Dear,
We are using Astaro Firewall with IPS in pass through mode for last one year. We have been noticing many number of "BOTNET-CNC Palevo bot DNS request for C&C attempt" attack showing in IPS summery report wherein source address and destination address showing only DNS server which source address is my company internal DNS server and destination is ISP DNS server.
We would like to find out the botnet infected clients which this IPS report shows. To help on this, we would like to know from which central URLs snort is downloading malware domains in its database so that we can refer the common URL against the DNS logs and find out the infected clients list.
I need your valuable help and guidelines on this.
Note: As you know, Astaro firewall is using Snort signature for IPS functionality.
This thread was automatically locked due to age.