Command and Control Servers: More Information

Command and control (C&C) servers remotely send malicious commands to a botnet, or a network of compromised computers. The botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.

When a host on your network tries to initiate contact with a possible C&C server on the Internet, the SRX Series device can intercept the traffic and perform an enforcement action based on real-time feed information from Juniper ATP Cloud. The Web UI identifies the C&C server IP address, its threat level, the number of times the C&C server has been contacted, and so on.

An FP/FPN button lets you report a false positive or a false negative for each C&C server listed. When you report a false negative, Juniper ATP Cloud assigns the C&C server a threat level equal to the global threat level threshold you set in the global configuration (Configure > Global Configuration).

Juniper ATP Cloud blocks that host from communicating with the C&C server and can allow the host to communicate with other servers that are not on the C&C list depending on your configuration settings. The C&C threat level is calculated using a proprietary algorithm.

You can also use the show services security-intelligence statistics or show services security-intelligence statistics profile profile-name CLI commands to view C&C statistics.

user@root> show services security-intelligence statistics
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 0
    Permit sessions: 0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 0
    Block drop sessions: 0
Category CC:
  Profile cc_profile:
    Total processed sessions: 5
    Permit sessions: 4
    Block drop sessions: 1
    Block close sessions: 0
    Close redirect sessions: 0
Category JWAS:
  Profile Sample-JWAS:
    Total processed sessions: 0
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
Category Infected-Hosts:
  Profile hostintel:
    Total processed sessions: 0
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0

In the following example, the C&C profile name is cc_profile.

user@root> show services security-intelligence statistics profile cc_profile
Category CC:
  Profile cc_profile:
    Total processed sessions: 5
    Permit sessions: 4
    Block drop sessions: 1
    Block close sessions: 0
    Close redirect sessions: 0

You can also use the show services security-intelligence category detail category-name category-name feed-name feed-name count number start number CLI command to view more information about the C&C servers and their threat level.

Note: Set both count and start to 0 to display all C&C servers.

For example:

user@root> show services security-intelligence category detail category-name CC feed-name cc_url_data count 0 start 0
Category name   :CC
Feed name       :cc_url_data
Version         :20160419.2
Objects number  :24331
Create time     :2016-04-18 20:43:59 PDT
Update time     :2016-05-04 11:39:21 PDT
Update status   :Store succeeded
Expired         :No
Options         :N/A
{ url:http://g.xxxxx.net threat_level:9}
{ url:http://xxxx.xxxxx.net threat_level:9}
{ url:http://xxxxx.pw threat_level:2}
{ url:http://xxxxx.net threat_level:9}
...
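As an added example (not Juniper code), the following Python parser reads the category detail output shown above, pulls out the feed header fields and the per-URL threat levels, and lists the entries that meet the global threat level threshold; the sample output is constructed with placeholder hostnames like the page's and a smaller object count.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the 'category detail' CLI output above;
# hostnames are placeholders, and the object count is reduced to match.
SAMPLE = """Category name   :CC
Feed name       :cc_url_data
Version         :20160419.2
Objects number  :4
Create time     :2016-04-18 20:43:59 PDT
Update time     :2016-05-04 11:39:21 PDT
Update status   :Store succeeded
Expired         :No
Options         :N/A
{ url:http://g.xxxxx.net threat_level:9}
{ url:http://xxxx.xxxxx.net threat_level:9}
{ url:http://xxxxx.pw threat_level:2}
{ url:http://xxxxx.net threat_level:9}
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:(.*)$")          # "Field  :value"
ENTRY_RE = re.compile(r"\{\s*url:(\S+)\s+threat_level:(\d+)\s*\}")

@dataclass(frozen=True)
class FeedEntry:
    url: str
    threat_level: int

def parse_feed_detail(text):
    """Return (header dict, list of FeedEntry) parsed from the CLI output."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.search(line)          # per-URL feed objects
        if m:
            entries.append(FeedEntry(m.group(1), int(m.group(2))))
            continue
        m = HEADER_RE.match(line)          # feed metadata lines
        if m:
            header[m.group(1).strip()] = m.group(2).strip()
    return header, entries

def entries_at_or_above(text, threshold):
    """Feed entries whose threat level meets the configured global threshold."""
    _, entries = parse_feed_detail(text)
    return [e for e in entries if e.threat_level >= threshold]

def feed_is_current(text):
    """True when the feed stored successfully and has not expired."""
    header, _ = parse_feed_detail(text)
    return header.get("Update status") == "Store succeeded" and header.get("Expired") == "No"
```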
