06-03-2013 01:01 PM - edited 03-11-2019 06:52 PM
We just licensed one of our ASAs at a branch office with the botnet filter license and I'm already seeing some hits in the ASDM. My question is really about the reliability of the results. I know with the IPS sensors, it's pretty common to get false positives so I want to be careful with how I treat the results on hits for botnet activity. We've run a few different virus scans on the computers that are supposedly reaching out to malicious sites, but they haven't returned anything malicious being on the PC. I don't want to dismiss these, but before we start spending time really investigating the computers and disrupting the users I want to get a feel for percentage of reliability on the botnet filters alone. Any thoughts or experiences anybody can share?
If this post answers your question or is helpful, please consider rating it and/or marking as answered.
06-03-2013 03:09 PM
Hello Christopher,
Hope you are doing fine. I can see that you have the knowledge to run a botnet filter on the ASA, so your question goes to how the botnet filter behaves, where it takes the domain names from blacklisted sites, and how accurate it is.
Well, the botnet feature on the ASA will work by inspecting all sessions from in-out and out-in, checking whether the domain name of the site you are attempting to connect to is known as problematic or not. So it's a dynamic database, and that is the keyword: what's being blocked today may be allowed in the next weeks.
We have a number of sensors (internal and external) which provide details about different sites, and we combine all details and do our internal analysis (both manual and automatic) before marking a site as malware. Also keep in mind that the reputation of a site is dynamic and it could change every time someone visits the site, so it may host malware this minute or hour and maybe the next minute or hour it may be valid, as I already mentioned before.
Here are a few (not all) web-sites that we refer to:
Senderbase.org - http://www.senderbase.org/senderbase_queries/rep_lookup
MyWot - http://www.mywot.com/en/scorecard/example.com
Google Safe Browsing - http://www.google.com/safebrowsing/diagnostic?site=xxxxxx.com
Hope that this helps,
Julio
06-04-2013 05:42 AM
To clarify, the filter engine then is inspecting packets sourced/destined to known sites hosting malicious software - not just botnet command and control type servers. So 'hits' on the filter engine don't necessarily indicate that a client is infected with malicious software, only that it is visiting a site with a reputation of currently hosting malicious software. Does that sound correct?
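The two points made above (a hit only means the host reached a site whose reputation is bad right now, and that reputation changes over time) are what make raw hit counts hard to act on. The script below is an added example, not code from this thread or from Cisco: it parses botnet-filter syslog lines and ranks source hosts, putting those whose hits recur at a steady interval to the same destination (beacon-like) ahead of one-off hits that are more consistent with a user browsing a bad-reputation site. The log lines are constructed in the style of ASA message 338001; the exact field layout and the regex are assumptions to verify against your ASA's syslog reference.

```python
"""Rank ASA Botnet Traffic Filter hits per source host. Added example, not from the
thread; SAMPLE_LOG is CONSTRUCTED in the style of ASA syslog 338001, so verify the
field layout against your ASA's syslog reference before trusting HIT_RE."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

LEVEL_RANK = {"none": 0, "very-low": 1, "low": 2, "moderate": 3, "high": 4, "very-high": 5}
HIT_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ %ASA-\d-3380\d\d: Dynamic Filter "
    r"(?P<action>monitored|dropped) blacklisted \w+ traffic from \S+:(?P<src>[\d.]+)/\d+ "
    r".*resolved from dynamic list: (?P<dst>\S+), threat-level: (?P<level>[\w-]+)")
# Constructed sample: 10.1.1.45 reaches bad.example every 5 minutes (beacon-like), while
# 10.1.1.77 has one hit, which is consistent with a user browsing a bad-reputation site.
SAMPLE_LOG = "\n".join(
    f"Jun 04 09:{m:02d}:00 asa1 %ASA-4-338001: Dynamic Filter monitored blacklisted TCP "
    f"traffic from inside:10.1.1.45/5{m:04d} (10.1.1.45/5{m:04d}) to outside:203.0.113.10/443 "
    "(203.0.113.10/443), destination 203.0.113.10 resolved from dynamic list: bad.example, "
    "threat-level: very-high, category: Malware" for m in (0, 5, 10, 15)
) + ("\nJun 04 09:07:30 asa1 %ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic "
     "from inside:10.1.1.77/52001 (10.1.1.77/52001) to outside:198.51.100.20/80 "
     "(198.51.100.20/80), destination 198.51.100.20 resolved from dynamic list: ads.example, "
     "threat-level: moderate, category: Malware")

def parse_hits(log_text, year=2013):
    """Return (src, timestamp, dst, threat level, action) for each botnet-filter message."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if m:  # lines that are not 3380xx filter messages are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append((m["src"], ts, m["dst"], m["level"], m["action"]))
    return hits

def triage(hits, min_hits=3, max_cv=0.2):
    """Flag hosts whose hits recur at a steady interval (coefficient of variation <= max_cv)."""
    by_host = defaultdict(list)
    for src, ts, dst, level, _ in hits:
        by_host[src].append((ts, dst, level))
    report = {}
    for src, events in by_host.items():
        times = sorted(t for t, _, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        beacon = len(times) >= min_hits and mean > 0 and pstdev(gaps) / mean <= max_cv
        report[src] = {"hits": len(events), "worst_level": max((lv for _, _, lv in events), key=lambda lv: LEVEL_RANK.get(lv, 0)),
                       "destinations": sorted({d for _, d, _ in events}),
                       "priority": "investigate" if beacon else "review"}
    # hosts flagged as beaconing come first; the rest are candidates for a normal review
    return dict(sorted(report.items(), key=lambda kv: kv[1]["priority"] != "investigate"))
```

Run `triage(parse_hits(SAMPLE_LOG))` to get the per-host ranking; feeding it a day of real 3380xx messages (after adjusting HIT_RE to the actual format) gives a short list of hosts to look at before disrupting every user who tripped the filter once.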
06-04-2013 07:48 AM
Hello Christopher,
Exactly,
Normally a botnet-infected host will present the behavior that this particular feature will prevent (going to known malicious sites), but it will prevent the user from going to these malicious sites before even being infected as well.
A win-win, wherever you see it.
You got it now,
Regards,
06-04-2013 10:39 AM
I have been using botnet filtering for the previous 5 months. We have noticed a decrease in desktop/laptop infections. There have been a couple of instances where outside organizations have tried to access my infrastructure. Their access attempts were blocked. Each instance, the outside organization had a virus outbreak.
One item that I am not clear on is how to get off the black list.
06-04-2013 12:20 PM
Hello Rmeans,
Basically there is no manual way to get off of the black list as this would mean a vulnerability.
You can check if a domain is blacklisted on the following sites (a few, not all, of the web sites that we refer to):
Senderbase.org - http://www.senderbase.org/senderbase_queries/rep_lookup
MyWot - http://www.mywot.com/en/scorecard/example.com
Google Safe Browsing - http://www.google.com/safebrowsing/diagnostic?site=xxxxxx.com
These are not all, just some.
If you want to report a false positive you will need to send an email specifying the reason for it:
Send an e-mail to "btf-l4tm-escalations@cisco.com" and cc: email-in@cisco.com
Regards,
06-13-2013 11:46 AM
The email address you provided does not seem to be working to report possible false positives. Can you double check that?
06-13-2013 01:07 PM
Hello Christopher,
It's possible that you could report that only via TAC, but before confirming that, can you try this:
support@senderbase.org
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.