9.6. Malware and Blacklist alerts

Note: This feature requires the Badfellas plugin.

The trisul_badfellas plugin adds the ability to check all of your network traffic against public blacklists for:

  1. Communication with known malicious IPs
  2. Retrieving malware from malicious URLs
  3. Falling victim to Phishing sites
  4. Trying to query DNS for known malicious domain names

9.6.1 What can you do with these alerts?

You can get useful reports such as:

  1. Top 100 hosts with malware in my enterprise
  2. Infection trends over time
  3. Breakdown of malware types (ZeUS, Gumblar, GhostNet, etc.)
  4. Retrieve suspected malware flows
  5. Pull suspected malware packets into Wireshark or Unsniff
  6. Scripted access using TRP

9.6.2 Evasions

Trisul is resistant to common evasions:

  • TCP fragmentation attacks: Trisul reassembles the TCP stream before reconstructing the requested URL and the HTTP Host header, so a blacklisted name split across segments is still matched.
  • DNS evasion: both DNS requests and replies are checked for known malicious domain names.
  • Minor permutations in domain names and URLs are handled automatically.