  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1540
  • Last Modified:

Monitoring port 16464 on a Cisco ASA 5500

I'm having an issue with our external IP being blacklisted. I have been researching this all day and have followed these instructions in order to only allow SMTP traffic to flow from my mail server.

http://www.petenetlive.com/KB/Article/0000172.htm

I would like to narrow down the issue so I can find the client that's causing the issue. Some of the posts I have read and the info I received from the CBL say to monitor traffic on port 16464, but I'm not sure how to set up that rule on the Cisco firewall.

Message from CBL is below:
"If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16464."


Can someone give me some step-by-step instructions on how to set this up, and what and where to look for when it is?

Thank you
Asked: telperiongroup
1 Solution
 
btan (Exec Consultant) commented:
Some TCP ports that you want to block outbound traffic to are 16464, 16465, 16470, and 16471. Those are comm ports used by the Zero Access botnet. For some of the more popular, larger botnets, there are dedicated websites from groups dedicated to containing them. For example, here is one for the Zeus botnet.
https://zeustracker.abuse.ch/

show access-list—display hit counters for access policies
show logging—display the logs in the buffer.
logging buffer debugging—Shows connections that are established and denied to hosts that go through the PIX. The information is stored in the PIX log buffer, and the output can be seen with the show log command.

Another is: if you go to the "Monitoring" section in ASDM and then click on "Logging", you can bring up the real-time log viewer and then filter on the offending ports and IPs. That way you could build your ACLs correctly. Also, you can go to "Configuration" and then to "Access Rules", right-click on your rules and then click "Show Log"; it should show the log entries for your rules. This should tell you if they're working or not.

Old school botnets communicate on IRC ports (6669 and 131). Even though they're old school, they're still out there. Look out for abnormal traffic communicating on UDP 53, TCP 80, 8080, and 443, and PTP ports. Abnormal meaning communication to destinations that are unrecognizable to you, or patterned traffic flow.

There is another tool called FirePlotter, which is a real-time session monitor for your firewall. It simply:
- shows you the traffic that is flowing through your internet connection moment to moment, in real time.
- can be used as a firewall traffic visualizer, bandwidth analyzer, QoS utility or connection monitor for your Cisco ASA/PIX firewall or Fortinet FortiGate firewall.
- replays all the session data it collects for further detailed analysis.

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3
telperiongroup (Author) commented:
Thank you for the information.
