Nessus uses data provided by Internet Identity (IID), a company that maintains a list of hosts it has determined, through various technical means, to be part of a botnet. Nessus does not perform those technical checks itself; rather, it compares the IP addresses being scanned against the list maintained by IID. Inclusion in IID's list is typically accurate, with a very low rate of false positives.
If a host is reported as part of a botnet, there are several things you can do to validate the finding and respond to the issue:
- Check the host against additional third-party lists to determine whether it shows up in those resources: http://isc.sans.edu/sources.html, http://www.malwaredomains.com, http://www.ipvoid.com
- Check the host against known Unsolicited Bulk E-mail (UBE)/spam blacklists: http://www.dmoz.org/Computers/Internet/E-mail/Spam/Blacklists
- Look for any evidence of the host being compromised, e.g., suspicious activity, newly installed software, or machine resources being heavily utilized.
- Perform a full vulnerability scan to determine whether any high-risk or critical vulnerabilities are present that may represent the point of intrusion. Ensure web application auditing is enabled, as Nessus can identify malicious web content related to botnet activity.
- Move the host to an isolated network and use a network sniffer to monitor the traffic it sends.
If you still have questions about your host appearing in the list, contact IID at activeknowledge.signals.requests@internetidentity.com. Your initial mail should include the IP address in question, when the IP was reported (i.e., when you ran your Nessus scan), and any additional information about the host that may be relevant. Registered users can also raise the question via the Tenable Customer Support Portal.
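The two list-based checks above (the feed comparison Nessus performs, and the third-party/spam-blacklist lookups) can be reproduced in a few lines. The following is an added example, not Tenable's plugin code nor IID's feed format: the feed text, the host addresses (RFC 5737 documentation ranges) and the DNSBL zone name are all constructed for illustration. It assumes a plain one-entry-per-line feed of addresses and CIDR blocks, and it uses the reversed-octet naming convention that real DNS-based blacklists follow (an answer such as 127.0.0.x means "listed", NXDOMAIN means "not listed"); the resolver is injectable so the script runs offline.

```python
import ipaddress
import socket

# Constructed sample feed (hypothetical): one IPv4 address or CIDR block per
# line, '#' starts a comment. Addresses are RFC 5737 documentation ranges.
SAMPLE_FEED = """\
# hypothetical botnet-member feed, not IID's real data
198.51.100.23
203.0.113.0/28
192.0.2.77
"""


def parse_feed(text):
    """Parse a feed into IPv4 networks; bare addresses become /32 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def match_hosts(hosts, feed_nets):
    """Return {host: matching feed entry} for every scanned host that falls
    inside a listed address or range (a bare IP match is a /32 range)."""
    hits = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        for net in feed_nets:
            if addr in net:
                hits[host] = str(net)
                break
    return hits


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet DNSBL name: 203.0.113.5 -> 5.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zones, resolve=None):
    """Look the host up in each DNSBL zone. A resolvable name (typically
    127.0.0.x) means 'listed'; NXDOMAIN (socket.gaierror) means not listed.
    resolve(name) -> answer string; defaults to real DNS via the socket module."""
    if resolve is None:
        resolve = socket.gethostbyname  # network required
    listed = {}
    for zone in zones:
        try:
            listed[zone] = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            pass  # not listed in this zone
    return listed


def fake_resolver(table):
    """Offline stand-in for DNS: answers from a constructed dict, NXDOMAIN otherwise."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    scanned = ["203.0.113.9", "198.51.100.23", "203.0.113.200", "192.0.2.1"]
    hits = match_hosts(scanned, parse_feed(SAMPLE_FEED))
    for host, entry in hits.items():
        print(f"{host} is listed (feed entry {entry})")
    # Constructed DNSBL answer: the zone name is hypothetical.
    dns = fake_resolver({"23.100.51.198.dnsbl.example.net": "127.0.0.2"})
    for host in hits:
        print(host, check_dnsbl(host, ["dnsbl.example.net"], resolve=dns))
```

The CIDR handling matters in practice: a feed entry such as 203.0.113.0/28 flags every address in that block, so a hit on a shared range deserves more scrutiny than a hit on an exact /32. To query a real blacklist, drop the `resolve=` argument and pass the zone name the list's documentation gives you.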
12 Jan 2012
Nessus, IID & botnet detection