From: Catching modern botnets using active integrated evidential reasoning
| Category | Evidence | Symptom | Action |
|---|---|---|---|
| E1 (I&A) | e11 (Scanning) | s1 (high TCP failure rate) | a1 (snort) |
| | | s2 (fast varying dest ports) | a2 (argus) |
| | e12 (Spamming) | s3 (high volume TCP/25) | a3 (NetFlow) |
| | | s4 (multi DNS MX queries) | a4 (DNS log) |
| | | s5 (multi SMTP dest) | a5 (snort) |
| E2 (C&C) | e21 (P2P) | s1 (high TCP failure rate) | a1 (snort) |
| | | s6 (high In-and-Out degree) | a6 (Script 1) |
| | | s7 (high Max Degree Ratio) | a7 (Script 2) |