Cisco ASA 5540 botnet filter doesn't work and no dropped packets

Posted on 2015-01-11
Medium Priority
Last Modified: 2015-06-15
Hi all,

The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:

I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic filter licence.
The issue I have been having is that we keep getting email blacklisted by SpamHaus and others.

I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with viruses, worms, Trojans and botnets.

We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted, and so we had an idea as to what PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.

A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics in ASDM.

Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.

Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.

I've tried a few settings, including reconfiguring the BotNet Traffic Filter to try to get this all to work again.
But I've run into some problems with that.

When I set up the BotNet Traffic Filter how I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, file shares, internet browsing, all stop.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.

So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).

I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).

I'm no Cisco guy. I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)

Thank you!
Question by:HBS-Mach

Accepted Solution

Ken Boone earned 2000 total points
ID: 40545018
Here is a typical config setup:

Need to be able to perform DNS resolution:

dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
 domain-name xxxxx.com

Then create an ACL that tells what traffic will be checked by the botnet filter:
In this case all traffic:
access-list botnet-traffic extended permit ip any any

Then we turn on the updater client and specify to use the database:

dynamic-filter updater-client enable
dynamic-filter use-database

Then we enable the filter on the outside interface with the ACL that we defined above for it to use to examine the traffic on:

dynamic-filter enable interface outside classify-list botnet-traffic

Then we specify that we want to drop any blacklisted traffic that is in the threat level range
between high risk and very-high risk on the outside interface.

dynamic-filter drop blacklist interface outside threat-level range high very-high
dynamic-filter drop blacklist interface outside

Finally we need to have DNS Snooping turned on

class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside

Hope that helps.

Also here is a cisco link to help:
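An added check, not part of Ken Boone's answer or of Cisco's own tooling: a small Python audit that reads an ASA running-config as text and reports which link of the Botnet Traffic Filter chain above (DNS resolution, updater client, database, classify ACL, drop action, DNS snooping wired through class-map, policy-map and service-policy) is missing. The sample config is constructed from the answer's commands; the function name and finding texts are my own.

```python
import re

# Constructed sample (not the asker's 'show run'): what the accepted answer's commands produce.
SAMPLE_CONFIG = """\
dns domain-lookup inside
access-list botnet-traffic extended permit ip any any
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list botnet-traffic
dynamic-filter drop blacklist interface outside threat-level range high very-high
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""
def blocks(lines):
    """Group each unindented config line with its indented children (stripped)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line:
            out.append((line, []))
    return out
def audit_botnet_filter(config, iface="outside"):
    """Return findings; an empty list means every link of the Botnet Traffic Filter chain is wired up."""
    required = [  # top-level commands that must be present verbatim
        (r"^dns domain-lookup \S+", "no 'dns domain-lookup': ASA cannot resolve the updater server"),
        (r"^dynamic-filter updater-client enable$", "updater client disabled: database never downloads"),
        (r"^dynamic-filter use-database$", "'dynamic-filter use-database' missing"),
        (rf"^dynamic-filter drop blacklist interface {iface}\b", f"{iface} is monitor-only: no 'drop blacklist'"),
    ]
    f = [msg for pat, msg in required if not re.search(pat, config, re.M)]
    m = re.search(rf"^dynamic-filter enable interface {iface}(?: classify-list (\S+))?$", config, re.M)
    if not m:
        f.append(f"dynamic-filter not enabled on {iface}")
    elif m.group(1) and not re.search(rf"^access-list {re.escape(m.group(1))} ", config, re.M):
        f.append(f"classify-list {m.group(1)} names an ACL that does not exist")
    bl = blocks(config.splitlines())  # DNS snooping: class-map -> policy-map -> service-policy
    dns_classes = {h.split()[1] for h, b in bl
                   if h.startswith("class-map ") and "match port udp eq domain" in b}
    snoop_pms = {h.split()[1] for h, b in bl
                 if h.startswith("policy-map ") and "inspect dns dynamic-filter-snoop" in b
                 and any(f"class {c}" in b for c in dns_classes)}
    applied = re.findall(rf"^service-policy (\S+) (?:global|interface {iface})$", config, re.M)
    if not snoop_pms & set(applied):
        f.append(f"DNS snooping not applied on {iface}: no policy-map with inspect dns dynamic-filter-snoop")
    return f
```

Run it against a sanitised `show run` to see which of the pieces above is absent before touching the box; it does not detect every misconfiguration, only a missing link in this chain.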

Author Comment

ID: 40545620
Thanks for your response.
I have entered the commands as indicated and this looks like it's working.
I am getting items blocked on both the Greylist and Blacklists on the Statistics pages and the DNS Snooping is showing details.

I also still have access to the MAN network and the Internet sites so this is looking good.
I will monitor for today before awarding points.

Matter of interest, should you add our Server IP addresses to the White Lists?

Expert Comment

by:Ken Boone
ID: 40545631
Well, sometimes it might be your server that gets a bot. You might not find out if it's not on the list.

Author Closing Comment

ID: 40545734
The commands exactly as given allowed me to get the BotNet filter working correctly.

Thank you very much!

Expert Comment

ID: 40831183
Botnet works - but the reports are empty.  Since I upgraded the firewall software and ASDM, the botnet filter shows stats via the command line but the reports (Top 10 Malware) etc. do not populate with data on the ASDM console.  I am not sure why this is.  I checked to make sure logging was enabled etc. but no luck.  The particular events are setup to log as well - though not at the debugging level - rather the informational level.  So, I may have to get TAC on the phone to see why this is broken.  Again - this worked and showed the graphs and reports prior to updating the software now it does not.
