11-15-2010 10:07 AM - edited 03-09-2019 11:16 PM
The company has an ASA5510 with the Botnet Traffic Filter enabled on it.
When I go to the report (using ASDM), it shows me, from the Monitor section -> Botnet Traffic Filter -> Infected Hosts -> Highest Threat Level:
If I save it as a PDF and review the report, it shows malware counts on different machines. If I go to that machine and run AV, Malwarebytes or other tools, I never detect anything.
What is this report showing me?
Cordially
Thomas
11-15-2010 10:32 AM
The tool is reporting the hosts that tried to contact known botnet master IP addresses. The botnet feature monitors traffic to see if hosts are trying to call home to their masters.
So, even though AV might not catch a bot running on a machine, the ASA might catch its traffic at a network level when it tries to contact suspicious IP addresses. I would suggest checking the Botnet Traffic Filter logs from the ASA to see where these hosts are trying to talk to.
I hope it helps.
PK
11-15-2010 11:04 AM
PK
I am not questioning the process that you described. I would like to know that the bot that was "calling/reporting" back is no longer on the device/computer listed in the report
How do I know that there was malware on the device? Does something remove it? Is it time based? does it morph to ....
Or do I just take it on faith that I am protected and ignore the report?
It would be nice if it was reported on a device, if you went to the device and could find it and then remove it.
Cordially
Thomas
11-15-2010 11:11 AM
The ASA will not remove the botnet from the computer. It will only monitor and catch the traffic at the network level.
So, if it is removed, it could be some AV or virus cleaning software on the host. But the ASA only monitors at a network level and potentially blocks.
I hope it makes sense.
Let us know if your question is answered.
PK
11-15-2010 12:31 PM
PK
I also have the WSA implemented (uses the Botnet Traffic Filter). I understand the concept. I just never locate the bad code/application. Yes, probably in the traffic logs and in the database, but not in the AV quarantine or AV logs.
Kind of like being in a wind storm: you can see the anemometer spinning but you can't locate the wind.....
Thomas
11-15-2010 12:41 PM
I am with you.
Check the logs to see what servers they were calling and that could point you to what the Bot was and help you get closer.
Take care,
PK
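PK's advice above is to pull the Botnet Traffic Filter logs and see where each flagged host was calling. The script below is an added example, not code from this thread or from Cisco: it parses syslog lines in the shape of the ASA's dynamic-filter messages (%ASA-4-338001 to 338008, "Dynamic Filter monitored/dropped blacklisted ...") and folds them into a per-host view showing hit count, the destinations with the domain the blacklist resolved, the highest threat level seen, and how many flows were actually dropped rather than only monitored. A "monitored" entry means the filter logged the flow but let it through, which matters when deciding whether a host is still talking to its master. The sample log lines are constructed, and the exact field layout is an assumption for this example; check the regex against what your own ASA emits before relying on it.

```python
import re

# ASA Botnet Traffic Filter threat levels, lowest to highest.
THREAT_RANK = {"very-low": 0, "low": 1, "moderate": 2, "high": 3, "very-high": 4}

# Constructed sample lines. The shape follows the ASA dynamic-filter syslogs
# (338001-338004 monitored, 338005-338008 dropped); the exact layout is an
# assumption for this example. The last line is ordinary connection noise.
SAMPLE_LOGS = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.5/53210 "
    "(203.0.113.10/53210) to outside:198.51.100.7/80 (198.51.100.7/80), destination 198.51.100.7 "
    "resolved from dynamic list: c2.bad-example.net, threat-level: very-high, category: Malware",
    "%ASA-4-338002: Dynamic Filter monitored blacklisted UDP traffic from inside:10.1.1.5/40001 "
    "(203.0.113.10/40001) to outside:198.51.100.7/53 (198.51.100.7/53), destination 198.51.100.7 "
    "resolved from dynamic list: c2.bad-example.net, threat-level: high, category: Malware",
    "%ASA-4-338005: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.9/51000 "
    "(203.0.113.10/51000) to outside:192.0.2.44/443 (192.0.2.44/443), destination 192.0.2.44 "
    "resolved from dynamic list: tracker.example.org, threat-level: moderate, category: Botnet",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 "
    "(198.51.100.7/80) to inside:10.1.1.5/53210 (203.0.113.10/53210)",
]

# Port is optional so ICMP-style entries without a port still match.
LOG_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d+): Dynamic Filter (?P<action>monitored|dropped) blacklisted "
    r"(?P<proto>\S+) traffic from (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? \([^)]*\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? \([^)]*\), "
    r"destination (?P<res_ip>[\d.]+) resolved from (?P<list>\w+) list: (?P<domain>\S+), "
    r"threat-level: (?P<threat>[\w-]+), category: (?P<category>.+?)\s*$"
)


def parse_line(line):
    """Return the parsed fields of one dynamic-filter syslog, or None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate dynamic-filter hits per inside host.

    Returns (hosts, unparsed) where hosts maps source IP to hit count, dropped
    count, the set of (domain, destination IP) pairs contacted and the highest
    threat level seen; unparsed counts lines that were not dynamic-filter messages.
    """
    hosts = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        h = hosts.setdefault(
            rec["src"], {"hits": 0, "dropped": 0, "destinations": set(), "max_threat": None}
        )
        h["hits"] += 1
        if rec["action"] == "dropped":
            h["dropped"] += 1
        h["destinations"].add((rec["domain"], rec["dst"]))
        cur = THREAT_RANK.get(h["max_threat"], -1)
        if THREAT_RANK.get(rec["threat"], -1) > cur:
            h["max_threat"] = rec["threat"]
    return hosts, unparsed


def report(hosts):
    """One line per host, worst threat level first, then by hit count."""
    order = sorted(
        hosts.items(),
        key=lambda kv: (-THREAT_RANK.get(kv[1]["max_threat"], -1), -kv[1]["hits"]),
    )
    out = []
    for src, h in order:
        dests = ", ".join(f"{d} ({ip})" for d, ip in sorted(h["destinations"]))
        allowed = h["hits"] - h["dropped"]
        out.append(
            f"{src}: {h['hits']} hit(s), {allowed} let through, {h['dropped']} dropped, "
            f"max threat {h['max_threat']}; called {dests}"
        )
    return out


if __name__ == "__main__":
    hosts, skipped = summarize(SAMPLE_LOGS)
    for line in report(hosts):
        print(line)
    print(f"{skipped} non-dynamic-filter line(s) skipped")
```

Feed it the output of `show logging` filtered on "Dynamic Filter", or the syslog collector's export, and the domain column gives you the name to search for in proxy logs, DNS cache and on the host itself, which is a much narrower hunt than "the ASA says this machine is infected".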
11-25-2010 07:22 AM
Hi,
Is there any option to check if an IP address is listed in the Botnet Traffic Filter database of the ASA?
For example, if I need to check the IP 41.238.146.25, I can do so with the following URL:
http://www.senderbase.org/senderbase_queries/detailip?search_string=41.238.146.25
Regards
Roberto Taccon
11-29-2010 06:43 AM
You can check if an IP address exists in the DNS snooping database by doing
show dynamic-filter dns-snoop detail
And you can check if there is an entry in the dynamic-filter ASP table with the commands
sh asp table classify domain dynamic-filter
show asp table dynamic-filter
I hope it helps.
PK