04-16-2017 01:01 PM
Hi,
If someone is running a botnet inside the local network, is there a way to get an alert, like a SIEM, from reports or from live statistics?
What are the steps to identify this kind of traffic?
Finally, how do we block them when a threshold is reached?
Thanks
04-18-2017 07:11 AM
A botnet can be detected using 2 methods:
- either it's a 'known' botnet (either signatures exist or the heuristics engine can pick it up), and any outgoing traffic will be picked up and reported in your threat log, for which there are built-in reports, and you can create custom scheduled reports
- if the infection is unknown or is extremely sneaky (dormant/sleeper agents), the botnet report can help pick up infected hosts from 'suspicious' behavior (the botnet report can also be added to a scheduled report group)
04-18-2017 08:40 AM
@reaper I just noticed that the monitor option is missing from Panorama... has it just moved somewhere, or is it not yet available?
04-18-2017 09:10 AM
04-18-2017 09:12 AM
Thanks @reaper, I might reach out to our sales people to ask about this as a feature request for a future version of Panorama.
04-23-2017 07:29 AM
Thanks reaper,
I had a botnet in my network, and it caused a dataplane CPU hog.
To avoid this kind of situation, what do we need to do?
Thanks
04-24-2017 12:57 AM
You can add the botnet report to a scheduled report group so you receive daily or weekly emails containing useful information regarding the overall health of your network.
If you get a report containing botnet behavior, you can then investigate the host that was acting suspiciously.
To really stop botnets from creeping into your network, you need to button down security by also securing the endpoints with something like Traps, adding GlobalProtect with HIP checks, etc.
04-24-2017 11:22 PM
Hi,
Let's say a bot is sending heavily from the inside network. How can the system statistics help to figure this out?
Second thing: before we notice the report, how can we protect against the bot bringing down the PA?
Thanks
04-25-2017 01:13 AM
OK, so if we ignore the 'botnet' for a second: if the traffic being generated by the inside infected hosts is so severe that it brings down your firewall, this will show up in the ACC and the system dashboard.
To protect the firewall from this you can set up zone protection profiles (here's a video on how to set these up: video tutorial: Zone Protection Profiles).
Once zone protection is set up, you could create a log forwarding profile to send out emails on any critical system event.
Zone Protection Recommendations
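As an added example (not part of the thread and not Palo Alto Networks code), here is the threshold logic the original question and the replies above describe, written out in Python: count what each inside host does per one-minute window, flag hosts that exceed a session-rate or destination fan-out limit, and emit the result in a form a deny rule can consume. The CSV columns, the thresholds and the sample addresses are assumptions constructed for the example and are not the real PAN-OS traffic-log export layout; the only real PAN-OS convention used is that an IP-type External Dynamic List is fetched as plain text with one address per line, so a security policy rule that references the EDL can block whatever this script writes into it.

```python
"""
Threshold-based detection of a "chatty" internal host in firewall traffic logs,
plus an External Dynamic List (EDL) style block list built from the result.

Added example, not Palo Alto Networks code. The CSV layout used here
(time,src,dst,dport,proto,bytes_sent) is a constructed simplification, not
the real PAN-OS traffic-log export format; the thresholds are assumed values.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for one-minute windows; tune to the network's own baseline.
MAX_SESSIONS_PER_MIN = 50
MAX_DISTINCT_DST_PER_MIN = 20


def build_sample_log():
    """Constructed sample: 10.0.0.5 opens 60 sessions to 60 hosts in one minute
    (bot-like fan-out); 10.0.0.9 opens five sessions to one host (normal)."""
    start = datetime(2017, 4, 24, 10, 0, 0)
    lines = ["time,src,dst,dport,proto,bytes_sent"]
    for i in range(60):
        t = start + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},10.0.0.5,203.0.113.{i + 1},443,tcp,1200")
    for i in range(5):
        t = start + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},10.0.0.9,198.51.100.7,443,tcp,4800")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse the CSV into dicts with a datetime and an int byte count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["bytes_sent"] = int(row["bytes_sent"])
        rows.append(row)
    return rows


def aggregate_per_minute(rows):
    """Group sessions by (source address, minute bucket)."""
    stats = defaultdict(lambda: {"sessions": 0, "dsts": set(), "bytes": 0})
    for r in rows:
        bucket = r["time"].replace(second=0, microsecond=0)
        s = stats[(r["src"], bucket)]
        s["sessions"] += 1
        s["dsts"].add(r["dst"])
        s["bytes"] += r["bytes_sent"]
    return stats


def find_offenders(rows, max_sessions=MAX_SESSIONS_PER_MIN,
                   max_dsts=MAX_DISTINCT_DST_PER_MIN):
    """Return {src: [(minute, [reasons...]), ...]} for sources over threshold."""
    offenders = {}
    for (src, minute), s in sorted(aggregate_per_minute(rows).items()):
        reasons = []
        if s["sessions"] > max_sessions:
            reasons.append(f"{s['sessions']} sessions/min > {max_sessions}")
        if len(s["dsts"]) > max_dsts:
            reasons.append(f"{len(s['dsts'])} distinct dsts/min > {max_dsts}")
        if reasons:
            offenders.setdefault(src, []).append((minute, reasons))
    return offenders


def edl_block_list(offenders):
    """One address per line: the text an IP-type PAN-OS External Dynamic List
    fetches, so a deny rule that references the EDL blocks these hosts."""
    return "".join(f"{src}\n" for src in sorted(offenders))


if __name__ == "__main__":
    offenders = find_offenders(parse_log(build_sample_log()))
    for src, hits in offenders.items():
        for minute, reasons in hits:
            print(f"{src} @ {minute:%H:%M}: " + "; ".join(reasons))
    print("EDL contents:\n" + edl_block_list(offenders), end="")
```

Run as-is it flags 10.0.0.5 for both the session rate and the destination fan-out and leaves 10.0.0.9 alone. In practice the script would read an exported traffic log or a syslog feed instead of the constructed sample, serve the EDL file over HTTP(S) where the firewall can fetch it, and the thresholds would be set from a baseline of normal client behaviour so a busy but legitimate server does not land on the list.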