Botnet traffic

By Dare02
We have been receiving alerts from our SIEM about a botnet application in one of our clients' environments. We checked the logs and discovered that the alert triggers during a DNS request. However, we do not see the host making this request, as the DNS server is set to do recursive DNS lookups. When the alert triggers we only see the internal DNS server IP address as the source and the public DNS server the request was sent to, not the initiator of the request. This has been going on for quite some time, and we would like to tackle this as soon as possible. Can anyone provide information on how we can determine the initiator of this request? Thanks.
NB: There's a FortiGate in this environment seeing this traffic as a botnet. The FortiGate is reporting that a torpig.mebroot type signature is being triggered.
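
The recursion problem described above, as an added example that is not part of the original post: the internal resolver's own query log is the place where the client address and the queried name still appear together, so it can be matched against the alert time. The BIND-style log format, the addresses, the domain names, the alert timestamp and the function names are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the style of a BIND 9 query log (assumption: query
# logging is enabled on the internal resolver; all names and IPs are made up).
SAMPLE_LOG = """\
12-Mar-2024 09:14:58.101 client @0x7f1 10.1.4.23#51544 (intranet.example.com): query: intranet.example.com IN A + (10.1.0.10)
12-Mar-2024 09:15:02.417 client @0x7f2 10.1.7.88#60211 (flagged-domain.example): query: flagged-domain.example IN A + (10.1.0.10)
12-Mar-2024 09:15:02.900 client @0x7f3 10.1.4.23#51545 (www.example.org): query: www.example.org IN A + (10.1.0.10)
12-Mar-2024 09:20:41.030 client @0x7f4 10.1.7.88#60950 (flagged-domain.example): query: flagged-domain.example IN A + (10.1.0.10)
"""
ALERT_TIME = datetime(2024, 3, 12, 9, 15, 2, 500000)  # constructed alert timestamp

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@\S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ \S+ (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Yield (timestamp, client_ip, qname, qtype) for each client query line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def find_initiators(log_text, alert_time, qname=None, window_s=5):
    """Map client IP -> names it asked for within window_s seconds of the alert.

    If the alert carries the queried name, pass it as qname to match exactly;
    otherwise every client active in the window is returned as a candidate.
    """
    wanted = qname.lower().rstrip(".") if qname else None
    hits = {}
    for ts, ip, name, _qtype in parse_queries(log_text):
        # abs() tolerates small clock skew between the resolver and the firewall
        if abs((ts - alert_time).total_seconds()) > window_s:
            continue
        if wanted is None or name == wanted:
            hits.setdefault(ip, []).append(name)
    return hits

if __name__ == "__main__":
    for ip, names in find_initiators(SAMPLE_LOG, ALERT_TIME, "flagged-domain.example").items():
        print(ip, names)
```

The match depends on the resolver and the firewall having synchronised clocks. A name answered from the resolver's cache produces no upstream query, so only the client whose lookup caused the cache miss lines up with a given alert.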


All Answers

Botnet traffic

by dbcomp In reply to Botnet traffic

This technology is designed by the expert security engineers to identify the botnet traffic and restrict it effectively.
