
Botnet Filter Hits - Reliability?

Christopher Bell
Enthusiast

We just licensed one of our ASAs at a branch office with the botnet filter license and I'm already seeing some hits in the ASDM.  My question is really about the reliability of the results.  I know with the IPS sensors, it's pretty common to get false positives so I want to be careful with how I treat the results on hits for botnet activity.  We've run a few different virus scans on the computers that are supposedly reaching out to malicious sites, but they haven't returned anything malicious being on the PC.  I don't want to dismiss these, but before we start spending time really investigating the computers and disrupting the users I want to get a feel for percentage of reliability on the botnet filters alone.  Any thoughts or experiences anybody can share?

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

7 REPLIES

Julio Carvajal
Advisor

Hello Christopher,

Hope you are doing fine. I can see that you have the knowledge to run a botnet filter on the ASA, so your question goes to how the botnet filter behaves, where it takes the domain names of blacklisted sites from, and how accurate it is.

Well, the botnet feature on the ASA works by inspecting all sessions from in-out and out-in and checking whether the domain name of the site you are attempting to connect to is known as problematic or not. So it's a dynamic database, and that is the keyword.

So what's being blocked today may be allowed in the next weeks.

We have a number of sensors (internal and external) which provide details about different sites and we combine all details, do our internal analysis (both manual and automatic) before marking a site as malware. Also keep in mind that the reputation of site is dynamic and it could change every time when someone visits the site, so it may host malware this minute or hour and maybe the next minute or hour it may be valid as I already mentioned before.


Here are a few (not all) web-sites that we refer to:

Senderbase.org
http://www.senderbase.org/senderbase_queries/rep_lookup

MyWot -
http://www.mywot.com/en/scorecard/example.com

Google Safe browsing
http://www.google.com/safebrowsing/diagnostic?site=xxxxxx.com

Hope that this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

To clarify, the filter engine then is inspecting packets sourced/destined to known sites hosting malicious software - not just botnet command and control type servers.  So 'hits' on the filter engine don't necessarily indicate that a client is infected with malicious software, only that it is visiting a site with a reputation of currently hosting malicious software.  Does that sound correct? 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Hello Christopher,

Exactly,

Normally a botnet-infected host will present the behavior that this particular feature will prevent (going to known malicious sites), but it will prevent the user going to these malicious sites before even being infected as well.

A win-win, wherever you see it.

You got it now,

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
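A small triage script, added here as an example and not from the original thread, that applies the point Julio makes: a single filter hit means a host contacted a site with a bad reputation, not that the host is infected. It parses ASA botnet traffic filter ("Dynamic Filter") syslog lines and ranks internal hosts by how many distinct blacklisted destinations they reached and whether any was rated very-high, which is a better signal for deciding which PCs to look at first than any one hit. The sample log lines, the exact message wording and the threat-level names are constructed for this example, so check the regex against the messages your own ASA emits before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ASA "Dynamic Filter" syslog format.
# Verify the exact text against your ASA's output; the pattern below is an assumption.
SAMPLE_LOGS = """\
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.20/51234 (10.1.1.20/51234) to outside:198.51.100.7/80 (198.51.100.7/80), destination 198.51.100.7 resolved from dynamic list: ads.example.net, threat-level: moderate, category: Malware
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.55/49152 (10.1.1.55/49152) to outside:203.0.113.9/443 (203.0.113.9/443), destination 203.0.113.9 resolved from dynamic list: c2.example.org, threat-level: very-high, category: Botnet
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.55/49153 (10.1.1.55/49153) to outside:203.0.113.10/443 (203.0.113.10/443), destination 203.0.113.10 resolved from dynamic list: c2b.example.org, threat-level: very-high, category: Botnet
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.55/49160 (10.1.1.55/49160) to outside:203.0.113.9/443 (203.0.113.9/443), destination 203.0.113.9 resolved from dynamic list: c2.example.org, threat-level: very-high, category: Botnet
"""

HIT_RE = re.compile(
    r"Dynamic Filter (?P<action>monitored|dropped) blacklisted \w+ traffic "
    r"from \S+?:(?P<src>[\d.]+)/\d+ .*? to \S+?:(?P<dst>[\d.]+)/\d+ .*?"
    r"resolved from dynamic list: (?P<domain>[^,\s]+), "
    r"threat-level: (?P<level>[\w-]+), category: (?P<category>\w+)"
)

def parse_hits(text):
    """Return one dict (src, dst, domain, level, ...) per recognised filter hit."""
    return [m.groupdict() for m in (HIT_RE.search(l) for l in text.splitlines()) if m]

def rank_hosts(hits):
    """Group hits by internal source host and sort most suspicious first:
    any very-high hit, then number of distinct blacklisted domains, then hit count."""
    per_host = defaultdict(lambda: {"hits": 0, "domains": set(), "very_high": False})
    for h in hits:
        rec = per_host[h["src"]]
        rec["hits"] += 1
        rec["domains"].add(h["domain"])
        rec["very_high"] |= h["level"] == "very-high"
    ranked = sorted(per_host.items(), reverse=True,
                    key=lambda kv: (kv[1]["very_high"], len(kv[1]["domains"]), kv[1]["hits"]))
    return [(host, r["hits"], sorted(r["domains"]), r["very_high"]) for host, r in ranked]

def triage(text, min_domains=2):
    """Label each host 'investigate' if it hit a very-high site or reached
    min_domains or more distinct blacklisted domains; otherwise 'low'."""
    return {host: "investigate" if very_high or len(domains) >= min_domains else "low"
            for host, _, domains, very_high in rank_hosts(parse_hits(text))}

if __name__ == "__main__":
    for host, n, domains, vh in rank_hosts(parse_hits(SAMPLE_LOGS)):
        print(f"{host}: {n} hit(s) to {len(domains)} domain(s) {domains}, very-high={vh}")
    print(triage(SAMPLE_LOGS))
```

Ingesting real logs means feeding the syslog export to parse_hits instead of SAMPLE_LOGS; a host that shows up as "low" still deserves a note, since the thread's own answer is that reputation changes from hour to hour.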

rmeans
Participant

I have been using botnet filtering for the previous 5 months.  We have noticed a decrease in desktop/laptop infections. There have been a couple of instances where outside organizations have tried to access my infrastructure. Their access attempts were blocked. Each instance, the outside organization had a virus outbreak.

One item that I am not clear on is how to get off the black list.

Hello Rmeans,

Basically there is no manual way to get off of the black list as this would mean a vulnerability.

You can check if there is a blacklisted domain on the following site:

Here are a few (not all) web-sites that we refer to:

Senderbase.org
http://www.senderbase.org/senderbase_queries/rep_lookup

MyWot -
http://www.mywot.com/en/scorecard/example.com

Google Safe browsing
http://www.google.com/safebrowsing/diagnostic?site=xxxxxx.com

These are not all, just some.

If you want to report a false positive, you will need to send an email specifying the reason for that:

Send an e-mail to "btf-l4tm-escalations@cisco.com" and cc: email-in@cisco.com

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The email address you provided does not seem to be working to report possible false positives.  Can you double check that?

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Hello Christopher,

It's possible that you could report that only via TAC, but before confirming that, can you try this:

support@senderbase.org

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC