How to identify botnet/malicious traffic

Hello,

We have the Cisco ASA 5520 as a client's firewall. This firewall also has the Cisco SSM-20 as the inline IPS module.

I would like to know how to identify botnet/malicious traffic on the firewall. I do not wish to purchase the botnet filter yet. I would need to make the case for it and therefore need to identify the traffic.

Any and all help is appreciated.

Thank you.
netcmhAsked:

btanExec ConsultantCommented:
Leverage the IPS capability then, but it can be chicken and egg: if you can do it that way, then there is really no need for the botnet filter. The key is deep packet inspection and classification of the various botnets. Maybe the manual approach first:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html#wpxref52567

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html#wp1130197

What I see is to have the malicious traffic generated so that the alerts from the rules trigger... I know of Evader as a tool to test IPS evasion scheme coverage, but to really test botnet, the key is to prevent and alert on C&C callbacks based on a known blacklist... the anomalies will need the filter checks where possible...
0
netcmhAuthor Commented:
Thanks breadtan. But, both of those links deal with the filter, which I'm not keen on implementing at the moment. But, you have me started thinking on the blacklist approach. Where do you find your callback blacklist?
0
btanExec ConsultantCommented:
If you look at the links, they are configuring access lists based on a blacklist. The filter is on the dynamic database, which will be categorised into malware type if you have the filter. Blacklisted IPs or DNS domains can easily be gotten from sites such as abuse.ch, DNSBL, Emerging Threats, etc...

This blog may be of interest, but maintaining a blacklist is never going to end, hence do consider outbound anomalies as mentioned in the SANS paper (do a Google search using "sans outbound firewall rules"):
http://www.iggdawg.com/blog/2011/05/netting-the-botnets-with-cisco-asa-for-free/
0

netcmhAuthor Commented:
I had read that page before and didn't know how to implement it. Not sure if I want to side step Cisco.
0
btanExec ConsultantCommented:
There is a ready blacklist from
http://rules.emergingthreats.net/fwrules/

But probably the easiest way is to talk to the vendor to get a trial filter; I am sure they will be more than happy to help. Have it run with traffic tapped from production; it need not actively block, but simply get the stats and reports of those "surprising" findings / alerts.

I will say that it is more convincing when your mgmt sees it and asks why the exposure risk exists and what we have done about it... it always works to give real evidence rather than side steps or workarounds, which eventually still go round to prove the same point.

I did that previously in the same situation, but pertaining to other network security devices, and the revelation does bode well to push forth why the technology can (and will) help to mitigate and provide a layer of protection in your case. So don't short-change yourself when profiling those threats; they are real and need more robust and straightforward means to deter. You will then have more time to see how to craft better rules and other technology to complement, such as the use of SIEMs...

Just remember you are revealing risk that has not been uncovered (yet) and not trying to sell device capabilities, though eventually that is a bonus... if they are enlightened.
0
madunix (Fadi SODAH)Commented:
I would think about putting in a UTM device, e.g. Cyberoam, Fortinet, etc.
http://www.fortinet.com/solutions/unified_threat_management.html
http://www.cyberoam.com/utmoverview.html
0
netcmhAuthor Commented:
I've been looking into the UTM/NextGenFW/TM solutions, but would very much like to get some data off of the existing infrastructure. I'm going to further try the blacklist as a separate ACL on the firewall to see if the hits increase. I'll get back as soon as I can. Thanks.
0
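The "blacklist as a separate ACL, then watch the hits" approach that btan suggested above and that netcmh is about to try, worked through as an added example (not code from the thread or from Cisco): it parses a one-address-per-line block list into an ASA object-group with a logging ACE, then tallies the resulting %ASA-6-106100 syslog hits per inside host. The block list, the ACL name `inside_access_in`, the group name `BOTNET_BL` and the syslog lines are constructed samples; ASA 8.2 CLI syntax and the 106100 message format are as documented by Cisco.

```python
"""Turn a plain-text IP block list into an ASA object-group plus a logging
ACE, then count %ASA-6-106100 hits per inside host.  Constructed example:
the list, ACL name and syslog lines below are samples, not real feed data."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the one-entry-per-line shape of the Emerging Threats
# fwrules feeds ('#' starts a comment).  Not a real feed.
SAMPLE_BLOCKLIST = """\
# constructed sample block list
198.51.100.7
203.0.113.0/24
192.0.2.45        # trailing comment
203.0.113.0/24    # duplicate, collapsed on parse
not-an-ip         # malformed, skipped
"""


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of ip_network objects."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip a bad line rather than abort the whole feed
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def asa_config(nets, group="BOTNET_BL", acl="inside_access_in"):
    """Emit ASA 8.x CLI: a network object-group and one ACE inserted at
    line 1 of the inside ACL.  'permit ... log' keeps policy unchanged
    (only if that ACL already permitted the traffic; otherwise use 'deny')
    and makes every hit produce a %ASA-6-106100 syslog.  Names are assumed."""
    lines = [f"object-group network {group}"]
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    lines.append(f"access-list {acl} line 1 extended permit ip any "
                 f"object-group {group} log")
    return "\n".join(lines)


# %ASA-6-106100: access-list <acl> permitted|denied <proto>
#   <if>/<src>(<port>) -> <if>/<dst>(<port>) hit-cnt <n> ...
HIT_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\(\d+\) "
    r"hit-cnt (?P<cnt>\d+)"
)

# Constructed syslog sample: two inside hosts talk to listed addresses,
# one talks to an unlisted resolver, one line is a different message ID.
SAMPLE_SYSLOG = """\
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.9(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(51240) -> outside/203.0.113.9(443) hit-cnt 14 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.77(40001) -> outside/198.51.100.7(6667) hit-cnt 3 300-second interval [0x1a2b3c4e, 0x0]
%ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.1.5(51300) -> outside/8.8.8.8(53) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
%ASA-6-106023: Deny tcp src inside:10.1.1.9/5555 dst outside:1.2.3.4/80 by access-group "inside_access_in"
"""


def count_hits(syslog_text, nets):
    """Return ({inside_host: hits}, {listed_dst: hits}), summing hit-cnt
    values and counting only destinations inside a block-listed network."""
    by_host, by_dst = Counter(), Counter()
    for line in syslog_text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if not any(dst in n for n in nets):
            continue
        cnt = int(m["cnt"])
        by_host[m["src"]] += cnt
        by_dst[m["dst"]] += cnt
    return by_host, by_dst


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    print(asa_config(nets))
    by_host, by_dst = count_hits(SAMPLE_SYSLOG, nets)
    for host, n in by_host.most_common():
        print(f"{host}: {n} hits to block-listed addresses")
```

Re-run `count_hits` over each day's syslog export and the per-host table is the "hits increase" evidence for management; a host that keeps beaconing to the same listed address on a fixed interval is the case to investigate first.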
btanExec ConsultantCommented:
Just a word of caution: the "all-in-one" box will need validation of where it stands if you want to turn on all its features or modules, as performance impacts can kick in and the whole user experience will worsen. Also, do have SSL termination as a must for the solution, else it is blinded like any device in the path. Application awareness is good, but talking about web vulnerability, I believe only a WAF does it better compared to NGFW or UTM (unless they also say they have a WAF module, but think back to the performance: how many can be 'on' without impacting overall performance). Thanks.
0
madunix (Fadi SODAH)Commented:
I don't have much experience with UTM products, but I can comment on Cisco. Cisco's flagship security product is the ASA, but it is somewhat limited in terms of what it has to offer in the UTM space.

They now own IronPort    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
which may give some additional features you are looking for.

To have an idea about UTM technology and market share http://www.fortinet.com/resource_center/analyst_reports/gartners_magic_quadrant_report_unified_threat_management.html
0
netcmhAuthor Commented:
So, besides the blacklist, there's no traffic pattern that I can try listening to on the ASA to determine botnet infection on the inside?
0
btanExec ConsultantCommented:
That is the obvious low-hanging fruit to detect first, but at a cost, as the botnet filter available as an additional ASA module looks out for e.g. traffic classification (whitelist, blacklist, greylist, unknown) and reporting, (DNS) snooping in conjunction with DNS inspection, or even the use of ISE to give more contextual info on the packets running through it (e.g. what the geo-location is, who is sending/receiving, what application is communicating, e.g. P2P, RDP software, etc.).

Example of the Botnet Traffic Filter in Action

The client attempts to connect to phone-home server "command-control.badguy.ru."
1. Client issues a DNS query for "command-control.badguy.ru."
2. The ASA DNS inspection snoops the query and the response to the DNS query and caches it for later use.
3. Client connects to IP address of "command-control.badguy.ru."
– Botnet Traffic Filter resolves IP address in BTF DNS cache.
– Botnet Traffic Filter looks up DNS name for connection in Botnet Traffic Filter block list.
– If peer address is found in Botnet Traffic Filter block list and is not in the manual whitelist, then alert via logging that an illegal connection was attempted.
– If peer address is not found, then allow connection to continue.
0
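The four-step Botnet Traffic Filter flow btan quotes above can be reproduced offline from logs you already collect, which is one way to get the same "what did this host resolve before it connected" evidence without buying the filter. The following is an added example (not code from the thread, from Cisco, or from the filter itself): it learns IP-to-name mappings from DNS answers, expires them on TTL, and classifies each outbound connection as alert, allow or unknown against a domain block list and a manual whitelist. The block list, whitelist, DNS answers and connection records are constructed samples; the input shape (timestamp, name, IP, TTL) is an assumption you would adapt to your resolver's log format.

```python
"""Offline equivalent of the Botnet Traffic Filter's DNS snooping:
cache DNS answers, then check each outbound connection's destination IP
against the names that resolved to it.  Constructed example; lists and
records below are samples, not real data."""
import ipaddress
from collections import defaultdict

# Constructed domain block list and manual whitelist (the BTF has both).
BLOCKLIST = {"badguy.ru", "c2.example.net"}
WHITELIST = {"cdn.badguy.ru"}   # hypothetical host sharing the bad parent


def domain_matches(name, domains):
    """True if name equals, or is a subdomain of, any listed domain.
    Label-wise matching: 'notbadguy.ru' must NOT match 'badguy.ru'."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


class DnsSnoopCache:
    """Reverse map IP -> {name: expiry} learned from DNS answers (step 2
    of the flow above).  Entries expire when their TTL runs out so a
    recycled IP is not blamed for a name it no longer carries."""

    def __init__(self):
        self._by_ip = defaultdict(dict)

    def learn(self, name, ip, ttl, now):
        self._by_ip[ipaddress.ip_address(ip)][name.lower()] = now + ttl

    def names_for(self, ip, now):
        entries = self._by_ip.get(ipaddress.ip_address(ip), {})
        return {n for n, exp in entries.items() if exp > now}


def classify_connection(cache, src, dst, now):
    """Steps 3a-3d: resolve dst to cached names, then check the lists.
    Returns (verdict, src, dst, matched_name)."""
    names = cache.names_for(dst, now)
    if not names:
        # No name ever resolved to this IP: the filter's 'unknown' class.
        # Direct-to-IP callbacks land here, so it is worth reporting too.
        return ("unknown", src, dst, None)
    for name in sorted(names):
        if domain_matches(name, WHITELIST):
            continue
        if domain_matches(name, BLOCKLIST):
            return ("alert", src, dst, name)
    return ("allow", src, dst, sorted(names)[0])


# Constructed samples: (time, name, answer_ip, ttl) and (time, src, dst).
SAMPLE_DNS_ANSWERS = [
    (100, "command-control.badguy.ru", "203.0.113.9", 300),
    (100, "cdn.badguy.ru", "203.0.113.50", 300),
    (105, "www.example.com", "192.0.2.10", 3600),
    (110, "c2.example.net", "198.51.100.7", 60),
]
SAMPLE_CONNECTIONS = [
    (120, "10.1.1.5", "203.0.113.9"),      # resolved via a block-listed name
    (125, "10.1.1.8", "203.0.113.50"),     # only a whitelisted name
    (130, "10.1.1.9", "192.0.2.10"),       # benign
    (200, "10.1.1.77", "198.51.100.7"),    # name expired (TTL 60) -> unknown
    (140, "10.1.1.12", "203.0.113.200"),   # never seen in DNS -> unknown
]


def run(dns_answers, connections):
    """Load all answers, then classify every connection."""
    cache = DnsSnoopCache()
    for t, name, ip, ttl in dns_answers:
        cache.learn(name, ip, ttl, t)
    return [classify_connection(cache, s, d, t) for t, s, d in connections]


if __name__ == "__main__":
    for verdict, src, dst, name in run(SAMPLE_DNS_ANSWERS, SAMPLE_CONNECTIONS):
        print(f"{verdict:7} {src:>12} -> {dst:<15} {name or '-'}")
```

On a real network, feed `learn` from your internal resolver's query log and `classify_connection` from the ASA's 302013 connection-built messages, processing both in time order; the "unknown" verdicts are as interesting as the alerts, since a workstation that opens connections to IPs it never resolved is behaving unlike a browser.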
netcmhAuthor Commented:
That doesn't answer my question.
0
btanExec ConsultantCommented:
Encryption is common for bots communicating to command and control, but they are typically legit SSL-type connections, e.g. Pushbot. The ASA will be blinded unless it inspects the packets, but then again there is no data leakage detection mechanism in it. Bots also ride on command exchanges coming from IRC, but HTTP and DNS have become common for tunnelling comms out. You cannot rely on a simple check scheme solely.
0
