Solved

Monitoring port 16464 on a Cisco ASA 5500

Posted on 2013-12-17
Last Modified: 2013-12-20
I'm having an issue with our external IP being blacklisted. I have been researching this all day and have followed these instructions in order to only allow SMTP traffic to flow from my mail server.

http://www.petenetlive.com/KB/Article/0000172.htm

I would like to narrow down the issue so I can find the client that's causing the issue. Some of the posts I have read and the info I received from the CBL say to monitor traffic on port 16464, but I'm not sure how to set up that rule on the Cisco firewall.

Message from CBL is below:
"If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16464."

Can someone give me some step-by-step instructions on how to set this up, and what and where to look for when it is?

Thank you
Question by:telperiongroup

Accepted Solution

by:
btan earned 500 total points
ID: 39726744
Some TCP ports that you want to block outbound traffic to are 16464, 16465, 16470, and 16471. Those are comm ports used by the Zero Access botnet. For some of the more popular, larger botnets, there are dedicated websites from groups dedicated to containing them. For example, here is one for the Zeus botnet:
https://zeustracker.abuse.ch/

- show access-list: display hit counters for access policies.
- show logging: display the logs in the buffer.
- logging buffer debugging: shows connections that are established and denied to hosts that go through the PIX. The information is stored in the PIX log buffer, and the output can be seen with the show log command.

Another option: if you go to the "Monitoring" section in ASDM, and then click on "Logging", you can bring up the real-time log viewer, and then filter on the offending ports and IPs. That way you could build your ACLs correctly. Also, you can go to "Configuration", and then to "Access Rules", right-click on your rules and then click "Show Log"; it should show the log entries for your rules. This should tell you if they're working or not.

Old school botnets communicate on IRC ports (6669 and 131). Even though they're old school, they're still out there. Look out for abnormal traffic communicating on UDP 53, TCP 80, 8080, and 443, and PTP ports. Abnormal meaning communication to destinations that are unrecognizable to you, or a patterned traffic flow.

There is another tool called Fireplotter, which is a real-time session monitor for your firewall. It simply:
- shows you the traffic that is flowing through your internet connection moment to moment, in real time.
- can be used as a firewall traffic visualizer, bandwidth analyzer, QoS utility or connection monitor for your Cisco ASA/PIX firewall or Fortinet FortiGate firewall.
- replays all the session data it collects for further detailed analysis.

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3
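The question asks how to set up the rule on the ASA and what to look for afterwards; the answer above points at `show logging`. The following Python script is an added example (not code from the thread, from btan or from telperiongroup): it assumes an ACE with the `log` keyword on the inside interface and a buffered logging level of informational or debugging, which makes the ASA write `%ASA-6-106100` messages for every matching packet. The script parses `show logging` output and totals hits per internal source address for traffic to UDP/16464, so the host the CBL notice refers to can be identified. The ACL lines in the header comment and every address and counter in the sample log are constructed for this example, not taken from the page.

```python
import re
from collections import Counter

# Assumed ASA configuration that produces the log lines parsed below
# (an assumption for this example, not configuration from the thread):
#   access-list inside_in extended deny udp any any eq 16464 log
#   access-list inside_in extended permit ip any any
#   access-group inside_in in interface inside
#   logging enable
#   logging buffered informational
#
# Constructed sample of `show logging` output. Addresses, ports and
# counters are invented; only the message layout follows ASA syslog
# message 106100 (ACL hit with the log keyword) and 302015.
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside_in denied udp inside/192.168.10.57(41002) -> outside/198.51.100.23(16464) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_in permitted tcp inside/192.168.10.12(51234) -> outside/203.0.113.80(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list inside_in denied udp inside/192.168.10.57(41003) -> outside/198.51.100.99(16464) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_in denied udp inside/192.168.10.201(60100) -> outside/192.0.2.7(16464) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302015: Built outbound UDP connection 12345 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.10.12/55000 (203.0.113.1/55000)
"""

# Layout of message 106100:
#   access-list <acl> {permitted|denied|est-allowed} <proto>
#   <in_if>/<src>(<sport>)[(user)] -> <out_if>/<dst>(<dport>)[(user)]
#   hit-cnt <n> {first hit | <n>-second interval} [<hex>, <hex>]
# The optional "(user)" groups appear only when identity firewall is on.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+)"
)


def parse_acl_hits(text):
    """Yield one dict per 106100 line in `text`; other message IDs are skipped."""
    for line in text.splitlines():
        m = ACL_HIT.search(line)
        if not m:
            continue
        hit = m.groupdict()
        for key in ("sport", "dport", "hits"):
            hit[key] = int(hit[key])
        yield hit


def suspect_hosts(text, proto="udp", dport=16464):
    """Map each internal source IP that sent proto/dport traffic to its
    accumulated hit count and the sorted list of destinations it reached.
    hit-cnt is used rather than line count, because the ASA aggregates
    repeated hits into one "<n>-second interval" line."""
    hits = Counter()
    dests = {}
    for hit in parse_acl_hits(text):
        if hit["proto"] != proto or hit["dport"] != dport:
            continue
        hits[hit["src"]] += hit["hits"]
        dests.setdefault(hit["src"], set()).add(hit["dst"])
    return {
        ip: {"hits": hits[ip], "destinations": sorted(dests[ip])}
        for ip in hits
    }


def rank_suspects(text, proto="udp", dport=16464):
    """Return [(src_ip, total_hits), ...] with the busiest host first."""
    table = suspect_hosts(text, proto, dport)
    return sorted(
        ((ip, row["hits"]) for ip, row in table.items()),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    # In practice: paste the output of `show logging` into a file and
    # pass its contents here instead of SAMPLE_LOG.
    for ip, total in rank_suspects(SAMPLE_LOG):
        row = suspect_hosts(SAMPLE_LOG)[ip]
        print(f"{ip:<16} hits={total:<4} destinations={', '.join(row['destinations'])}")
```

The ranking uses the per-line `hit-cnt` value rather than counting lines, because once an ACE has fired the ASA collapses repeated matches into a single interval summary line; counting lines would undercount a busy host. The host at the top of the list is the one to isolate and scan; the permit entry for TCP/443 and the 302015 connection message are ignored, which is what you want when only the UDP/16464 pattern from the CBL notice is of interest.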

Author Closing Comment

by:telperiongroup
ID: 39732102
Thank you for the information.