Solved

Monitoring port 16464 on a Cisco ASA 5500

Posted on 2013-12-17
1,517 Views
Last Modified: 2013-12-20
I'm having an issue with our external IP being blacklisted. I have been researching this all day and have followed these instructions in order to only allow SMTP traffic to flow from my mail server.

http://www.petenetlive.com/KB/Article/0000172.htm

I would like to narrow down the issue so I can find the client that's causing it. Some of the posts I have read and the info I received from the CBL say to monitor traffic on port 16464, but I'm not sure how to set up that rule on the Cisco firewall.

Message from CBL is below -
"If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16464."


Can someone give me step-by-step instructions on how to set this up, and tell me what and where to look once it is in place?

Thank you
Question by:telperiongroup
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 39726744
Some TCP ports that you want to block outbound traffic to are 16464, 16465, 16470, and 16471. Those are comm ports used by the Zero Access botnet. For some of the more popular, larger botnets, there are dedicated websites from groups dedicated to containing them. For example, here is one for the Zeus botnet:
https://zeustracker.abuse.ch/

- show access-list: display hit counters for access policies.
- show logging: display the logs in the buffer.
- logging buffered debugging: logs connections that are established and denied to hosts that go through the PIX. The information is stored in the PIX log buffer, and the output can be seen with the show logging command.

Another option: if you go to the "Monitoring" section in ASDM and then click on "Logging", you can bring up the real-time log viewer and filter on the offending ports and IPs. That way you can build your ACLs correctly. Also, you can go to "Configuration", then "Access Rules", right-click on your rules and click "Show Log"; it should show the log entries for your rules. This should tell you if they're working or not.

Old school botnets communicate on IRC ports (6669 and 131). Even though they're old school, they're still out there. Look out for abnormal traffic communicating on UDP 53, TCP 80, 8080, and 443, and P2P ports. Abnormal meaning communication to destinations that are unrecognizable to you, or patterned traffic flows.

There is another tool called Fireplotter, which is a real-time session monitor for your firewall. It:
- shows you the traffic that is flowing through your internet connection moment to moment, in real time;
- can be used as a firewall traffic visualizer, bandwidth analyzer, QoS utility or connection monitor for your Cisco ASA/PIX firewall or Fortinet FortiGate firewall;
- can replay all the session data it collects for further detailed analysis.

http://www.fireplotter.com/index.php?option=com_content&view=article&id=3
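The ASA configuration that implements what the CBL message above asks for (log every attempt from the LAN to send UDP to the ZeroAccess ports, so the source address in the log identifies the infected host). This is an added example, not part of btan's answer or the linked article. It assumes an inside interface named "inside", an inside subnet of 192.168.1.0/24 and an ACL named INSIDE_IN; all three are placeholders to replace with your own values. It follows the CBL text (UDP, not TCP) and covers all four ports listed in the answer rather than only 16464.

```cisco
! Added example (not from the original post). Placeholders: interface "inside",
! subnet 192.168.1.0/24, ACL name INSIDE_IN.
!
! The four UDP ports the CBL and the answer above associate with ZeroAccess.
object-group service ZEROACCESS_P2P udp
 port-object eq 16464
 port-object eq 16465
 port-object eq 16470
 port-object eq 16471
!
! Deny and log every attempt. "log warnings interval 1" emits a
! %ASA-4-106100 message on the first hit and then one summary per second,
! so a chatty bot cannot flood the log. Use "permit" instead of "deny" if
! you only want to observe without cutting the host off.
access-list INSIDE_IN extended deny udp 192.168.1.0 255.255.255.0 any object-group ZEROACCESS_P2P log warnings interval 1
!
! If INSIDE_IN already exists (for example with the SMTP restriction from the
! linked article), do not re-add the permit below; instead insert the deny at
! the top so it is evaluated first:
!   access-list INSIDE_IN line 1 extended deny udp 192.168.1.0 255.255.255.0 any object-group ZEROACCESS_P2P log warnings interval 1
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Keep the messages in the local buffer; "warnings" is enough to catch the
! 106100 lines generated at that level above.
logging enable
logging buffered warnings
logging buffer-size 65536
!
! Verification (exec mode). The hit counters show whether the rule fires;
! the "inside/x.x.x.x(port)" source in each 106100 line is the infected host.
show access-list INSIDE_IN | include 1646
show logging | include 106100.*1646
```

Because the ACL is applied inbound on the inside interface, it sees the pre-NAT address of the sender, which is exactly what the CBL asks for. A logged line looks like `%ASA-4-106100: access-list INSIDE_IN denied udp inside/192.168.1.57(49152) -> outside/203.0.113.9(16464) hit-cnt 1 first hit [...]` (addresses constructed for illustration); the host after `inside/` is the one to take off the network and clean. Expect the deny to also break that host's outbound P2P traffic, which is usually what you want while it is infected.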

Author Closing Comment

by:telperiongroup
ID: 39732102
Thank you for the information.
