Solved

Cisco ASA 5540 botnet filter doesn't work and no dropped packets

Posted on 2015-01-11
5
424 Views
Last Modified: 2015-06-15
Hi all,

The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:

I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic filter licence.
The issue I have been having is that we keep getting email blacklisted by SpamHaus and others.

I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with Viruses, Worms, Trojans and BotNets.

We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted, and so we had an idea as to what PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.

A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics in ASDM.

Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.

Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.

I've tried a few settings, including reconfiguring the BotNet Traffic Filter to try to get this all to work again.
But I've run into some problems with that.

When I set up the BotNet Traffic Filter how I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, file shares, internet browsing, all stops.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.

So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).

I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).

I'm no Cisco guy. I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)

Thank you!
ASA5540.txt
ASA5540.jpg
0
Comment
Question by:HBS-Mach
5 Comments
 
LVL 25

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 40545018
Here is a typical config setup:


Need to be able to perform DNS resolution:

---------
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
 domain-name xxxxx.com
---------

Then create an ACL that tells what traffic will be checked by the botnet filter:
In this case all traffic:
-------------
access-list botnet-traffic extended permit ip any any
-------------

Then we turn on the client updater and specify to use the database:

---------
dynamic-filter updater-client enable
dynamic-filter use-database
----------

Then we enable the filter on the outside interface with the ACL that we defined above for it to use to examine the traffic on:

------------------
dynamic-filter enable interface outside classify-list botnet-traffic
-----------

Then we specify that we want to drop any blacklisted traffic that is in the threat level range
between high risk and very-high risk on the outside interface.

---------------------
dynamic-filter drop blacklist interface outside threat-level range high very-high
dynamic-filter drop blacklist interface outside
--------------------

Finally we need to have DNS Snooping turned on:

----------------
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
----------------

Hope that helps.

Also here is a Cisco link to help:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_botnet.html
0
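One way to check a saved "show run" against the steps in the answer above, as an added Python example that is not from the original thread or from Cisco: it flags any of the required Botnet Traffic Filter lines that are absent and confirms the classify-list ACL actually exists. The sample configurations and the 192.0.2.53 name-server address are constructed.

```python
import re
# Required pieces of the Botnet Traffic Filter setup from the answer above, as
# (description, regex matched against one line of "show run").
REQUIRED = [
    ("DNS lookup enabled on an interface", r"^dns domain-lookup \S+"),
    ("name-server configured", r"^\s+name-server \S+"),
    ("updater client enabled", r"^dynamic-filter updater-client enable"),
    ("local database enabled", r"^dynamic-filter use-database"),
    ("filter enabled on an interface",
     r"^dynamic-filter enable interface (\S+) classify-list (\S+)"),
    ("blacklist drop action", r"^dynamic-filter drop blacklist interface \S+"),
    ("DNS snooping inspection", r"^\s+inspect dns dynamic-filter-snoop"),
    ("service-policy applied", r"^service-policy \S+ (interface \S+|global)"),
]

def audit_botnet_filter(config: str) -> list:
    """Return findings for a show-run text; an empty list means all checks passed."""
    lines = config.splitlines()
    findings, enable = [], None
    for desc, pattern in REQUIRED:
        hit = next(filter(None, (re.match(pattern, ln) for ln in lines)), None)
        if hit is None:
            findings.append(f"missing: {desc}")
        elif desc == "filter enabled on an interface":
            enable = hit
    # The classify-list named on the enable line must exist and permit something.
    if enable and not any(re.match(rf"^access-list {re.escape(enable.group(2))} extended permit ", ln)
                          for ln in lines):
        findings.append(f"classify-list {enable.group(2)} has no permit entries")
    return findings
# Constructed sample: the configuration from the answer with a placeholder address.
GOOD_CONFIG = """\
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
access-list botnet-traffic extended permit ip any any
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list botnet-traffic
dynamic-filter drop blacklist interface outside threat-level range high very-high
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""
# Constructed broken variant: the updater client and the classify ACL are missing.
BROKEN_CONFIG = "\n".join(ln for ln in GOOD_CONFIG.splitlines()
                          if not ln.startswith(("dynamic-filter updater-client", "access-list")))
```

Run it as `audit_botnet_filter(open("ASA5540.txt").read())` against a real sanitised dump; the regexes only match lines at the top level or one indent deep, as ASA writes them.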
 
LVL 1

Author Comment

by:HBS-Mach
ID: 40545620
Hi
Thanks for your response.
I have entered the commands as indicated and this looks like it's working.
I am getting items blocked on both the Greylist and Blacklists on the Statistics pages and the DNS Snooping is showing details.

I also still have access to the MAN network and the Internet sites so this is looking good.
I will monitor for today before awarding points.

As a matter of interest, should you add our Server IP addresses to the White Lists?
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40545631
Well, sometimes it might be your server that gets a bot. You might not find out if it's not on the list.
0
 
LVL 1

Author Closing Comment

by:HBS-Mach
ID: 40545734
The commands exactly as given allowed me to get the BotNet filter working correctly.

Thank you very much!
0
 

Expert Comment

by:FlatheadIT
ID: 40831183
Botnet works, but the reports are empty. Since I upgraded the firewall software and ASDM, the botnet filter shows stats via the command line but the reports (Top 10 Malware, etc.) do not populate with data on the ASDM console. I am not sure why this is. I checked to make sure logging was enabled, etc., but no luck. The particular events are set up to log as well, though not at the debugging level, rather the informational level. So, I may have to get TAC on the phone to see why this is broken. Again, this worked and showed the graphs and reports prior to updating the software; now it does not.
0
