Need help to detect BOTNET-CNC Palevo bot DNS attack

[babu dheen <babudheen () yahoo co in>]

Dear,
 
 We are using Astaro Firewall with IPS in pass through mode for last one year. We have been noticing  many number of  
"BOTNET-CNC Palevo bot DNS request for C&C attempt" attack showing in IPS summery report wherein source address and 
destination address showing only DNS server which source address is my company internal DNS server and destination is 
ISP DNS server.
 
We would like to find out the botnet infected clients which this IPS report shows. To help on this, we would like to 
know from which central URLs snort is downloading malware domains in its database so that we can refer the common URL 
against the DNS logs and find out the infected clients list.
 
I need your valuable help and guidelines on this.
 
Note: As you know, Astaro firewall is using Snort signature for IPS functionality. 
 





Rule ID

Rule Nmae

Group

Events


16297

BOTNET-CNC Palevo bot DNS
request for C&C attempt

Server

1018
 
 
Regards
Babu

------------------------------------------------------------------------------
Learn Windows Azure Live!  Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for 
developers. It will provide a great way to learn Windows Azure and what it 
provides. You can attend the event by watching it streamed LIVE online.  
Learn more at http://p.sf.net/sfu/ms-windowsazure

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!