Sec-C, posted May 23:

Hi, I was wondering if there is a way to test whether the botnet detection added in ESET Server Security for Linux 10.2.41.0 is actually doing anything. Maybe a harmless test URL or test IP I can use with wget/curl to see if botnet detection is blocking/reporting correctly, something similar to what the EICAR file does for the on-access file scanner. Maybe even a list of test cases for each individual protection module available in ESET products.
itman, posted May 23:

Very difficult to test, since the botnet servers are not kept online: https://feodotracker.abuse.ch/browse/
Sec-C (author), posted May 27:

I tested several Feodo Tracker IPs, but none of them were blocked by ESET on Linux. I also searched the logs for IPs blocked by ESET on Windows (detection name "EsetIpBlacklist.A" or "EsetIpBlacklist.B" + detection category "firewall"). None of the IPs blocked by ESET on Windows were blocked on Linux. I tested by using a simple "wget hxxp://x.x.x.x".
itman, posted May 28:

On 5/27/2024 at 7:26 AM, Sec-C said:
    I tested by using a simple "wget hxxp://x.x.x.x".

I believe only inbound traffic from blacklisted IP addresses is blocked, not outbound traffic.
Sec-C (author), posted May 29:

Quote:
    I believe only inbound traffic from blacklisted IP addresses is blocked, not outbound traffic.

OK, I expected "botnet detection" to also block outgoing traffic (from an infected bot device to its C&C server). If you are right, it would indeed be difficult to test.
itman, posted May 29 (marked as solution):

FYI. First, how ESET Botnet Protection works; highlighted is the important part:

Quote:
    Since version 10.2, ESET Server Security for Linux supports Botnet Protection. Enable Botnet protection—Detects and blocks communication with malicious command and control servers based on typical patterns when the computer is infected and a bot is attempting to communicate. Requires web access protection to be enabled. Read more about Botnet Protection in the Glossary.
    https://help.eset.com/essl/10.3/en-US/network_protection.html?zoom_highlightsub=botnet

Assumed is that ESET is deploying more than just IP address checking, since it is no longer effective:

Quote:
    WAFs also rely heavily on IP reputation to manage bots. If the IP reputation of a request is bad, it assumes all activity from that IP will be bad. Conversely, if the IP reputation is good (and doesn't have any known negative association with bot IP addresses), the WAF is likely to let all requests coming from that IP through. Since bot operators can now rotate high-quality, residential IPs cheaply and easily, WAFs are now an ineffective solution to detect and prevent bots.
    https://datadome.co/guides/bot-protection/bot-detection-how-to-identify-bot-traffic-to-your-website/
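Sec-C's "wget hxxp://x.x.x.x" test and itman's point that the C2 servers are usually offline share one problem: a plain wget failure does not tell you whether the host blocked the connection or the server was simply down. The helper below, an added example that is not ESET's tooling or anyone's code from this thread, separates those outcomes by curl exit status; it assumes curl is installed and that you substitute your own C2 IP:port list (e.g. exported from Feodo Tracker) for the constructed placeholder addresses in TEST-NET-1.

```shell
#!/bin/sh
# Outbound-probe helper for checking ESET Server Security for Linux botnet
# protection from the protected host. Added example for this thread; not
# ESET's tooling. A timeout proves nothing (server offline), so only a refused
# or successful connection is informative, and every "refused" should be
# cross-checked against the ESET log on the host before calling it blocked.

# Map a curl exit status to a verdict.
#   0/52/56 = TCP connect succeeded (got a reply, empty reply, or recv error)
#   7       = could not connect (refused/reset): blocked locally, or port closed
#   28      = timed out: inconclusive (server offline or packets silently dropped)
classify() {
    case "$1" in
        0|52|56) echo "connected: NOT blocked" ;;
        7)       echo "refused: possibly blocked locally, or port closed" ;;
        28)      echo "timeout: inconclusive (server offline or silently dropped)" ;;
        *)       echo "curl exit $1: inconclusive" ;;
    esac
}

# Probe one host:port with a short timeout; prints only curl's exit status.
probe() {
    curl --silent --output /dev/null --connect-timeout 5 --max-time 8 \
         "http://$1:$2/" >/dev/null 2>&1
    echo $?
}

# Constructed placeholder list (TEST-NET-1, never routable); replace with
# real IP:port pairs from your own export before running.
C2_LIST="192.0.2.10:80
192.0.2.11:8080"

run_probes() {
    printf '%s\n' "$C2_LIST" | while IFS=: read -r ip port; do
        [ -n "$ip" ] || continue
        rc=$(probe "$ip" "$port")
        printf '%s:%s -> %s\n' "$ip" "$port" "$(classify "$rc")"
    done
}

# Only touch the network when explicitly asked: RUN_PROBES=1 ./probe.sh
if [ "${RUN_PROBES:-0}" = "1" ]; then
    run_probes
fi
```

Run it with RUN_PROBES=1 on the Linux host, then compare each "refused" line against the host's ESET log entries for the same timestamp; without that log correlation a refusal may just be a closed port on the remote side.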