Velocity Reviews - Computer Hardware Reviews

spamming diagnostic logs

 
 
barret bonden
      05-26-2010
I have reports from Cablevision that a machine on a client's LAN has been
taken over by a spamming app; I don't know which machine.
I can set up a syslog server for the ASA; what's diagnostic here? What
to look for?



 
Igor Mamuzić aka Pseto
      05-26-2010
On 26.5.2010. 2:07, barret bonden wrote:
> I have reports from Cablevision that a machine on a client's LAN has been
> taken over by a spamming app; I don't know which machine.
> I can set up a syslog server for the ASA; what's diagnostic here? What
> to look for?

The best approach would be to set up an access-list on the inside interface in
the inbound direction that permits SMTP traffic only to your SMTP server or,
if you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic
from your inside network to the Internet. On the deny access-list entry, put the
log keyword at the end so that you can catch (with syslog) the SMTP packets
denied by your firewall. Examine the syslog and locate the internal IP address
that sends bogus SMTP; this is your infected PC.


sample config would be:
access-list SpamerHunter permit tcp any host [your_isp_smtp_servers_address] eq smtp
access-list SpamerHunter deny tcp any any eq smtp log 3
access-list SpamerHunter permit ip any any

access-group SpamerHunter in interface inside

logging trap errors
logging host inside [syslog_server_ip_address]

The configuration listed here will syslog any blocked SMTP traffic at logging
level error, which will not overwhelm your syslog server with detailed
logging the way informational or debug logging does.

Of course, if you already have an inbound access-list in place on your
inside interface, then adapt my example to fit your existing access-list.

I

 
barret bonden
      05-26-2010
Igor:

Many thanks; am trying it now.


barret bonden
      05-27-2010
Igor:

I've run it for a day and got this (see below).
Note that neither IP address is on my LAN (we use a 192.168.X.X subnet).
So, as I understand this, one of my machines is being used as a
repeater; but which one?
Any ideas as to how to tell?


new commands:

access-list outside_access_in permit tcp any host 167.206.5.250 eq smtp
access-list outside_access_in deny tcp any any eq smtp log 3
access-list outside_access_in permit ip any any

ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, 4273 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 259379 messages logged
May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
ciscoasa#



alexd
      05-27-2010
On 27/05/10 01:36, barret bonden wrote:

> May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
> May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
> May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
> May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
> ciscoasa#


These are not the logs you are looking for. None of them are to a
destination port of 25.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
20:32:12 up 29 days, 21:12, 0 users, load average: 0.37, 0.45, 0.43
It is better to have been wasted and then sober
than to never have been wasted at all
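Added example (not code from the thread or from Cisco): a small Python filter that does what Igor's procedure and alexd's reply call for, keeping only ACL-deny messages whose destination port is 25 and tallying them per private source address, while setting aside to-the-box 710003 messages like the ones posted above. It assumes the ASA 106100 message layout that an ACE with the log keyword produces, taken from Cisco's syslog reference rather than from the thread; the sample lines are constructed except for the thread's own first 710003 line.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Message 106100: an ACE carrying the "log" keyword fired for through-the-box
# traffic. Field layout assumed from Cisco's ASA syslog reference (not in the thread).
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
# Message 710003: a connection aimed at one of the ASA's own interfaces was
# refused (the format the thread's "sh logging" output shows).
TO_BOX_RE = re.compile(
    r"%ASA-\d-710003: TCP access denied by ACL from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_line(line):
    """Return a dict for the two message types above, or None for anything else."""
    m = ACL_LOG_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="acl")
    m = TO_BOX_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="to-box", action="denied")
    return None

def smtp_suspects(lines):
    """Count 106100 deny messages for tcp/25 per RFC 1918 source address.
    Each message covers one hit-cnt interval, so this counts messages, not connections."""
    suspects, ignored = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] != "acl" or rec["action"] != "denied" or rec["dport"] != "25":
            ignored += 1          # port 80/23 to-box hits like the thread's, or permits
            continue
        if ip_address(rec["src"]).is_private:
            suspects[rec["src"]] += 1
    return suspects, ignored

# Constructed sample: the thread's first 710003 line plus invented 106100 lines
# (192.168.1.x hosts and 203.0.113.x / 198.51.100.x documentation addresses).
SAMPLE = [
    "May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80",
    "May 27 2010 02:11:40: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.57(4012) -> outside/203.0.113.25(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "May 27 2010 02:16:40: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.57(4190) -> outside/198.51.100.9(25) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]",
    "May 27 2010 02:20:02: %ASA-3-106100: access-list SpamerHunter permitted tcp inside/192.168.1.10(3301) -> outside/167.206.5.250(25) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
]

if __name__ == "__main__":
    for src, n in smtp_suspects(SAMPLE)[0].most_common():
        print(f"{src}: {n} denied SMTP log messages")
```

Run against a real syslog file, only 106100 denies to port 25 from an inside address count; the 710003 lines in the thread are refused connections to the ASA itself and never identify a spamming host.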
 
Igor Mamuzić aka Pseto
      05-28-2010
On 27.5.2010. 21:34, alexd wrote:
> On 27/05/10 01:36, barret bonden wrote:
>
>> May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
>> May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
>> May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
>> May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
>> ciscoasa#
>
> These are not the logs you are looking for. None of them are to a
> destination port of 25.
>

That's right... It seems that you don't have any SMTP activity, or the ACL is
misplaced... Try to simulate traffic: telnet to some denied SMTP server
over port 25 to simulate an infected host and see if the ACL will log your
attempt.


 