RSA Admin

How to Detect Botnet Beaconing That is Blocked By Your Firewall

Discussion created by RSA Admin Employee on Sep 4, 2012
Latest reply on Oct 25, 2013 by RSA Admin

NetWitness NextGen can detect compromised endpoints on your network by detecting connection attempts to known Command and Control (C&C) servers: connection attempts that are being blocked by your firewall or smart proxy. Also, if known C&C hosts get blackholed, the bots out there will still try to communicate, and we can see these attempts. Here's how you do it.


  • Step 1: Deploy Zero Payload Rule. Create a rule on the decoders to identify packets that have zero payload. The rule should be called "Zero Payload", with the contents of the rule simply being "payload=0". Deselect the option to stop rule processing and set the rule to alert into the Alert field. Packets such as this are typically SYN connections.

  • Step 2: Create an Informer Chart. Create a chart in Informer that looks for instances of this rule firing to all destination IP addresses that are listed in our third-party Threat Feed lists. The rule for this chart should look for:
    ip.dst WHERE alert='zero payload' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
    Then turn that rule into a chart. Track the top 15 items.


  • Step 3: Create your whitelist of known good destination organizations. As you begin investigating the results of this chart and rule, you will invariably find known IP destinations that are trusted, such as Google, a host in a common CDN, etc. Add these destination organizations to the whitelist referenced in the rule of Step 2.



When deployed in the field, I typically see several connection attempts to known bad destinations. And since it is a chart, you will begin to see the timed pattern of the traffic as well. What this usually represents is a compromised source IP address that is attempting to connect to a blocked or blackholed destination, or orphaned malware that is trying to call home. Those sources should be pulled from the network for re-imaging or a similar internal IR process.
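
The timed pattern the chart reveals can also be checked offline against exported session metadata. The sketch below is an added example, not part of the original post or of NetWitness: it applies the same conditions as the Step 2 query to constructed records and flags source/destination pairs whose blocked attempts repeat at a steady interval. The record layout, feed name, thresholds and function names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

GOOD_ORGS = {"Google"}  # constructed whitelist, stands in for $goodorgs


def _mk(src, dst, org, feed, times, payload=0):
    # Record layout (assumed): (epoch s, ip.src, ip.dst, payload bytes, org.dst, threat.source)
    return [(t, src, dst, payload, org, feed) for t in times]


# Constructed sample data; addresses are RFC 1918 / documentation ranges.
SESSIONS = (
    _mk("10.0.0.5", "203.0.113.10", "Example Hosting", "constructed-feed", [0, 300, 601, 899, 1200])
    + _mk("10.0.0.7", "198.51.100.20", "Google", "constructed-feed", [0, 60, 120, 180, 240])
    + _mk("10.0.0.9", "203.0.113.77", "Example ISP", "constructed-feed", [10, 50, 700, 720, 3000])
    + _mk("10.0.0.8", "203.0.113.10", "Example Hosting", "netwitness", [0, 300, 600, 900])
)


def matches_rule(rec, good_orgs=GOOD_ORGS):
    """Same conditions as the Step 2 query, applied to one record."""
    _, _, _, payload, org_dst, threat_source = rec
    return (payload == 0                                   # alert='zero payload'
            and org_dst is not None and org_dst not in good_orgs
            and threat_source is not None and threat_source != "netwitness")


def beacon_candidates(sessions, min_hits=4, max_jitter=0.1):
    """Return {(src, dst): mean interval in seconds} for pairs on a steady timer.

    max_jitter is the allowed ratio of interval standard deviation to mean.
    """
    times = defaultdict(list)
    for rec in sessions:
        if matches_rule(rec):
            times[(rec[1], rec[2])].append(rec[0])
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = avg
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(SESSIONS).items():
        print(f"{src} -> {dst}: blocked attempt roughly every {interval} s")
```

Only the 10.0.0.5 host is reported: the whitelisted organization, the 'netwitness' threat source and the irregular retry pattern are all filtered out.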