Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
50869
Views
11
Helpful
17
Comments

ASA - Botnet Configuration

Kureli Sankar
Cisco Employee
Cisco Employee

‎03-05-2010 07:01 PM - edited ‎03-08-2019 06:32 PM

 

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm

Overview

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.

Prerequisite

The ASA must be running minimum 8.2 code to be able to configure botnet feature.

ASA-5505# sh ver

 

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)

.......

 

Enable ASA use of a DNS server

"Configuring the DNS Server"

 

Botnet license must be installed on the ASA

ASA-5505# sh ver

 

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)

.......

Botnet Traffic Filter        : Enabled

 

Once license expires filtering will not work until license is renewed.

Limitations

  • Supported in single and multiple context mode.
  • Supported in routed and transparent firewall mode.
  • Botnet Traffic Filter does not share any information between Failover pairs.
  • TCP DNS traffic is not supported.
  • Failovers or Reboots require a re-download of the Dynamic Database.
  • Currently there is no support for IPV6.

Step by Step Configuration

 

1. Enable DNS client on ASA

This steps is required to allow it to resolve the address of CSIO's updater service, so the dynamic filter update client to fetch updates.

 

ASA(config)# dns domain-lookup outside
ASA(config)#dns server-group DefaultDNS
ASA(config-dns-server-group)#name-server 4.2.2.2

 

2. Enable dynamic traffic filtering (Botnet Traffic Filter).

ASA(config)#dynamic-filter updater-client enable

 

3. Enable the Botnet Traffic Filter database update.

ASA(config)#dynamic-filter use-database

 

4. Classify the traffic that will be exempted and subjected.

ASA(config)#access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0  ---> exempted traffic
ASA(config)#access-list botnet-exclude extended permit ip any any  ---> subjected traffic

 

5. Enable dynamic-filter classification on outside interface

 

ASA(config)#dynamic-filter enable interface outside classify-list botnet-exclude

 

6. Configure a class map and only match dns traffic

ASA(config)#class-map botnet-DNS
ASA(config-cmap)# match port udp eq domain

 

 

7. Enable DNS snooping on the external interface

 

ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop


ASA(config)# service-policy botnet-policy interface outside

 

Alternatively, you can also choose to apply this to the existing global policy that is already configured on the ASA.

 

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
  inspect dns dynamic-filter-snoop
  ...
service-policy global_policy global

 

 

8. Define local whitelists and/or blacklists if needed.

Never block addresses:

This is traffic to or from an IP address that is considered to be good. It is part of administrator configured lists.

 

ASA(config)# dynamic-filter whitelist
ASA(config-llist)# name www.google.com
ASA(config-llist)# name www.cisco.com

Manual Black List:

This is traffic to or from an IP address that is considered to be malicious. This IP address can be either an IP address/network entry in the dynamic blacklist or administrator configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.

 

ASA(config)# dynamic-filter blacklist
ASA(config-llist)# name www.crackhell.com
ASA(config-llist)# name www.megaport.hu
ASA(config-llist)# address 164.109.48.46 255.255.255.255

 

Final Configuration Section:

dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
!
dynamic-filter updater-client enable
dynamic-filter use-database

!

access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude

!

class-map botnet-DNS
match port udp eq domain
!
policy-map botnet-policy
class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy botnet-policy interface outside

 

Logging

 

338001 - 338004

338101 - 338104

338201 - 338204

338301 - 338310

 

  http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165

Show commands

show dynamic-filter data

dynamic-filter database find <string>

show dynamic-filter reports top botnet-sites

show dynamic-filter reports top infected-hosts

show dynamic-filter reports top botnet-ports

 

clear dynamic-filter statistics
    The dynamic filter statistics can be cleared at any time with this command. To clear the statistics for a certain interface use the optional interface nameif keyword for the command.

 

clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
    This command will reset all statistics back to 0 and remove all entries from the reports.

 

clear dynamic-filter dns-snoop
    This command deletes all of the entries from the DNSRC. DNS reverse Cache Information.

 

 

 

 

 

 

Labels:
Comments
Chirantan Goswami
Community Member
‎01-25-2013 02:53 AM

Hii Poonguzhali,

i really find this documet useful  but currently i am facing a problem .... Hope you should be able to help me out on that .. i am currently using asa 5580-40 (8.3) which is deployed at our core. we have deployed our asa in a loop with a 7600 ... so that we can pass the interesting traffic through the asa and rest bypass the asa ... we are using vrf on the router to forward traffic ... In this scenario i am trying to enable dynamic botnet filtering on the asa for the interesting traffic .... my constraints are that , i am not in a position to expose either the asa or the router to the outside world ...... Hope i am able to explain you my problem and ask for possible solution/solutions on this to reach the update server ??

Kureli Sankar
Cisco Employee
Cisco Employee
‎01-26-2013 09:48 AM

1. Enable DNS client on ASA

This steps is required to allow it to resolve the address of CSIO's updater service, so the dynamic filter update client to fetch updates.

The ASA should be able to reach the internet.  This is a requirement and not an option.

-Kureli

Chirantan Goswami
Community Member
‎02-15-2013 04:07 AM

Hii Poonguzhali,

Thankyou for your HINT. Hint because not the ASA but the admin context in the ASA working on multiple context mode should be reachable to the internet... Unfortunately nowhere in your KB it is mentioned precisely that this thing should be kept in mind .... I tried with different contexts in the multiple context mode but it didnt worked .... At last i tried it with the admin context and it worked .... Unlike ironport where we do have the privilege to apply a device ip for its recognition ASA doesnt have this feature .... & also because of my limitations that i discussed earlier i had to find out a solution to this ....... Everything is working fine for me now and to a great extent i am relieved ..... So my request to you is to update the same in the KB.

Kureli Sankar
Cisco Employee
Cisco Employee
‎02-15-2013 04:48 AM

Chirantan,

Sorry about that.  I had no idea this was a multiple context ASA. The documentation link that I provided above, does have it listed as a pre-requisite. You can readd here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.html#wp1129678

-Kureli

w1ll1ambarr
Level 1
Level 1
‎04-27-2013 03:05 AM

Hi Poonguzhali,

I find your article very interesting and informative, I'm new in ASA I work for a small company, we just bought to ASA with security plus license and I want to enable botnet filtering.

My question is now that I have added the 2 ASAs in our Smarnet contract and have received the botnet filtering licenses from

Cisco, how do install the license to our ASAs?

Thanks in advance for your help.

Will

Chirantan Goswami
Community Member
‎04-29-2013 02:56 AM

Hii Will ,

On your ASDM panel go to System>Configuration > Device Management>Activation Key>New Activation Key ... Copy paste the key you received and hit Update Activation key at the bottom of the page ....  You will have to then save the configuration and restart ASDM .

Alternatively you can go to your system context to type    ASA(config)# activation-key ##########   and paste the activation key (#########)...... It would require a reload to take affect..... .... Hope that should solve your problem for now... Cheers!!

Edward Dominguez
Level 1
Level 1
‎07-30-2013 04:45 PM

Hi Poonguzhali,

Do you know how to enable reports or notifications for the Botnet Traffic Filter directly from the ASA instead of the use of third-party Syslog program? Thanks.

Chirantan Goswami
Community Member
‎07-30-2013 10:44 PM

Hii Edward,

Once implemented, you can go to your asdm page > Monitoring > Botnet traffic filter>Real time reports/Infected hosts to generate your report with the settings pre-defined... You cannot customize the fields though what is given should be adequate .. Hope that answers your question.

pemasirid
Level 1
Level 1
‎03-26-2014 08:15 AM

Dear KS,

I have configured the botnet and found that there are some malware infected hosts inside,however it shows me as permitted which infact should be blocked. Could you please advise what command required to configure the infected host to be blocked immediately instead of as permitted.

 

AD-xx-xx-FW1# show dynamic-filter reports infected-hosts all 
Total 1 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
10.1.231.10 (inside)                    13:12:00 AST Mar 26 2014, permitted                  1      0
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
83.238.208.55 ()                               8193, 13:12:00 AST Mar 26 2014, permitted           1      0   very-high  Malware
=======================================================================================================

 

 

Martin2m2
Level 1
Level 1
‎01-21-2015 02:55 AM

Hi Poonguzhali,

What happens technically when the botnet license expires? Does the botnet function stop completely or only the updates?

 

Does the ASA generate any messages before the license expires?

 

Kind regards,

Martin

JOHN FEDOR
Community Member
‎03-17-2016 12:36 PM

yes, you get a daily syslog trigger with a countdown.  Example:

Mar 16 2016 20:54:23: %ASA-4-444005: Timebased license key 0x12345 0x12345 0x12345 0x12345 0x12345 will expire in 341 days.

thierrymasson
Level 1
Level 1
‎04-06-2016 11:50 PM

Hi,

I have installed a Botnet traffic Filter on a ASA5505.

But this one is in transparent mode (IPv6 bridge), so IPv4 couln't be resolve from ASA itself !

How can we do make the Botnet functionnal (as the database URL is only resolvable in IPv4 !!!)?

thanks

saifuddin.miyaji
Level 3
Level 3
‎09-19-2016 01:06 AM

Hi,

We have ASA5515X and have Botnet configuration in place. We are observing regular tcp disconnects and session termination. Following mesage pops up in syslog:

Sep 19 2016 08:27:03 192.168.202.2 : %ASA-5-338303: Address 52.21.128.40 (mail.ruic.rom) timed out. Removing rule

Could this be the work of botnet filtering, and how to rectify this?

Saif

anantha.k1
Community Member
‎10-24-2016 07:43 PM

HI All,

we are using ASA 5525 model, our botnet configuration is similar like your example configuration, i had renew the licence and activate also, but when i generate the report is nothing.

Regards

Krish

bcoverstone
Level 1
Level 1
‎10-17-2018 09:28 AM

EDIT: I figured out the issue.  You must run "dynamic-filter use-database" first, or else you will get the error below.  I'll leave this for future googlers.

 

 

We just purchased a used ASA 5505 with 9.1(7)32, and it has a Botnet subscription.  While I don't really have a use for it, I thought I would try it out.  Unfortunately, it does not seem to recognize the database format:

 

ASA# debug dynamic-filter updater-client

ASA# dynamic-filter database fetch

...

Dynamic Filter: update file url1 =
http://updates.ironport.com/threatcast/1.0/blacklist/2mb-1file/1539787252
Dynamic Filter: update file url2 =
http://updates.ironport.com/threatcast/1.0/blacklist/2mb-1file/1539787252
...
Dynamic Filter: Successfully downloaded the update file from url1
...

Dynamic Filter: Downloaded file successfully
Dynamic Filter: read ramfs bytes 2097136
Dynamic Filter: file MD5 verification check succeeded
Dynamic Filter: decrypt key succeeded
Channel NP p=0x00000000 0/0 more bufferedINFO: Dynamic Filter: update succeeded
channel-np.cDynamic Filter: decrypt file succeeded byte = 2097134
Dynamic Filter: updating engine bytes = 2097134
Dynamic_filter: There is no meta dat found in the update file,
 probably because of wrong dynamic database format or downloaded old format
 dynamic database.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents