User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x
Botnet Traffic Filtering


Botnet Traffic Filtering


Revised: September 16, 2010

This chapter describes the Botnet Traffic Filter support on the MARS Appliances and includes the following sections:

Information About Botnet Traffic Filtering

Query Criteria, System Reports, and Rules Related to Botnet Traffic Filtering

Site Management Page

Information About Botnet Traffic Filtering

Table 12-1 Feature History for Botnet Traffic Filtering on MARS Appliance

Release | Modification
6.0.4   | This feature was introduced.
6.1.1   | Support for ASA 8.2.2 and 8.2.3 was introduced.


Botnet in this context refers to a network of malicious software robots embedded on your network hosts that are activated by a distant botnet controller. See the following URL for further botnet information:

http://www.cisco.com/en/US/prod/vpndevc/ps6032/ps6094/ps6120/botnet_index.html

Table 12-2 defines abbreviations and terms used in this chapter.

Table 12-2 Definitions of Terms

Abbreviation or Term | Definition within the Context of this Documentation
BTF | Cisco ASA Botnet Traffic Filter
Botnet Site | A Black-, Gray-, or White-listed site as configured on the Cisco ASA Botnet Traffic Filter. A White-listed site is not technically a botnet site, but this term appears in the context of discussing the Cisco ASA Botnet Traffic Filter.
phone-home | Traffic from your network hosts to Black- or Gray-listed sites.
Reconnaissance | Traffic from Black- or Gray-listed hosts to "infected" hosts on your network.
Black-list | Known malware addresses—These addresses are on the blacklist identified by the Cisco ASA dynamic database and the static blacklist.
Gray-list | Ambiguous addresses—These addresses are associated with multiple domain names, and some, but not all, of these domain names are on the blacklist.
White-list | Known allowed addresses—These IP addresses are on the Cisco ASA white-list. They are typically Black-listed by the dynamic database, then identified as acceptable by the Cisco ASA administrator.


The Botnet Traffic Filter detects rogue traffic to or from Black-, Gray-, or White-listed hosts (botnet sites) across all ports and then forwards a syslog message to Cisco Security MARS for detailed reporting and mitigation suggestions. Botnet Traffic Filtering is implemented on the Cisco IronPort Web Security Appliances and on the Cisco ASA 5500 Adaptive Security Appliance beginning with Version 8.2. With the introduction of ASA 8.2.2 support in Cisco Security MARS 6.1.1, the Botnet Traffic Filter added Threat Level and Threat Category attributes to its detection and mitigation capabilities.

The Cisco ASA can download dynamically updated lists of botnet sites from a Cisco IronPort update server, and the administrator can also manually add botnet sites to the list on the Cisco ASA. To avoid false positives, whitelists can be configured on the Cisco ASA to ignore known servers (for instance, the Yahoo or Google toolbar servers).

For further information on how to configure the Botnet Traffic Filter on the Cisco ASA 5500 Adaptive Security Appliance, Version 8.2, go to the following URL:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/conns_botnet.html

MARS enhances the Cisco ASA botnet filter detection and mitigation capabilities because MARS, with its database correlation, query and reporting capabilities, can provide a global view across many firewalls while retaining the results over many separate time periods. An administrator can better prevent botnet activity by issuing mitigation commands to enforcement devices identified through MARS correlation, reporting and topology mapping.

MARS support for the Botnet Traffic Filter includes the following:

Query result formats to display botnet sites ranked by session, or to display botnet events with site names (sessionized or in real-time)

On-demand system reports to record suspected phone-home activity to Black-listed hosts and to record reconnaissance or attacks from Black-listed hosts to internal hosts

Scheduled system reports to identify "Top botnet sites," "Top infected hosts," "Top botnet ports," "Phone Home Traffic Events," and "Malicious Site Traffic Events"

System Rules to detect communication to and from Black- and Gray-listed botnet sites

Activity charts of Top Botnet Ports, Top Botnet Sites, Top Botnet Hosts, Phone-Home Events, and Malicious Site Traffic Events on the Summary page

Top 3 Botnet sites reported in email notifications

To gather and correlate Botnet Traffic Filter data on MARS, install the Cisco ASA, Version 8.2, as a MARS Security and Monitoring Device, as described at the following URL:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chAsa8x.html#wp1053948

Query Criteria, System Reports, and Rules Related to Botnet Traffic Filtering

This section discusses the following topics:

Botnet Site Query Criteria for Queries, Reports, and Rules

Query Result Formats for Botnet Traffic Filter

System Reports

MARS Events for Botnet Traffic Filter

For descriptions of all MARS reports and rules, see the "Systems Rule and Reports Reference" at the following URL:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/appMars.html

Botnet Site Query Criteria for Queries, Reports, and Rules

Botnet site domain names and IP addresses that are known to MARS can be used as matching criteria in queries and rules as a Source IP or Destination IP parameter.

The Management > Site Management page lists all Botnet sites reported to MARS by the Cisco ASA Botnet Traffic Filter.

Botnet Traffic Filter event types can be used as matching criteria for Queries and Rules when setting the Events parameter. Figure 12-1 shows how selecting All Sites (ASA Botnet Traffic Filter) displays all botnet sites available for the Source IP query parameter.

Figure 12-1 Botnet Traffic Filter Query Criteria

Clicking on a botnet site name or IP address launches a popup window with additional information on that site, as shown in Figure 12-2.

Figure 12-2 Botnet Site Information Popup Window

Query Result Formats for Botnet Traffic Filter

The Query Result formats related to Botnet Traffic Filter are as follows:

Site Ranking (ASA Botnet Traffic Filter)

All Matching Events (with site from ASA Botnet Traffic Filter)

Site Ranking Query Result Format

This result format ranks botnet sites by session count. The total session count for a botnet site includes sessions where the Black- or Gray-listed site appears as the Cisco ASA syslog Source Site (suggesting possible reconnaissance or attack) or as the Destination Site (suggesting possible phone-home activity).

The query results (or report results using this query format) show the total count of sessions per botnet site, with subtotals showing how many sessions had the site as the Source Site and how many had it as the Destination Site (see Figure 12-4).

To filter on specific botnet sites, use the standard "Event Type Ranking" Result Format, specifying Source IP or Destination IP.
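The following added example (not code from the MARS product or this guide) reproduces the Site Ranking aggregation on the defender side: it parses constructed syslog lines modelled on the ASA Dynamic Filter messages, classifies each as phone-home (site is the destination) or reconnaissance (site is the source), drops White-listed sites, and ranks Black-/Gray-listed sites by total sessions with Source/Destination subtotals. The exact syslog field layout, the sample lines and the `blocked_only` switch (which mirrors the Top Botnet Sites Blocked report described later in this chapter) are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample lines in the style of ASA Botnet Traffic Filter (Dynamic Filter)
# syslogs. Addresses and site names are documentation/example values, not real indicators.
SAMPLE_SYSLOGS = """\
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.130/80 (209.165.202.130/80), destination 209.165.202.130 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338002: Dynamic Filter monitored blacklisted TCP traffic from outside:209.165.202.130/44321 (209.165.202.130/44321) to inside:10.1.1.45/22 (209.165.201.1/22), source 209.165.202.130 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338003: Dynamic Filter monitored greylisted TCP traffic from inside:10.1.1.77/51000 (209.165.201.1/51000) to outside:209.165.200.225/443 (209.165.200.225/443), destination 209.165.200.225 resolved from dynamic list: shared.example.net, threat-level: moderate, category: Botnet
%ASA-4-338005: Dynamic Filter monitored whitelisted TCP traffic from inside:10.1.1.45/51001 (209.165.201.1/51001) to outside:198.51.100.20/80 (198.51.100.20/80), destination 198.51.100.20 resolved from local list: toolbar.example.org
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.45/6799 (209.165.201.1/7891) to outside:209.165.202.130/80 (209.165.202.130/80), destination 209.165.202.130 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338101: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.45/6800 (209.165.201.1/7892) to outside:209.165.202.130/80 (209.165.202.130/80), destination 209.165.202.130 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
"""

# Pattern modelled on the Dynamic Filter message text; the exact wording is an assumption.
LINE_RE = re.compile(
    r"Dynamic Filter (?P<action>monitored|dropped) (?P<list>black|gr[ae]y|white)listed "
    r"(?P<proto>\w+) traffic from (?P<src>\S+) \([^)]*\) to (?P<dst>\S+) \([^)]*\), "
    r"(?P<role>source|destination) (?P<ip>[\d.]+) resolved from \w+ list: (?P<site>[^,\n]+)"
)


def parse_event(line: str) -> Optional[dict]:
    """Return the botnet-relevant fields of one syslog line, or None for a non-BTF line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Site as destination means an inside host reached out (phone-home);
    # site as source means the listed host initiated traffic (reconnaissance/attack).
    return {
        "site": d["site"].strip(),
        "list": "gray" if d["list"] in ("grey", "gray") else d["list"],
        "direction": "phone-home" if d["role"] == "destination" else "reconnaissance",
        "blocked": d["action"] == "dropped",
        "src": d["src"].split(":", 1)[-1].split("/")[0],
        "dst": d["dst"].split(":", 1)[-1].split("/")[0],
    }


def site_ranking(lines: List[str], blocked_only: bool = False) -> List[dict]:
    """Rank Black-/Gray-listed sites by total sessions with Source/Destination subtotals."""
    totals: Dict[str, dict] = defaultdict(lambda: {"source": 0, "destination": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["list"] == "white":
            continue  # White-listed sites are not botnet sites and are not ranked
        if blocked_only and not ev["blocked"]:
            continue  # Top Botnet Sites Blocked counts only dropped sessions
        totals[ev["site"]]["destination" if ev["direction"] == "phone-home" else "source"] += 1
    ranked = [
        {"site": s, "total": c["source"] + c["destination"],
         "as_source": c["source"], "as_destination": c["destination"]}
        for s, c in totals.items()
    ]
    ranked.sort(key=lambda r: (-r["total"], r["site"]))  # highest session count first
    return ranked


if __name__ == "__main__":
    for row in site_ranking(SAMPLE_SYSLOGS.splitlines()):
        print(f"{row['site']:<22} total={row['total']} src={row['as_source']} dst={row['as_destination']}")
```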

To view the Site Ranking query result format, navigate to Query/Reports > Edit > Site Ranking (ASA Botnet Traffic Filter).

Figure 12-3 shows the Site Ranking by Session query result format as it appears on the MARS GUI.

Figure 12-3 Site Ranking Query Result Format

Figure 12-4 displays the output of the Botnet Site Ranking by Session query.

Figure 12-4 Botnet Site Ranking Query Output

All Matching Events With Botnet Sites Result Format

The query result format "All Matching Events (with sites with ASA Botnet Traffic Filter)" is equivalent to the "All Events" result format, except that it also displays the botnet site name (Source Site or Destination Site) in the query results, which the plain "All Matching Events" output does not. For events that do not contain botnet site information, "N/A" is displayed as the site information. Because a non-botnet event has no site information, no query icon appears next to the "N/A."

The "All Matching Events (with sites with ASA Botnet Traffic Filter)" query can display results as sessionized events, or it can display events in real time.

Figure 12-5 shows the All Matching Events query format as it appears on the MARS GUI.

Figure 12-5 All Matching Events (with Sites from ASA Botnet Traffic Filter) Result Format

Figure 12-6 displays the real-time output of the All Matching Events query result format.

Figure 12-6 All Matching Events (with Sites from ASA Botnet Traffic Filter) Real-time Raw Events

Figure 12-7 displays the sessionized output of the All Matching Events (with Sites from ASA Botnet Traffic Filter) query result format.

Figure 12-7 All Matching Events (with Sites from ASA Botnet Traffic Filter) Sessionized Events Output

To display results showing only Botnet Traffic Filter Events, do the following:

Step 1 Navigate to the Query/Reports > Query page and click Edit.

The Result Format dialog screen appears.

Step 2 Select the Result Format, All Matching Events (with sites with ASA Botnet Traffic Filter).

Step 3 Set the Filter by Time parameters. Click Apply.

The Submit Query page appears.

Step 4 Click the Events parameter, then select the Group:ASA Traffic Filter criterion. Click Apply.

The Submit Query page appears.

Step 5 Click Submit.


System Reports

The following six System Reports support Botnet Traffic Filtering:

Activity: ASA Botnet Traffic Filter - Top Botnet Ports

This report ranks the top destination ports for traffic originating from infected hosts to Black- or Gray-listed sites, for all sessions as seen by MARS.

Activity: ASA Botnet Traffic Filter - Top Botnet Sites

This report ranks the top botnet sites (Black- or Gray-listed sites) for all inbound and outbound sessions as reported by the Cisco ASA Botnet Traffic Filter. This report uses the "Site Ranking (ASA Traffic Filter)" query result format and shows the total count of sessions per botnet site, with subtotals showing how many were Source Sites and how many were Destination Sites (see Figure 12-9).

Activity: ASA Botnet Traffic Filter - Top Botnet Sites Blocked

This report ranks the top botnet sites (Black- or Gray-listed sites) blocked, for all inbound and outbound sessions as reported by the Cisco ASA Botnet Traffic Filter. This report uses the "Site Ranking (ASA Traffic Filter)" query result format and shows the total count of blocked sessions per botnet site, with subtotals showing how many were Source Sites and how many were Destination Sites (see Figure 12-9).

Activity: ASA Botnet Traffic Filter - Top Infected Hosts

This report ranks top infected hosts for traffic originating from infected hosts to Black- or Gray-listed sites, for all sessions as seen by MARS.

Activity: ASA Botnet Traffic Filter: Phone Home - All Events

This report details all suspicious events related to phone home activity, as reported by ASA Botnet Traffic Filter.

Attacks: ASA Botnet Traffic Filter: Malicious Site Traffic - All Events

This report details all events related to traffic originating from black/gray sites/IPs, as reported by ASA Botnet Traffic Filter.

To view Reports, navigate to the MARS Query/Reports > Report > ASA Botnet Traffic Filter. Figure 12-8 shows the Botnet Traffic Filter report definitions from the MARS GUI.

Figure 12-8 MARS Reports Related to Botnet Traffic Filter

Figure 12-9 shows the output of the Top Botnet Sites report.

Figure 12-9 MARS Reports Results—Top Botnet Sites

Figure 12-10 shows the continually updated charts for the Botnet Traffic Filter reports—Top Botnet sites, Top Botnet Ports, and Top Botnet Infected Hosts—available on the Summary > ASA Botnet Reports page.

Figure 12-10 Summary Page—ASA Botnet Reports (Top Ports, Top Sites, Top Infected Hosts)

MARS System Rules and Notifications for Botnet Traffic Filtering

The following two System Rules support Botnet Traffic Filtering:

System Rule: Blocked Phone Home Activity: ASA Botnet Traffic Filter

This rule detects phone home activity to Black- and Gray-listed sites and IP addresses that was blocked, as reported by the Cisco ASA Botnet Traffic Filter.

System Rule: Blocked Traffic from site: ASA Botnet Traffic Filter

This rule detects blocked traffic activity originating from Black- and Gray-listed sites and IP addresses, as reported by the Cisco ASA Botnet Traffic Filter.

System Rule: Suspicious Phone Home Activity: ASA Botnet Traffic Filter

This rule detects phone home activity to Black- and Gray-listed sites and IP addresses, as reported by the Cisco ASA Botnet Traffic Filter.

System Rule: Suspicious Traffic from site: ASA Botnet Traffic Filter

This rule detects traffic activity originating from Black- and Gray-listed sites and IP addresses, as reported by the Cisco ASA Botnet Traffic Filter.

To view Rules, navigate to the MARS Rules > Inspection Rules page.

Figure 12-11 shows the Botnet Traffic Filter rule definitions from the MARS GUI.

Figure 12-11 MARS System Rules for Cisco ASA Botnet Traffic Filter

Botnet Traffic Filter Notifications

The Botnet Traffic Filter rules can be configured to send notifications. Because of space limitations, the syslog and SNMP incident notifications do not explicitly label botnet site information. The email notification includes a "Top 3 sites sorted by count" listing, as shown in Example 12-1.

Example 12-1 Email Notification With Botnet Site Information

From: notifier.pnmars@cisco.com [mailto:notifier.pnmars@cisco.com]
Sent: Friday, June 19, 2009 2:49 PM
To: Lavim Busa (labusa)
Subject: CS-MARS Incident Notification (yellow, Rule Name: labusa-notif)

The following incident occurred on "pnmars"

Start time:     Fri Jun 19 14:46:22 2009
End time:       Fri Jun 19 14:46:29 2009
Fired Rule Id:  328056
Fired Rule:     labusa-notif
Incident Id:    607632
Incident Severity:yellow

Top 3 src-dest address pairs sorted by severity and count (showing 3 of 9):
1. N/A           -> N/A          Severity: yellow  Count: 54
2. 1.2.3.4       -> 4.5.6.7      Severity: yellow  Count: 6
3. 11.22.33.44   -> 41.52.63.74  Severity: yellow  Count: 3

Top 3 src ip's address sorted by severity and count (showing 3 of 6):
1. N/A           -> Severity: yellow  Count: 54
2. 1.2.3.4       -> Severity: yellow  Count: 6
3. 11.22.33.44   -> Severity: yellow  Count: 5

Top 3 dest ip's address sorted by severity and count (showing 3 of 9):
1. N/A           -> Severity: yellow  Count: 54
2. 4.5.6.7       -> Severity: yellow  Count: 6
3. 41.52.63.74   -> Severity: yellow  Count: 3

Top 3 dest TCP/UDP ports sorted by severity and count (showing 2 of 2):
1. 80   Severity: yellow  Count: 11
2. 80   Severity: green   Count: 8

Top 3 event types sorted by severity and count (showing 3 of 16):
1. Download failed for dynamic filter data file from updater server  Severity: yellow  Count:9
2. Authentication failure with dynamic filter updater server     Severity: yellow Count:9
3. Decryption of downloaded dynamic filter data file failed      Severity: yellow Count:9

Top 3 reporting devices sorted by count (showing 1 of 1):
1. asa82 Count: 100

Top 3 sites sorted by count (showing 3 of 3):
1. cisco.com      (Type: black) Count: 6
2. whitecisco.com (Type: white) Count: 6
3. altavista.com  (Type: grey)  Count: 5

For more details about this incident please go to:
  https://pnmars/Incidents/IncidentDetails.jsp?Incident_Id=607632
  https://pnmars.mars.cisco.com cisco.com/Incidents/IncidentDetails.jsp?Incident_Id=607632
  https://192.168.1.10/Incidents/IncidentDetails.jsp?Incident_Id=607632
  https://10.2.4.1/Incidents/IncidentDetails.jsp?Incident_Id=607632

For all incidents occurred recently please go to:
  https://pnmars/Incidents/
  https://pnmars.mars.cisco.com cisco.com/Incidents/
  https://192.168.1.10/Incidents/
  https://10.2.4.1/Incidents/

MARS Events for Botnet Traffic Filter

The following event groups make up the Botnet Traffic Filter-related events:

ASATrafficFilter/All

ASATrafficFilter/TrafficLoggedFromMaliciousSite

ASATrafficFilter/TrafficBlockedFromMaliciousSite

ASATrafficFilter/Misc

ASATrafficFilter/OperationalError

ASATrafficFilter/PhoneHomeTrafficLogged

ASATrafficFilter/PhoneHomeTrafficBlocked

Info/UncommonTraffic/Suspicious

To view Events and Event Groups, navigate to the MARS Management > Event Management page.

Table 12-3 lists the Events related to the Cisco ASA Botnet Traffic Filter.

Table 12-3 MARS Botnet Traffic Filter Events

MARS Normalized Event Number | Event Name
1734142 | Traffic originating from Black-listed site
1734143 | Phone home traffic to Black-listed site
1734144 | Traffic originating from Black-listed IP
1734145 | Phone home traffic to Black-listed IP
1734146 | Traffic originating from White-listed site
1734147 | Traffic destined to White-listed site
1734148 | Traffic originating from White-listed IP
1734149 | Traffic destined to White-listed IP
1734150 | Traffic originating from Gray-listed site
1734151 | Phone home traffic to Gray-listed site
1734152 | Intercepted DNS reply for listed site
1734153 | Adding an IP address to the dynamic filter rule
1734154 | Removal of an IP address from the dynamic filter rule
1734155 | Download dynamic filter data file from updater server succeeded
1734156 | Download failed for dynamic filter data file from updater server
1734157 | Authentication failure with dynamic filter updater server
1734158 | Decryption of downloaded dynamic filter data file failed
1734160 | Current license does not support dynamic filter updater feature
1734161 | Failed to receive an update from dynamic filter updater server
1734228 | Traffic originating from blacklisted site was blocked
1734229 | Traffic to blacklisted site was blocked
1734230 | Traffic originating from blacklisted IP is blocked
1734231 | Traffic to blacklisted IP was blocked
1734232 | Traffic originating from greylisted site was blocked
1734233 | Traffic to greylisted site was blocked


Site Management Page

The site management page, shown in Figure 12-12, lists all Black-, Gray-, and White-listed botnet sites parsed from Cisco ASA syslogs. Sites can be deleted from this page, but cannot be edited or manually added.

All sites reported in Cisco ASA syslogs as Black-listed or Gray-listed are malware sites. Sites reported as White-listed are not considered malware. Each time MARS parses a botnet address and site name from a Cisco ASA syslog, the site is appended to the MARS Site Management list. Over time, the list may become long and obsolete, making it a practical necessity to delete sites. The Cisco ASA configuration is not affected by any site delete action performed in MARS.


Note White-listed sites are technically not "botnet sites" but they may be referred to as botnet sites in this documentation because the Cisco ASA Botnet Traffic Filter is the only context in which the term "White-list" appears in MARS.


Figure 12-12 MARS Site Management Page

Use the Site Type pull-down filter to display All, Black-, Gray-, or White-listed sites. Use the Threat Level or Threat Category pull-down filter to display sites with the selected threat levels or threat categories.

To search for a specific site name, enter the name or fragment of the name into the Site Name field and click Search. A site name can have multiple IP addresses.

Deleting Sites

To delete sites, check the box of the site and click Delete. A popup window appears as shown in Figure 12-13.

Figure 12-13 Delete Confirm Popup Window—Delete Sites

Deleting a Site Referenced in a Rule or Report

If a user-created rule or report includes a botnet site as a criterion, and an attempt is made to delete that site from the Site page, a delete confirmation popup window appears that lists the affected rules and reports, as shown in Figure 12-14.

Figure 12-14 Delete Confirmation Popup Window—Delete Site Referenced by a Rule

A rule that references a deleted site is made inactive.

If the site that is referenced by a report is deleted, that report is deleted and a new report with all the same parameters is created but with the deleted botnet site information removed.

When a large number of sites are selected for deletion, MARS checks all the rules and reports for botnet references before deleting the sites. This may cause a delay in displaying the delete confirmation page.