I was asked to migrate a customer that's using Websense URL filtering and Botnet feature to an ASA context. I install a Botnet license (1 year license) on our ASA firewalls and I'm glad to know this feature works. I believe Cisco is now moving towards a new approach with Advanced Malware Protection on their next-gen ASA firewalls (5500-X series).

Box in the Configuration Firewall Botnet Traffic Filter Botnet Database Dynamic Database Configuration area. Note: To filter on the domain names in the dynamic database, you need to enable DNS packet inspection with.
I posted this a couple months ago on my blog, but alas my non-celeb status on the internet means I get few views. Still, I was found by some random internet folk who seemed to think it was pretty nifty. I wanted to start blogging here on Packet Pushers, and I thought updating and reposting this would be a good way to start since blacklisting came up recently on the show.
I was tinkering with my ASA the other day. I was interested in this neat Botnet Traffic Filter thingy they’d been clamoring about. Cisco frequently pitches how their products are made with magic and rainbows and cruelty-free unicorn meat, and I tend to be a bit skeptical. But a lot of people have been talking about it recently in my circles, and I really can’t help but tinker with things anyways. After some reading, Cisco’s wording makes it sound like the Botnet Filter is pretty much useless without a proper license. However, it is enabled and ready to use in all ASAs 8.2(x) and above… the license only activates the subscription service; the base functionality works just fine.
Using the dynamic-filter (AKA “Botnet Filter”) has a few advantages over ACLs. Managing huge blacklist ACLs is a pain. Shuns don’t survive reboot and are surprisingly hard on memory with respect to ACLs. The dynamic-filter seems to use about as much memory as an ACL of similar size, survives reboot, and is bidirectional on its interface. Perfect for blacklisting. There’s a whitelist function that will disallow adding lines you specify to the blacklist by mistake (very sexy when automating this sort of thing). There’s even a DNS snoop function so you can black/white list things by domain name. Pretty good stuff.
Below is the script I wrote to do all this tedious crap for me, because I’m far too awesome to spend my time. It’s a bash script which does most of the work and depends additionally on the `expect` scripting interpreter for operating on the ASA itself. Basically it just grabs the requested list, which in this case is a bunch of ACL entries, and formats it to use the dynamic-filter function instead. Upon subsequent executions it only pushes a list of diffs instead of clearing everything out and pushing the whole list again.
Sexy monospace goodness: asa-botlist_local.txt
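To make the conversion, whitelist and diff steps concrete, here is an added example in POSIX shell. It is not the author's asa-botlist_local.txt and it does not log in to anything; it only builds the command batch an expect session would send. It also covers the one-time whitelist and DNS-snoop setup mentioned earlier. The interface name outside, the default policy-map and DNS-map names, the ACL line format, and every address, domain and list entry are assumed or constructed:

```shell
#!/bin/bash
# Added example, not the author's asa-botlist_local.txt. It shows the pieces the
# post describes: the one-time dynamic-filter setup (whitelist, DNS snooping),
# ACL lines turned into "address" lines, whitelist entries kept out of the
# blacklist, and a delta so later runs push only what changed. Nothing here
# talks to a firewall; it only builds the CLI text. All addresses, domains and
# list contents are constructed, and the ACL feed is assumed to look like
# "access-list NAME extended deny ip A.B.C.D M.A.S.K any" (or "... ip host A.B.C.D any").
LC_ALL=C; export LC_ALL   # byte-order sorting so sort(1) and comm(1) agree

# One-time setup (assumed names: interface "outside", the default global_policy,
# inspection_default and preset_dns_map). "enable" only classifies and logs;
# "drop blacklist" is what actually blocks. dynamic-filter-snoop lets "name"
# entries be matched on the addresses that DNS replies resolve them to.
base_config() {
    cat <<'EOF'
dynamic-filter whitelist
 address 203.0.113.99 255.255.255.255
 name partner.example.com
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
EOF
}

# stdin: ACL lines  ->  stdout: sorted, unique "address <ip> <mask>" lines.
# Anything that does not match the two deny forms is silently skipped.
acl_to_dynfilter() {
    sed -n \
        -e 's/^access-list [^ ]* extended deny ip host \([0-9.]*\) any *$/address \1 255.255.255.255/p' \
        -e 's/^access-list [^ ]* extended deny ip \([0-9.]*\) \([0-9.]*\) any *$/address \1 \2/p' |
    sort -u
}

# stdin: candidate lines; $1: file of whitelisted "address <ip> <mask>" lines.
# Exact matches are dropped, so a whitelisted host never reaches the blacklist.
apply_whitelist() {
    grep -vxF -f "$1" || true   # grep returns 1 when nothing survives; not an error here
}

# $1: list pushed last time, $2: list generated now (both sorted).
# stdout: blacklist sub-mode lines, "address" to add and "no address" to withdraw.
build_delta() {
    comm -13 "$1" "$2"
    comm -23 "$1" "$2" | sed 's/^/no /'
}

# stdin: delta lines -> stdout: the command batch to feed the expect session.
wrap_config() {
    printf 'configure terminal\ndynamic-filter blacklist\n'
    cat
    printf 'exit\nwrite memory\n'
}

# Constructed end-to-end run in a scratch directory; prints the CLI batch.
demo() {
    dir=$(mktemp -d)
    printf 'address 192.0.2.0 255.255.255.0\naddress 198.51.100.7 255.255.255.255\n' > "$dir/pushed.txt"
    printf 'address 203.0.113.99 255.255.255.255\n' > "$dir/whitelist.txt"
    cat > "$dir/feed.acl" <<'EOF'
access-list ET-block extended deny ip 192.0.2.0 255.255.255.0 any
access-list ET-block extended deny ip host 203.0.113.99 any
access-list ET-block extended deny ip host 203.0.113.5 any
access-list ET-block extended deny ip 198.18.0.0 255.254.0.0 any
EOF
    acl_to_dynfilter < "$dir/feed.acl" | apply_whitelist "$dir/whitelist.txt" > "$dir/new.txt"
    build_delta "$dir/pushed.txt" "$dir/new.txt" | wrap_config
    mv "$dir/new.txt" "$dir/pushed.txt"   # next run diffs against what was just sent
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `demo` as the first argument to see the batch for the constructed data. In real use the feed file is the fetched list and pushed.txt is kept between runs, since the delta is only as good as the record of what was sent last time; if that record is lost, clear the blacklist and push the full list once.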
A big problem with blacklists tends to be keeping them legit and keeping them current. A stale blacklist is worse than useless as the offending IPs may be reassigned to legitimate sites or users after some time. I’ve used the lists over at Emerging Threats for a while now. They’re very frequently updated, I’m cool with the sources they use, and they’re very responsive if I’ve had random questions or comments about the lists. The script can be easily modified for use with any published or local list… Just do some find/replace magic and modify the regex syntax that changes ACL entries into `dynamic-filter` formatted “address x.x.x.x m.a.s.k” lines. The Emerging Threats lists are pretty good but are not free from blocking subnets when blocking a few hosts would be sufficient, so some baselining would not be a poor idea.

Caveats:
– “lol plaintext!”. Yup. Passwords in plaintext. Till Cisco allows us to use public keys with ASA like we can with IOS now, it’s all manual logins for simple scripts. Needless to say, this shouldn’t go on a box other users have access to. Also, I have this using TFTP “for demonstration purposes only” because it’s simpler. Adding/replacing bits in simple code to suit your environment is easier than hunting down and removing bits from complicated code. I recommend adapting it to use SSH to log in.
– The script grabs a copy of the running-config and backs it up on the server it’s grabbing updates from. Personally I like to back up config every time I make a change, so this was an appropriate place for it. If you’re big on separation of duties and/or don’t want to add another chunk to your logrotate config, this might not be desirable.
– The box running this is OpenBSD, you’ll probably have to change your `bash` path on line 1.
– UUOC police: It’s my cat and I’ll do what I want with it.
I welcome criticism. I’ve been using this script with a lot of success for a while now. However most of my peers aren’t into tinkering as much as I am, so I have little peer review to work with.