[AF] User Security report flags a zombie host IP, but no botnet logs can be found for it in Logs
Problem Description
When a report is exported from AF, the User Security section of the report indicates that there is a zombie host, but when the botnet logs are queried in Monitor for the IP of that zombie host, no log is found at the corresponding time point.
Effective troubleshooting steps
- Confirm that the report was exported from the local device. You can manually export another copy.

- Check whether there are zombie hosts in User Security and whether the security logs for the corresponding time point can be found in Monitoring-Logs.

- The filtering conditions are indeed correct. I did not see any botnet logs for the corresponding IP. I checked other logs and found that botnet logs can be recorded normally. This IP was not whitelisted. Check whether there are other logs for this IP at the corresponding time point.
- Communicate with R&D to confirm that, in addition to botnet access logs, a host is also marked as a botnet host in the User Security report if there is an IPS log for it (IPS Malware will have this behavior).

Root cause
In the User Security report, zombie host detection checks not only botnet logs but also whether IPS logs exist.
Solution
Explain to customers that IPS logs will also cause hosts to be indicated as zombie hosts in User Security.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1521&isOpen=true