Thursday, May 28, 2009

ASA Botnet Traffic Filter Syslogs

"The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the information."

If you are using Cisco ASA 8.2 with the Botnet Traffic Filter license, you will know that the ASA sends syslog messages when hosts are added to the blacklists and so on. Then you can, err, manually mitigate these yourself with a shun or an ACL. (I'm sure this will get better in the future!)

The current version of MARS, 6.0.3, only understands syslogs up to ASA 8.1, so these new syslog messages will be classified as unknown events.

I was thinking of creating a parser package, to support these, but unfortunately have not had the time recently.

If you fancy having a go yourselves, you can either create a parser and rules, or simply create some rules that look for the text strings in the syslogs below.

Here are the new syslogs related to the Botnet Traffic Filter feature...

338001
Error Message %ASA-4-338001: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338002
Error Message %ASA-4-338002: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338003
Error Message %ASA-4-338003: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338004
Error Message %ASA-4-338004: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338101
Error Message %ASA-4-338101: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338102
Error Message %ASA-4-338102: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338103
Error Message %ASA-4-338103: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338104
Error Message %ASA-4-338104: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338201
Error Message %ASA-4-338201: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338202
Error Message %ASA-4-338202: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338301
Error Message %ASA-4-338301: Intercepted DNS reply for domain name from
in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port,
matched list

338302
Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list,
Adding rule

338303
Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

338304
Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from
updater server url

338305
Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater
server url

338306
Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater
server url

338307
Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database
file

338308
Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from
old_server_host: old_server_port to new_server_host: new_server_port

338309
Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter
updater feature.

338310
Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url,
reason: reason string
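Since MARS 6.0.3 treats all of the above as unknown events, here is an added example (mine, not Cisco's code and not from this blog) of a small Python parser and triage routine for the 338xxx messages. The sample log lines are constructed from the field layout listed above using RFC 5737 documentation addresses; the action words ("dropped", "monitored"), list names, domains and the updater URL are assumptions, because the page only gives the message templates. The parser also resolves which side of the flow is the endpoint worth investigating, which the raw message leaves to the reader: when the message says "source malicious", the internal host is the destination, and vice versa.

```python
"""Parser and triage for Cisco ASA Botnet Traffic Filter syslogs (message IDs 338001-338310).
Added example; the message layouts follow the templates on the page, everything else is assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fixed syslog prefix shared by every ASA message: %ASA-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.+)$")

# Traffic-match messages 338001-338202. "black ?listed" accepts both "black listed" (the
# page's wording) and "blacklisted"; ",? " accepts the optional comma after dest_port.
TRAFFIC_RE = re.compile(
    r"Dynamic filter (?P<action>\w+) (?P<color>black|white|grey) ?listed (?P<proto>\w+) traffic "
    r"from (?P<in_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) \((?P<src_map>[^)]+)\) "
    r"to (?P<out_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+),? \((?P<dst_map>[^)]+)\), "
    r"(?P<side>source|destination) malicious address resolved from (?P<list>\w+) list: (?P<resolved>\S+)"
)

# DNS snooping message 338301: the reply travels server -> client, so the client is dst_ip.
DNS_RE = re.compile(
    r"Intercepted DNS reply for (?P<domain>\S+) from (?P<in_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"to (?P<out_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), matched (?P<list>.+)"
)

# Updater messages that mean the feed is stale or unusable (338304 and 338308 are not failures).
UPDATER_FAILURES = {"338305", "338306", "338307", "338309", "338310"}


@dataclass
class Event:
    msgid: str
    severity: int
    category: str  # blacklist | whitelist | greylist | dns | updater | updater_failure | unparsed
    fields: Dict[str, str] = field(default_factory=dict)
    internal_host: Optional[str] = None  # the non-malicious side of a match, i.e. the host to look at
    indicator: Optional[str] = None      # the domain or ip/netmask the ASA matched against its lists


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; returns None for anything that is not a 338xxx message."""
    h = HEADER_RE.search(line)
    if not h or not h.group("msgid").startswith("338"):
        return None
    msgid, sev, body = h.group("msgid"), int(h.group("sev")), h.group("body")

    if msgid < "338300":  # 338001-338202 are traffic matches
        m = TRAFFIC_RE.match(body)
        if not m:
            return Event(msgid, sev, "unparsed", {"text": body})
        f = m.groupdict()
        category = {"black": "blacklist", "white": "whitelist", "grey": "greylist"}[f["color"]]
        # "source malicious" means the remote side is the source, so the local endpoint is dst_ip
        inside = f["dst_ip"] if f["side"] == "source" else f["src_ip"]
        return Event(msgid, sev, category, f, internal_host=inside, indicator=f["resolved"])

    if msgid == "338301":
        m = DNS_RE.match(body)
        f = m.groupdict() if m else {}
        return Event(msgid, sev, "dns", f, internal_host=f.get("dst_ip"), indicator=f.get("domain"))

    if msgid in UPDATER_FAILURES:
        return Event(msgid, sev, "updater_failure", {"text": body})
    # 338302/338303 are DNS-derived rule add/remove; 338304 and 338308 are updater status
    return Event(msgid, sev, "updater" if msgid >= "338304" else "dns", {"text": body})


def hosts_to_review(lines: List[str]) -> Dict[str, Set[str]]:
    """Internal hosts with a blacklist hit, mapped to the indicators they matched.
    This is the list the post says you currently act on by hand (shun or ACL)."""
    hosts: Dict[str, Set[str]] = {}
    for ev in map(parse_line, lines):
        if ev and ev.category == "blacklist" and ev.internal_host:
            hosts.setdefault(ev.internal_host, set()).add(ev.indicator or "")
    return hosts


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Reduce raw lines to (priority, summary) pairs; whitelist and routine status are dropped."""
    out: List[Tuple[str, str]] = []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        if ev.category == "blacklist":
            out.append(("high", f"{ev.internal_host} <-> blacklisted {ev.indicator} ({ev.fields['action']})"))
        elif ev.category == "greylist":
            out.append(("medium", f"{ev.internal_host} <-> greylisted {ev.indicator}, review"))
        elif ev.category == "updater_failure":
            out.append(("medium", f"feed updater failure {ev.msgid}: {ev.fields['text']}"))
    return out


# Constructed sample lines (not real captures); addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "%ASA-4-338002: Dynamic filter dropped black listed TCP traffic from inside:10.1.1.45/6798 "
    "(203.0.113.10/6798) to outside:198.51.100.5/80 (198.51.100.5/80), destination malicious "
    "address resolved from dynamic list: bad.example.test",
    "%ASA-4-338003: Dynamic filter monitored blacklisted UDP traffic from outside:198.51.100.9/40000 "
    "(198.51.100.9/40000) to inside:10.1.1.77/53, (203.0.113.10/53), source malicious "
    "address resolved from local list: 198.51.100.0/24",
    "%ASA-4-338102: Dynamic filter monitored white listed TCP traffic from inside:10.1.1.12/50001 "
    "(203.0.113.10/50001) to outside:192.0.2.20/443 (192.0.2.20/443), destination malicious "
    "address resolved from local list: vendor.example.test",
    "%ASA-4-338301: Intercepted DNS reply for bad.example.test from outside:198.51.100.53/53 "
    "to inside:10.1.1.45/51512, matched dynamic list",
    "%ASA-3-338305: Failed to download dynamic filter data file from updater server https://updater.invalid/",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.1/80 (192.0.2.1/80) "
    "to inside:10.1.1.45/1234 (203.0.113.10/1234)",
]

if __name__ == "__main__":
    for priority, summary in triage(SAMPLE_LOGS):
        print(priority, summary)
    print(hosts_to_review(SAMPLE_LOGS))
```

The updater failures are kept in the triage output on purpose: a feed that silently stops updating shrinks what the filter can match, so an alert on 338305 through 338310 is as useful as one on the blacklist hits themselves.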


Enjoy.


Friday, May 15, 2009

Update on 6.0.3 Patch

Thanks to Bob Lin, for an update on the 6.0.3 patch I mentioned yesterday.

Incidentally, the 6.0.3 patch and patch readme can both be downloaded from the MARS Miscellaneous CCO site:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc.

It is only required if you encounter one of those two bugs.

Regards,
Bob Lin
CS-MARS Release Manager and Escalation Engineer

Thursday, May 14, 2009

6.0.3 Patch Available

Thanks to Jeremy Wood in the MARS User Group for pointing out there is a patch available for MARS release 6.0.3.

"I was noticing that I had a bunch of Drop rules that were not
triggering correctly after upgrading to 6.0.3 and in my quest for a
solution ran across a patch here:

Looks like it fixes the following problems:
CSCsz14701 - some drop rules do not drop packets after 602 to 603 upgrade
CSCsz22056 - Mars http access to JBoss Application Server info"

Thanks Jeremy.

Also you may be interested to note that a new version of the Cisco NAC Appliance 4.5 Parser Package is now available, without an import password! 

This is a v2 of the package, without the word Draft. Thanks to Craig Hyps for pointing this out.

You can get this from the MARS Parser Exchange under the NetPro Forums on Cisco.com.

Monday, May 04, 2009

MARS Troubleshooting Technotes

I notice Cisco have added a new doc, under the MARS configuration examples section on Cisco.com, on Troubleshooting.

Worth a read for any newbies.

You can view this HERE.