-and-control (C&C) IP or domain is marked as the attacker. The attacker address is placed in the Source IP column in the Threat Analyzer. The address of the host that is connecting to the C&C address is labeled as the victim, and the victim appears in the Destination IP column in the Threat Analyzer.
The direction of the flow is based on which side initiated the connection, and it indicates whether the initiating flow was inbound or outbound.
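The attacker/victim labelling above is easy to misread in the Threat Analyzer, because an infected host that beacons out to a C&C server shows up in the Destination IP column even though it opened the connection. The following Python is an added illustration of that labelling rule, not code from McAfee, the KB article or the NSP product. It assumes a simplified botnet DAT represented as two Python sets (the real DAT format is not documented on this page), uses RFC 5737 / RFC 2606 documentation addresses as constructed sample indicators, and assumes a hypothetical protected range 10.0.0.0/8 purely to derive inbound versus outbound from the initiator.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-in for the botnet DAT: known C&C IPs and domains.
# Documentation-only addresses (RFC 5737 / RFC 2606), not real indicators.
BOTNET_DAT = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "domains": {"cc.example.net"},
}

# Assumed protected (internal) range; used only to derive Inbound/Outbound.
PROTECTED_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    initiator: str                # client side: the IP that opened the connection
    responder: str                # server side: the IP that accepted it
    domain: Optional[str] = None  # hostname the initiator contacted, if known


@dataclass(frozen=True)
class Alert:
    attacker: str   # what the Threat Analyzer shows in the Source IP column
    victim: str     # what it shows in the Destination IP column
    direction: str  # "Inbound" or "Outbound", derived from who initiated
    matched: str    # the DAT entry that fired


def normalise_domain(name: str) -> str:
    """Lower-case and strip a trailing dot so 'CC.example.net.' matches the DAT."""
    return name.strip().lower().rstrip(".")


def match_dat(flow: Flow, dat=BOTNET_DAT) -> Optional[Tuple[str, str]]:
    """Return (dat_entry, cc_ip) if either endpoint or the contacted domain is listed."""
    for addr in (flow.initiator, flow.responder):
        if addr in dat["ips"]:
            return addr, addr
    if flow.domain and normalise_domain(flow.domain) in dat["domains"]:
        # A domain match names the host being contacted, i.e. the responder.
        return normalise_domain(flow.domain), flow.responder
    return None


def classify(flow: Flow, dat=BOTNET_DAT, protected=PROTECTED_NET) -> Optional[Alert]:
    """Apply the KB rule: C&C side is always the attacker/source, the other side the victim."""
    hit = match_dat(flow, dat)
    if hit is None:
        return None  # no alert: nothing in this flow is a known botnet address
    entry, cc_ip = hit
    victim = flow.responder if cc_ip == flow.initiator else flow.initiator
    # Direction follows the initiator, independent of the attacker/victim labels.
    direction = "Outbound" if ip_address(flow.initiator) in protected else "Inbound"
    return Alert(attacker=cc_ip, victim=victim, direction=direction, matched=entry)


if __name__ == "__main__":
    # Constructed sample flows: an outbound beacon, an outbound contact by domain,
    # an inbound connection from a listed C&C, and a benign flow.
    samples = [
        Flow(initiator="10.1.2.3", responder="203.0.113.45"),
        Flow(initiator="10.1.2.4", responder="192.0.2.10", domain="CC.example.net."),
        Flow(initiator="198.51.100.7", responder="10.1.2.5"),
        Flow(initiator="10.1.2.6", responder="192.0.2.20", domain="www.example.com"),
    ]
    for f in samples:
        print(f, "->", classify(f))
```

Note that in the beacon case the internal host 10.1.2.3 initiated the connection, yet it lands in the victim (Destination IP) column with direction Outbound; only the direction field tells you who actually opened the session.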
Is there any way to browse/verify the botnet DAT file content? I.e., to check whether a specific IP/domain is listed in the current botnet DAT file?
I got a list of Sednit C&C IPs and domains from our HQ to verify whether NSM blocks these domains.