This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

I've Got a Botnet Problem

RSAAdmin
Beginner
Beginner

‎2013-04-01 02:42 PM

Below is a Screenshot of the last 24 hours view in the RSA FirstWatch Malware Sandbox.  Everything in the alert field represents KNOWN threats.  This makes it quite simple to filter out what is known to analyze traffic that is unknown.

 

lotsabots.JPG.jpg

Heh, If I was working a SOC shift and my alert fields looked like this, I'd probably want to quit and wish the IT response teams lotsaluck.

Much of this content that creates these alerts have been shared over this Community.  Check the latest blogs!

0 Likes
2 REPLIES 2

RSAAdmin
Beginner
Beginner

‎2013-04-02 05:59 AM

Wow.  You have more malware hosted in there than a Ukranian pr0n server.

 

Any chance you can share some interesting parsers or Informer rules/charts/alerts too?  There seems to be a distinct lack of examples, particularly of cool parsers, that we can use to get new ideas from.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-04-02 04:16 PM

At FirstWatch, one of our goals is to create rules using the default Live content to enable the broadest group of customers possible to detect these threats.  There have been a couple of parsers come out of our effort, but its mainly for research purposes at this point- for example, parsing out the additional HTML headers of VIA, ETAG and others.

 

See my other posts (click on my name) to see some of the cool Informer rules, reports and other content I've posted 'round here.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.