Solved

Cisco ASA 5540 botnet filter doesn't work and no dropped packets

Posted on 2015-01-11
Last Modified: 2015-06-15
Hi all,

The question is "what commands are needed to get the BotNet Traffic Filter working"
The details are below:

I have a Cisco ASA 5540, version 9.1(5), with the SSM-40 IPS Module and a valid BotNet Traffic Filter licence.
The issue I have been having is that we keep getting email-blacklisted by SpamHaus and others.

I'm pretty much sure that amongst the 2000+ PCs over 100+ sites I have on the MAN, there is a heap of PCs that are infected with viruses, worms, Trojans and botnets.

We kept a lid on this by using the ASA, along with the IPS and BotNet Traffic Filter, to block that traffic outgoing so we don't get blacklisted, and so we had an idea as to what PCs to look at to clean or nuke due to viruses et al.
We also have restricted all Port 25 traffic to only being allowed to and from the Exchange Servers.

A contractor updated the ASA version to 9.1(5), and perhaps this is the reason why we are getting blacklisted, as when I now look at the BotNet Traffic Stats in ASDM, I'm not seeing any traffic at all in the Statistics.

Also, on the Firewall Dashboard on ASDM it shows a zero dropped packet rate.

Before the upgrade, I used to see Dropped Packets and the BotNet Traffic Filter showed a heap of details, which I used to try to track down possibly infected PCs on the MAN.

I've tried a few settings, including reconfiguring the BotNet Traffic Filter to try to get this all to work again.
But I've run into some problems with that.

When I set up the BotNet Traffic Filter how I remember it, I disconnect all my clients from the MAN, so I'm doing something wrong there. Printing, file shares, internet browsing, all stop.
The Statistics of the BotNet start showing Blacklist hits when I do that, but obviously I can't disconnect all my clients to get the BotNet Filter working! :-)
The Real-Time Reports in BotNet Traffic Filter still showed nothing however.

So I'm asking what commands are needed to get the BotNet Filter working again (without dropping the MAN).

I've included a simple network diagram and the outputs of show version and show run (hopefully sanitised).

I'm no Cisco guy; I know enough to get around, can enter IOS commands and have a little understanding as to what they mean, but I also know that this is at the limits of my knowledge.
So your assistance will need to be as explicit as you can be ;-)

Thank you!
ASA5540.txt
ASA5540.jpg
Question by:HBS-Mach
5 Comments
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 40545018
Here is a typical config setup:


Need to be able to perform DNS resolution:

---------
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
 domain-name xxxxx.com
---------

Then create an ACL that tells the botnet filter what traffic to check. In this case, all traffic:
-------------
access-list botnet-traffic extended permit ip any any
-------------

Then we turn on the updater client and specify that the database is to be used:

---------
dynamic-filter updater-client enable
dynamic-filter use-database
----------

Then we enable the filter on the outside interface, using the ACL defined above to select the traffic to examine:

------------------
dynamic-filter enable interface outside classify-list botnet-traffic
-----------

Then we specify that we want to drop any blacklisted traffic on the outside interface whose threat level is in the range from high to very-high.

---------------------
dynamic-filter drop blacklist interface outside threat-level range high very-high
dynamic-filter drop blacklist interface outside
--------------------

Finally, we need to have DNS snooping turned on:

----------------
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
----------------

Hope that helps.

Also, here is a Cisco link to help:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_botnet.html
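A checker for the prerequisites listed in the answer above, added here as an example (not code from the answer, from Cisco, or from the asker's ASA5540.txt): it scans a saved show run and reports which of the listed lines are absent, which is a quick way to see what an upgrade or a re-entry of the config left out. The sample config, addresses and domain are constructed.

```python
import re
from typing import List, Optional

# Constructed sample of a running config (not the asker's ASA5540.txt): DNS lookup
# and the snooping policy survived, but every dynamic-filter line is gone, so the
# filter inspects nothing and the statistics stay empty.
SAMPLE_CONFIG = """\
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
 domain-name example.com
access-list botnet-traffic extended permit ip any any
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""

# One regex per prerequisite from the answer; {iface} is the filtered interface.
REQUIRED = [
    ("dns lookup", r"^dns domain-lookup \S+"),
    ("dns server", r"^\s*name-server \S+"),
    ("updater client", r"^dynamic-filter updater-client enable$"),
    ("use database", r"^dynamic-filter use-database$"),
    ("filter on iface", r"^dynamic-filter enable interface {iface} classify-list (\S+)$"),
    ("drop blacklist", r"^dynamic-filter drop blacklist interface {iface}( threat-level .*)?$"),
    ("dns snoop inspect", r"^\s*inspect dns dynamic-filter-snoop$"),
    ("policy on iface", r"^service-policy \S+ interface {iface}$"),
]

def first_match(rx: "re.Pattern", lines: List[str]) -> Optional["re.Match"]:
    """Return the first line in `lines` matching `rx`, or None."""
    for line in lines:
        m = rx.match(line)
        if m:
            return m
    return None

def missing_botnet_prereqs(config: str, iface: str = "outside") -> List[str]:
    """Names of prerequisites absent from `config`; also flags a classify-list
    ACL that is referenced on the enable line but never defined."""
    lines = config.splitlines()
    missing, acl_name = [], None
    for name, pattern in REQUIRED:
        m = first_match(re.compile(pattern.format(iface=re.escape(iface))), lines)
        if m is None:
            missing.append(name)
        elif name == "filter on iface":
            acl_name = m.group(1)
    if acl_name and not any(l.startswith(f"access-list {acl_name} ") for l in lines):
        missing.append(f"acl {acl_name} undefined")
    return missing
```

Run it against the output of show run on the ASA; an empty list means every line the answer lists is present for that interface.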
LVL 1

Author Comment

by:HBS-Mach
ID: 40545620
Hi
Thanks for your response.
I have entered the commands as indicated and this looks like it's working.
I am getting items blocked on both the Greylist and Blacklist on the Statistics pages, and the DNS Snooping is showing details.

I also still have access to the MAN network and the Internet sites so this is looking good.
I will monitor for today before awarding points.

As a matter of interest, should you add our server IP addresses to the whitelists?
LVL 24

Expert Comment

by:Ken Boone
ID: 40545631
Well, sometimes it might be your server that gets a bot. You might not find out if it's not on the list.
LVL 1

Author Closing Comment

by:HBS-Mach
ID: 40545734
The commands exactly as given allowed me to get the BotNet filter working correctly.

Thank you very much!
Expert Comment

by:FlatheadIT
ID: 40831183
Botnet works, but the reports are empty. Since I upgraded the firewall software and ASDM, the botnet filter shows stats via the command line, but the reports (Top 10 Malware, etc.) do not populate with data on the ASDM console. I am not sure why this is. I checked to make sure logging was enabled, etc., but no luck. The particular events are set up to log as well, though not at the debugging level, rather the informational level. So, I may have to get TAC on the phone to see why this is broken. Again, this worked and showed the graphs and reports prior to updating the software; now it does not.