spamming diagnostic logs

Discussion in 'Cisco' started by barret bonden, May 26, 2010.

  1. I have reports from Cablevision that a machine on a client's LAN has been
    taken over by a spamming app; I don't know which machine.
    I can set up a syslog server for the ASA; what's diagnostic here? What
    to look for?
    barret bonden, May 26, 2010
    #1

  2. On 26.5.2010. 2:07, barret bonden wrote:
    > I have reports from Cablevision that a machine on a client's LAN has been
    > taken over by a spamming app; I don't know which machine.
    > I can set up a syslog server for the ASA; what's diagnostic here? What
    > to look for?

    The best approach would be to set up an access-list on the inside interface in
    the inbound direction to permit SMTP traffic only from your SMTP server or,
    if you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic
    from your inside network to the Internet. On the deny access-list entry put the
    log keyword at the end so that you can catch (with syslog) SMTP packets
    denied by your firewall. Examine the syslog and locate the internal IP address
    that sends bogus SMTP; this is your infected PC ;)


    sample config would be:
    ! a single server address needs the host keyword; placeholders in [] are yours to fill in
    access-list SpamerHunter extended permit tcp any host [your_isp_smtp_servers_address] eq smtp
    ! log 3 raises the per-hit syslog message for this entry to severity 3 (errors)
    access-list SpamerHunter extended deny tcp any any eq smtp log 3
    access-list SpamerHunter extended permit ip any any

    access-group SpamerHunter in interface inside

    ! syslog is off until logging is enabled; the host is given as "logging host <interface> <ip>"
    logging enable
    logging trap errors
    logging host inside [syslog_server_ip_address]

    The configuration listed here will syslog any blocked SMTP traffic at
    logging level error, which will not overwhelm your syslog server with
    detailed logging the way informational or debug logging does.

    Of course, if you already have an inbound access list in place on your
    inside interface, then adapt my example to fit your existing access-list.

    I
    Igor Mamuzić aka Pseto, May 26, 2010
    #2

  3. Igor:

    Many thanks; am trying it now.


    "Igor Mamuzic aka Pseto" <-com.hr> wrote in
    message news:htj94j$m2c$-com.hr...
    > On 26.5.2010. 2:07, barret bonden wrote:
    >> I have reports from Cablevision that a machine on a client's LAN has been
    >> taken over by a spamming app; I don't know which machine.
    >> I can set up a syslog server for the ASA; what's diagnostic here?
    >> What to look for?
    >
    > The best approach would be to set up an access-list on the inside interface in
    > the inbound direction to permit SMTP traffic only from your SMTP server or, if
    > you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic from
    > your inside network to the Internet. On the deny access-list entry put the log
    > keyword at the end so that you can catch (with syslog) SMTP packets denied
    > by your firewall. Examine the syslog and locate the internal IP address that
    > sends bogus SMTP; this is your infected PC ;)
    >
    > sample config would be:
    > access-list SpamerHunter extended permit tcp any host [your_isp_smtp_servers_address] eq smtp
    > access-list SpamerHunter extended deny tcp any any eq smtp log 3
    > access-list SpamerHunter extended permit ip any any
    >
    > access-group SpamerHunter in interface inside
    >
    > logging enable
    > logging trap errors
    > logging host inside [syslog_server_ip_address]
    >
    > The configuration listed here will syslog any blocked SMTP traffic at
    > logging level error, which will not overwhelm your syslog server with
    > detailed logging the way informational or debug logging does.
    >
    > Of course, if you already have an inbound access list in place on your inside
    > interface, then adapt my example to fit your existing access-list.
    >
    > I
    >
    barret bonden, May 26, 2010
    #3
  4. Igor:

    I've run it for a day and got this (see below).
    Note that neither IP address is on my LAN (we use a 192.168.X.X subnet).
    So, as I understand this, one of my machines is being used as a
    repeater; but which one?
    Any ideas as to how to tell?


    new commands:

    access-list outside_access_in permit tcp any host 167.206.5.250 eq smtp
    access-list outside_access_in deny tcp any any eq smtp log 3
    access-list outside_access_in permit ip any any

    ciscoasa# sh logging
    Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level errors, 4273 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 259379 messages logged
    May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
    May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
    May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
    May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
    ciscoasa#



    "Igor Mamuzic aka Pseto" <-com.hr> wrote in
    message news:htj94j$m2c$-com.hr...
    > On 26.5.2010. 2:07, barret bonden wrote:
    >> I have reports from Cablevision that a machine on a client's LAN has been
    >> taken over by a spamming app; I don't know which machine.
    >> I can set up a syslog server for the ASA; what's diagnostic here?
    >> What to look for?
    >
    > The best approach would be to set up an access-list on the inside interface in
    > the inbound direction to permit SMTP traffic only from your SMTP server or, if
    > you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic from
    > your inside network to the Internet. On the deny access-list entry put the log
    > keyword at the end so that you can catch (with syslog) SMTP packets denied
    > by your firewall. Examine the syslog and locate the internal IP address that
    > sends bogus SMTP; this is your infected PC ;)
    >
    > sample config would be:
    > access-list SpamerHunter extended permit tcp any host [your_isp_smtp_servers_address] eq smtp
    > access-list SpamerHunter extended deny tcp any any eq smtp log 3
    > access-list SpamerHunter extended permit ip any any
    >
    > access-group SpamerHunter in interface inside
    >
    > logging enable
    > logging trap errors
    > logging host inside [syslog_server_ip_address]
    >
    > The configuration listed here will syslog any blocked SMTP traffic at
    > logging level error, which will not overwhelm your syslog server with
    > detailed logging the way informational or debug logging does.
    >
    > Of course, if you already have an inbound access list in place on your inside
    > interface, then adapt my example to fit your existing access-list.
    >
    > I
    >
    barret bonden, May 27, 2010
    #4
  5. On 27/05/10 01:36, barret bonden wrote:

    > May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
    > May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
    > May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
    > May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
    > ciscoasa#


    These are not the logs you are looking for. None of them are to a
    destination port of 25.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    20:32:12 up 29 days, 21:12, 0 users, load average: 0.37, 0.45, 0.43
    It is better to have been wasted and then sober
    than to never have been wasted at all
    alexd, May 27, 2010
    #5
  6. On 27.5.2010. 21:34, alexd wrote:
    > On 27/05/10 01:36, barret bonden wrote:
    >
    >> May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
    >> May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
    >> May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
    >> May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
    >> ciscoasa#
    >
    > These are not the logs you are looking for. None of them are to a
    > destination port of 25.

    That's right... It seems that you don't have any SMTP activity, or the ACL is
    misplaced... Try to simulate traffic: telnet to some denied SMTP server
    over port 25 to simulate an infected host and see if the ACL logs your
    attempt.
    Igor Mamuzić aka Pseto, May 28, 2010
    #6
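As an added example (not code from anyone in the thread), here is a Python filter that does what Igor's logging ACL and alexd's "destination port 25" check together describe: it parses %ASA-106100 access-list messages (the per-hit message an ACE with the log keyword emits), keeps only denied inside-to-outside connections to port 25, and tallies them per internal source address, while setting aside %ASA-3-710003 lines of the kind barret posted, which report connection attempts to the ASA's own interface rather than traffic passing through it. All log lines, addresses and the ACL name are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample syslog (not from the thread). The 106100 lines are what an
# ACE carrying "log 3" emits for each hit (severity 3 because of the "3"); the
# 710003 line is the message type barret saw: a connection aimed at the ASA's
# own outside interface, not a flow through the firewall, so it cannot
# identify an inside host that is sending spam.
SAMPLE_LOG = """\
May 28 2010 09:12:01: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.37(50211) -> outside/203.0.113.25(25) hit-cnt 1 first hit [0x12345678, 0x0]
May 28 2010 09:12:03: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.37(50212) -> outside/198.51.100.9(25) hit-cnt 4 300-second interval [0x12345678, 0x0]
May 28 2010 09:13:10: %ASA-3-106100: access-list SpamerHunter permitted tcp inside/192.168.1.12(49001) -> outside/167.206.5.250(25) hit-cnt 1 first hit [0x0, 0x0]
May 28 2010 09:14:55: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.80(40333) -> outside/203.0.113.77(25) hit-cnt 1 first hit [0x0, 0x0]
May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
"""

ACE_LOG = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
TO_BOX_LOG = re.compile(r"%ASA-\d-710003: ")

def denied_smtp_sources(log_text, inside_if="inside", smtp_port=25):
    """Return ({inside_source_ip: total hit count}, ignored_710003_lines) for
    denied SMTP connections that originated on the inside interface. Only
    through-traffic (106100) counts; to-the-box 710003 lines are tallied apart."""
    hits = Counter()
    to_box = 0
    for line in log_text.splitlines():
        if TO_BOX_LOG.search(line):
            to_box += 1
            continue
        m = ACE_LOG.search(line)
        if not m:
            continue
        if (m["action"] == "denied" and m["sif"] == inside_if
                and int(m["dport"]) == smtp_port):
            hits[m["src"]] += int(m["hits"])   # hit-cnt aggregates repeats
    return dict(hits), to_box

if __name__ == "__main__":
    sources, skipped = denied_smtp_sources(SAMPLE_LOG)
    for ip, n in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {n} denied SMTP attempt(s)")   # 192.168.1.37 tops the list
    print(f"{skipped} to-the-box (710003) line(s) ignored")
```

Feed it the syslog file the ASA writes via "logging host"; the top entry is the internal address to investigate first, and a non-zero ignored count with an empty table is the symptom alexd pointed out.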