Create Command and Control Profile
Create a Command and Control (C&C) profile to provide information on C&C servers that have attempted to contact and compromise hosts on your network. A C&C server is a centralized computer that issues commands to botnets, networks of compromised computers, and receives reports back from them.
To create a C&C profile:
- Click Secure Edge > Security Subscriptions > SecIntel > Profiles. The SecIntel Profiles page opens.
- Select Create > Command & Control. The Create Command & Control Profile page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. To discard your changes, click Cancel.
Once you create the C&C profile, you can associate it with the SecIntel profile groups.
Table 1: Fields on the Create Command & Control Profile page (each field is followed by the action to take)

Name
Enter a name for the C&C profile. The name must be a unique string of alphanumeric and special characters, 63 characters maximum. The special characters < and > are not allowed.

Description
Enter a description for the C&C profile.

Default action for all feeds
Drag the slider to change the action to be taken for all feed types. Actions are Permit (1-4), Log (5-6), and Block (7-10). Log permits the traffic and also logs the event.

Specific action for feeds
Do the following:
- Click + to define feeds and a threat score for the C&C profile. The Add Feeds window appears.
- Enter the following details:
  - Feeds—Select one or more feeds that are known command and control feeds for botnets from the Available column and move them to the Selected column.
  - Threat score—Drag the slider to change the action to be taken based on the threat score.
- Click OK.

Block action
Select one of the following block actions from the list:
- Drop Packets—The device silently drops the session's packets and the session eventually times out.
- Close session options—The device sends a TCP RST packet to the client and server, and the session is dropped immediately.

Close session options
Select one of the following options from the list: None, Redirect URL, or Redirect message.

Redirect URL
Enter a remote file URL to redirect users to when connections are closed.

Redirect message
Enter a custom message to send to users when connections are closed.
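The fields in Table 1 interact: the default slider applies to every feed, a feed-specific slider overrides it, and the block action decides what a Block verdict does to the session. The following Python model, added here as an illustration and not Juniper's code, resolves a feed hit to an action the way the form describes. The class and function names, the feed names, and the sample hits are constructed for this example; the score bands are the page's defaults (Permit 1-4, Log 5-6, Block 7-10).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScoreBands:
    """One slider position. Scores up to permit_max are permitted, up to
    log_max are permitted but logged, anything higher is blocked.
    Defaults follow the page: Permit 1-4, Log 5-6, Block 7-10."""
    permit_max: int = 4
    log_max: int = 6

    def action(self, score: int) -> str:
        if not 1 <= score <= 10:
            raise ValueError(f"threat score must be 1-10, got {score}")
        if score <= self.permit_max:
            return "permit"
        if score <= self.log_max:
            return "log"
        return "block"


def valid_name(name: str) -> bool:
    """Name rule from Table 1: at most 63 characters, '<' and '>' not allowed."""
    return 1 <= len(name) <= 63 and re.search(r"[<>]", name) is None


@dataclass
class CCProfile:
    """Assumed model of the Create Command & Control Profile form."""
    name: str
    default_bands: ScoreBands = field(default_factory=ScoreBands)
    feed_bands: Dict[str, ScoreBands] = field(default_factory=dict)  # "Specific action for feeds"
    block_action: str = "drop"              # "drop" (Drop Packets) or "close" (Close session)
    close_option: str = "none"              # "none", "redirect_url" or "redirect_message"
    redirect_target: Optional[str] = None   # URL or message used by the close option

    def __post_init__(self) -> None:
        if not valid_name(self.name):
            raise ValueError("profile name must be 1-63 characters without < or >")
        if self.block_action not in ("drop", "close"):
            raise ValueError("block_action must be 'drop' or 'close'")
        if self.close_option != "none" and not self.redirect_target:
            raise ValueError("redirect_url / redirect_message need a target")

    def decide(self, feed: str, score: int) -> dict:
        """Resolve one feed hit: a feed-specific slider wins over the default one."""
        bands = self.feed_bands.get(feed, self.default_bands)
        action = bands.action(score)
        verdict = {"feed": feed, "score": score, "action": action,
                   "logged": action == "log", "override": feed in self.feed_bands}
        if action == "block":
            if self.block_action == "drop":
                verdict["enforcement"] = "drop packets silently; session times out"
            else:
                verdict["enforcement"] = "send TCP RST to client and server"
                if self.close_option != "none":
                    verdict[self.close_option] = self.redirect_target
        return verdict


def evaluate(profile: CCProfile, hits: List[Tuple[str, int]]) -> List[dict]:
    """Apply the profile to a list of (feed, threat score) hits."""
    return [profile.decide(feed, score) for feed, score in hits]


# Constructed sample data: feed names and scores are invented for this example.
SAMPLE_HITS = [
    ("cc_feed_a", 3),   # default slider -> permit
    ("cc_feed_a", 6),   # default slider -> log
    ("cc_feed_a", 8),   # default slider -> block
    ("cc_feed_b", 5),   # stricter per-feed slider -> block
]

EXAMPLE_PROFILE = CCProfile(
    name="cc-block-high",
    feed_bands={"cc_feed_b": ScoreBands(permit_max=2, log_max=4)},
    block_action="close",
    close_option="redirect_message",
    redirect_target="Connection closed by security policy",
)

if __name__ == "__main__":
    for verdict in evaluate(EXAMPLE_PROFILE, SAMPLE_HITS):
        print(verdict)
```

The per-feed override is what lets an operator keep a permissive default while blocking a high-confidence feed at a lower score; the model also shows why a redirect option only matters when the block action is Close session, since a Drop Packets block never sends anything back to the client.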