Analyzing outgoing network traffic (part 2)

Published: 2012-08-30
Last Updated: 2012-08-30 11:42:11 UTC
by Bojan Zdrnja (Version: 1)
5 comment(s)

Last week I posted a diary about analyzing outgoing network traffic and asked our readers to comment what data sources they use when monitoring outbound connections our users establish.

Besides the sources I listed in the original diary we got quite a few comments and some good questions, so I’m combining all these in this, second, diary:

These include the lists I verified in the mean time – for more check comments in the first diary.

One of our readers, Arnim, also asked about a potentially very useful list of IP addresses belonging to remote access services such as LogMeIn, NetViewer and similar. I’m not aware of such a list but it would be very useful. Emerging Threat’s has something similar – a list of outgoing ToR nodes but that only helps you figure out if someone that visited your network used ToR. The list is available at

Thanks to everyone that submitted their comments, including Christian, Ben, Arnim, Hal, Matt, Brent and many others.




5 comment(s)



I hope this will be helpful
Here daily i will be posting only Malware Callback Domains and IPs.
They are extracted from behaviour analysis of malware samples and filtered based on heuristics removing the legitimate domains/IPs.

Any hit to those IPs or domains is a confirmed malware infection.
You can validate them by googling the domain/IP on internet.
@Uma: That looks like a useful resource for automatic firewall/IDP maintenance. Are the lists available in a more-easily-usable downloadable file format so that we don't have to write a blog scraper to get updates?
You can get the list from malwaredomainlist via this link:
sure, i will do it by next week
You can find an overview of the downloadable lists at here:

Diary Archives