The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:
I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic filter licence.
The issue I have been having is that we keep getting email blacklisted by Spamhaus and others.
I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with viruses, worms, Trojans and botnets.
We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted, and so we had an idea as to which PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.
A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics in ASDM.
Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.
Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.
I've tried a few settings, including reconfiguring the BotNet Traffic Filter, to try to get this all to work again.
But I've run into some problems with that.
When I set up the BotNet Traffic Filter the way I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, file shares, internet browsing, all stop.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.
So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).
I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).
I'm no Cisco guy. I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)