Information regarding the Cisco ASA Botnet License.
What is it?
Botnet Traffic Filter is an extra license that can be applied to a Cisco ASA firewall that provides detection and automatic blocking of known bots and botnets. The firewall grabs updates from Cisco’s website to know which IPs to look for and block.
Besides stopping outside botnets from coming into the network the botnet filter is also very effective at identifying which hosts may have malicious software within the network. It will stop internal hosts from going out to a known botnet IP. It has the ability to listen for call-home or command/control behavior seen within the network.
It is time based. The SKU is something like L-ASA55xx-BOT-1YR=
It costs between $200-$1500 per year. I will only fully work on version 8.2.2 and up.
Purchase license. Apply it using the activation-key command.
Requires the 3DES/AES license (this license is free but does not ship with an ASA).
The firewall needs to communicate to update-manifests.ironport.com. This means it has to have a valid DNS lookup mechanism. To get this going do something like the following:
There are over 70,000 DNS names that are in the Cisco database and only 5000 IP addresses. To effectively look at each domain name, DNS snooping must be turned on. To do that issue the following commands:
Next turn on the dynamic-filters. I like to start by blocking everything that is blacklisted and whitelist the CEO’s IP from being blocked. Do this by issuing the following commands:
Checking to see what’s happening
Verify the ASA is downloading the rules:
Verify traffic is being inspected:
The show command above will tell you the
Total conns classified. This number will only go up if traffic hits a whitelist blacklist or greylist. Cisco has a bugid CSCti70280 which is super confusing because it makes us think this isn’t intended behavior.
View which hosts are being blocked:
A good test to conduct to see if your botnet is working is to look at the output of
show dynamic-filter data and look for one of the hosts that’s in the “sample contents from database”. Try to get to one of those hosts on port 80 making sure your traffic will go through this firewall. You should then see your statistics going up and if you’re blocking blacklisted hosts then your session should be blocked.
More information on Cisco’s website: