You can schedule a botnet report or run it
on demand. The firewall generates scheduled botnet reports every
24 hours because behavior-based detection requires correlating traffic across
multiple logs over that timeframe.
Define the types of traffic that indicate possible
botnet activity.
Select MonitorBotnet and click Configuration on the
right side of the page.
Enable and define the Count for
each type of HTTP Traffic that the report will include.
The Count values represent the minimum
number of events of each traffic type that must occur for the report
to list the associated host with a higher confidence score (higher
likelihood of botnet infection). If the number of events is less
than the Count, the report will display a
lower confidence score or (for certain traffic types) won’t display
an entry for the host. For example, if you set the Count to
three for Malware URL visit, then hosts that
visit three or more known malware URLs will have higher scores than
hosts that visit less than three. For details, see Interpret Botnet Report Output.
Define the thresholds that determine whether the report
will include hosts associated with traffic involving Unknown TCP
or Unknown UDP applications.
Select the IRC check box to
include traffic involving IRC servers.
Click OK to save the report
configuration.
Schedule the report or run it on demand.
Click Report Setting on
the right side of the page.
Select a time interval for the report in the Test
Run Time Frame drop-down.
Select the No. of Rows to include
in the report.
(Optional)Add queries
to the Query Builder to filter the report output by attributes such
as source/destination IP addresses, users, or zones.
For example, if you know in advance that traffic initiated
from the IP address 10.3.3.15 contains no potential botnet activity,
add not (addr.src in 10.0.1.35) as a query
to exclude that host from the report output. For details, see Interpret Botnet Report Output.
Select Scheduled to run the
report daily or click Run Now to run the
report immediately.