Botnet analysis

Introduction

The device analyses all security logs related to botnets and supports displaying information about hosts that might be zombie hosts, including zombie host IP and peer IP. The security logs include IPS logs, anti-virus logs, WAF logs, file filtering logs, URL filtering logs, and reputation logs. This feature helps you identify and locate zombie hosts, and then take prevention actions.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Restrictions and guidelines

Configuration guidelines

Import logs

To import a log file and analyze the botnet information it contains:

  1. Click the Monitor tab.

  2. In the navigation pane, select Synthetic Analysis > Botnet Analysis.

  3. Click Import.

  4. In the dialog box that opens, click OK.

  5. Select a log file, and enter the password for the log file.

  6. Click OK.

Export logs

To export all security logs related to botnets:

  1. Click the Monitor tab.

  2. In the navigation pane, select Synthetic Analysis > Botnet Analysis.

  3. Click the button for a column, specify the search criteria to filter the logs to be exported, and click Apply.

  4. Click Export.

  5. On the page that opens, configure the log export settings.

    Table-1 Log export configuration items

    Item            Description
    Set password    Enter a password for encrypting the log files. This password is required when you view the exported log files.
    Logs per file   Set the maximum number of log entries in each log file:
                    • If the number of exported log entries is smaller than this limit, all log entries are exported to one file.
                    • If the number of exported log entries is larger than this limit, the log entries are exported into multiple files based on this limit.

  6. Click Export.

Configure an internal asset address range

To perform statistical analysis on asset traffic, configure an asset address range. The device identifies the specified address range as the internal network and identifies addresses outside the range as the external network. In addition, the device will analyze traffic between internal-internal, internal-external, and external-external networks. If no asset address range is configured, the device will analyze only traffic between Trust-Trust, Trust-Untrust, and Untrust-Trust security domains. In this case, the device identifies the Trust domain as the internal network and the Untrust domain as the external network, and does not analyze traffic from other security domains.
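The classification rule above is easy to misread, so here is an added Python illustration (not the device's own code) that labels flows the way the paragraph describes, both with an asset address range configured and with the Trust/Untrust security-zone fallback. The address prefixes, the "DMZ" zone name and the flow records are constructed; treating the three categories as direction-independent is an assumption.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Constructed asset address range, as an operator might enter it under Asset
# Address Range. Prefixes are illustrative (documentation space), not from the page.
ASSET_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
# Zone fallback when no range is configured: Trust is internal, Untrust is external.
ZONE_SIDE = {"Trust": "internal", "Untrust": "external"}

def label(a: str, b: str) -> str:
    """Map two sides onto one of the three reported categories; direction is
    ignored (assumption), so external->internal is reported as internal-external."""
    a, b = sorted((a, b), key=["internal", "external"].index)
    return f"{a}-{b}"

def side(ip: str, ranges) -> str:
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in ranges) else "external"

def classify_flow(flow: dict, ranges) -> Optional[str]:
    """Category for one flow record, or None if the device would not analyze it."""
    if ranges:
        # Range configured: every flow is analyzed, by address membership only.
        return label(side(flow["src_ip"], ranges), side(flow["dst_ip"], ranges))
    src, dst = flow["src_zone"], flow["dst_zone"]
    # No range: only Trust-Trust, Trust-Untrust and Untrust-Trust are analyzed;
    # Untrust-Untrust and flows touching any other zone are skipped.
    if src not in ZONE_SIDE or dst not in ZONE_SIDE or (src, dst) == ("Untrust", "Untrust"):
        return None
    return label(ZONE_SIDE[src], ZONE_SIDE[dst])

def tally(flows, ranges) -> Counter:
    """Count analyzed flows per category, the basis of the asset traffic statistics."""
    return Counter(c for c in (classify_flow(f, ranges) for f in flows) if c)

# Constructed sample flows; 172.16.0.8 / DMZ stands for an address and zone
# outside both Trust and Untrust.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "src_zone": "Trust", "dst_zone": "Untrust"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "src_zone": "Untrust", "dst_zone": "Trust"},
    {"src_ip": "198.51.100.5", "dst_ip": "203.0.113.9", "src_zone": "Untrust", "dst_zone": "Untrust"},
    {"src_ip": "10.1.2.3", "dst_ip": "192.168.1.20", "src_zone": "Trust", "dst_zone": "Trust"},
    {"src_ip": "172.16.0.8", "dst_ip": "10.1.2.3", "src_zone": "DMZ", "dst_zone": "Trust"},
]

if __name__ == "__main__":
    print("asset range configured:", dict(tally(SAMPLE_FLOWS, ASSET_RANGES)))
    print("zone fallback:         ", dict(tally(SAMPLE_FLOWS, [])))
```

Note that the same five flows yield five analyzed flows with a range configured but only three under the zone fallback: the Untrust-Untrust flow and the flow from the DMZ zone drop out.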

To configure an internal asset address range:

  1. Click the Monitor tab.

  2. In the navigation pane, select Synthetic Analysis > Botnet Analysis.

  3. Click Asset Address Range on top of the page.

  4. Configure asset addresses as needed.