CSN15: Using ArcSight ESM for Malicious Domain Detection

Document created by jmerrill on Sep 10, 2010

Chris Watley, Information Assurance Engineer, U.S. Government Agency
Level: Intermediate
The traditional way to detect traffic to malicious domains is to write Snort signatures that inspect DNS and HTTP traffic. This approach can produce a high false-positive rate and degrades the performance of the sensors. Moving these detections into ArcSight ESM largely eliminates the false positives and frees the sensors for more proactive signatures. This session shows how to use ArcSight ESM for domain detection: the interaction between active lists, filters and rules, with a heavy focus on the variables involved. Attendees should already understand ArcSight rules, active lists and filters.
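The contrast the session draws, as an added example that is not the session's own material and uses no ArcSight syntax: a curated list of known-bad domains is treated like an active list, and parsed DNS query events are matched against it by exact name or parent domain after normalization (lower-casing, trailing dot removed). It is placed beside a naive content-style substring match of the kind a quick signature might use, which is assumed here to be one source of the false positives the abstract mentions. The domain names, log lines and field layout are all constructed for the example.

```python
"""Added example: list-based domain matching versus substring matching.

Not the session's code and not ArcSight rule syntax. A set of bad domains
stands in for an ESM active list; constructed DNS query events are matched
against it two ways so the false-positive difference is visible.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing root dot."""
    return name.lower().rstrip(".")


# Constructed "active list" of known-bad domains (placeholder names only).
MALICIOUS_DOMAINS = {normalize(d) for d in ("bad.example", "c2.evil.test")}

# Constructed DNS query log, one event per line: "<ts> <src_ip> QUERY <qname>"
SAMPLE_LOG = """\
2010-09-10T12:00:01 10.0.0.5 QUERY www.bad.example.
2010-09-10T12:00:02 10.0.0.6 QUERY notbad.example
2010-09-10T12:00:03 10.0.0.7 QUERY C2.EVIL.TEST
2010-09-10T12:00:04 10.0.0.8 QUERY mail.corp.example
2010-09-10T12:00:05 10.0.0.9 QUERY evil.test
"""


@dataclass
class DnsEvent:
    ts: str
    src: str
    qname: str


def parse_dns_log(text: str) -> list[DnsEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "QUERY":
            continue
        events.append(DnsEvent(parts[0], parts[1], parts[3]))
    return events


def signature_match(events: list[DnsEvent], bad: set[str]) -> list[DnsEvent]:
    """Naive content-style match: fire if any listed domain appears as a
    substring of the query name. 'notbad.example' contains 'bad.example',
    so this produces a false positive."""
    return [e for e in events if any(b in normalize(e.qname) for b in bad)]


def active_list_match(events: list[DnsEvent], bad: set[str]) -> list[DnsEvent]:
    """List-based match: fire only if the normalized query name, or one of
    its parent domains, is exactly an entry in the list."""
    hits = []
    for e in events:
        labels = normalize(e.qname).split(".")
        # All suffixes of the name: host.sub.example, sub.example, example
        candidates = {".".join(labels[i:]) for i in range(len(labels))}
        if candidates & bad:
            hits.append(e)
    return hits


if __name__ == "__main__":
    events = parse_dns_log(SAMPLE_LOG)
    print("substring match:", [e.qname for e in signature_match(events, MALICIOUS_DOMAINS)])
    print("list match:     ", [e.qname for e in active_list_match(events, MALICIOUS_DOMAINS)])
```

Note that `evil.test` is not flagged by the list match: being the parent of a listed subdomain does not make it listed, and whether that is desired is a policy decision to make when the list is built, not something the matching logic should guess.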