08-26-2010 07:19 AM - edited 02-21-2020 04:03 AM
I have a customer that has the botnet filter installed. They were having issues sending email to one of their partners, because the botnet filter was classifying this site as very high Malware. I checked SenderBase and their reputation is good. How do you check a domain on the Cisco Security Intelligence Operations site? How do you report a misclassification of a domain? How do you go about getting removed from the list?
Thank You
Patrick Weir
08-26-2010 11:06 AM
Hi Patrick,
You can check from within the ASA to see if it's showing up in the DB or not.
You can use the following command:
dynamic-filter database find X
X= the site name
I would suggest doing both the host name and the IP. This can determine if it's a grey entry or not.
If you find an entry, it's a blacklisted entry. Grey entries are basically that the name was not
detected to have malicious sw but the IP that the name resolved to has a site that does.
Another check that can be done is:
http://www.siteadvisor.com/sites/X x=url
example:
http://www.siteadvisor.com/sites/yahoo.com
If it does show up in the database as flagged then the immediate solution is to add the site to the white list. The DB is maintained by IronPort.
Hope this helps a bit.
-scott
08-26-2010 11:22 AM
Hi Patrick,
Just to further clarify, the DB that the botnet filter uses is not one DB but multiple ones, including SenderBase along with other DBs available like http://www.threatexpert.com/ and the one mentioned in my previous message.
The correct way to get around false positives would be to put the entry into the white list. As for getting it removed, you would have to open up a TAC case on that. There is a reason for it being on the list if it is getting listed as black or grey.
Let us know what it's showing on the various sites as well as what the find command is showing on your ASA.
thanks,
scott
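The two-step lookup Scott describes above (find on the host name, then on the IP it resolves to; a name hit means blacklisted, an IP-only hit means grey) and the whitelist fix from his second post, as an added example that is not from the original thread. The "Found N matches" line is the only output format shown in the thread; the match lines that follow it, and the "dynamic-filter whitelist" sub-mode syntax, are assumptions here, as are the sample host names and addresses.

```python
import re
import ipaddress

# Constructed sample outputs of "dynamic-filter database find <X>" on an ASA.
# Only the "Found N matches" line is taken from the thread; the listed match
# line beneath it is an assumed format used for illustration.
SAMPLE_OUTPUT = {
    "mail.partner.example": "Found 0 matches\n",
    "203.0.113.25": "Found 1 matches\n203.0.113.25\n",
    "evil.example": "Found 1 matches\nevil.example\n",
    "198.51.100.7": "Found 0 matches\n",
}

def sample_lookup(target):
    """Stand-in for running the command on the ASA; unknown targets return no match."""
    return SAMPLE_OUTPUT.get(target, "Found 0 matches\n")

def find_commands(hostname, ip):
    """Both lookups recommended in the thread: the host name and the IP it resolves to."""
    return [f"dynamic-filter database find {hostname}",
            f"dynamic-filter database find {ip}"]

def match_count(output):
    """Parse the 'Found N matches' line; anything else is treated as unrecognised output."""
    m = re.search(r"Found (\d+) match", output)
    if not m:
        raise ValueError(f"unrecognised find output: {output!r}")
    return int(m.group(1))

def classify(name_output, ip_output):
    """Thread rule: name hit = black (blacklisted); IP-only hit = grey (the address the
    name resolves to also hosts a flagged site); neither = not listed."""
    if match_count(name_output):
        return "black"
    if match_count(ip_output):
        return "grey"
    return "clean"

def whitelist_entries(hostname, ip):
    """Assumed ASA 'dynamic-filter whitelist' sub-mode lines exempting both the name and
    its single address, so mail to the partner is no longer dropped for either reason."""
    ipaddress.ip_address(ip)  # reject a malformed address before it reaches the config
    return ["dynamic-filter whitelist",
            f" name {hostname}",
            f" address {ip} 255.255.255.255"]

def check(hostname, ip, lookup=sample_lookup):
    """Run both lookups through `lookup` and return the verdict plus the whitelist fix."""
    verdict = classify(lookup(hostname), lookup(ip))
    fix = whitelist_entries(hostname, ip) if verdict != "clean" else []
    return verdict, fix
```

In practice `lookup` would be replaced by a function that issues the command over an SSH session to the ASA and returns its output.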
08-26-2010 11:40 AM
Scott, thanks for the answer. We did white list it, and that resolved the problem. So when
a site gets listed in the blacklist, is it per subnet, per domain, or per host? An example: this is an email server that is being hosted by a 3rd party. If this same 3rd party is hosting a webserver (that is sending malware) belonging to a different company but in the same address space, would the whole subnet get blacklisted or just the one webserver?
Thanks
Pat Weir
08-26-2010 12:02 PM
Hi Patrick,
Depending on the find command, whether it's showing black on the name or IP, it can determine if it's a grey or black list. It's possible that the same IP, if the web server is hosting multiple sites, can be classified as malware and affect all of them.
It wouldn't really block based on the subnet, but more on the name and the IP associated with it.
What did the find command show for your particular site?
-scott
08-26-2010 12:04 PM
It's a customer of mine; I need him to run it. I'll post what he sends me.
08-26-2010 11:44 AM
Ran the site through SiteAdvisor and it came back good.
08-26-2010 12:30 PM
ISC-ASA# dynamic-filter database find ironmail.
Found 0 matches
ISC-ASA#
ISC-ASA#
ISC-ASA#
Is this because it's in the whitelist?
08-26-2010 12:54 PM
Hi Patrick,
No, the white list shouldn't matter on the DB lookup. Can you resolve the IP of your site and then run the find command against the IP and let me know what it says?
regards,
scott
08-26-2010 01:43 PM
Scott, I will not be able to get this today, but from the GUI report this morning it looks like it resolved it just
fine.
It had
ironmail.
Thanks again
Pat
08-26-2010 03:05 PM
Hi Patrick,
Sounds good. Let me know the reporting based on the IP with the find command. It's looking like maybe it's grey listed.
thanks,
scott