The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, and IRC servers often use bots for automated functions.
The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report. You can use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.
Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that timeframe.
1. Define the types of traffic that indicate possible botnet activity.
   a. Select Monitor > Botnet and click Configuration on the right side of the page.
   b. Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report displays a lower confidence score or (for certain traffic types) does not display an entry for the host. For example, if you set the Count to three for Malware URL visit, hosts that visit three or more known malware URLs receive higher scores than hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
   c. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
   d. Select the IRC check box to include traffic involving IRC servers.
   e. Click OK to save the report configuration.
2. Schedule the report or run it on demand.
   a. Click Report Setting on the right side of the page.
   b. Select a time interval for the report in the Test Run Time Frame drop-down.
   c. Select the No. of Rows to include in the report.
   d. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, add not (addr.src in 10.0.1.35) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output.
   e. Select Scheduled to run the report daily or click Run Now to run the report immediately.
   f. Click OK and Commit.
Interpret Botnet Report Output
The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:
- Traffic type—Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
- Number of events—Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
- Executable downloads—The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.
When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
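The correlation the report performs, as an added illustration that is not PAN-OS code: per-host event counts from constructed log events are compared against Count thresholds, an excluded source address drops out as it would under a not (addr.src in ...) query, and hosts below every threshold are listed with reduced confidence or omitted. The traffic-type weights and the mapping to the 1 to 5 scale are assumptions for this example, not the firewall's actual formula.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (source host, traffic type), standing in for the Threat,
# URL and Data Filtering log entries the firewall correlates over a 24-hour window.
EVENTS = [
    ("10.0.1.35", "malware_url"), ("10.0.1.35", "malware_url"),
    ("10.0.1.35", "malware_url"), ("10.0.1.35", "exe_download"),
    ("10.0.2.7", "malware_url"), ("10.0.2.7", "malware_url"),
    ("10.0.2.7", "malware_url"), ("10.0.2.7", "exe_download"),
    ("10.0.3.9", "malware_url"), ("10.0.3.9", "dynamic_dns"),
    ("10.0.4.1", "ip_domain"),
] + [("10.0.5.2", k) for k in ("malware_url", "dynamic_dns", "recently_registered")
     for _ in range(3)]
# Count thresholds per HTTP traffic type, as set under Monitor > Botnet > Configuration.
COUNTS = {"malware_url": 3, "recently_registered": 3, "dynamic_dns": 3, "ip_domain": 5}
# Relative weights per traffic type: an assumption for this illustration, not the
# PAN-OS formula. Malware URL visits count for more than browsing to bare IP domains.
WEIGHTS = {"malware_url": 3, "recently_registered": 2, "dynamic_dns": 2, "ip_domain": 1}
# Query Builder filter "not (addr.src in 10.0.1.35)", expressed as excluded networks.
EXCLUDE = [ip_network("10.0.1.35")]
SEVERITY = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}


def build_report(events, counts, exclude):
    """Return {host: confidence 1-5}, highest confidence first."""
    per_host = defaultdict(Counter)
    for src, kind in events:
        per_host[src][kind] += 1
    report = {}
    for host, kinds in per_host.items():
        if any(ip_address(host) in net for net in exclude):
            continue  # host removed by the query filter
        score = 0
        for kind, weight in WEIGHTS.items():
            n = kinds[kind]
            if n >= counts[kind]:
                score += weight  # met the Count: full confidence for this type
            elif n > 0:
                score += weight // 2  # below the Count: reduced (0 for weight-1 types)
        if score == 0:
            continue  # nothing suspicious enough to list this host
        if kinds["exe_download"]:
            score += 1  # executable downloads raise confidence
        report[host] = min(5, max(1, score))
    return dict(sorted(report.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    for host, score in build_report(EVENTS, COUNTS, EXCLUDE).items():
        print(f"{host:<12} confidence {score} ({SEVERITY[score]})")
```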