topic Botnet filter database. in Network Security

Botnet filter database.

Adam Swindell — Tue, 12 Mar 2019 00:59:03 GMT

Hello, I am wondering if there is a way to view the dynamic database that is downloaded from Cisco.

I've looked around the internet and have not found anything, only that the database is contained in an encrypted file on the ASA. I have also not found a published list on the internet. I've considered opening a TAC case but figured I should ask here first. The IS Security people where I work want this information so if we have a virus outbreak we can see if the known command and control websites associated with the virus are already blocked or not.

Thanks.

Botnet filter database.

clausonna — Tue, 12 Feb 2013 23:29:35 GMT

You can issue this command from the command-line on the ASA: dynamic-filter database find

It will tell you if the domain name is in the Cisco BTF database, and I think the show dynamic-filter dns-snoop will let you know if anyone has actually hit that domain.

Documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp2000534

A while back I wrote a script which would automate that 'database find' process. The script uses the Expect language and (at least for me) ran on a Linux box. Let me know if you'd like me to send it to you. I wrote it to test the overall coverage of Cisco's BTF database vs. malicious domain names from other sources.

Botnet filter database.

Adam Swindell — Wed, 13 Feb 2013 13:33:21 GMT

Awesome, thanks for the commands. I would like to try out your script. Does it let you search a long list of domain names all at once?

Re: Botnet filter database.

clausonna — Wed, 13 Feb 2013 14:04:26 GMT

Here's the script. Although I ran this against a production 5520 with no peformance impact or other negative results, consider this an official "Run at Your Own Risk" warning.

1) edit the script to include your ASA hostname, IP address, and user creds.

2) create a list of domains you'd like to check in a text file called 'blocklist_to_check.txt', each domain on a separate line.

3) run the script: ./btf-check-blocklist.sh which will ssh to ASA, open the above file, and execute the 'database find' command for each blocklist entry, and save ALL of the output in a file called blocklist_result.txt.

4) Run the btf-cleanup.sh script to create a file called blocklist_result-found.txt and blocklist_result-not_found.txt

btf-check-blocklist.sh:

#!/usr/local/bin/expect

# Written by Neil Clauson

# uncomment for expect verbosity

#set verbose_flag 1

# uncomment for expect debugging

#exp_internal 1

# set global parameters

set asa_ip "192.168.1.1"

set asa_hostname "YOURASA"

set asa_username "your_username"

set asa_password "your_password"

# todo: set params via command line

#set username [lindex $argv 0]

#set password [lindex $argv 1]

proc btfcheck {infile outfile} {

global asa_hostname

set fid_in [open $infile r]

set fid_out [open $outfile w+]

# uncomment below to turn OFF screen output

log_user 0

while 1 {

if {[gets $fid_in line] == -1} break

send "dynamic-filter database find $line\r"

expect "$asa_hostname#"

set buff $expect_out(buffer);

puts $fid_out $buff

}

# main routine:

# SSH to ASA

spawn ssh -l $asa_username $asa_ip

expect "$asa_username@$asa_ip's password:"

send "$asa_password\r"

expect "$asa_hostname>"

send "en\r"

expect "Password:"

send "$asa_password\r"

expect "$asa_hostname#"

# parse the lists

# todo: implement cli args to pick which lists to parse

# format: btfcheck

btfcheck blocklist_to_check.txt blocklist_results.txt

# logoff ASA

send "exit\r"

btf-cleanup.sh:

#!/bin/sh

cat blocklist_results.txt | grep -v '#' | grep -v dynamic-filter | grep -v Found > blocklist_result-found.txt

cat blocklist_results.txt | grep -v '#' | awk '/Found 0/{where=NR;print}NR==where+1 && where!=0 {print}' | grep -v Found | cut -d " " -f 5 > blocklist_result-not_found.txt