Evaluating the ASA Botnet filter

Cisco ASA Botnet filter test and evaluation

When the ASA Botnet filter feature was announced I thought that it's an interesting concept and is definitely worth trying. One of the interesting concepts that this feature introduces is the ability to monitor your outbound traffic and to know if there are flows in it that should not be allowed. This is an option with dedicated devices but the firewall is usually focused on inbound traffic and not outbound. Botnets make it important to know what is going out as well.

When the time permitted, I upgraded my 5505 to 8.2(1) and got a Botnet 30 days evaluation license. Installed in routed mode with no rules besides basic NAT and enabled all the Botnet check marks. One gotcha here is that you need to configure a DNS on your ASA for the updates to occur, once done the database got updated and monitoring was going live.

Two weeks later I had no indication of Botnet activity in the reporting section of ASDM, there were some entries indicating access to a black listed sites (geocities.com was in it to my surprise) but since they were with tcp port 80 (http), they were not considered Botnets. Great, my home/work computers are clean but how do I get this thing to find something? I spent some time searching for a way to get a VMware guest XP infected but decided the risk is not worth it. Instead I wrote a small batch file that open a tcp session to a list of sites over and over again, in the same way that a Bot would do.

Here is the batch file content:

:start

telnet drbach.pl 12330

telnet orgsite.info 12330

telnet martuz.cn 12330

telnet 007webs 12330

telnet woocasino.com 12330

telnet basketballsport.cn 12330

telnet adultping.net 12330

goto start

The list of sites was taken from: http://www.malwaredomainlist.com , which is a non-commercial community project. Most of the commercial sites that has those lists will not share them but this site was a great resource.

After a short while the ASA's Botnet reporting showed the following reports:

Botnet Hosts - hosts that are suspected in being infected by a Botnet

Botnet Hosts

Botnet sites - sites that have been the target of a Botnet 'call home' activity

Botnet Sites

But what if the destination is a well known site; would the ASA generate a false alarm if the same tcp session attempt happen? For that I modified the batch file to have the following content:

:start

telnet google.com 12330

telnet yahoo.com 12330

telnet cnn.com 12330

telnet networkworld.com 12330

telnet microsoft.com 12330

telnet avaya.com 12330

telnet hp.com 12330

telnet riverbed.com 12330

goto start

The ASA didn't report anything when running this batch which was the expected behavior.

Anyone tried it in production environment and actually discovered some real Botnets with it?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT