Command and Control Servers: More Information
Command and control (C&C) servers remotely send malicious commands to a botnet, or a network of compromised computers. The botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.
When a host on your network tries to initiate contact with a possible C&C server on the Internet, the SRX Series Firewall can intercept the traffic and perform an enforcement action based on real-time feed information from Juniper ATP Cloud. The Web UI identifies the C&C server IP address, its threat level, the number of times the C&C server has been contacted, and related details.
An FP/FPN button lets you report a false positive or a false negative for each C&C server listed. When you report a false negative, Juniper ATP Cloud assigns that server a C&C threat level equal to the global threat level threshold you set in the misc configuration (Configure > Misc Configuration).
Juniper ATP Cloud blocks that host from communicating with the C&C server and can allow the host to communicate with other servers that are not on the C&C list depending on your configuration settings. The C&C threat level is calculated using a proprietary algorithm.
You can also use the show services security-intelligence statistics or show services security-intelligence statistics profile profile-name CLI commands to view C&C statistics.
user@root> show services security-intelligence statistics
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 0
    Permit sessions: 0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 0
    Block drop sessions: 0
Category CC:
  Profile cc_profile:
    Total processed sessions: 5
    Permit sessions: 4
    Block drop sessions: 1
    Block close sessions: 0
    Close redirect sessions: 0
Category JWAS:
  Profile Sample-JWAS:
    Total processed sessions: 0
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
Category Infected-Hosts:
  Profile hostintel:
    Total processed sessions: 0
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
In the following example, the C&C profile name is cc_profile.
user@root> show services security-intelligence statistics profile cc_profile
Category CC:
  Profile cc_profile:
    Total processed sessions: 5
    Permit sessions: 4
    Block drop sessions: 1
    Block close sessions: 0
    Close redirect sessions: 0
You can also use the show services security-intelligence category detail category-name category-name feed-name feed-name count number start number CLI command to view more information about the C&C servers and their threat level.
Set both count and start to 0 to display all C&C servers.
For example:
user@root> show services security-intelligence category detail category-name CC feed-name cc_url_data count 0 start 0
Category name :CC
Feed name :cc_url_data
Version :20160419.2
Objects number:24331
Create time :2016-04-18 20:43:59 PDT
Update time :2016-05-04 11:39:21 PDT
Update status :Store succeeded
Expired :No
Options :N/A
{ url:http://g.xxxxx.net threat_level:9}
{ url:http://xxxx.xxxxx.net threat_level:9}
{ url:http://xxxxx.pw threat_level:2}
{ url:http://xxxxx.net threat_level:9}
...
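To review that category detail output programmatically, here is an added Python example (not Juniper's code) that parses the feed header and the url/threat_level entries, checks that the feed actually stored and has not expired, and filters entries against a threat-level threshold like the global one set under Configure > Misc Configuration. The embedded sample is constructed from the format above; its hostnames are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of "show services security-intelligence
# category detail"; hostnames are placeholders, not real indicators.
SAMPLE_OUTPUT = """\
Category name :CC
Feed name :cc_url_data
Version :20160419.2
Objects number:24331
Create time :2016-04-18 20:43:59 PDT
Update time :2016-05-04 11:39:21 PDT
Update status :Store succeeded
Expired :No
Options :N/A
{ url:http://g.example-cnc.invalid threat_level:9}
{ url:http://beacon.example-cnc.invalid threat_level:9}
{ url:http://lowrisk.example.invalid threat_level:2}
{ url:http://panel.example-cnc.invalid threat_level:9}
"""

# Header lines look like "Feed name :cc_url_data" or "Objects number:24331".
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
# Entry lines look like "{ url:http://host threat_level:9}".
ENTRY_RE = re.compile(r"\{\s*url:(\S+)\s+threat_level:(\d+)\s*\}")

@dataclass(frozen=True)
class CcEntry:
    url: str
    threat_level: int

def parse_category_detail(text):
    """Split the command output into a header dict and a list of C&C entries."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(CcEntry(m.group(1), int(m.group(2))))
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1).strip()] = m.group(2)
    return header, entries

def feed_is_usable(header):
    """A feed only enforces anything if it stored successfully and has not expired."""
    return header.get("Update status") == "Store succeeded" and header.get("Expired") == "No"

def entries_at_or_above(entries, threshold):
    """Entries meeting the threshold, highest threat level first."""
    return sorted((e for e in entries if e.threat_level >= threshold),
                  key=lambda e: (-e.threat_level, e.url))
```

Feed the real output of the command (count 0 start 0 to get every entry) into parse_category_detail in place of the constructed sample.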