
The issue:
An unknown private (NAT) client is infected with malware and it's trying to access a Bot server at random times/dates.

How we know about this:
We receive bot traffic notices/alerts from REN-ISAC. Unfortunately, we don't receive those until the next day after it has happened. What they provide to us is:

  • The source address (of the firewall)
  • The destination addresses (it varies, but they're going to network subnet allocated to a German ISP)
  • The source port (which varies--dynamic ports).

Question:
What would be the best approach to finding this internal host (historically) with a Cisco ASA as firewall?

I'm guessing blocking anything to the destination address(es), and logging that type of traffic/access might allow me to find the source host, but I'm not sure which tool/command would be the most useful.

I've seen Netflow thrown into a few responses when it comes to logging, but I'm confused with its association of Logging, NAL, and nBAR, and how they relate to Netflow.

l0c0b0x
  • Just a note, on the ASAs there isn't any netflow until 8.2, and then it's sFlow not netFlow - which there aren't many collectors that can read sFlow yet. – Zypher May 28 '10 at 23:01
  • How would finding the internal host address help? It's likely to be an RFC1918 address and unless the host is on one of your networks (where you can track down the host) knowing the internal address is of no use as far as I can see. – joeqwerty May 29 '10 at 00:04
  • Also: http://www.sflow.org/products/collectors.php – joeqwerty May 29 '10 at 01:52
  • @joeqwerty as far as I can see, I don't see how it WOULDN'T be useful. We'd like to clean this box :) Maybe I'm not asking the question properly. @both, thanks... at least I'm able to do more research for sflow now. – l0c0b0x Jun 01 '10 at 16:57
  • @10c0b0x: So you find that the internal host address is 192.168.1.236... at some company... somewhere... in the world... that's trying to infiltrate your network. How is that helpful? Or am I misunderstanding what you're asking/saying? – joeqwerty Jun 01 '10 at 17:33
  • @joeqwerty yeah, pretty much completely misunderstanding, hehehe. I already know the external host (somewhat, though I don't care about it), I'm trying to find the internal host, which is using a random dynamic port to get out from inside a NAT. My question is aimed mainly at trying to find it using the current ASA firewall's internal data generator. – l0c0b0x Jun 01 '10 at 20:21

1 Answer

In regards to questions from @joeqwerty, I'm assuming that you are responsible for the Cisco ASA and the internal network behind it, correct?

If so, you are on the right track. I would recommend using the logging and/or capture features of the ASA to narrow down the traffic.

The more you can narrow down the destination the better. You mention having the destination subnet, do you have the destination protocol/port(s) as well? I would build an ACL which matches the destination and logs hits.

For example:

access-list find_infected remark ASA syntax (ip access-list extended is IOS); the ACL ends in an implicit deny, so a catch-all permit follows the logged line
access-list find_infected extended permit <tcp/udp> any <destination subnet> <destination mask> eq <destination port> log
access-list find_infected extended permit ip any any
access-group find_infected in interface inside

Then apply such an ACL to the inside interface of the ASA. Then cross reference future abuse reports with your log entries.

The capture feature builds on this troubleshooting technique by allowing you to capture the traffic in PCAP format. Then you can further analyze it with tools such as Wireshark.

ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example

chuckx
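Correlating a REN-ISAC report with the ASA's own connection syslog, as an added example that is not part of the original answer: ASA message 302013 (Built outbound connection) records both the real inside address/port and the PAT-mapped address/port that the outside world sees, so matching the report's source port against the mapped port still works when dynamic PAT rewrote the port. The log lines, addresses and ports below are constructed; `find_inside_hosts` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample ASA syslog lines (not from the original post). Message 302013
# carries the real inside address/port and, in parentheses, the PAT-mapped
# address/port that an external party such as REN-ISAC actually observes.
SAMPLE_LOG = """\
May 28 2010 14:02:11 fw01 %ASA-6-302013: Built outbound TCP connection 7781 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.10.4.17/52211 (203.0.113.10/52211)
May 28 2010 14:02:15 fw01 %ASA-6-302013: Built outbound TCP connection 7782 for outside:192.0.2.77/6667 (192.0.2.77/6667) to inside:10.10.9.33/49831 (203.0.113.10/1044)
May 28 2010 14:02:19 fw01 %ASA-6-302013: Built outbound UDP connection 7783 for outside:192.0.2.80/53 (192.0.2.80/53) to inside:10.10.9.33/55002 (203.0.113.10/55002)
May 28 2010 14:03:02 fw01 %ASA-6-302013: Built inbound TCP connection 7784 for outside:192.0.2.9/41000 (192.0.2.9/41000) to inside:10.10.1.5/443 (203.0.113.11/443)
"""

# Only outbound connections matter here: the infected client initiates them.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\) "
    r"to \S+:(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)"
)


def find_inside_hosts(log_text, nat_ip, src_port, dst_subnet):
    """Return (real_ip, real_port, proto, dst_ip, dst_port) tuples that match a report.

    nat_ip and src_port are the firewall address and source port from the report;
    dst_subnet is the reported destination subnet in CIDR form. The match is made
    on the PAT-mapped tuple, because the real inside source port may differ.
    """
    net = ipaddress.ip_network(dst_subnet)
    hits = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m:
            continue
        if m["mapped_ip"] != nat_ip or int(m["mapped_port"]) != src_port:
            continue
        if ipaddress.ip_address(m["dst_ip"]) not in net:
            continue
        hits.append((m["real_ip"], int(m["real_port"]), m["proto"],
                     m["dst_ip"], int(m["dst_port"])))
    return hits
```

Run it over the archived syslog for the date in the report; a report port that matches nothing against the mapped port but does match a real port usually means the log was taken from a 106100 ACL message, which is written before PAT.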