topic Re: botnet in General Topics

botnet

simsim — Sun, 16 Apr 2017 20:01:58 GMT

Hi,

If someone running a botnet inside local network ,is there a way to get an alert like siem, from reports ,from live stattistics ?

what are the steps to identify these kind of traffic ?

Finally how to block them when threshold reaches ?

Thanks

Re: botnet

reaper — Tue, 18 Apr 2017 14:11:13 GMT

A botnet can be detected using 2 methods:

-either it's a 'known' botnet (either signatures exist or heuristics engine can pick it up) and any outgoing traffic will be picked up and reported in your threat log, for which there are built in reports and you can create custom scheduled reports

-if the infection is unknown or is extremely sneaky (dorment/sleeper agents) the botnet report can help pick up infected hosts from 'suspicious' behavior (the botnet report can also be added to a scheduled report group)

Re: botnet

jsalmans — Tue, 18 Apr 2017 15:40:52 GMT

@reaper I just noticed that monitor option is missing from Panorama... is it just moved somewhere or is that not yet available?

Re: botnet

reaper — Tue, 18 Apr 2017 16:10:18 GMT

The botnet reports are only available on the firewall

Re: botnet

jsalmans — Tue, 18 Apr 2017 16:12:37 GMT

Thanks @reaper, I might reach out to our sales people to ask about this as a feature request for a future version of Panorama.

Re: botnet

simsim — Sun, 23 Apr 2017 14:29:39 GMT

Thanks reaper,

I had botnet in my network , and caused dataplace cpu hog ,

To avoid these kind of situation what we need to do ?

Thanks

Re: botnet

reaper — Mon, 24 Apr 2017 07:57:33 GMT

you can add the botnet report to a scheduled report group so you receive daily or weekly emails containing useful information regarding the overall health of your network

if you get a report containing botnet behavior you can then investigate the host that was acting suspiciously

to really avoid botnets from creeping into your network, you need to button down security by also securing the endpoints with something like Traps, adding Global Protect with HIP checks etc.

Re: botnet

simsim — Tue, 25 Apr 2017 06:22:53 GMT

Hi,
Let's say a bot sending heavily from the inside network ,How the system statics can help to figure out ?
Second thing ,Before we noticing the report ,How can we protect bot bringing down the pa?
Thanks

Re: botnet

reaper — Tue, 25 Apr 2017 08:13:58 GMT

ok so if we ignore the 'botnet' for a second: if the traffic being generated by the inside infected hosts is so severe it brings down your firewall, this will show up in the ACC and system dashboard

To protect the firewall from this you can set up zone protection profiles (here's a video on how to set these up: video tutorial : Zone protection profiles)

once zone protection is set up, you could create a log forwarding profile to send out emails on any critical system event

Zone Protection Recommendations