FortiAnalyzer – Event Handler for #regin

Hi

Following the big hype around #regin, I built a FortiAnalyzer Event Handler to track sessions to known Regin C&C servers (I know they will change...).

Here is a sample (thanks to @kaspersky for the detailed analysis):

Name: Abuse – Regin CC

Log Type: Traffic Log

Event Category: Others

Log messages that match: All

Primary Filter: Status – Not Equal To – Deny

Generic Text Filter:

(dstip==61.67.114.73
or dstip==202.71.144.113
or dstip==203.199.89.80
or dstip==194.183.237.145
)

Notification: Configure your preferred notifications

With this Event Handler you get an Event Alert whenever a session to one of the listed C&C servers is established; sessions the firewall already denied are excluded by the primary filter, so only traffic that actually got through raises an alert.
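For readers who want to check the same logic offline, here is an added Python example (not part of the original post and not FortiAnalyzer code) that re-implements the handler's filter over a few constructed FortiGate-style key=value traffic log lines: traffic log type, status not equal to deny, and dstip in the watch list from the Generic Text Filter above. The log lines, source addresses and the `status` values are constructed assumptions for illustration; the four destination IPs are the ones from the post.

```python
"""Offline re-implementation of the 'Abuse - Regin CC' event handler logic.

Added example: flags traffic log records whose status is not 'deny' and whose
dstip is on the C&C watch list from the post. Log lines below are constructed
samples, not real captures."""

import shlex

# C&C addresses from the post's Generic Text Filter.
REGIN_CC_IPS = {
    "61.67.114.73",
    "202.71.144.113",
    "203.199.89.80",
    "194.183.237.145",
}

# Constructed sample log lines (assumed FortiGate key=value layout, not real data).
SAMPLE_LOGS = [
    'date=2014-11-24 time=10:01:02 type=traffic subtype=forward status=accept '
    'srcip=10.0.0.5 dstip=61.67.114.73 dstport=443 proto=6',
    # Already blocked by the firewall: the primary filter (status != deny) drops it.
    'date=2014-11-24 time=10:01:05 type=traffic subtype=forward status=deny '
    'srcip=10.0.0.7 dstip=202.71.144.113 dstport=80 proto=6',
    # Benign destination, not on the watch list.
    'date=2014-11-24 time=10:01:09 type=traffic subtype=forward status=accept '
    'srcip=10.0.0.8 dstip=203.0.113.10 dstport=53 proto=17',
    # Event log, not a traffic log: the handler's Log Type filter excludes it.
    'date=2014-11-24 time=10:01:11 type=event subtype=system status=accept '
    'dstip=203.199.89.80 msg="constructed event"',
    'date=2014-11-24 time=10:01:20 type=traffic subtype=forward status=start '
    'srcip=10.0.0.9 dstip=194.183.237.145 dstport=8080 proto=6',
]


def parse_kv_log(line: str) -> dict:
    """Parse a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_handler(record: dict) -> bool:
    """Mirror the handler: Log Type traffic, status not 'deny', dstip on the list."""
    if record.get("type") != "traffic":
        return False
    if record.get("status", "").lower() == "deny":
        return False
    return record.get("dstip") in REGIN_CC_IPS


def find_cc_sessions(lines):
    """Return (srcip, dstip, status) for every record that would raise the alert."""
    alerts = []
    for line in lines:
        rec = parse_kv_log(line)
        if matches_handler(rec):
            alerts.append((rec.get("srcip"), rec.get("dstip"), rec.get("status")))
    return alerts


if __name__ == "__main__":
    for src, dst, status in find_cc_sessions(SAMPLE_LOGS):
        print(f"ALERT Regin C&C contact: {src} -> {dst} (status={status})")
```

Running it prints two alerts: the accepted session to 61.67.114.73 and the started session to 194.183.237.145. The denied session and the non-traffic event record are filtered out exactly as the handler's primary and Log Type filters would do, which is the behaviour worth confirming before trusting the alert count in production.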

Have fun.
