Cisco Support Community

New Member

Need to find a SPAM bot on the network

How can I use my PIX-515e firewall to locate the source of a SPAM bot on a network? The PIX is running v6.3.5.

3 REPLIES
Bronze

Re: Need to find a SPAM bot on the network

How about creating an access list on your Inside interface, for traffic flowing from your internal network out to the Internet. Permit your internal mail servers to talk on smtp (port 25) outbound, and deny all other hosts. Then just look for the hosts that get DENYs on port 25.

You could/should also be looking at an IPS solution, either Cisco's or open source (e.g. Snort). I'd also suggest looking at BotHunter, which is a customized version of Snort that's tuned to -just- look for Bots.

New Member

Re: Need to find a SPAM bot on the network

I'm assuming you send via a Logging? I have figured out that I can enable Logging to a syslog server and filter for what I'm looking for there.

Bronze

Re: Need to find a SPAM bot on the network

Yes, an external syslog server is almost a requirement for log analysis, since the PIX/ASA will overwrite its internal log fairly quickly, and parsing logs via the CLI can be a pain. I'd highly suggest Cisco MARS here, but you could use any syslog collector (Kiwi Syslog, syslog-ng, etc.).

Alternatively, you could use the logging functionality in ASDM, and just filter on DENY, or in the CLI you can do "show logging | inc Deny".

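A sketch of the syslog filtering discussed in this thread, added here as an example and not posted by any participant: it counts denied outbound port-25 connections per inside host. It assumes the PIX message 106023 deny format; the sample lines, addresses and the ACL names `inside_out` and `outside_in` are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses, timestamps and ACL names are made up).
SAMPLE_LOG = """\
Mar 03 10:15:01 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.57/3312 dst outside:203.0.113.10/25 by access-group "inside_out"
Mar 03 10:15:01 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.57/3313 dst outside:198.51.100.7/25 by access-group "inside_out"
Mar 03 10:15:02 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.57/3314 dst outside:198.51.100.99/25 by access-group "inside_out"
Mar 03 10:15:04 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.57/3315 dst outside:203.0.113.10/25 by access-group "inside_out"
Mar 03 10:16:40 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.80/1188 dst outside:203.0.113.10/25 by access-group "inside_out"
Mar 03 10:17:12 192.168.1.1 %PIX-4-106023: Deny tcp src inside:192.168.1.23/2050 dst outside:198.51.100.7/445 by access-group "inside_out"
Mar 03 10:17:30 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 1042 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.168.1.5/2201 (192.0.2.5/2201)
Mar 03 10:18:02 192.168.1.1 %PIX-4-106023: Deny tcp src outside:198.51.100.44/4410 dst inside:192.168.1.5/25 by access-group "outside_in"
"""

# Matches the ACL-deny message and captures interface, address and port on both sides.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny tcp "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def smtp_deny_report(lines, inside_if="inside", port=25):
    """Return {src_ip: (deny_count, distinct_destinations)}, busiest host first."""
    hits = Counter()
    dests = {}
    for line in lines:
        m = DENY_RE.search(line)
        # Keep only denies that originate on the inside interface and target SMTP.
        if not m or m["sif"] != inside_if or int(m["dport"]) != port:
            continue
        hits[m["src"]] += 1
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in hits.most_common()}

if __name__ == "__main__":
    for ip, (n, d) in smtp_deny_report(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} denied SMTP connections to {d} distinct servers")
```

A host with many denies spread across many distinct destination mail servers is the one to inspect first; a single deny may just be a misconfigured mail client.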