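# Labeling rules for an HTTP proxy log, one `filter="..." label="..."` pair per rule.
#
# Final columns:
# timestamp|s-port|sc-http-status|sc-bytes|sc-header-bytes|c-port|cs-bytes|cs-header-bytes|cs-method|cs-url|x-elapsed-time|s-ip|c-ip|cs-mime-type|cs(Referer)|cs(User-Agent)
#
# Before reusing this file for another capture:
#   - change the bot IP in every rule (here 10.0.2.16) to the infected host's address,
#   - change the V# number in every label,
#   - replace the trailing XXXX in every label with the capture's identifier.
#
# NOTE(review): rule order appears to matter — the more specific rules are placed before
# the general ones (e.g. "google.com-redirecting" before "google.com", and the catch-all
# "From-Botnet" rule last), which only works if the labeling tool takes the FIRST matching
# rule. Confirm this against the tool before reordering anything.
#
# NOTE(review): `cs-url=.exe` and the other `cs-url=` tests look like substring matches, not
# extension checks — any URL containing ".exe" (in a path, query string or host name) would
# match, and a payload served without a tell-tale extension would not. The cs-mime-type
# column is available if a content-type based rule is needed; verify match semantics first.
#
# NOTE(review): `sc-http-status!=200` marks a rule as an "attempt", so 3xx redirects and
# 206 partial-content responses are labeled as attempts, not as successful downloads.

# Normal stuff to windows
filter="s-port=80 and c-ip=10.0.2.16 and s-ip=66.171.231.15" label="Normal-Windows-msftncsi"

# Google
# The redirect rule must stay before the plain google.com rule (see ordering note above).
filter="s-port=80 and sc-http-status=302 and c-ip=10.0.2.16 and cs-url=google.com" label="From-Botnet-V1-google.com-redirecting-to-other-site-XXXX"
filter="s-port=80 and c-ip=10.0.2.16 and cs-url=google.com" label="From-Botnet-V1-google.com"
filter="s-port=80 and c-ip=10.0.2.16 and cs-url=google.cz" label="From-Botnet-V1-google.cz"

# Bing
filter="s-port=80 and c-ip=10.0.2.16 and cs-url=bing.com" label="From-Botnet-V1-bing.com"

# Binary downloads?
filter="c-ip=10.0.2.16 and cs-url=.exe and sc-http-status=200" label="From-Botnet-V1-binary-download"
filter="c-ip=10.0.2.16 and cs-url=.exe and sc-http-status!=200" label="From-Botnet-V1-binary-download-attempt"

# custom binary
filter="c-ip=10.0.2.16 and cs-url=.gmp and sc-http-status=200" label="From-Botnet-V1-custom-binary-download-success-XXXX"
filter="c-ip=10.0.2.16 and cs-url=.gmp and sc-http-status!=200" label="From-Botnet-V1-custom-binary-download-attempt-XXXX"
filter="c-ip=10.0.2.16 and cs-url=.gmz and sc-http-status=200" label="From-Botnet-V1-compressed-custom-binary-download-success-XXXX"
filter="c-ip=10.0.2.16 and cs-url=.gmz and sc-http-status!=200" label="From-Botnet-V1-compressed-custom-binary-download-attempt-XXXX"
filter="c-ip=10.0.2.16 and cs-url=.dll and sc-http-status=200" label="From-Botnet-V1-unknown-download-success-XXXX"
filter="c-ip=10.0.2.16 and cs-url=.dll and sc-http-status!=200" label="From-Botnet-V1-unknown-download-attempt-XXXX"
# Removed: a second `cs-url=.gmz and sc-http-status!=200` rule labeled
# "From-Botnet-V1-unknown-download-attempt-XXXX". It duplicated the .gmz attempt rule
# above with a conflicting label; it could never win under first-match and would
# mislabel those flows under last-match.

# Default for botnet
filter="c-ip=10.0.2.16" label="From-Botnet-V1-XXXX"

#Default
filter="" label="Background-XXXX"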