2 replies. Latest post 2014-02-17T17:03:57Z by networkingkool
seconsultant
1 Post

Communication to a known Bot CnC

2014-02-05T11:55:35Z

Hello,

I want to know if there is an IP reputation database stored locally on the QRadar, or if it is cloud based and updated dynamically?

We have seen a few offenses related to Bot CnC communication with the following IP addresses:

- 195.22.26.231
- 195.22.26.252
- 195.22.26.254
- 185.24.233.224

Some of the IPs are listed on botnet lookup websites. Just wondering how accurate this information is, and where QRadar is taking this feed from.

Regards,

Akhtar


  • Alaa Ali
    8 Posts

    Re: Communication to a known Bot CnC

    2014-02-06T22:39:37Z in response to seconsultant

    The list of "botnet" IPs is found under Remote Networks under the Admin tab. You should see a BOT.BOT_IP group that lists all the IPs. The Communication to a known Botnet C&C rule uses that remote network group. These IPs are updated with the QRadar automatic updates (I want to say updated once a week, but I'm not sure). If you have automatic updates enabled, you'll sometimes find that you have to deploy for some changes to a file called remotenet.conf. That's the file that contains the IP addresses.

    These IP addresses should be identified by IBM's X-Force team, which is IBM's Trend and Risk analysis "sector".

    • networkingkool
      1 Post

      Re: Communication to a known Bot CnC

      2014-02-17T17:03:57Z in response to Alaa Ali

      I also opened a support ticket to ask about misc.AnonymousProxy. I received the same answer as you said. However, I still don't know the current list of IPs. So what file contains that info? Could I use vi or less to view the content of the file?
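As an added example (not from any of the posters or from IBM), a small Python check that reads a remotenet.conf-style list and reports which offense IPs fall inside the BOT.BOT_IP remote-network group, which is the question the thread leaves open. The column layout (group, network name, CIDR, colour) and the sample lines are assumptions constructed here; inspect the real file on your Console before relying on them.

```python
import ipaddress

# Constructed sample in an ASSUMED layout: group,network,CIDR,colour
# The real remotenet.conf may differ; adjust parse_remotenet() after
# viewing the actual file (e.g. with less) on the Console.
SAMPLE_REMOTENET = """\
# group,network,cidr,colour
BOT,BOT_IP,195.22.26.0/24,#ff0000
BOT,BOT_IP,185.24.233.224/32,#ff0000
misc,AnonymousProxy,203.0.113.0/24,#00ff00
"""


def parse_remotenet(text):
    """Return {(group, network): [ip_network, ...]} from the assumed CSV layout."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        group, network, cidr = fields[0], fields[1], fields[2]
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # not a valid address or CIDR
        groups.setdefault((group, network), []).append(net)
    return groups


def match_ips(ips, groups, group="BOT", network="BOT_IP"):
    """Map each IP to the CIDR in the named remote-network group containing it, or None."""
    nets = groups.get((group, network), [])
    result = {}
    for ip_str in ips:
        addr = ipaddress.ip_address(ip_str)
        result[ip_str] = next((str(n) for n in nets if addr in n), None)
    return result


if __name__ == "__main__":
    # The IPs from the original question plus one control address (TEST-NET-2).
    offense_ips = ["195.22.26.231", "195.22.26.252", "195.22.26.254",
                   "185.24.233.224", "198.51.100.7"]
    for ip, hit in match_ips(offense_ips, parse_remotenet(SAMPLE_REMOTENET)).items():
        print(f"{ip}: {'in ' + hit if hit else 'not in BOT.BOT_IP'}")
```

Replace SAMPLE_REMOTENET with the contents of the real file once you have confirmed its layout; an IP that the offense names but that is absent from the group points at a stale list or a pending deploy.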