Solved

Monitoring port 16464 on a Cisco ASA 5500

Posted on 2013-12-17
Last Modified: 2013-12-20
I'm having an issue with our external IP being blacklisted. I have been researching this all day and have followed these instructions in order to only allow SMTP traffic to flow from my mail server.

http://www.petenetlive.com/KB/Article/0000172.htm

I would like to narrow down the issue so I can find the client that's causing it. Some of the posts I have read and the info I received from the CBL say to monitor traffic on port 16464, but I'm not sure how to set up that rule on the Cisco firewall.

Message from CBL is below -
"If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16464."


Can someone give me some step-by-step instructions on how to set this up, and what to look for, and where, once it is?

Thank you
Question by: telperiongroup

Accepted Solution

by: btan (earned 500 total points)
ID: 39726744
Some TCP ports that you want to block outbound traffic to are 16464, 16465, 16470, and 16471. Those are comm ports used by the ZeroAccess botnet. For some of the more popular, larger botnets, there are dedicated websites from groups dedicated to containing them. For example, here is one for the Zeus botnet:
https://zeustracker.abuse.ch/

show access-list—displays hit counters for access policies.
show logging—displays the logs in the buffer.
logging buffered debugging—shows connections that are established and denied to hosts that go through the PIX. The information is stored in the PIX log buffer, and the output can be seen with the show logging command.

Another way: if you go to the "Monitoring" section in ASDM and then click on "Logging", you can bring up the real-time log viewer and then filter on the offending ports and IPs. That way you could build your ACLs correctly. Also, you can go to "Configuration" and then to "Access Rules", right-click on your rules and then click "Show Log"; it should show the log entries for your rules. This should tell you if they're working or not.

Old-school botnets communicate on IRC ports (6669 and 131). Even though they're old school, they're still out there. Look out for abnormal traffic communicating on UDP 53, TCP 80, 8080, and 443, and P2P ports. Abnormal meaning communication to destinations that are unrecognizable to you, and patterned traffic flow.

There is another tool called FirePlotter, which is a real-time session monitor for your firewall. It simply:
- shows you the traffic that is flowing through your internet connection moment to moment, in real time.
- can be used as a firewall traffic visualizer, bandwidth analyzer, QoS utility or connection monitor for your Cisco ASA/PIX firewall or Fortinet FortiGate firewall.
- replay all the session data it collects for further detailed analysis.

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3
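To act on the CBL advice with the commands the accepted answer lists, here is an added example; it is not part of the original thread and not Cisco's or FirePlotter's code. It assumes the ACL on the inside interface is named inside_access_in and that each watched port has an ACE with the log keyword, for example `access-list inside_access_in extended deny udp any any eq 16464 log` (one ACE per port, or one ACE referencing an `object-group service` of type udp holding the four ports), applied with `access-group inside_access_in in interface inside` and placed ahead of the permit entries, together with `logging enable` and `logging buffered informational` so that the severity-6 %ASA-6-106100 messages reach `show logging`. `show access-list` will show that an ACE is matching, but only the log lines name the internal host. The script parses three ASA message types (106100 from ACEs with log, 106023 from denies without it, and 302015 for UDP connections the ASA did permit), totals packets per internal source IP to the four ZeroAccess ports, and lists the destinations each host contacted. The CBL message specifies UDP while the answer says TCP, so the script counts either protocol. The log lines, hostnames and addresses are constructed for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# Ports named in the thread: 16464 is the one the CBL asked about, the other
# three are the additional ZeroAccess ports the accepted answer lists.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}

# %ASA-6-106100: an ACE carrying the "log" keyword matched (permit or deny).
# hit-cnt may cover several packets within one logging interval.
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# %ASA-4-106023: a packet was dropped by an ACE that has no "log" keyword.
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# %ASA-6-302015: a UDP connection was built, i.e. the traffic was permitted.
# For an outbound connection the ASA prints the outside endpoint first and
# the originating inside host after "to".
RE_302015 = re.compile(
    r"%ASA-\d-302015: Built outbound UDP connection \d+ for "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
)

# Constructed sample log (hypothetical firewall "fw01", documentation-range
# addresses). 192.168.10.57 is the host that should surface as infected.
SAMPLE_LOG = """\
Dec 17 2013 14:02:11 fw01 %ASA-6-106100: access-list inside_access_in denied udp inside/192.168.10.57(1034) -> outside/198.51.100.23(16464) hit-cnt 1 first hit [0x7a1b2c3d, 0x0]
Dec 17 2013 14:02:13 fw01 %ASA-6-106100: access-list inside_access_in denied udp inside/192.168.10.57(1034) -> outside/203.0.113.77(16464) hit-cnt 4 300-second interval [0x7a1b2c3d, 0x0]
Dec 17 2013 14:02:15 fw01 %ASA-4-106023: Deny udp src inside:192.168.10.57/1034 dst outside:198.51.100.99/16471 by access-group "inside_access_in" [0x0, 0x0]
Dec 17 2013 14:02:16 fw01 %ASA-6-302015: Built outbound UDP connection 884213 for outside:198.51.100.8/53 (198.51.100.8/53) to inside:192.168.10.12/51822 (192.0.2.10/51822)
Dec 17 2013 14:02:18 fw01 %ASA-6-302015: Built outbound UDP connection 884214 for outside:203.0.113.5/16465 (203.0.113.5/16465) to inside:192.168.10.88/1056 (192.0.2.10/1056)
Dec 17 2013 14:02:19 fw01 %ASA-6-106100: access-list inside_access_in permitted tcp inside/192.168.10.12(49201) -> outside/198.51.100.40(443) hit-cnt 1 first hit [0x1f2e3d4c, 0x0]
"""


def parse_line(line):
    """Return (src_ip, proto, dst_ip, dst_port, packets) for a line the
    script understands, or None for any other syslog line."""
    m = RE_106100.search(line)
    if m:
        return m["src"], m["proto"].lower(), m["dst"], int(m["dport"]), int(m["hits"])
    m = RE_106023.search(line)
    if m:
        return m["src"], m["proto"].lower(), m["dst"], int(m["dport"]), 1
    m = RE_302015.search(line)
    if m:
        return m["src"], "udp", m["dst"], int(m["dport"]), 1
    return None


def find_suspects(lines, ports=ZEROACCESS_PORTS):
    """Per internal source IP: packets logged towards the watched ports
    (either protocol) and the set of destination IPs they were sent to."""
    hits = Counter()
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _proto, dst, dport, packets = parsed
        if dport in ports:
            hits[src] += packets
            peers[src].add(dst)
    return hits, peers


def report(lines):
    """One text row per suspect host, busiest first."""
    hits, peers = find_suspects(lines)
    return [f"{src:15} {n:5d} packets -> {', '.join(sorted(peers[src]))}"
            for src, n in hits.most_common()]


if __name__ == "__main__":
    # No piped input: run on the embedded sample. Otherwise read the pasted
    # "show logging" output or the syslog server's file from stdin.
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    rows = report(source)
    print("\n".join(rows) if rows else "no traffic to the watched ports found")
```

Run it with no input to see it work on the embedded sample, or pipe real data in (`show logging` output saved to a file, or the ASA's entries from a syslog server). The host at the top of the list is the one to pull off the network and examine; the destination column tells you which peers it was trying to reach, which is useful when the CBL asks for evidence of what was cleaned up.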
 

Author Closing Comment

by: telperiongroup
ID: 39732102
Thank you for the information.
