02-10-2009 07:54 AM - edited 03-09-2019 10:01 PM
How can I use my PIX-515e firewall to locate the source of a SPAM bot on a network? The PIX is running v6.3.5.
02-10-2009 10:31 AM
How about creating an access list on your Inside interface, for traffic flowing from your internal network out to the Internet. Permit your internal mail servers to talk on smtp (port 25) outbound, and deny all other hosts. Then just look for the hosts that get DENYs on port 25.
You could/should also be looking at an IPS solution, either Cisco's or open source (eg. Snort.) I'd also suggest looking at BotHunter, which is a customized version of Snort thats tuned to -just- look for Bots.
02-10-2009 10:42 AM
I'm assuming you send via a Logging? I have figured out that I can enable Logging to a syslog server and filter for what I'm looking for there.
02-10-2009 10:52 AM
Yes, an external syslog server is almost a requirement for log analysis, since the PIX/ASA will overwrite its internal log fairly quickly, and parsing logs via the CLI can be a pain. I'd highly suggest Cisco MARS here, but you could use any syslog collector (kiwi syslog, syslog-ng, etc)
Alternatively, you could use the logging functionality in ASDM, and just filter on DENY, or in the cli you can do "show logging | inc Deny"
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: