ASA - Botnet Configuration

From DocWiki

Revision as of 22:47, 3 June 2010

Introduction

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm

Overview

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.


Configuration

Enable DNS client on ASA

This step is required so the ASA can resolve the address of CSIO's updater service, allowing the dynamic filter update client to fetch updates.

ASA(config)# dns domain-lookup outside
ASA(config)# dns server-group DefaultDNS
ASA(config-dns-server-group)# name-server 64.102.6.247


Enable dynamic traffic filtering (Botnet Traffic Filter)

ASA(config)#dynamic-filter updater-client enable


Enable the Botnet Traffic Filter database update

ASA(config)#dynamic-filter use-database


Classify the traffic that will be exempted from, and subjected to, the Botnet Traffic Filter

ASA(config)#access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0  ---> exempted traffic
ASA(config)#access-list botnet-exclude extended permit ip any any  ---> subjected traffic


Enable dynamic-filter classification on outside interface

ASA(config)#dynamic-filter enable interface outside classify-list botnet-exclude
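The point of the classify-list above is easy to misread: in a classify-list, "deny" does not drop traffic, it exempts it from the Botnet Traffic Filter, and "permit" subjects it. The following is an added example (not part of this page or of Cisco's code) that parses ASA-style extended ACEs with real subnet masks and evaluates a flow first-match against the botnet-exclude list from this page; treating a flow that matches no entry as exempted is an assumption of the model, as is the hypothetical demo() helper.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_ace(line):
    """Parse one 'access-list NAME extended {permit|deny} ip SRC DST' entry.

    SRC and DST are each 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (ASA uses
    real subnet masks, not wildcard masks). Returns (action, src_net, dst_net).
    """
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    nets, i = [], 5
    for _ in range(2):
        if tokens[i] == "any":
            nets.append(ANY)
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:
            # ipaddress accepts 'address/netmask' notation, e.g. 192.168.0.0/255.255.0.0
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False))
            i += 2
    return action, nets[0], nets[1]


def build_acl(lines):
    return [parse_ace(line) for line in lines]


def classify(acl, src, dst):
    """First-match evaluation of a classify-list.

    In a Botnet Traffic Filter classify-list the ACE action says nothing about
    forwarding: 'permit' means the flow is subjected to the filter and 'deny'
    means it is exempted. This model treats a flow that matches no entry as
    hitting the implicit deny, i.e. exempted (assumption).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "subjected" if action == "permit" else "exempted"
    return "exempted"


# The classify-list from this page (the '---> ...' annotations are not part of the command).
BOTNET_EXCLUDE = build_acl([
    "access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0",
    "access-list botnet-exclude extended permit ip any any",
])


def demo():
    # Constructed sample flows: inside host to an internal RFC 1918 destination,
    # and the same host to an Internet destination (TEST-NET-3 documentation range).
    flows = [("10.1.1.45", "192.168.5.5"), ("10.1.1.45", "203.0.113.10")]
    return {f"{s}->{d}": classify(BOTNET_EXCLUDE, s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, result in demo().items():
        print(flow, result)
```

The internal flow hits the deny entry and is left alone; everything else falls through to permit ip any any and is checked against the blacklist. Adding further deny entries before the final permit is how you keep trusted internal ranges out of the filter.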


Configure a class map that matches only DNS traffic

ASA(config)#class-map botnet-DNS
ASA(config-cmap)# match port udp eq domain


Enable DNS snooping on the external interface

ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop

ASA(config)# service-policy botnet-policy interface outside


Alternatively, you can add the DNS snooping inspection to the global policy that is already configured on the ASA.


class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
 inspect dns dynamic-filter-snoop
 ...
service-policy global_policy global


Define local whitelists and/or blacklists if needed.

Never block addresses:

This is traffic to or from an IP address that is considered to be good; it is part of the administrator-configured lists.


ASA(config)# dynamic-filter whitelist
ASA(config-llist)#   name www.google.com
ASA(config-llist)#   name www.cisco.com

Manual Black List:

This is traffic to or from an IP address that is considered to be malicious. The IP address can be an IP address/network entry in the dynamic blacklist or in the administrator-configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.


ASA(config)# dynamic-filter blacklist
ASA(config-llist)#  name www.crackhell.com
ASA(config-llist)#  name www.megaport.hu
ASA(config-llist)#  address 164.109.48.46 255.255.255.255
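To make concrete how the static lists and DNS snooping fit together (name entries only become useful once a DNS reply has been snooped, while address entries match directly), here is an added toy model, not Cisco's implementation and not code from this page. It loads the whitelist and blacklist entries shown above, snoops constructed DNS replies, and returns a verdict per remote address. Its assumptions: name entries are matched exactly, the whitelist is consulted before the blacklist because the page describes whitelist entries as "never block", and the helper names (BotnetFilterModel, build_from_page, demo) and the documentation-range IPs are invented for the example.

```python
import ipaddress


class BotnetFilterModel:
    """Toy model of the ASA static database plus DNS snooping (constructed for illustration)."""

    def __init__(self):
        self.whitelist_names = set()
        self.blacklist_names = set()
        self.blacklist_nets = []
        self.snooped = {}  # resolved IP -> domain name seen in a snooped DNS reply

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def whitelist_name(self, name):            # dynamic-filter whitelist / name ...
        self.whitelist_names.add(self._norm(name))

    def blacklist_name(self, name):            # dynamic-filter blacklist / name ...
        self.blacklist_names.add(self._norm(name))

    def blacklist_address(self, addr, mask):   # dynamic-filter blacklist / address ...
        self.blacklist_nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

    def snoop_dns_reply(self, qname, answers):
        """What 'inspect dns dynamic-filter-snoop' contributes: remember which domain
        each A-record answer was returned for, so a later connection to that IP can
        be tied back to a listed name."""
        for ip in answers:
            self.snooped[str(ipaddress.ip_address(ip))] = self._norm(qname)

    def verdict(self, remote_ip):
        """Classify a connection by its remote address.

        Returns (verdict, reason), verdict in {'whitelisted', 'blacklisted', 'unknown'}.
        Whitelist first (assumption: 'never block' wins), then blacklisted names via
        snooped replies, then blacklisted address entries.
        """
        remote_ip = str(ipaddress.ip_address(remote_ip))
        domain = self.snooped.get(remote_ip)
        if domain in self.whitelist_names:
            return "whitelisted", f"resolved from whitelist: {domain}"
        if domain in self.blacklist_names:
            return "blacklisted", f"resolved from blacklist: {domain}"
        for net in self.blacklist_nets:
            if ipaddress.ip_address(remote_ip) in net:
                return "blacklisted", f"address matches blacklist entry {net}"
        return "unknown", "no static-list match"


def build_from_page():
    """Load the whitelist and blacklist entries configured on this page."""
    m = BotnetFilterModel()
    for n in ("www.google.com", "www.cisco.com"):
        m.whitelist_name(n)
    for n in ("www.crackhell.com", "www.megaport.hu"):
        m.blacklist_name(n)
    m.blacklist_address("164.109.48.46", "255.255.255.255")
    return m


def demo():
    m = build_from_page()
    # Constructed DNS replies using documentation addresses, not real resolutions.
    m.snoop_dns_reply("www.crackhell.com.", ["198.51.100.7"])
    m.snoop_dns_reply("WWW.GOOGLE.COM", ["198.51.100.9"])
    targets = ("198.51.100.7", "198.51.100.9", "164.109.48.46", "192.0.2.1")
    return {ip: m.verdict(ip)[0] for ip in targets}


if __name__ == "__main__":
    for ip, v in demo().items():
        print(ip, v)
```

Note what the model makes visible: a connection to an address that no snooped reply ties to a listed name, and that no address entry covers, comes back "unknown", which is why the snooping inspection must sit on the interface where the clients' DNS replies actually pass (the outside interface in this configuration).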


Related show Commands

show dynamic-filter data
show dynamic-filter database find <string>
show dynamic-filter reports top botnet-sites
show dynamic-filter reports top infected-hosts
show dynamic-filter reports top botnet-ports


Show running-config

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 64.102.6.247
!
dynamic-filter updater-client enable
dynamic-filter use-database
!
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude
!
class-map botnet-DNS
 match port udp eq domain
!
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy botnet-policy interface outside

Related Information

Logging

Botnet Traffic Filter syslog message IDs:

338001 - 338004
338101 - 338104
338201 - 338204
338301 - 338310

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165
