ASA5505 Botnet Filter
Hello All,
We have an internal DNS server that all internal hosts do lookups to. These requests are forwarded on to OpenDNS for anything the DNS server isn't authoritative for. My question is: we have purchased the botnet filter and this requires the ASA5505 DNS client to be active on at least one interface. Should I point the ASA DNS to an external IP such as 8.8.8.8 and apply "DNS enabled" on the outside interface? (I am using ASDM.)
I don't want the ASA to control DNS for our internal clients; we already have an internal server for this. I DO want the ASA5505 to check DNS packets against its botnet filter, whilst still using OpenDNS for forwarding. How can one do this?
TIA
This link doesn't really get into ASDM config, but you can use the CLI, then refresh ASDM and verify the config there.
https://supportforums.cisco.com/docs/DOC-8782
I found an asdm link as well:
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/protect_botnet.html
Good luck.
-Kureli
Similar Messages
-
Botnet Filter with multiple Context Mode
We used the Botnet Filter in single context mode for a long time. Now we converted to multiple context mode and the database is no longer updated. In the system context I can see the update settings, but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
How should the Botnet Filter be configured in multiple context mode?
Thanks for any response in advance.
sh run | grep dns
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
policy-map type inspect dns preset_dns_map
inspect dns preset_dns_map
ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
ping updates.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
ASA Version 8.4(2)
hostname DE-VM-TER-FW-02
enable password 8Ry2Yj8765U24 encrypted
passwd 2KFQnb6IdI.2KY75 encrypted
names
interface GigabitEthernet0/0.3207
nameif TR_v207
security-level 50
ip address 10.28.6.60 255.255.255.248
interface GigabitEthernet0/0.3208
nameif TR_v208
security-level 70
ip address 10.28.6.68 255.255.255.248
interface GigabitEthernet0/0.3209
nameif TR_v209
security-level 80
ip address 10.28.6.76 255.255.255.248
interface GigabitEthernet0/0.3210
nameif TR_v210
security-level 90
ip address 10.28.6.84 255.255.255.248
interface GigabitEthernet0/1
nameif COLT
security-level 0
ip address 217.111.58.46 255.255.255.240
interface GigabitEthernet0/3
nameif T-COM
security-level 0
ip address 194.25.250.94 255.255.255.240
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
name-server 8.8.8.8
object network COLT_dynamic_NAT
subnet 0.0.0.0 0.0.0.0
object network T-COM_dynamiy_NAT
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
access-list COLT_access_in extended deny ip any any
access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
access-list T-COM_access_in extended deny ip any any
access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
access-list TR_3208_access_in extended permit ip any any
access-list TR_3208_access_in extended permit icmp any any
access-list TR_v207_access_in extended deny ip any any
access-list TR_v210_access_in extended deny ip any any
access-list TR_v209_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu TR_v208 1500
mtu T-COM 1500
mtu COLT 1500
mtu TR_v207 1500
mtu TR_v210 1500
mtu TR_v209 1500
ip verify reverse-path interface T-COM
ip verify reverse-path interface COLT
ipv6 access-list TR_v207_access_ipv6_in deny ip any any
ipv6 access-list TR_v208_access_ipv6_in deny ip any any
ipv6 access-list TR_v209_access_ipv6_in deny ip any any
ipv6 access-list TR_v210_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network COLT_dynamic_NAT
nat (any,COLT) dynamic interface
object network T-COM_dynamiy_NAT
nat (any,T-COM) dynamic interface
access-group TR_3208_access_in in interface TR_v208
access-group TR_v208_access_ipv6_in in interface TR_v208
access-group T-COM_access_in in interface T-COM
access-group COLT_access_in in interface COLT
access-group TR_v207_access_in in interface TR_v207
access-group TR_v207_access_ipv6_in in interface TR_v207
access-group TR_v210_access_in in interface TR_v210
access-group TR_v210_access_ipv6_in in interface TR_v210
access-group TR_v209_access_in in interface TR_v209
access-group TR_v209_access_ipv6_in in interface TR_v209
route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface T-COM
dynamic-filter enable interface COLT
dynamic-filter drop blacklist interface T-COM
dynamic-filter drop blacklist interface COLT
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global
Cryptochecksum:7bbe975fb39e189e99d8878787a0037
: end
System Context
dynamic-filter updater-client enable
Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured -
ASA botnet filter vs ips global correlation
Does the global correlation include the data from the botnet filter? On Cisco's site it says this about global correlation:
Customers deploying Cisco IPS can benefit from Global Correlation in multiple ways. First, bad traffic from known sources is stopped immediately. This includes zero-day attacks, for which no traditional threat prevention currently exists, advanced persistent threats (APTs), and botnet command and control traffic
Hello Matt,
Check the following info:
Cisco ASA Botnet Traffic Filter
This paper focuses on how Cisco Security Intelligence Operations relates to botnet threat identification, and its interaction with the Cisco ASA Botnet Traffic Filter. It is important to realize that a comprehensive security deployment should include Cisco Intrusion Prevention Systems (IPS) with its reputation based Global Correlation service and IPS signatures in conjunction with the security services provided by the ASA security appliance such as Botnet Traffic Filter.
So I would say they both provide you security based on databases from the SIO, but they will not be equal in their functionalities; that is why Cisco recommends using both when possible.
Regards -
I have recently added the Botnet filter license to an ASA5510. I'm needing assistance with viewing the config and being able to know that it is working. How can I test? Thanks
Hi Kevin,
here are some show commands as per my firewall notes and a useful link that I've bookmarked.
Usually the ASA will generate a syslog if a bad or infected machine is detected.
https://supportforums.cisco.com/docs/DOC-8782
Commands to Verify Botnet Traffic Filtering Operation
Function                  Command Syntax
Dynamic database status   ciscoasa# show dynamic-filter updater-client
Connections filtered      ciscoasa# show dynamic-filter statistics
List infected hosts       ciscoasa# show dynamic-filter report infected-hosts
Top-n botnet activity     ciscoasa# show dynamic-filter top [infected-hosts | malware-ports | malware-sites] -
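The syslog messages mentioned above, and the per-host "Infected Hosts" report discussed in later threads, can be cross-checked offline from exported logs. The following is an added example, not code from any of the posts: it parses Botnet Traffic Filter syslog lines into a per-host summary and ranks hosts by highest threat level. It assumes the documented %ASA-4-338001..338006 "Dynamic Filter monitored/dropped blacklisted ..." message layout; the sample log lines, addresses, interface names and domains are constructed.

```python
import re

# Threat levels as the ASA names them on the dynamic-filter drop command
# ("threat-level range very-low very-high"), lowest first.
THREAT_ORDER = ["very-low", "low", "moderate", "high", "very-high"]

# Constructed sample syslog output. The three Dynamic Filter lines follow the
# shape of the documented %ASA-4-338001..338006 Botnet Traffic Filter messages
# (assumed format); the fourth is an ordinary connection message that must be
# ignored. Addresses, domains and interface names are made up for the example.
SAMPLE_SYSLOG = """\
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.28.24.17/51322 (198.51.100.1/51322) to outside:203.0.113.10/80 (203.0.113.10/80), destination 203.0.113.10 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338004: Dynamic Filter dropped blacklisted TCP traffic from inside:10.28.24.17/51340 (198.51.100.1/51340) to outside:203.0.113.10/443 (203.0.113.10/443), destination 203.0.113.10 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338002: Dynamic Filter monitored blacklisted UDP traffic from inside:10.28.24.44/3301 (198.51.100.1/3301) to outside:198.51.100.7/53 (198.51.100.7/53), destination 198.51.100.7 resolved from dynamic list: dyn.example.net, threat-level: moderate, category: Spyware
%ASA-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.28.24.17/51350 (10.28.24.17/51350)
"""

# Message IDs 338001-338003 are "monitored", 338004-338006 are "dropped";
# the port suffix is optional so ICMP lines without ports also match.
BTF_RE = re.compile(
    r"%ASA-\d-(?P<msgid>33800[1-6]): Dynamic Filter (?P<action>monitored|dropped) "
    r"blacklisted (?P<proto>TCP|UDP|ICMP) traffic from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>\d+(?:\.\d+){3})(?:/\d+)? \([^)]*\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>\d+(?:\.\d+){3})(?:/\d+)? \([^)]*\), "
    r"destination \S+ resolved from (?P<list>dynamic|static) list: (?P<domain>[^,]+)"
    r"(?:, threat-level: (?P<level>[\w-]+))?(?:, category: (?P<category>.+))?$"
)


def parse_btf_line(line):
    """Return the fields of one Botnet Traffic Filter syslog line, or None
    for any other message (a syslog server timestamp prefix is tolerated)."""
    m = BTF_RE.search(line.strip())
    return m.groupdict() if m else None


def summarize_infected_hosts(log_text):
    """Aggregate hits per internal source address: total hits, how many were
    actually dropped rather than only monitored, the domains the destinations
    resolved from, and the highest threat level seen for that host."""
    hosts = {}
    for line in log_text.splitlines():
        hit = parse_btf_line(line)
        if hit is None:
            continue
        h = hosts.setdefault(hit["src_ip"], {
            "hits": 0, "dropped": 0, "domains": set(), "max_level": None})
        h["hits"] += 1
        if hit["action"] == "dropped":
            h["dropped"] += 1
        h["domains"].add(hit["domain"])
        level = hit["level"]
        if level in THREAT_ORDER and (
                h["max_level"] is None
                or THREAT_ORDER.index(level) > THREAT_ORDER.index(h["max_level"])):
            h["max_level"] = level
    return hosts


def rank_by_threat(log_text):
    """Order hosts the way the ASDM 'Infected Hosts -> Highest Threat Level'
    view does: highest threat level first, then most hits, then by address."""
    hosts = summarize_infected_hosts(log_text)

    def sort_key(item):
        ip, info = item
        level = THREAT_ORDER.index(info["max_level"]) if info["max_level"] in THREAT_ORDER else -1
        return (-level, -info["hits"], ip)

    return sorted(hosts.items(), key=sort_key)


if __name__ == "__main__":
    for ip, info in rank_by_threat(SAMPLE_SYSLOG):
        print(ip, info["max_level"], "hits=%d dropped=%d" % (info["hits"], info["dropped"]),
              ",".join(sorted(info["domains"])))
```

A host that shows only "monitored" hits with no "dropped" entries was classified but not blocked, which is the case to take to the endpoint before trusting the report either way.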
Black hole and BOTNET filter ?
Hi all,
I have a query regarding black hole and botnet.
My customer tends to receive traffic which is not destined anywhere. He wants to achieve the following. He wants to capture the traffic via SPAN, then direct it to a firewall on the inside interface and then apply the botnet filter. He has a Catalyst where some VRFs are defined. One of the VRFs is named "SOME-VRF-BHOLE". This VRF will be mirrored to another port and this traffic will be sent to the inside interface of a firewall where the Botnet feature is active.
My first question: is this doable? I mean, if the traffic is black holed then the first thing which will happen on the ASA is to drop the traffic, as it gets traffic destined nowhere; if it's a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm whether this method my customer has explained could be done at all?
Thanks in advance
Lance
Hello Lance,
I answered a query like this I think 2 days ago...
So you want to filter traffic via the botnet feature (you will need to make sure the ASA has access to the internet, of course, so it can contact the Security Intelligence servers).
The ASA will drop the packets if they are spoofed and you have the RPF check on.
If the traffic goes to nowhere the ASA of course will drop it (No route to host x.x.x.x).
And if we receive a SYN-ACK where there has not been a SYN, traffic will be dropped due to the TCP inspection failure (unless you configure a TCP state bypass).
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks. -
Clustering with Botnet filter planned?
Hi
Anyone know if there are plans for botnet filter to be supported in cluster mode? Any roadmaps for asa 9.x that can shed some light over it?
Thanks! -
Botnet Filter Hits - Reliability?
We just licensed one of our ASAs at a branch office with the botnet filter license and I'm already seeing some hits in the ASDM. My question is really about the reliability of the results. I know with the IPS sensors, it's pretty common to get false positives so I want to be careful with how I treat the results on hits for botnet activity. We've run a few different virus scans on the computers that are supposedly reaching out to malicious sites, but they haven't returned anything malicious being on the PC. I don't want to dismiss these, but before we start spending time really investigating the computers and disrupting the users I want to get a feel for percentage of reliability on the botnet filters alone. Any thoughts or experiences anybody can share?
If this post answers your question or is helpful, please consider rating it and/or marking it as answered.
Hello Rmeans,
Basically there is no manual way to get off of the black list as this would mean a vulnerability.
You can check if there is a blacklisted domain on the following site:
Here are a few (not all) web-sites that we refer to:
Senderbase.org
http://www.senderbase.org/senderbase_queries/rep_lookup
MyWot -
http://www.mywot.com/en/scorecard/example.com
Google Safe browsing
http://www.google.com/safebrowsing/diagnostic?site=xxxxxx.com
These are not all, just some.
If you want to report a false positive you will need to send an email specifying the reason of that :
Send an e-mail to "[email protected]" and cc:[email protected]
Regards,
Remember to rate all of the helpful posts -
Hi,
We use botnet filter on several of our ASAs in production.
The time based licenses will run out soon, and I'm wondering how to renew them.
My service coordinator says that the service agreement with Cisco is renewed, but that the PAK numbers won't change.
(I've tried inserting the same PAK on the license portal, but it says it's already been used).
Meanwhile, the time based license continues to count down.
Does anyone know how I'm supposed to update the license?
In my head I would expect Cisco sending a new PAK for the next year.
Who's wrong, my service coordinator or me? :)
Hi Steffen,
Hope the below mentioned details would clarify your queries.
Time-Based License Expiration
When the current license for a feature expires, the adaptive security appliance automatically activates an installed license of the same feature if available. If there are no other time-based licenses available for the feature, then the permanent license is used.
If you have more than one additional time-based license installed for a feature, then the adaptive security appliance uses the first license it finds; which license is used is not user-configurable and depends on internal operations. If you prefer to use a different time-based license than the one the adaptive security appliance activated, then you must manually activate the license you prefer. See the "Activating or Deactivating Keys" section.
For example, you have a time-based 2500-session SSL VPN license (active), a time-based 1000-session SSL VPN license (inactive), and a permanent 500-session SSL VPN license. While the 2500-session license expires, the adaptive security appliance activates the 1000-session license. After the 1000-session license expires, the adaptive security appliance uses the 500-session permanent license.
HTH
Regards
Karthik -
BotNet Filter Report Veracity?
Company has an ASA5510 with the BotNet Traffic filter enabled on it.
When I go to the report file (using ASDM), from the Monitor section -> Botnet Traffic Filter -> Infected Hosts -> Highest Threat Level,
if I save it as a PDF and review the report it shows malware counts on different machines. If I go to that machine and run AV or Malwarebytes or other tools I never detect anything.
What is this report showing me?
Cordially
ThomasPK
I am not questioning the process that you described. I would like to know that the bot that was "calling/reporting" back is no longer on the device/computer listed in the report
How do I know that there was malware on the device? Does something remove it? Is it time based? does it morph to ....
Or do I just take it on faith that I am protected and ignore the report?
It would be nice if it was reported on a device, if you went to the device and could find it and then remove it.
Cordially
Thomas -
Botnet filter database.
Hello, I am wondering if there is a way to view the dynamic database that is downloaded from Cisco.
I've looked around the internet and have not found anything, only that the database is contained in an encrypted file on the ASA. I have also not found a published list on the internet. I've considered opening a TAC case but figured I should ask here first. The IS Security people where I work want this information so if we have a virus outbreak we can see if the known command and control websites associated with the virus are already blocked or not.
Thanks.
Here's the script. Although I ran this against a production 5520 with no performance impact or other negative results, consider this an official "Run at Your Own Risk" warning.
1) Edit the script to include your ASA hostname, IP address, and user creds.
2) Create a list of domains you'd like to check in a text file called 'blocklist_to_check.txt', each domain on a separate line.
3) Run the script: ./btf-check-blocklist.sh, which will ssh to the ASA, open the above file, execute the 'database find' command for each blocklist entry, and save ALL of the output in a file called blocklist_results.txt.
4) Run the btf-cleanup.sh script to create the files blocklist_result-found.txt and blocklist_result-not_found.txt.
btf-check-blocklist.sh:
#!/usr/local/bin/expect
# Written by Neil Clauson
# uncomment for expect verbosity
#set verbose_flag 1
# uncomment for expect debugging
#exp_internal 1
# set global parameters
set asa_ip "192.168.1.1"
set asa_hostname "YOURASA"
set asa_username "your_username"
set asa_password "your_password"
# todo: set params via command line
#set username [lindex $argv 0]
#set password [lindex $argv 1]
# Look up every line of infile with "dynamic-filter database find" and
# write the raw ASA output of each query to outfile
proc btfcheck {infile outfile} {
    global asa_hostname
    set fid_in [open $infile r]
    set fid_out [open $outfile w+]
    # log_user 0 turns OFF screen output; comment it out to watch the session
    log_user 0
    while 1 {
        if {[gets $fid_in line] == -1} break
        send "dynamic-filter database find $line\r"
        expect "$asa_hostname#"
        set buff $expect_out(buffer)
        puts $fid_out $buff
    }
    close $fid_in
    close $fid_out
}
# main routine:
# SSH to ASA
spawn ssh -l $asa_username $asa_ip
expect "$asa_username@$asa_ip's password:"
send "$asa_password\r"
expect "$asa_hostname>"
send "en\r"
expect "Password:"
send "$asa_password\r"
expect "$asa_hostname#"
# parse the lists
# todo: implement cli args to pick which lists to parse
# usage: btfcheck infile outfile
btfcheck blocklist_to_check.txt blocklist_results.txt
# logoff ASA
send "exit\r"
expect eof
btf-cleanup.sh:
#!/bin/sh
cat blocklist_results.txt | grep -v '#' | grep -v dynamic-filter | grep -v Found > blocklist_result-found.txt
cat blocklist_results.txt | grep -v '#' | awk '/Found 0/{where=NR;print}NR==where+1 && where!=0 {print}' | grep -v Found | cut -d " " -f 5 > blocklist_result-not_found.txt -
ASA Botnet Filtering - Does it block Tor Exit nodes?
Hello Group. I am looking into methods to block TOR network activity, both inbound and outbound. Outbound is pretty straightforward by utilizing IPS and AV signatures. Inbound seems to be a little more involved. Preventing inbound traffic requires blocking all of the TOR exit nodes, which comprise a list of multiple thousands of IPs, including a small percentage that are dynamic. Does the ASA Botnet Filter encompass these IPs?
Thanks in advance for any input.
/JT
Hi,
One of the sources that the Botnet Traffic Filter uses is senderbase.org (it also uses many others), so you can evaluate one of the IP addresses that you know belongs to the TOR network and see what reputation it has (to see if the botnet feature will catch it); but remember that the main idea behind this feature is botnet detection, and I don't think we can qualify this site as a botnet site.
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html -
SPAN traffic to ASA Firewall with Botnet feature
Hi
I created a SPAN port for all our traffic which goes to the internet.
The traffic from the SPAN will be directed to the ASA FW where the botnet filter is active and which has access to the internet.
I suppose the ASA must be configured in transparent mode for this to work.
Is that right?
Any other issues where I have to pay attention?
sincerely Alfred
Hello Alfred,
I suppose the ASA must be configured in transparent mode for this to work.
Is that right?
Can you tell me why it should be running in transparent mode? I don't see any reason for that.
Is the traffic going to go out via the ASA FW to the internet, or is this some sort of monitoring-only implementation of the ASA?
Regards -
Cisco ASA unable to inspect Microsoft DNS
Hi All,
I have set up the Botnet Filter and it is working well except for one thing.
While it can inspect DNS packets for clients that have DNS servers outside my network (for example OpenDNS), it can't inspect packets from my internal DNS infrastructure, which is Microsoft DNS; the forwarders set up on my DNS servers are Google's and OpenDNS.
My DNS servers sit on the same subnet as the clients and pass through the ASA, so I wonder why the ASA is not able to catch their traffic.
Here are the relevant parts of the config:
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside classify-list botnet-exclude
dynamic-filter drop blacklist interface outside action-classify-list botnet-exclude threat-level range very-low very-high
dynamic-filter ambiguous-is-black
class-map inspection_default
match default-inspection-traffic
class-map botnet-DNS
match port udp eq domain
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect dns migrated_dns_map_1
class class-default
user-statistics accounting
policy-map botnet-policy
class botnet-DNS
inspect dns dynamic-filter-snoop
Does somebody have any clues?
Missed a little part of the config:
service-policy global_policy global
service-policy botnet-policy interface outside -
We purchased a bunch of Cisco ASA 5505s for our branch offices. Offices are made up of fewer than 20 endpoints. We are using it as a firewall and DHCP server at the moment, but also assumed that it had DNS server capabilities. Basically we use it as a SOHO router. My research thus far indicates that yes, we can use the device as a DNS server, but it won't resolve locally defined hosts. So it can relay DNS requests to an external DNS server but won't allow me to configure an A record on the device itself.
Can anyone verify this before I look into purchasing another device just to do local DNS server services?
Thanks!
Joe
As far as I know the ASA cannot act as a DNS server, nor can it act as a DNS relay. What you can do is -
1) Configure DNS servers on the ASA that can be used in certain situations for allowing the ASA to resolve a name to an IP. For example, using the Botnet filter on the ASA, SSL certificates etc. require the ASA to be able to query external DNS servers.
But this is for use by the ASA itself, i.e. it is used to resolve names within the ASA config. It is not used to allow clients to ask the ASA to resolve DNS names for them. So it can neither act as a DNS server itself nor can it pass on clients' DNS queries to DNS servers.
2) If you use the ASA to hand out IPs via DHCP you can add valid DNS servers within the DHCP config, just as you can with Windows DHCP.
Jon -
Guide to choose a Cisco Firewall Device.
Hi!
I would like to know about firewall device selection. We are a mid-sized business with a network of 5 servers and 15 switches. We are planning to have a web server/database server in house. I need guidance to choose a firewall device that can protect our network while the public can still access our web server securely.
Your help and comments are really appreciated.
Thanks,
Hi,
Most firewall devices achieve those processes. You may be concerned with other topics: DDOS attacks, Botnet filter, VPN capability.
For example, ASA firewalls split their interfaces by security level. Traffic from a lower security level to a higher security level is not permitted unless you permit specific traffic.