Sec-C, posted May 23, 2024

Hi, I was wondering if there is a way to test if the botnet detection added in ESET Server Security for Linux 10.2.41.0 is actually doing anything. Maybe a harmless test URL or test IP I can use with wget/curl to see if botnet detection is blocking/reporting correctly. Something similar to what the EICAR file does for the on-access file scanner. Maybe even a list of test cases for each individual protection module available in ESET products.
itman, posted May 23, 2024 (edited May 23, 2024)

Very difficult to test since the botnet servers are not kept online: https://feodotracker.abuse.ch/browse/
Sec-C (author), posted May 27, 2024 (edited May 27, 2024)

I tested several feodotracker IPs, but none of them were blocked by ESET on Linux. I also searched the logs for IPs blocked by ESET on Windows (detection name "EsetIpBlacklist.A" or "EsetIpBlacklist.B" + detection category "firewall"). None of the IPs blocked by ESET on Windows were blocked on Linux. I tested by using a simple "wget hxxp://x.x.x.x".
itman, posted May 28, 2024

On 5/27/2024 at 7:26 AM, Sec-C said:
    I tested by using a simple "wget hxxp://x.x.x.x".

I believe only inbound traffic from blacklisted IP addresses is blocked; not outbound traffic.
Sec-C (author), posted May 29, 2024

Quote:
    I believe only inbound traffic from blacklisted IP addresses is blocked; not outbound traffic.

OK, I expected "botnet detection" to also block outgoing traffic (from an infected bot device to its C&C server). If you are right, it would indeed be difficult to test.
itman, posted May 29, 2024 (edited May 29, 2024) [marked as solution]

FYI. First, how ESET Botnet Protection works; highlighted is the important part:

Quote:
    Since version 10.2, ESET Server Security for Linux supports Botnet Protection. Enable Botnet protection—Detects and blocks communication with malicious command and control servers based on typical patterns when the computer is infected and a bot is attempting to communicate. Requires web access protection to be enabled. Read more about Botnet Protection in the Glossary.
    https://help.eset.com/essl/10.3/en-US/network_protection.html?zoom_highlightsub=botnet

It is assumed that ESET is deploying more than just IP address checking, since it is no longer effective:

Quote:
    WAFs also rely heavily on IP reputation to manage bots. If the IP reputation of a request is bad, it assumes all activity from that IP will be bad. Conversely, if the IP reputation is good (and doesn't have any known negative association with bot IP addresses), the WAF is likely to let all requests coming from that IP through. Since bot operators can now rotate high-quality, residential IPs cheaply and easily, WAFs are now an ineffective solution to detect and prevent bots.
    https://datadome.co/guides/bot-protection/bot-detection-how-to-identify-bot-traffic-to-your-website/