Question

  • #2142632

    Botnet traffic

    by dare02 ·

    We have been receiving alerts from our SIEM about a botnet application in one of our clients' environments. We checked the logs and discovered that the alert triggers during a DNS request. However, we do not see the host making this request, as the DNS server is set to do recursive DNS lookups. When the alert triggers we only see the internal DNS server IP address as the source and the public DNS server the request was sent to, not the initiator of the request. This has been going on for quite some time, and we would like to tackle this as soon as possible. Can anyone provide information on how we can determine the initiator of this request? Thanks.
    NB: There's a FortiGate in this environment seeing this traffic as a botnet. The FortiGate is reporting that a torpig.mebroot-type signature is being triggered.
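The standard way to get past the recursive resolver is to turn on query logging on the internal DNS server itself (the alert only shows resolver-to-upstream traffic, but the resolver's own log records which internal client asked for the name) and then correlate the alert's timestamp and domain against that log. The script below is an added example, not from this thread or from any vendor; it assumes a BIND-style query-log format (adapt the regex to your resolver) and uses constructed sample log lines and a constructed alert, with placeholder domains and addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: BIND-style query log from the internal recursive resolver
# (10.20.30.5). Format assumed; adjust LINE_RE for Windows DNS, Unbound, etc.
RESOLVER_QUERY_LOG = """\
03-Mar-2021 09:14:59.101 client @0x7f1 10.20.30.41#53211 (www.cdn.test): query: www.cdn.test IN A + (10.20.30.5)
03-Mar-2021 09:15:02.417 client @0x7f2 10.20.30.77#49152 (c2-lookalike.example): query: c2-lookalike.example IN A + (10.20.30.5)
03-Mar-2021 09:15:02.418 client @0x7f3 10.20.30.12#61000 (mail.example.test): query: mail.example.test IN MX + (10.20.30.5)
03-Mar-2021 09:15:20.009 client @0x7f4 10.20.30.77#49153 (c2-lookalike.example): query: c2-lookalike.example IN A + (10.20.30.5)
"""

# Constructed sample: the alert as the poster sees it. Source is the resolver,
# destination is the public DNS server; the real client is not in the alert.
SIEM_ALERT = {
    "time": "03-Mar-2021 09:15:02",
    "src": "10.20.30.5",
    "dst": "203.0.113.53",          # placeholder public resolver
    "domain": "c2-lookalike.example",  # placeholder flagged domain
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>\d+\.\d+\.\d+\.\d+)#\d+ \(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_log(text):
    """Yield one record per parseable query-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(),
                "qtype": m["qtype"],
            }


def find_initiators(alert, log_text, window_seconds=5):
    """Return {client_ip: [query times]} for internal hosts that asked the resolver
    for the alerted domain within +/- window_seconds of the alert. The resolver
    forwards upstream almost immediately, so a tight window avoids false matches."""
    alert_ts = datetime.strptime(alert["time"], "%d-%b-%Y %H:%M:%S")
    window = timedelta(seconds=window_seconds)
    hits = {}
    for rec in parse_log(log_text):
        if rec["qname"] == alert["domain"].lower() and abs(rec["ts"] - alert_ts) <= window:
            hits.setdefault(rec["client"], []).append(rec["ts"].strftime("%H:%M:%S"))
    return hits
```

Once the originating host is identified, check whether it repeats the lookup at regular intervals (as the second sample line for 10.20.30.77 hints), which distinguishes beaconing from a one-off browse.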

All Answers

    • #2421371

      Botnet traffic

      by dbcomp ·

      In reply to Botnet traffic

      This technology is designed by the expert security engineers to identify the botnet traffic and restrict it effectively.
