Thursday, May 28, 2009

ASA Botnet Traffic Filter Syslogs

"The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the information."

If you are using Cisco ASA 8.2 with the Botnet Traffic Filter license, you will know that the ASA will syslog when hosts are added to the blacklists etc. You can then, errr, manually mitigate these yourself with a shun or an ACL. (I'm sure this will get better in the future!)

The current version of MARS, 6.0.3, only understands syslogs from ASA 8.1 at the latest, so these new syslog messages will be classified as unknown events.

I was thinking of creating a parser package to support these, but unfortunately have not had the time recently.

If you fancy having a go yourself, you can either create a parser and rules, or simply create some rules that look for the text strings in the syslogs below.

Here are the new syslogs related to the Botnet Traffic Filter feature:

338001
Error Message %ASA-4-338001: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name

338002
Error Message %ASA-4-338002: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name

338003
Error Message %ASA-4-338003: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask

338004
Error Message %ASA-4-338004: Dynamic filter action black listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask

338101
Error Message %ASA-4-338101: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name

338102
Error Message %ASA-4-338102: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name

338103
Error Message %ASA-4-338103: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask

338104
Error Message %ASA-4-338104: Dynamic filter action white listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask

338201
Error Message %ASA-4-338201: Dynamic filter action grey listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name

338202
Error Message %ASA-4-338202: Dynamic filter action grey listed protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name

338301
Error Message %ASA-4-338301: Intercepted DNS reply for domain name from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, matched list

338302
Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list, Adding rule

338303
Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

338304
Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from updater server url

338305
Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater server url

338306
Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater server url

338307
Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database file

338308
Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from old_server_host: old_server_port to new_server_host: new_server_port

338309
Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter updater feature.

338310
Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url, reason: reason string
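As an added example (my own code, not from the post, MARS or Cisco), here is a small Python classifier for the 3380xx/3381xx/3382xx "Dynamic filter action" messages above, along the lines of the text-string rules the post suggests. The sample lines are constructed from the templates, with the action and protocol placeholders filled in as monitored/dropped and TCP/UDP, and made-up interface names and addresses; it also accepts the one-word "blacklisted" spelling in case the ASA emits that rather than the template's "black listed".

```python
"""Classify Cisco ASA Botnet Traffic Filter 'Dynamic filter action' syslogs."""
import re

# Named groups follow the placeholders in the message templates above.
# The second (mapped) address after dest_port is preceded by a comma in the
# "source malicious" variants and not in the "destination malicious" ones.
BTF_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>338[012]\d\d): Dynamic filter (?P<action>\w+) "
    r"(?P<list>black|white|grey) ?listed (?P<proto>\w+) traffic from "
    r"(?P<in_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) to "
    r"(?P<out_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+),? \([^)]*\), "
    r"(?P<direction>source|destination) malicious address resolved from "
    r"(?P<list_src>local|dynamic) list: (?P<indicator>\S+)"
)

def parse_btf(line):
    """Return the fields of a Dynamic filter action message, or None for any other line."""
    m = BTF_RE.search(line)
    return m.groupdict() if m else None

def suspected_internal_hosts(lines):
    """Map each internal host seen talking to a black- or grey-listed address to the
    indicators (domain or ip/netmask) that matched. White-list hits are ignored."""
    hosts = {}
    for line in lines:
        ev = parse_btf(line)
        if not ev or ev["list"] == "white":
            continue
        # "destination malicious": the internal host is the source of the flow.
        # "source malicious": the listed address is the source, so the internal host is the destination.
        internal = ev["src_ip"] if ev["direction"] == "destination" else ev["dst_ip"]
        hosts.setdefault(internal, set()).add(ev["indicator"])
    return hosts

# Constructed sample lines (not real ASA output) following the templates above.
SAMPLE_LINES = [
    "%ASA-4-338002: Dynamic filter monitored black listed TCP traffic from inside:10.1.1.20/51234 "
    "(203.0.113.5/51234) to outside:198.51.100.7/80 (198.51.100.7/80), destination malicious "
    "address resolved from dynamic list: bad.example.net",
    "%ASA-4-338004: Dynamic filter dropped black listed UDP traffic from inside:10.1.1.20/40000 "
    "(203.0.113.5/40000) to outside:198.51.100.9/53 (198.51.100.9/53), destination malicious "
    "address resolved from local list: 198.51.100.0/24",
    "%ASA-4-338201: Dynamic filter monitored grey listed TCP traffic from outside:198.51.100.44/6000 "
    "(198.51.100.44/6000) to inside:10.1.1.30/443, (203.0.113.6/443), source malicious "
    "address resolved from dynamic list: grey.example.org",
    "%ASA-4-338101: Dynamic filter monitored white listed TCP traffic from outside:192.0.2.10/1234 "
    "(192.0.2.10/1234) to inside:10.1.1.40/443, (203.0.113.7/443), source malicious "
    "address resolved from local list: ok.example.com",
    "%ASA-5-338302: Address 198.51.100.7 discovered for bad.example.net from dynamic list, Adding rule",
]

if __name__ == "__main__":
    for host, indicators in suspected_internal_hosts(SAMPLE_LINES).items():
        print(host, sorted(indicators))
```

The output is the list of inside hosts worth reviewing before deciding on a shun or ACL; the 338302 "Adding rule" line is deliberately left unmatched since it carries no flow to act on.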


Enjoy.


Friday, May 15, 2009

Update on 6.0.3 Patch

Thanks to Bob Lin for an update on the 6.0.3 patch I mentioned yesterday.

Incidentally, the 6.0.3 patch and patch readme can both be downloaded from the MARS Miscellaneous CCO site:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc.

It is only required if you encounter one of those two bugs.

Regards,
Bob Lin
CS-MARS Release Manager and Escalation Engineer

Thursday, May 14, 2009

6.0.3 Patch Available

Thanks to Jeremy Wood in the MARS User Group for pointing out there is a patch available for MARS release 6.0.3.

"I was noticing that I had a bunch of Drop rules that were not
triggering correctly after upgrading to 6.0.3 and in my quest for a
solution ran across a patch here:

Looks like it fixes the following problems:
CSCsz14701 - some drop rules do not drop packets after 602 to 603 upgrade
CSCsz22056 - Mars http access to JBoss Application Server info"

Thanks Jeremy.

Also you may be interested to note that a new version of the Cisco NAC Appliance 4.5 Parser Package is now available, without an import password! 

This is a v2 of the package, without the word Draft. Thanks to Craig Hyps for pointing this out.

You can get this from the MARS Parser Exchange under the Netpro Forums on Cisco.com.





Monday, May 04, 2009

MARS Troubleshooting Technotes

I notice Cisco have added a new Troubleshooting doc under the MARS configuration examples section on Cisco.com.

Worth a read for any newbies.

You can view this HERE.

Monday, April 27, 2009

Cisco Security Specialist Required

In today's recession-hit world, companies worldwide are letting staff go and making redundancies.

At Satisnet, the UK’s leading Security Partner, we are actually hiring!

I'm looking to add another member to our Security Consulting Practice, and that could well be you.

If you think you meet the following requirements....

Have a Cisco CCSP or CCIE, or are at least working towards these qualifications
A knowledge of any or all of the following: Cisco ASA, PIX, VPN, CSA, MARS, IPS, ACS, IronPort
A Full UK Driving License
Not afraid of UK wide travel on assignments
A knowledge of LAN/WAN and Security Technologies
Be commutable to Bedfordshire, UK
A desire to learn your security products inside and out

Optionally have experience/exposure with
Nessus and other security tools
F5, Radware or Cisco Load Balancing Technologies
SIEM Tools
VMware

Then please get in touch via the Blog, with your CV, and Salary expectations...

If you are down at InfoSecurity Europe, at Earls Court this week, why not pop down and see what we do, on Stand F50, with Shavlik Technologies.

Good Luck...

Friday, April 24, 2009

New Cisco SAFE Reference Guides


A new set of Cisco SAFE Reference Guides has just been released. These were very successful a few years ago, and it looks like they have been brought up to date.

You can view the MARS Safe Doc HERE, and the full set of documents HERE.

Worth a read. :-)

Tuesday, April 07, 2009

Cisco MARS 6.0.3 Now Available

Cisco have released MARS version 6.0.3.

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in this release:

Credential Automation—Save administrative time by updating many Cisco device credentials in a single operation rather than touching each device definition in MARS. Using a seed file to re-import devices that are already defined in MARS, users can update some credentials for Cisco ASA, Cisco PIX, Cisco IPS, Cisco IOS, and Cisco Switch devices.

Actionable Incident Notification—This enhancement helps customers decide on the importance of a notification without having to log into MARS. The MARS syslog, e-mail, and SNMP incident notification messages provide incident summary information as well as Top 3 reports. The incident summary will include the rule ID, rule name, incident ID, incident start/end time and incident severity. Top 3 reports include Top 3 destination ports, Top 3 reporting devices, and Top 3 event types.

Improved Reporting Response Times—This enhancement improves response times of commonly used reports by retrieving event data from memory rather than from the database.

Exported/Archived Configuration Validation— This enhancement ensures that you do not attempt to restore or upgrade a system using a corrupted configuration file. After exporting or archiving a configuration file, MARS scans the file to make sure it is not corrupted.

New Device Support

The 6.0.3 release of MARS supports the following new device versions:

Cisco IPS 6.2 (backward compatible mode)


You can view the release notes HERE.

Friday, April 03, 2009

No News

Sorry for the delay in posts recently, but since there have been no new updates to MARS since mid-December, I ain't got much to write about!

Any ideas? Let me know...

Thursday, February 26, 2009

Cisco IOS IPS with MARS

There is a demo on Cisco.com on using IOS IPS configured with Cisco Configuration Professional and MARS.

You can view this HERE.

*************

Want to advertise HERE? Make me an offer.......

*************

Tuesday, February 24, 2009

Cisco NAC Appliance 4.5 Parser Available


Looks like there is now a draft DSF package for NAC Appliance 4.5 uploaded to the MARS Package Sharing Exchange.

But my only grievance with this exchange is that there is nowhere to tell users what the import passwords are.


Hence one reason I gave the Lancope StealthWatch 5.7 Package an import password of: lancope

So if anyone knows the import pass for the NAC Appliance 4.5 parser, please let me know!