Thursday, May 28, 2009

ASA Botnet Traffic Filter Syslogs

"The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the information."

If you are using Cisco ASA 8.2 with the Botnet Traffic Filter license, you will know that the ASA will syslog out when hosts are added to the blacklists etc. Then you can, errr, manually mitigate these yourselves with a shun or ACL. (I'm sure this will get better in the future!)

The current version of MARS 6.0.3 only understands syslogs up to ASA 8.1, so these new syslog messages will be classified as unknown events.

I was thinking of creating a parser package to support these, but unfortunately have not had the time recently.

If you fancy having a go yourselves, you can either create a parser and rules, or simply create some rules to look for the text strings in the syslogs below.

Here are the new syslogs related to the Botnet Traffic Filter feature:

338001
Error Message %ASA-4-338001: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338002
Error Message %ASA-4-338002: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338003
Error Message %ASA-4-338003: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338004
Error Message %ASA-4-338004: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338101
Error Message %ASA-4-338101: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338102
Error Message %ASA-4-338102: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338103
Error Message %ASA-4-338103: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338104
Error Message %ASA-4-338104: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338201
Error Message %ASA-4-338201: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338202
Error Message %ASA-4-338202: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338301
Error Message %ASA-4-338301: Intercepted DNS reply for domain name from
in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port,
matched list

338302
Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list,
Adding rule

338303
Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

338304
Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from
updater server url

338305
Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater
server url

338306
Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater
server url

338307
Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database
file

338308
Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from
old_server_host: old_server_port to new_server_host: new_server_port

338309
Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter
updater feature.

338310
Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url,
reason: reason string
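As an added example (not from the original post), here is a small Python parser and rule that does what is suggested above: it matches the traffic and updater message formats quoted on this page and turns each line into a verdict a correlation rule could raise, flagging the internal endpoint on black/grey listed flows and flagging updater errors because a stale dynamic list silently loses coverage. The sample lines, interface names, addresses, the action words `dropped`/`monitored` and the verdict labels are constructed assumptions.

```python
import re

# Traffic messages 3380xx/3381xx/3382xx. The ", (" vs " (" after dest_port varies per ID, hence ",? \(".
TRAFFIC_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>338[0-2]\d\d): Dynamic filter (?P<action>\S+) "
    r"(?P<colour>black|white|grey) listed (?P<proto>\S+) traffic from "
    r"(?P<in_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) \([^)]*\) to "
    r"(?P<out_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+),? \([^)]*\), "
    r"(?P<side>source|destination) malicious address resolved from local or dynamic list: (?P<resolved>\S+)"
)
# Updater status messages 338304-338310; the error IDs mean the dynamic list is going stale.
UPDATER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>3383(?:0[4-9]|10)): (?P<text>.*)$")
FEED_FAILURE_IDS = {"338305", "338306", "338307", "338309", "338310"}
LIST_FOR_ID = {"0": "black", "1": "white", "2": "grey"}  # fourth digit of the message ID

def parse_event(line):
    # Returns a dict for a Botnet Traffic Filter syslog line, or None for anything else.
    m = TRAFFIC_RE.search(line)
    if m:
        ev = m.groupdict()
        if LIST_FOR_ID[ev["msgid"][3]] != ev["colour"]:  # ID family must agree with the text
            return None
        # The non-malicious side of the flow is the internal endpoint to investigate.
        ev["internal_host"] = ev["src_ip"] if ev["side"] == "destination" else ev["dst_ip"]
        ev["kind"] = "traffic"
        return ev
    m = UPDATER_RE.search(line)
    return dict(m.groupdict(), kind="updater") if m else None

def triage(line):
    # Maps one syslog line to the (verdict, internal_host) a correlation rule should raise.
    ev = parse_event(line)
    if ev is None:
        return ("unknown", None)
    if ev["kind"] == "updater":
        return ("feed_failure" if ev["msgid"] in FEED_FAILURE_IDS else "feed_ok", None)
    if ev["colour"] == "black":
        return ("alert", ev["internal_host"])  # candidate for a shun or ACL after review
    if ev["colour"] == "grey":
        return ("review", ev["internal_host"])
    return ("ignore", None)  # white listed

SAMPLE_LOGS = [  # constructed lines that follow the message formats quoted above
    "%ASA-4-338002: Dynamic filter dropped black listed TCP traffic from inside:10.0.0.25/51234 "
    "(203.0.113.9/51234) to outside:198.51.100.7/443 (198.51.100.7/443), destination malicious "
    "address resolved from local or dynamic list: c2.example.test",
    "%ASA-4-338003: Dynamic filter monitored black listed UDP traffic from outside:198.51.100.8/53 "
    "(198.51.100.8/53) to inside:10.0.0.26/33000, (203.0.113.9/33000), source malicious address "
    "resolved from local or dynamic list: 198.51.100.0/24",
    "%ASA-3-338305: Failed to download dynamic filter data file from updater server https://updater.example.test/db",
]
```

`TRAFFIC_RE.search` rather than `match` is deliberate, so a syslog collector's timestamp and hostname prefix in front of `%ASA-` does not break the rule.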


Enjoy.
