Solved

Monitoring port 16464 on a Cisco ASA 5500

Posted on 2013-12-17
2
1,466 Views
Last Modified: 2013-12-20
I'm having an issue with our external IP being blacklisted. I have been researching this all day and have followed these instructions in order to only allow SMTP traffic to flow from my mail server.

http://www.petenetlive.com/KB/Article/0000172.htm

I would like to narrow down the issue so I can find the client that's causing the issue. Some of the posts I have read and the info I received from the CBL say to monitor traffic on port 16464, but I'm not sure how to set up that rule on the Cisco firewall.

Message from CBL is below -
"If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16464."


Can someone give me some step-by-step instructions on how to set this up, and what and where to look for when it is?

Thank you
0
Comment
Question by:telperiongroup
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39726744
Some TCP ports that you want to block outbound traffic to are 16464, 16465, 16470, and 16471. Those are comm ports used by the ZeroAccess botnet. For some of the more popular, larger botnets, there are dedicated websites from groups dedicated to containing them. For example, here is one for the Zeus botnet.
https://zeustracker.abuse.ch/

- show access-list: display hit counters for access policies.
- show logging: display the logs in the buffer.
- logging buffered debugging: shows connections that are established and denied to hosts that go through the PIX. The information is stored in the PIX log buffer, and the output can be seen with the show logging command.

Another option: if you go to the "Monitoring" section in ASDM and then click on "Logging", you can bring up the real-time log viewer and then filter on the offending ports and IPs. That way you could build your ACLs correctly. Also, you can go to "Configuration", then to "Access Rules", right-click on your rules and then click "Show Log"; it should show the log entries for your rules. This should tell you if they're working or not.

Old school botnets communicate on IRC ports (6669 and 131). Even though they're old school, they're still out there. Look out for abnormal traffic communicating on UDP 53, TCP 80, 8080 and 443, and PTP ports. Abnormal meaning communication to destinations that are unrecognizable to you, or patterned traffic flow.

There is another tool called Fireplotter, which is a real-time session monitor for your firewall. It simply:
- shows you the traffic that is flowing through your internet connection moment to moment, in real time.
- can be used as a firewall traffic visualizer, bandwidth analyzer, QoS utility or connection monitor for your Cisco ASA/PIX firewall or Fortinet FortiGate firewall.
- replays all the session data it collects for further detailed analysis.

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3
0
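Once an ACL entry with the `log` keyword is in place for UDP 16464 (and the other ports the accepted answer lists), the ASA emits 106100 or 106023 syslog messages, and the infected host is whichever internal source keeps appearing in them. The script below, an added example that is not part of the original thread, parses constructed sample lines in those two formats and counts hits per internal address; the ACL name `inside_access_in` and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog lines (not from the original post). They mimic the two
# message formats an ASA emits for a logged ACL entry such as:
#   access-list inside_access_in extended deny udp any any eq 16464 log
#   access-group inside_access_in in interface inside
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside_access_in denied udp inside/192.168.1.50(54321) -> outside/203.0.113.10(16464) hit-cnt 1 first hit [0x8c5b7d3a, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/192.168.1.20(49152) -> outside/198.51.100.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/54322 dst outside:203.0.113.11/16464 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.77/40001 dst outside:203.0.113.12/16465 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 12345 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.20/51000 (192.0.2.1/51000)
"""

# Ports the accepted answer associates with ZeroAccess peer traffic.
BOTNET_PORTS = {16464, 16465, 16470, 16471}

# %ASA-6-106100: access-list <acl> <action> <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) ...
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list \S+ (?:permitted|denied|est-allowed) (?P<proto>\w+) "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# %ASA-4-106023: Deny <proto> src <if>:<src>/<sport> dst <if>:<dst>/<dport> by access-group ...
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"
)

def parse_line(line):
    """Return (proto, src, dst, dport) for a logged ACL hit, or None for other messages."""
    for rx in (RE_106100, RE_106023):
        m = rx.search(line)
        if m:
            return m["proto"].lower(), m["src"], m["dst"], int(m["dport"])
    return None

def suspect_hosts(log_text, ports=BOTNET_PORTS):
    """Count UDP attempts to the botnet ports per internal source address."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "udp" and parsed[3] in ports:
            hits[parsed[1]] += 1
    return hits

if __name__ == "__main__":
    # Feed it the output of "show logging" (or an exported syslog file) instead of SAMPLE_LOG.
    for host, count in suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {count} UDP attempts to botnet ports")
```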
 

Author Closing Comment

by:telperiongroup
ID: 39732102
Thank you for the information.
0
