Cisco ASA 5540 botnet filter doesn't work and no dropped packets

Posted on 2015-01-11
Medium Priority
Last Modified: 2015-06-15
Hi all,

The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:

I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic filter licence.
The issue I have been having is that we keep getting email blacklisted by SpamHaus and others.

I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with viruses, worms, Trojans and botnets.

We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted, and so we had an idea as to what PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.

A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics in ASDM.

Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.

Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.

I've tried a few settings, including reconfiguring the BotNet Traffic Filter to try to get this all to work again.
But I've run into some problems with that.

When I set up the BotNet Traffic Filter how I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, file shares, internet browsing, all stops.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.

So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).

I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).

I'm no Cisco guy. I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)

Thank you!
Question by:HBS-Mach

Accepted Solution

Ken Boone earned 2000 total points
ID: 40545018
Here is a typical config setup:

Need to be able to perform DNS resolution:

dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
 domain-name xxxxx.com

Then create an ACL that tells what traffic will be checked by the botnet filter:
In this case all traffic:
access-list botnet-traffic extended permit ip any any

Then we turn on the client updater and specify to use the database:

dynamic-filter updater-client enable
dynamic-filter use-database

Then we enable the filter on the outside interface with the ACL that we defined above for it to use to examine the traffic on:

dynamic-filter enable interface outside classify-list botnet-traffic

Then we specify that we want to drop any blacklisted traffic that is in the threat level range between high risk and very-high risk on the outside interface.

dynamic-filter drop blacklist interface outside threat-level range high very-high
dynamic-filter drop blacklist interface outside

Finally we need to have DNS Snooping turned on

class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside

Hope that helps.

Also here is a Cisco link to help:
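Since the asker's earlier attempts cut off the MAN, a quick way to confirm every piece of the setup above is present before applying it is to check the running config mechanically. The following is an added example, not code from the thread or from Cisco: it parses a `show running-config` text (the sample config below is constructed, with hypothetical names) and reports which of the answer's pieces are missing on a given interface.

```python
import re

# Constructed sample resembling a sanitised `show run` (hypothetical names; not the asker's config).
SAMPLE_CONFIG = """\
dns domain-lookup inside
access-list botnet-traffic extended permit ip any any
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list botnet-traffic
dynamic-filter drop blacklist interface outside threat-level range high very-high
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""

def parse_blocks(config):
    """Map each top-level command to its indented child lines (ASA config hierarchy)."""
    blocks, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            parent = line.strip()
            blocks.setdefault(parent, [])
        else:
            blocks.setdefault(parent, []).append(line.strip())
    return blocks

def check_botnet_filter(config, interface="outside"):
    """Return the missing pieces; an empty list means the setup from the answer is complete."""
    blocks, problems = parse_blocks(config), []
    # Global prerequisites: DNS lookup for the updater, updater enabled, dynamic database in use.
    for need in ("dns domain-lookup ", "dynamic-filter updater-client enable", "dynamic-filter use-database"):
        if not any(line.startswith(need) for line in blocks):
            problems.append(f"'{need.strip()}' missing")
    # Filter enabled on the interface (classify-list is optional in the command syntax).
    if not any(re.match(rf"dynamic-filter enable interface {interface}(?: classify-list \S+)?$", line) for line in blocks):
        problems.append(f"dynamic-filter not enabled on {interface}")
    if not any(line.startswith(f"dynamic-filter drop blacklist interface {interface}") for line in blocks):
        problems.append(f"no drop action for blacklisted traffic on {interface}")
    # DNS snooping: service-policy on the interface -> policy-map -> class -> inspect dns ... dynamic-filter-snoop
    pmap = next((m.group(1) for m in (re.match(rf"service-policy (\S+) interface {interface}$", line) for line in blocks) if m), None)
    current = snoop_class = None
    for child in blocks.get(f"policy-map {pmap}", []):
        if child.startswith("class "):
            current = child.split()[1]
        elif child.startswith("inspect dns") and child.endswith("dynamic-filter-snoop"):
            snoop_class = current
    if snoop_class is None or f"class-map {snoop_class}" not in blocks:
        problems.append(f"DNS snooping (inspect dns ... dynamic-filter-snoop) not wired to a defined class-map on {interface}")
    return problems
```

Run it against a pasted `show run` with the interface the filter should sit on; each reported item maps to one step of the answer above.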

Author Comment

ID: 40545620
Thanks for your response.
I have entered the commands as indicated and this looks like its working.
I am getting items blocked on both the Greylist and Blacklists on the Statistics pages and the DNS Snooping is showing details.

I also still have access to the MAN network and the Internet sites so this is looking good.
I will monitor for today before awarding points.

Matter of interest, should you add our Server IP addresses to the White Lists?

Expert Comment

by:Ken Boone
ID: 40545631
Well, sometimes it might be your server that gets a bot. You might not find out if it's not on the list.

Author Closing Comment

ID: 40545734
The commands exactly as given allowed me to get the BotNet filter working correctly.

Thank you very much!

Expert Comment

ID: 40831183
Botnet works - but the reports are empty. Since I upgraded the firewall software and ASDM, the botnet filter shows stats via the command line, but the reports (Top 10 Malware, etc.) do not populate with data on the ASDM console. I am not sure why this is. I checked to make sure logging was enabled, etc., but no luck. The particular events are set up to log as well - though not at the debugging level, rather the informational level. So, I may have to get TAC on the phone to see why this is broken. Again - this worked and showed the graphs and reports prior to updating the software; now it does not.
