Configure a Botnet Report

You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that timeframe.
  1. Define the types of traffic that indicate possible botnet activity.
    1. Select Monitor > Botnet and click Configuration on the right side of the page.
    2. Enable and define the Count for each type of HTTP Traffic that the report will include.
      The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won’t display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
    3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
    4. Select the IRC check box to include traffic involving IRC servers.
    5. Click OK to save the report configuration.
  2. Schedule the report or run it on demand.
    1. Click Report Setting on the right side of the page.
    2. Select a time interval for the report in the Test Run Time Frame drop-down.
    3. Select the No. of Rows to include in the report.
    4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
      For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, add not (addr.src in 10.3.3.15) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output.
    5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
    6. Click OK and Commit.
