clausonna Tue, 02/10/2009 - 10:31
User Badges:
  • Bronze, 100 points or more

How about creating an access list on your Inside interface, for traffic flowing from your internal network out to the Internet. Permit your internal mail servers to talk on smtp (port 25) outbound, and deny all other hosts. Then just look for the hosts that get DENYs on port 25.


You could/should also be looking at an IPS solution, either Cisco's or open source (eg. Snort.) I'd also suggest looking at BotHunter, which is a customized version of Snort thats tuned to -just- look for Bots.

kbozung Tue, 02/10/2009 - 10:42
User Badges:

I'm assuming you send via a Logging? I have figured out that I can enable Logging to a syslog server and filter for what I'm looking for there.

clausonna Tue, 02/10/2009 - 10:52
User Badges:
  • Bronze, 100 points or more

Yes, an external syslog server is almost a requirement for log analysis, since the PIX/ASA will overwrite its internal log fairly quickly, and parsing logs via the CLI can be a pain. I'd highly suggest Cisco MARS here, but you could use any syslog collector (kiwi syslog, syslog-ng, etc)


Alternatively, you could use the logging functionality in ASDM, and just filter on DENY, or in the cli you can do "show logging | inc Deny"



Actions

This Discussion