02-10-2009 07:54 AM - edited 03-09-2019 10:01 PM
How can I use my PIX-515e firewall to locate the source of a SPAM bot on a network? The PIX is running v6.3.5.
02-10-2009 10:31 AM
How about creating an access list on your Inside interface, for traffic flowing from your internal network out to the Internet. Permit your internal mail servers to talk on smtp (port 25) outbound, and deny all other hosts. Then just look for the hosts that get DENYs on port 25.
You could/should also be looking at an IPS solution, either Cisco's or open source (eg. Snort.) I'd also suggest looking at BotHunter, which is a customized version of Snort thats tuned to -just- look for Bots.
02-10-2009 10:42 AM
I'm assuming you send via a Logging? I have figured out that I can enable Logging to a syslog server and filter for what I'm looking for there.
02-10-2009 10:52 AM
Yes, an external syslog server is almost a requirement for log analysis, since the PIX/ASA will overwrite its internal log fairly quickly, and parsing logs via the CLI can be a pain. I'd highly suggest Cisco MARS here, but you could use any syslog collector (kiwi syslog, syslog-ng, etc)
Alternatively, you could use the logging functionality in ASDM, and just filter on DENY, or in the cli you can do "show logging | inc Deny"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide