Malware is malicious software that is installed on an unknowing hosts. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
I recently had the opportunity to install and configure the BOTNET Traffic filter on our Company 5510 and 5520 ASA’s. This was a real treat because it was something I have wanted to do for a long time ever since I had the opportunity to configure the IPS modules. The overall install and configuring was really pretty simple, and straightforward.
ASA#configure terminal
ASA(config)#dns domain-lookup outside
ASA(config-dns-server-group)#dns-server value 172.16.30.11 172.16.31.11
ASA(config-dns-server-group)#exit
ASA(config)#
ASA(config)#dynamic-filter updater-client enable
ASA(config)#dynamic-filter use-database
ASA(config)#dynamic-filter enable interface inside
ASA(config)#
ASA(config)#policy-map type inspect dns DNS-MAP
ASA(config-pmap)#parameters
ASA(config-pmap-p)#message-length maximum client auto
ASA(config-pmap-p)#message-length maximum 512
ASA(config-pmap-p)#exit
ASA(config-pmap)#exit
ASA(config)#
ASA(config)#policy-map global_policy
ASA(config-pmap)#class inspection_default
ASA(config-pmap-c)#inspect dns DNS-MAP dynamic-filter-snoop
ASA(config-pmap-c)#exit
ASA(config-pmap)#end
ASA#
ASA(config)#dynamic-filter drop blacklist interface inside
Here’s a quick list of useful BOTNET related commands that I use on a daily basis to monitor, and report on various Malware related traffic.
- show dynamic-filter data
- show dynamic-filter updater-client
- show dynamic-filter dns-snoop
- show dynamic-filter reports infected-hosts all
- show dynamic-filter reports top
I hope you found this post on BOTNET helpful and informative. Be sure to let me know what you think by leaving suggestions, and feedback in the comments section below. You can find out more about these and other articles be checking out recent posts and archives. To learn more about me be sure to check out the About page. And as always thanks again for visiting The Packet.