Pinned topic: Communication to a known Bot CnC

seconsultant (1 Post)
2014-02-05T11:55:35Z

Hello,

I want to know if there is an IP reputation database stored locally on the QRadar, or if it is cloud-based and updated dynamically?

We have seen a few offenses related to Bot CnC communication with the following IP addresses:

195.22.26.231

195.22.26.252

195.22.26.254

185.24.233.224

Some of the IPs are listed on botnet lookup websites. Just wondering how accurate this information is and from where QRadar is taking this feed.

Regards,

Akhtar


    Alaa Ali (8 Posts)

    Re: Communication to a known Bot CnC

    2014-02-06T22:39:37Z

    The list of "botnet" IPs is found under Remote Networks under the Admin tab. You should see a BOT.BOT_IP group that lists all the IPs. The Communication to a known Botnet C&C rule uses that remote network group. These IPs are updated with the QRadar automatic updates (I want to say updated once a week, but I'm not sure). If you have automatic updates enabled, you'll sometimes find that you have to deploy for some changes to a file called remotenet.conf. That's the file that contains the IP addresses.

    These IP addresses should be identified by IBM's X-Force team, which is IBM's Trend and Risk analysis "sector".

    networkingkool (1 Post)

    Re: Communication to a known Bot CnC

    2014-02-17T17:03:57Z
    In reply to Alaa Ali (2014-02-06T22:39:37Z):

    I also opened a support ticket to ask about misc.AnonymousProxy. I received the same answer as you said. However, I still don't know the current list of IPs. So what file contains that info? Could I use vi or less to view the content of the file?
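As an added example (not from this thread and not IBM's code), a small Python script that reads a remotenet.conf-style file and reports which remote network group, if any, each offense IP falls into, which is the check both posts above are after. The column layout (group, name, CIDR, optional description), the sample addresses and the group contents are assumptions constructed for the example; the real file's location and format must be confirmed on the appliance.

```python
import ipaddress

# Constructed sample in the assumed remotenet.conf layout:
#   <group> <name> <CIDR> [description]
# Lines starting with '#' are treated as comments. The addresses are
# RFC 5737 documentation ranges, not real indicators.
SAMPLE_REMOTENET_CONF = """\
# group name cidr description
BOT BOT_IP 192.0.2.0/24 constructed botnet C&C range
BOT BOT_IP 198.51.100.7/32 constructed single C&C host
misc AnonymousProxy 198.51.100.0/25 constructed proxy range
this line is malformed
BOT BOT_IP not-a-cidr bad entry that must be skipped
"""


def parse_remotenet(text):
    """Return a list of (group.name, ip_network) tuples.

    Comment lines, lines with too few columns and entries whose third
    column is not a valid CIDR are skipped rather than aborting the scan.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed: needs at least group, name, cidr
        group, name, cidr = parts[0], parts[1], parts[2]
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # third column is not a CIDR; skip this entry
        entries.append((f"{group}.{name}", net))
    return entries


def classify(ips, entries):
    """Map each IP string to the sorted list of group labels containing it."""
    result = {}
    for ip_str in ips:
        addr = ipaddress.ip_address(ip_str)
        result[ip_str] = sorted({label for label, net in entries if addr in net})
    return result


if __name__ == "__main__":
    groups = parse_remotenet(SAMPLE_REMOTENET_CONF)
    for ip, labels in classify(["192.0.2.10", "198.51.100.7", "203.0.113.5"], groups).items():
        print(ip, labels or "no remote network match")
```

An IP that returns an empty list did not match any group in the local file, which is the case worth raising with support, since the offense rule only fires on what that file currently contains.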