Cisco ASA 5540 botnet filter doesn't work and no dropped packets

Hi all,

The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:

I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic filter licence.
The issue I have been having is that we keep getting email blacklisted by SpamHaus and others.

I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with Viruses, Worms, Trojans and BotNets.

We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted and so we had an idea as to what PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.

A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics in ASDM.

Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.

Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.

I've tried a few settings, including reconfiguring the BotNet Traffic Filter to try to get this all to work again.
But I've run into some problems with that.

When I set up the BotNet Traffic Filter how I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, Fileshares, internet browsing, all stops.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.

So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).

I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).

I'm no Cisco guy. I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)

Thank you!
Ken Boone (Network Consultant) commented:
Here is a typical config setup:

Need to be able to perform DNS resolution:

dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y

Then create an ACL that tells what traffic will be checked by the botnet filter:
In this case all traffic:
access-list botnet-traffic extended permit ip any any

Then we turn on the client updater and specify to use the database:

dynamic-filter updater-client enable
dynamic-filter use-database

Then we enable the filter on the outside interface with the ACL that we defined above for it to use to examine the traffic on:

dynamic-filter enable interface outside classify-list botnet-traffic

Then we specify that we want to drop any blacklisted traffic that is in the threat level range
between high risk and very-high risk on the outside interface.

dynamic-filter drop blacklist interface outside threat-level range high very-high
dynamic-filter drop blacklist interface outside

Finally we need to have DNS Snooping turned on

class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside

Hope that helps.

Also here is a cisco link to help:
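A quick audit of a sanitised "show run" against the pieces listed in the answer above (DNS lookup and name-server, updater and database, the classify ACL, per-interface enable and drop, and DNS snooping applied via service-policy). This is an added example, not the asker's configuration or any Cisco tool; the sample config and its 192.0.2.53 name-server are constructed, with the ACL and drop line deliberately left out so the audit has something to report.

```python
import re
def _blocks(config, kind):
    pat = rf"^{kind} (\S+)\n((?:[ ].*(?:\n|$))*)"  # header line plus indented body
    for m in re.finditer(pat, config, re.M):
        yield m.group(1), m.group(2)
def audit_botnet_filter(config: str) -> list:
    """Return the problems found in a show-run text; [] means every piece is present."""
    problems = []
    has = lambda pat: re.search(pat, config, re.M) is not None
    if not has(r"^dns domain-lookup \S+"):
        problems.append("no 'dns domain-lookup <interface>': updater cannot resolve")
    if not any(" name-server " in body for _, body in _blocks(config, "dns server-group")):
        problems.append("no name-server under a dns server-group")
    if not has(r"^dynamic-filter updater-client enable$"):
        problems.append("dynamic-filter updater-client not enabled")
    if not has(r"^dynamic-filter use-database$"):
        problems.append("dynamic-filter use-database missing")
    m = re.search(r"^dynamic-filter enable interface (\S+)(?: classify-list (\S+))?", config, re.M)
    if not m:
        problems.append("no 'dynamic-filter enable interface ...' line")
    else:
        iface, acl = m.group(1), m.group(2)
        if acl and not has(rf"^access-list {re.escape(acl)} "):
            problems.append(f"classify-list {acl} names an ACL that does not exist")
        if not has(rf"^dynamic-filter drop blacklist interface {re.escape(iface)}\b"):
            problems.append(f"filter on {iface} only monitors: no 'drop blacklist' line")
    snoop = [n for n, body in _blocks(config, "policy-map")
             if "inspect dns dynamic-filter-snoop" in body]
    if not snoop:
        problems.append("no policy-map inspects DNS with dynamic-filter-snoop")
    elif not any(has(rf"^service-policy {re.escape(n)} (interface \S+|global)$") for n in snoop):
        problems.append("DNS-snooping policy-map is not applied with service-policy")
    return problems
# Constructed sample modelled on the answer's commands (not a real device's config);
# the ACL and the 'drop blacklist' line are deliberately left out.
SAMPLE_RUN = """\
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list botnet-traffic
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""
```

Running audit_botnet_filter(SAMPLE_RUN) reports the missing ACL and the missing drop line; a config with both added returns an empty list.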
HBS-Mach (Author) commented:
Thanks for your response.
I have entered the commands as indicated and this looks like its working.
I am getting items blocked on both the Greylist and Blacklists on the Statistics pages and the DNS Snooping is showing details.

I also still have access to the MAN network and the Internet sites so this is looking good.
I will monitor for today before awarding points.

Matter of interest, should you add our Server IP addresses to the White Lists?
Ken Boone (Network Consultant) commented:
Well, sometimes it might be your server that gets a bot. You might not find out if it's not on the list.
HBS-Mach (Author) commented:
The commands exactly as given allowed me to get the BotNet filter working correctly.

Thank you very much!
Botnet works - but the reports are empty.  Since I upgraded the firewall software and ASDM, the botnet filter shows stats via the command line but the reports (Top 10 Malware) etc. do not populate with data on the ASDM console.  I am not sure why this is.  I checked to make sure logging was enabled etc. but no luck.  The particular events are setup to log as well - though not at the debugging level - rather the informational level.  So, I may have to get TAC on the phone to see why this is broken.  Again - this worked and showed the graphs and reports prior to updating the software now it does not.