cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1589
Views
0
Helpful
3
Replies

Botnet filter database.

Adam Swindell
Level 1
Level 1

Hello, I am wondering if there is a way to view the dynamic database that is downloaded from Cisco.

I've looked around the internet and have not found anything, only that the database is contained in an encrypted file on the ASA. I have also not found a published list on the internet. I've considered opening a TAC case but figured I should ask here first. The IS Security people where I work want this information so if we have a virus outbreak we can see if the known command and control websites associated with the virus are already blocked or not.

Thanks.

1 Accepted Solution

Accepted Solutions

clausonna
Level 3
Level 3

You can issue this command from the command-line on the ASA: dynamic-filter database find

It will tell you if the domain name is in the Cisco BTF database, and I think the show dynamic-filter dns-snoop will let you know if anyone has actually hit that domain.

Documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp2000534

A while back I wrote a script which would automate that 'database find' process.  The script uses the Expect language and (at least for me) ran on a Linux box.  Let me know if you'd like me to send it to you.  I wrote it to test the overall coverage of Cisco's BTF database vs. malicious domain names from other sources.

View solution in original post

3 Replies 3

clausonna
Level 3
Level 3

You can issue this command from the command-line on the ASA: dynamic-filter database find

It will tell you if the domain name is in the Cisco BTF database, and I think the show dynamic-filter dns-snoop will let you know if anyone has actually hit that domain.

Documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp2000534

A while back I wrote a script which would automate that 'database find' process.  The script uses the Expect language and (at least for me) ran on a Linux box.  Let me know if you'd like me to send it to you.  I wrote it to test the overall coverage of Cisco's BTF database vs. malicious domain names from other sources.

Awesome, thanks for the commands. I would like to try out your script. Does it let you search a long list of domain names all at once? 

Here's the script.  Although I ran this against a production 5520 with no peformance impact or other negative results, consider this an official "Run at Your Own Risk" warning. 

1) edit the script to include your ASA hostname, IP address, and user creds.

2) create a list of domains you'd like to check in a text file called 'blocklist_to_check.txt', each domain on a separate line.  

3) run the script: ./btf-check-blocklist.sh which will ssh to ASA, open the above file, and execute the 'database find' command for each blocklist entry, and save ALL of the output in a file called blocklist_result.txt. 

4) Run the btf-cleanup.sh script to create a file called blocklist_result-found.txt and blocklist_result-not_found.txt

  btf-check-blocklist.sh:

#!/usr/local/bin/expect

# Written by Neil Clauson

# uncomment for expect verbosity

#set verbose_flag 1

# uncomment for expect debugging

#exp_internal 1

# set global parameters

set asa_ip "192.168.1.1"

set asa_hostname "YOURASA"

set asa_username "your_username"

set asa_password "your_password"

# todo: set params via command line

#set username [lindex $argv 0]

#set password [lindex $argv 1]

proc btfcheck {infile outfile} {

        global asa_hostname

        set fid_in [open $infile r]

        set fid_out [open $outfile w+]

        # uncomment below to turn OFF screen output

         log_user 0

        while 1 {

                if {[gets $fid_in line] == -1} break

                send "dynamic-filter database find $line\r"

                expect "$asa_hostname#"

                set buff $expect_out(buffer);

                puts $fid_out $buff

        }

}

# main routine:

# SSH to ASA

spawn ssh -l $asa_username $asa_ip

expect "$asa_username@$asa_ip's password:"

send "$asa_password\r"

expect "$asa_hostname>"

send "en\r"

expect "Password:"

send "$asa_password\r"

expect "$asa_hostname#"

# parse the lists

# todo:  implement cli args to pick which lists to parse

# format: btfcheck

btfcheck blocklist_to_check.txt blocklist_results.txt

# logoff ASA

send "exit\r"

--

btf-cleanup.sh:

#!/bin/sh

cat blocklist_results.txt | grep -v '#' | grep -v dynamic-filter | grep -v Found > blocklist_result-found.txt

cat blocklist_results.txt | grep -v '#' | awk '/Found 0/{where=NR;print}NR==where+1 && where!=0 {print}' | grep -v Found | cut -d " " -f 5 > blocklist_result-not_found.txt

Review Cisco Networking for a $25 gift card