"
The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the information."
If you are using Cisco ASA 8.2 with the Botnet Traffic Filter license, you will know that the ASA sends a syslog when hosts are added to the blacklists, etc. Then you can, errr, manually mitigate these yourselves with a shun or ACL. (I'm sure this will get better in the future!)
The current version of MARS, 6.0.3, only understands syslogs from ASA 8.1 at the latest, so these new syslog messages will be classified as unknown events.
I was thinking of creating a parser package to support these, but unfortunately have not had the time recently.
If you fancy having a go yourselves, you can either create a parser and rules, or simply create some rules that look for the text strings in the syslogs below.
Here are the new syslogs related to the Botnet Traffic Filter feature:
%ASA-4-338001: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name
%ASA-4-338002: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name
%ASA-4-338003: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask
%ASA-4-338004: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask
%ASA-4-338101: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name
%ASA-4-338102: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name
%ASA-4-338103: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask
%ASA-4-338104: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask
%ASA-4-338201: Dynamic filter action grey listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name
%ASA-4-338202: Dynamic filter action grey listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name
%ASA-4-338301: Intercepted DNS reply for domain name from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, matched list
%ASA-5-338302: Address ipaddr discovered for domain name from list, Adding rule
%ASA-5-338303: Address ipaddr (name) timed out, Removing rule
%ASA-6-338304: Successfully downloaded dynamic filter data file from updater server url
%ASA-3-338305: Failed to download dynamic filter data file from updater server url
%ASA-3-338306: Failed to authenticate with dynamic filter updater server url
%ASA-3-338307: Failed to decrypt downloaded dynamic filter database file
%ASA-5-338308: Dynamic filter updater server dynamically changed from old_server_host: old_server_port to new_server_host: new_server_port
%ASA-3-338309: The license on this ASA does not support dynamic filter updater feature.
%ASA-3-338310: Failed to update from dynamic filter updater server url, reason: reason string
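As an added example (not from the original post, and not a MARS parser package), here is the field extraction and the "inside host talking to a blacklisted destination" rule that the text-string approach above amounts to, written in Python over constructed sample lines that follow the 3380xx/3381xx/3382xx templates as printed. The action words "dropped"/"monitored", the interface names and all addresses are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Regex built from the 3380xx/3381xx/3382xx templates above. The NAT "(mapped-ip/mapped-port)"
# groups are captured loosely, and the optional comma before the destination NAT group
# mirrors the difference between the "source" and "destination" message variants.
BTF_TRAFFIC = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msg_id>338[012]\d\d): Dynamic filter (?P<action>\S+) "
    r"(?P<list>black|white|grey) listed (?P<proto>\S+) traffic from "
    r"(?P<in_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \((?P<src_nat>[^)]*)\) to "
    r"(?P<out_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+),? \((?P<dst_nat>[^)]*)\), "
    r"(?P<side>source|destination) malicious address resolved from "
    r"(?P<list_src>local|dynamic) list: (?P<entry>\S+)"
)

def parse_btf(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a Botnet Traffic Filter traffic syslog, or None
    when the line is not one of the 3380xx/3381xx/3382xx messages."""
    m = BTF_TRAFFIC.search(line)
    return m.groupdict() if m else None

def suspect_internal_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """The rule a MARS text-string match would express: keep black-listed events where
    the *destination* resolved as malicious (an inside host reaching a listed C2 host),
    ignore white-listed matches, and map each inside source IP to the names/addresses it
    contacted. The result is review input for a manual shun/ACL, not an automatic block."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_btf(line)
        if not ev or ev["list"] != "black" or ev["side"] != "destination":
            continue
        entries = hits.setdefault(ev["src_ip"], [])
        if ev["entry"] not in entries:
            entries.append(ev["entry"])
    return hits

# Constructed sample lines following the templates above (documentation address ranges).
SAMPLE_LOGS = [
    "%ASA-4-338002: Dynamic filter dropped black listed TCP traffic from inside:10.1.2.3/49152 (203.0.113.5/49152) to outside:198.51.100.7/80 (198.51.100.7/80), destination malicious address resolved from dynamic list: c2.bad.example",
    "%ASA-4-338004: Dynamic filter monitored black listed UDP traffic from inside:10.1.2.3/5000 (203.0.113.5/5000) to outside:198.51.100.9/53 (198.51.100.9/53), destination malicious address resolved from local list: 198.51.100.0/24",
    "%ASA-4-338102: Dynamic filter monitored white listed TCP traffic from inside:10.1.2.4/40000 (203.0.113.5/40000) to outside:192.0.2.10/443 (192.0.2.10/443), destination malicious address resolved from local list: update.example.com",
    "%ASA-4-338001: Dynamic filter dropped black listed TCP traffic from outside:198.51.100.7/4444 (198.51.100.7/4444) to inside:10.1.2.9/22, (10.1.2.9/22), source malicious address resolved from dynamic list: scanner.bad.example",
    "%ASA-5-338302: Address 198.51.100.7 discovered for c2.bad.example from dynamic list, Adding rule",
]

if __name__ == "__main__":
    for host, entries in suspect_internal_hosts(SAMPLE_LOGS).items():
        print(f"{host} -> {', '.join(entries)}")
```

The 3383xx messages (DNS intercepts, rule adds/removes, updater status) fall through `parse_btf` as `None`; they are worth separate rules, in particular 338305 to 338310, which indicate the filter database is stale.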
Enjoy.