You can schedule a botnet report or run it
on demand. The firewall generates scheduled botnet reports every
24 hours because behavior-based detection requires correlating traffic across
multiple logs over that timeframe.
Define the types of traffic that indicate possible botnet activity. Open the botnet report configuration on the right side of the page, then enable and set the count threshold for each type of HTTP Traffic that the report will include.
These count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (a higher likelihood of botnet infection). If the number of events is below the count, the report displays a lower confidence score or, for certain traffic types, omits the host entirely. For example, if you set the count for Malware URL visit to three, hosts that visit three or more known malware URLs will have higher scores than hosts that visit fewer than three. Tune the counts for your environment: a count that is too low fills the report with benign hosts, while one that is too high hides or delays evidence of real infections. For details, see Interpret Botnet Report Output.
Define the thresholds that determine whether the report
will include hosts associated with traffic involving Unknown TCP
or Unknown UDP applications.
Select the check box to include traffic involving IRC servers, then save the report configuration.
Schedule the report or run it on demand.
Open the report settings on the right side of the page. Select a time interval for the report in the Run Time Frame field, and select the No. of Rows to include in the report. Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
For example, if you know in advance that traffic initiated
from the IP address 10.3.3.15 contains no potential botnet activity,
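The following Python script is an added example, not code from the original page or from the firewall vendor, that models the two behaviours described above: per-traffic-type count thresholds that decide whether a host is listed with higher or lower confidence (or not at all), and a query filter that excludes a known-good source address from the output. The event list, the threshold values, the set of types that are omitted below threshold, and the function names are all constructed for this illustration; the firewall's actual scoring is not specified on this page.

```python
from collections import Counter, defaultdict

# Constructed sample of one reporting window of traffic-log events, as
# (source_ip, matched_traffic_type). Not real firewall output.
SAMPLE_EVENTS = [
    ("10.1.1.5", "malware_url"), ("10.1.1.5", "malware_url"), ("10.1.1.5", "malware_url"),
    ("10.1.1.5", "unknown_tcp"),
    ("10.1.1.7", "malware_url"), ("10.1.1.7", "malware_url"),
    ("10.1.1.9", "unknown_udp"), ("10.1.1.9", "unknown_udp"),
    ("10.3.3.15", "malware_url"), ("10.3.3.15", "malware_url"), ("10.3.3.15", "malware_url"),
    ("10.3.3.15", "irc"),
    ("10.1.1.11", "irc"),
]

# Hypothetical minimum event counts per traffic type (the per-type count
# thresholds the page describes). Values chosen for this example only;
# a type absent from this dict is treated as disabled in the report.
THRESHOLDS = {"malware_url": 3, "unknown_tcp": 5, "unknown_udp": 5, "irc": 1}

# Assumption for this example: for these types a host below the threshold is
# left out of the report entirely instead of being listed with lower confidence.
OMIT_BELOW_THRESHOLD = {"unknown_tcp", "unknown_udp"}


def aggregate(events):
    """Correlate events across the whole window into per-host counts per type."""
    counts = defaultdict(Counter)
    for host, ttype in events:
        counts[host][ttype] += 1
    return counts


def score_host(type_counts, thresholds=THRESHOLDS, omit=OMIT_BELOW_THRESHOLD):
    """Return (confidence, evidence) for a host, or None if it should not be listed."""
    met, below = [], []
    for ttype, n in type_counts.items():
        if ttype not in thresholds:
            continue  # traffic type disabled in the report configuration
        if n >= thresholds[ttype]:
            met.append(ttype)
        elif ttype not in omit:
            below.append(ttype)  # listed, but with lower confidence
    if not met and not below:
        return None
    confidence = "high" if met else "low"
    return confidence, {"met": sorted(met), "below": sorted(below)}


def build_report(events, thresholds=THRESHOLDS, exclude_sources=(), max_rows=10):
    """Apply the query filter, score every host, and return the top rows."""
    excluded = set(exclude_sources)
    filtered = [e for e in events if e[0] not in excluded]
    rows = []
    for host, type_counts in aggregate(filtered).items():
        result = score_host(type_counts, thresholds)
        if result is not None:
            confidence, evidence = result
            rows.append({"host": host, "confidence": confidence, **evidence})
    # High-confidence hosts first, then by number of threshold types met, then by address.
    rows.sort(key=lambda r: (r["confidence"] != "high", -len(r["met"]), r["host"]))
    return rows[:max_rows]


if __name__ == "__main__":
    # Exclude 10.3.3.15, the address the page uses as a known-clean source.
    for row in build_report(SAMPLE_EVENTS, exclude_sources=["10.3.3.15"]):
        print(row)
```

With the exclusion applied, 10.1.1.5 (three malware URL visits) and 10.1.1.11 (one IRC event) are listed with high confidence, 10.1.1.7 (two visits) with low confidence, and 10.1.1.9 is dropped because its Unknown UDP count is below the threshold for a type that is omitted rather than down-scored. Without the exclusion, 10.3.3.15 would top the report, which is exactly the noise the query filter is meant to remove.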