ASA-55XX Botnet Support

Unanswered Question
Jul 22nd, 2009

I recently received my 30-day trial license for Botnet filtering on my ASA-5505. I followed the instructions in the document that I found here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

There were a couple of issues with submitting commands that I would like assistance with:

Step 1. I did NOT enter "domain-name mydomain.cisco.com" into the ASA as I had previously set up my domain name.

Step 6. The command "match port udp eq domain" failed with the following:

Result of the command: "match port udp eq domain"

match port udp eq domain
  ^
ERROR: % Invalid input detected at '^' marker.

Step 6. So I tried "class-map match port udp eq domain" and received the following:

Result of the command: "class-map match port udp eq domain"

class-map match port udp eq domain
                ^
ERROR: % Invalid input detected at '^' marker.

Step 6. So that command does not appear to work properly.

Step 6. The command "inspect dns dynamic-filter-snoop" results in:

Result of the command: "inspect dns dynamic-filter-snoop"

inspect dns dynamic-filter-snoop
  ^
ERROR: % Invalid input detected at '^' marker.

So, all the other commands seemed to work properly and the ASA accepted them, just not these two under Step 6.

I also appear to be having an issue downloading the database file. The following is under Monitoring/Botnet Traffic Filter/Updater Client:

Dynamic Filter updater client is enabled
Updater server url is https://update-manifests.ironport.com
Application name: trafmon, version: 1.0
Encrypted UDI: (REMOVED)
Last update attempted at 13:45:48 UTC Jul 22 2009,
  with result: Failed to connect to updater server
Next update is in 00:17:51
No database file

So if there is no database file, how does it update it? Well, looking under Monitoring/Botnet Traffic Filter/Dynamic Database shows this:

Dynamic Filter will use dynamic database downloaded from server.
Total entries in Dynamic Filter database:
  Dynamic data: 0 domain names , 0 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 0 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses

So, I see that DNS snooping is working, but on the "Reports" page, I don't see any data. Just a bunch of blank squares where the data should be.

Any advice would be GREATLY appreciated. This is on our internal system, so not a huge deal. Good thing I'm trying it out prior to selling/installing at a client's site!

Thank you!

Chris Wardell

ABC Technologies

Ok, updater just completed:

Dynamic Filter updater client is enabled
Updater server url is https://update-manifests.ironport.com
Application name: trafmon, version: 1.0
Encrypted UDI: (REMOVED)
Last update attempted at 14:45:53 UTC Jul 22 2009,
  with result: Downloaded file successfully
Next update is in 00:57:02
Database file version is '965' fetched at 14:45:53 UTC Jul 22 2009, size: 887876

So that's working, but still no data on the graphs....

cindy toy Tue, 09/01/2009 - 09:17

Hi cjonwardell,

Sorry for the delay in responding. The ASA 5500 series is a Cisco Classic product. This forum is for Cisco Small Business Products.

For more help regarding the ASA 5500 Series product, please click here.

Best regards,

Cindy Toy

Cisco Small Business Support

Community Manager

psamaniego Mon, 12/20/2010 - 00:00

Hi,

I had the same problem about the database fetch...

My problem was because I used a private IP address on the outside interface (the default gateway interface), because my ASA tried to reach the IRONPORT database through the outside interface (default).

I tried adding a static route to the IP that "update-manifests.ironport.com" resolved to at the time I was testing, but without success.

ASA1# ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
!!!!!

ASA1# show dynamic-filter updater-client
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: 0**...**b
Last update attempted at 01:14:37 ECT Dec 20 2010,
  with result: Failed to connect to updater server
Next update is in 00:01:54
No database file

It was not the solution...

I think I will need to change the private address to a public one, or NAT in another router.

I tested this configuration in another ASA with a public IP address on the interface that handles the default gateway, and it worked perfectly...

ASA2# show dynamic-filter updater-client
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: 0****a
Last update attempted at 02:55:01 GTM Dec 20 2010,
  with result: Downloaded file successfully
Next update is in 00:59:48
Database file version is '1292830321' fetched at 02:55:01 GTM Dec 20 2010, size: 2097132

Patricio S.

anton_slobodskoy Wed, 04/24/2013 - 12:46

Looks like I've found a solution.

I have changed

dns domain-lookup inside (security level 100)

to

dns domain-lookup outside (security level 0)

before

show dynamic-filter updater-client

Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Last update attempted at 22:30:38 EEDT Apr 24 2013,
  with result: Failed to connect to updater server

after

show dynamic-filter updater-client

Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Last update attempted at 22:43:12 EEDT Apr 24 2013,
  with result: Downloaded file successfully
Next update is in 00:59:48
Database file version is '1366819742' fetched at 22:43:12 EEDT Apr 24 2013, size: 2097150
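As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python health check built around the two things the thread keeps running into: the `show dynamic-filter updater-client` output that all three posts quote, and the Step 6 commands the original poster could not enter. The first function classifies the updater output so a monitoring job can alert when the ASA has no database file or the last fetch failed; the second audits a running-config excerpt for the DNS snooping configuration. The ASA accepts `match port udp eq domain` only inside class-map configuration mode and `inspect dns dynamic-filter-snoop` only inside a `class` within policy-map mode, which is why both were rejected at the global prompt above; the audit walks the config hierarchy and reports either command when it sits in the wrong mode. The class-map and policy-map names in the sample config are invented for this example, and all sample text is constructed from the output quoted in the thread.

```python
"""Defender-side checks for the ASA Botnet Traffic Filter (added example)."""
import re

# Constructed sample: the failing state quoted in the first post.
SAMPLE_FAILED = """\
Dynamic Filter updater client is enabled
Updater server url is https://update-manifests.ironport.com
Application name: trafmon, version: 1.0
Encrypted UDI: (REMOVED)
Last update attempted at 13:45:48 UTC Jul 22 2009,
  with result: Failed to connect to updater server
Next update is in 00:17:51
No database file
"""

# Constructed sample: the working state quoted later in the thread.
SAMPLE_OK = """\
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: 0****a
Last update attempted at 02:55:01 GTM Dec 20 2010,
  with result: Downloaded file successfully
Next update is in 00:59:48
Database file version is '1292830321' fetched at 02:55:01 GTM Dec 20 2010, size: 2097132
"""


def parse_updater_status(text):
    """Summarise 'show dynamic-filter updater-client' output and assign a verdict."""
    enabled = re.search(r"updater client is enabled", text) is not None
    m = re.search(r"with result:\s*(.+)", text)
    result = m.group(1).strip() if m else None
    db = re.search(r"Database file version is '([^']+)'.*?size:\s*(\d+)", text)
    status = {
        "enabled": enabled,
        "last_result": result,
        "db_version": db.group(1) if db else None,
        "db_size": int(db.group(2)) if db else None,
    }
    if not enabled:
        status["verdict"] = "CRITICAL: updater client disabled"
    elif status["db_version"] is None:
        # Without a database the filter has nothing to match DNS replies against.
        status["verdict"] = "CRITICAL: no database file; filter is not matching anything"
    elif result != "Downloaded file successfully":
        status["verdict"] = "WARNING: last update failed (%s); running on stale database %s" % (
            result, status["db_version"])
    else:
        status["verdict"] = "OK"
    return status


# Constructed running-config excerpt. The class-map/policy-map names are example
# names; the match/inspect lines are the commands from the original post.
GOOD_CONFIG = """\
class-map dns_snoop_class
 match port udp eq domain
!
policy-map dns_snoop_policy
 class dns_snoop_class
  inspect dns dynamic-filter-snoop
!
service-policy dns_snoop_policy interface outside
"""

# Constructed: the same two commands entered at the top level, as in the post.
BAD_CONFIG = """\
match port udp eq domain
inspect dns dynamic-filter-snoop
"""


def audit_dns_snoop_config(config):
    """Check that DNS snooping is wired through class-map -> policy-map -> service-policy.

    Tracks the enclosing config mode by indentation, so a 'match port' or
    'inspect dns' line in the wrong mode is reported rather than silently counted."""
    findings = []
    snoop_classes = set()     # class-maps that match UDP/53
    snoop_policies = set()    # (policy-map, class) pairs that enable snooping
    applied = set()           # policy-maps attached with service-policy
    context = []              # stack of (indent, mode, name)
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(line) - len(line.lstrip())
        while context and context[-1][0] >= indent:
            context.pop()
        tokens = stripped.split()
        if tokens[0] == "class-map" and indent == 0:
            context.append((indent, "class-map", tokens[1]))
        elif tokens[0] == "policy-map" and indent == 0:
            context.append((indent, "policy-map", tokens[1]))
        elif tokens[0] == "class" and context and context[-1][1] == "policy-map":
            context.append((indent, "class", tokens[1]))
        elif stripped == "match port udp eq domain":
            if context and context[-1][1] == "class-map":
                snoop_classes.add(context[-1][2])
            else:
                findings.append("'match port udp eq domain' outside class-map mode")
        elif stripped == "inspect dns dynamic-filter-snoop":
            if len(context) >= 2 and context[-1][1] == "class" and context[-2][1] == "policy-map":
                snoop_policies.add((context[-2][2], context[-1][2]))
            else:
                findings.append("'inspect dns dynamic-filter-snoop' outside policy-map class mode")
        elif tokens[0] == "service-policy" and indent == 0:
            applied.add(tokens[1])
    effective = sorted(p for p, c in snoop_policies if c in snoop_classes and p in applied)
    if not snoop_classes:
        findings.append("no class-map matches 'port udp eq domain'")
    if not snoop_policies:
        findings.append("no policy-map class enables 'inspect dns dynamic-filter-snoop'")
    if snoop_policies and not effective:
        findings.append("snooping policy-map is not applied with service-policy, "
                        "or its class-map lacks the DNS match")
    return {"ok": bool(effective), "policies": effective, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_OK):
        print(parse_updater_status(sample)["verdict"])
    for cfg in (GOOD_CONFIG, BAD_CONFIG):
        print(audit_dns_snoop_config(cfg))
```

Feeding the first post's output yields a CRITICAL verdict for the missing database, while the later successful fetch comes back OK with the database size parsed out; the top-level commands from Step 6 produce two "outside ... mode" findings, which is the same condition the ASA reports as "Invalid input detected".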
