Enable each type of HTTP traffic that the report will include and define its Count. The Count is the minimum number of events of that traffic type that must occur for the report to list the associated host with the higher confidence score (higher likelihood of botnet infection). If a host generates fewer events than the Count, the report either displays the host with the lower confidence score or, for certain traffic types, displays no entry for the host at all.

Malware URL visit (range is 2–1000; default is 5)
    Identifies users communicating with known malware URLs, based on the malware and botnet URL filtering categories.

Use of dynamic DNS (range is 2–1000; default is 5)
    Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Using dynamic DNS domains is generally very risky: malware often uses dynamic DNS to evade IP address block lists. Consider using URL filtering to block such traffic.

Browsing to IP domains (range is 2–1000; default is 10)
    Identifies users who browse to IP addresses instead of domain-based URLs.

Browsing to recently registered domains (range is 2–1000; default is 5)
    Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.

Executable files from unknown sites (range is 2–1000; default is 5)
    Identifies executable files downloaded from unknown URLs. Executable file downloads are part of many infections and, when combined with other types of suspicious traffic, can help you prioritize which hosts to investigate.
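The following added example (not code from the product or its documentation) simulates how the Count thresholds above turn raw per-host HTTP events into a confidence indication. It encodes the five traffic types with the ranges and defaults stated on the page, validates configured Counts against those ranges, and classifies each host as "high" or "low" confidence per traffic type. The event records, host addresses, and the `score_hosts` / `validate_counts` function names are constructed for illustration; because the page does not say which traffic types suppress the host entry entirely below the Count, the example reports "low" for all of them rather than guessing.

```python
"""Simulate the botnet report's per-traffic-type Count thresholds.

Added example, not the product's own code. Traffic types, ranges and
defaults come from the documentation; everything else is constructed.
"""
from collections import Counter, defaultdict

# Traffic type -> (minimum Count, maximum Count, default Count), as documented.
TRAFFIC_TYPES = {
    "malware_url_visit": (2, 1000, 5),
    "dynamic_dns": (2, 1000, 5),
    "browse_to_ip_domain": (2, 1000, 10),
    "recently_registered_domain": (2, 1000, 5),
    "executable_from_unknown_site": (2, 1000, 5),
}

# Constructed sample events: one (host, traffic_type) pair per matching HTTP event.
SAMPLE_EVENTS = (
    [("10.1.1.5", "malware_url_visit")] * 6
    + [("10.1.1.9", "dynamic_dns")] * 3
    + [("10.1.1.9", "browse_to_ip_domain")] * 10
)


def count_in_range(traffic_type, value):
    """True if `value` is a permitted Count for this traffic type."""
    lo, hi, _default = TRAFFIC_TYPES[traffic_type]
    return lo <= value <= hi


def validate_counts(configured):
    """Return the effective Count per traffic type.

    Uses the configured value where given (rejecting out-of-range values,
    as the UI would) and falls back to the documented default otherwise.
    """
    effective = {}
    for traffic_type, (_lo, _hi, default) in TRAFFIC_TYPES.items():
        value = configured.get(traffic_type, default)
        if not count_in_range(traffic_type, value):
            raise ValueError(f"{traffic_type}: Count {value} outside permitted range")
        effective[traffic_type] = value
    return effective


def score_hosts(events, configured=None):
    """Tally events per (host, traffic type) and apply the Count thresholds.

    Returns {host: {traffic_type: (event_count, "high" | "low")}}.
    A host reaches "high" confidence for a traffic type when its event count
    is at least the Count; otherwise it is "low" (the real report may omit
    the entry for some traffic types, which is not modelled here).
    """
    thresholds = validate_counts(configured or {})
    tally = Counter(events)
    result = defaultdict(dict)
    for (host, traffic_type), n in tally.items():
        if traffic_type not in thresholds:
            raise ValueError(f"unknown traffic type: {traffic_type}")
        level = "high" if n >= thresholds[traffic_type] else "low"
        result[host][traffic_type] = (n, level)
    return dict(result)


if __name__ == "__main__":
    # With defaults: 6 malware URL visits is high; 3 dynamic DNS queries is low.
    for host, findings in sorted(score_hosts(SAMPLE_EVENTS).items()):
        for traffic_type, (n, level) in findings.items():
            print(f"{host:10} {traffic_type:30} events={n:<4} confidence={level}")
    # Lowering the dynamic DNS Count to 3 promotes 10.1.1.9 to high confidence.
    tuned = score_hosts(SAMPLE_EVENTS, {"dynamic_dns": 3})
    print("tuned:", tuned["10.1.1.9"]["dynamic_dns"])
```

Running it with the defaults lists 10.1.1.5 at high confidence for malware URL visits and 10.1.1.9 at low confidence for dynamic DNS but high for browsing to IP domains; lowering the dynamic DNS Count to 3 in the second call shows how tuning a threshold changes which hosts surface for investigation.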