netcmh (United States of America) asked:
How to identify botnet/malicious traffic

Hello,

We have the Cisco ASA 5520 as a client's firewall. This firewall also has the Cisco SSM-20 as the inline IPS module.

I would like to know how to identify botnet/malicious traffic on the firewall. I do not wish to purchase the botnet filter yet. I would need to make the case for it and therefore need to identify the traffic.

Any and all help is appreciated.

Thank you.
btan:
Leverage the IPS capability then, but it can be chicken and egg: if you can do it, then there is really no need for the botnet filter. The key is the deep packet inspection and classification of the various botnets. Maybe the manual approach first:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html#wpxref52567

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html#wp1130197

What I see is to have the malicious traffic generated so that the alerts from the rule trigger... I know of Evader as a tool to test IPS evasion scheme coverage, but to really test botnet, the key is to prevent and alert on C&C callbacks based on a known blacklist... the anomalies will need the filter checks where possible...
netcmh (asker):
Thanks breadtan. But, both of those links deal with the filter, which I'm not keen on implementing at the moment. But, you have me started thinking on the blacklist approach. Where do you find your callback blacklist?
If you look at the links, they are configuring an access list based on a blacklist. The filter is on the dynamic database, which will be categorised into malware type if you have the filter. Blacklisted IPs or DNS domains can be easily gotten from sites such as abuse.ch, DNSBL, Emerging Threats, etc...

This blog may be of interest, but maintaining a blacklist is never going to end, hence do consider outbound anomalies as mentioned in the SANS paper (do a Google search using "sans outbound firewall rules"):
http://www.iggdawg.com/blog/2011/05/netting-the-botnets-with-cisco-asa-for-free/
netcmh (asker):
I had read that page before and didn't know how to implement it. Not sure if I want to side step Cisco.
There is a ready blacklist from
http://rules.emergingthreats.net/fwrules/

But probably the easiest way is to talk to the vendor to get a trial filter; I am sure they will be more than happy to help. Have it run with traffic tapped from production; it need not actively block but simply get the stats and reports of those "surprising" findings / alerts.

I will say that it is more convincing when your management sees it and asks why the exposure risk exists and what we have done about it... it always works to give real evidence rather than side steps or workarounds, which eventually still go round to prove the same point.

I did that previously in the same situation but pertaining to other network security devices, and the revealing does bode well to push forth why the technology can (and will) help to mitigate and provide a layer of protection in your case. So don't short change yourself when profiling those threats; they are real and need more robust and straightforward means to deter... you will then have more time to see how to craft better rules and other technology to complement, such as the use of SIEMs...

Just remember you are revealing risk that has not been uncovered (yet) and not trying to sell device capabilities, though eventually that is a bonus... if they are enlightened.
netcmh (asker):
I've been looking into the UTM/NextGenFW/TM solutions, but would very much like to get some data off of the existing infrastructure. I'm going to further try the blacklist as a separate ACL on the firewall to see if the hits increase. I'll get back as soon as I can. Thanks.
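One way to put the blacklist-as-a-separate-ACL idea into practice, as an added example that is not from the thread or from Cisco: build an ASA object-group from a list of IPs/CIDRs, attach a logging ACE so each match is counted, and read the per-entry hit counts back out of `show access-list` output. The group and ACL names, and the sample `show access-list` text, are constructed for the example.

```python
# Added example (not from the thread): generate a monitoring ACL for the ASA from a
# blacklist and read hit counts from "show access-list" output.
# Group/ACL names are assumptions; SAMPLE_SHOW is constructed output, not a real capture.
import ipaddress
import re

def asa_blacklist_config(entries, group="BLACKLIST", acl="OUTSIDE_OUT", action="permit"):
    """Turn IPs/CIDRs into an object-group plus one logging ACE.
    action="permit" counts hits without blocking (observation only);
    action="deny" would block the same flows."""
    lines = [f"object-group network {group}"]
    seen = set()
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):        # skip comments / blank lines
            continue
        net = ipaddress.ip_network(raw, strict=False)
        if net in seen:                            # de-duplicate host vs /32 forms
            continue
        seen.add(net)
        if net.num_addresses == 1:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    # One ACE for the whole group, logged, placed before the usual permit-any.
    lines.append(f"access-list {acl} extended {action} ip any object-group {group} log")
    lines.append(f"access-list {acl} extended permit ip any any")
    lines.append(f"access-group {acl} out interface outside")
    return lines

# ASA expands the object-group into indented per-element lines, each with its own hitcnt.
ELEMENT_RE = re.compile(r"(?:permit|deny) ip any (host \S+|\S+ \S+) .*\(hitcnt=(\d+)\)")

def blacklist_hits(show_output):
    """Map each expanded blacklist element to its hit count (indented lines only)."""
    hits = {}
    for line in show_output.splitlines():
        if not line.startswith(" "):
            continue                               # skip the summary/group-level lines
        m = ELEMENT_RE.search(line)
        if m:
            hits[m.group(1)] = int(m.group(2))
    return hits

# Constructed sample of "show access-list" output (TEST-NET addresses).
SAMPLE_SHOW = """\
access-list OUTSIDE_OUT; 3 elements; name hash: 0x1234abcd
access-list OUTSIDE_OUT line 1 extended permit ip any object-group BLACKLIST log informational interval 300 (hitcnt=7) 0xaaaa0001
  access-list OUTSIDE_OUT line 1 extended permit ip any host 203.0.113.7 log informational interval 300 (hitcnt=5) 0xaaaa0002
  access-list OUTSIDE_OUT line 1 extended permit ip any 198.51.100.0 255.255.255.0 log informational interval 300 (hitcnt=2) 0xaaaa0003
access-list OUTSIDE_OUT line 2 extended permit ip any any (hitcnt=98213) 0xaaaa0004
"""
```

Running `blacklist_hits` against successive `show access-list` captures shows whether hits on the blacklist entries are increasing, which is the evidence the asker wants without blocking anything.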
Just a word of caution: the "all-in-one" box will need to be validated to see whether it stands up if you want to turn on all its features or modules, as performance impacts can kick in and the whole user experience will worsen. Also do have SSL termination as a must for the solution, else it is blinded like any device in the path. Application awareness is good, but talking about web vulnerability, I believe only a WAF does it better compared to an NGFW or UTM (unless they also say they have a WAF module, but think back to the performance: how many can be 'on' without impacting overall performance). Thanks.
I don't have much experience with UTM products, but I can comment on Cisco. Cisco's flagship security product is the ASA, but it is somewhat limited in terms of what it has to offer in the UTM space.

They now own IronPort (http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html), which may give some additional features you are looking for.

To get an idea about UTM technology and market share: http://www.fortinet.com/resource_center/analyst_reports/gartners_magic_quadrant_report_unified_threat_management.html
netcmh (asker):
So, besides the blacklist, there's no traffic pattern that I can try listening to on the ASA to determine botnet infection on the inside?
That is the obvious low-hanging fruit to detect first, but at a cost, as in the botnet filter available as an additional ASA module. It looks out for, e.g., Traffic Classification (whitelist, blacklist, greylist, unknown) and Reporting, (DNS) Snooping in conjunction with DNS inspection, or even the use of ISE to give more contextual info on the packets running through it (e.g. where is the geolocation, who is sending/receiving, what application is communicating, e.g. P2P, RDP software, etc.).

Example of the Botnet Traffic Filter in Action

The client attempts to connect to phone-home server "command-control.badguy.ru."
1. Client issues a DNS query for "command-control.badguy.ru."
2. The ASA DNS inspection snoops the query and the response to the DNS query and caches it for later use.
3. Client connects to IP address of "command-control.badguy.ru."
– Botnet Traffic Filter resolves IP address in BTF DNS cache.
– Botnet Traffic Filter looks up DNS name for connection in Botnet Traffic Filter block list.
– If peer address is found in Botnet Traffic Filter block list and is not in the manual whitelist, then alert via logging that an illegal connection was attempted.
– If peer address is not found, then allow connection to continue.
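The decision flow just listed, as an added Python emulation that is not from the thread or from Cisco: DNS inspection fills a cache of answered IPs, a later connection is mapped back to the name it resolved from, and the block list is consulted with the manual whitelist taking precedence. Class and method names are assumptions, and the scenario uses constructed TEST-NET addresses.

```python
# Added example (not from the thread or Cisco): emulation of the Botnet Traffic
# Filter flow. Names are assumptions, not ASA APIs; addresses are constructed.

class BotnetTrafficFilter:
    def __init__(self, blocklist, whitelist=()):
        self.blocklist = {e.lower() for e in blocklist}   # DNS names or IPs
        self.whitelist = {e.lower() for e in whitelist}   # manual whitelist wins
        self.dns_cache = {}                                # ip -> name (step 2)
        self.alerts = []

    def snoop_dns(self, query_name, answers):
        """Steps 1-2: DNS inspection caches the query and its answered IPs."""
        for ip in answers:
            self.dns_cache[ip] = query_name.lower()

    def check_connection(self, src, dst_ip):
        """Step 3: map the peer IP back to its DNS name and consult the lists."""
        name = self.dns_cache.get(dst_ip)
        peer = {dst_ip} | ({name} if name else set())
        if peer & self.whitelist:              # whitelisted peers are never alerted
            return "allow"
        hit = peer & self.blocklist
        if hit:                                # log, do not block, as the flow above says
            self.alerts.append(
                f"{src} -> {dst_ip} ({name or 'no cached name'}) matches {sorted(hit)[0]}")
            return "alert"
        return "allow"                         # not in the block list: allow

def run_scenario():
    """Constructed scenario; returns the per-connection verdicts and the alert log."""
    btf = BotnetTrafficFilter(
        blocklist=["command-control.badguy.ru", "192.0.2.66"],
        whitelist=["updates.example.com"])
    btf.snoop_dns("command-control.badguy.ru", ["203.0.113.7"])
    btf.snoop_dns("updates.example.com", ["192.0.2.66"])   # blocked IP, whitelisted name
    verdicts = [
        btf.check_connection("10.1.1.25", "203.0.113.7"),  # name in block list -> alert
        btf.check_connection("10.1.1.25", "192.0.2.66"),   # whitelist overrides -> allow
        btf.check_connection("10.1.1.30", "198.51.100.9"), # unknown peer -> allow
    ]
    return verdicts, btf.alerts
```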
netcmh (asker):
That doesn't answer my question.
ASKER CERTIFIED SOLUTION by btan