The issue:
An unknown private (NAT) client is infected with malware and it's trying to access a Bot server at random times/dates.
How we know about this:
We receive bot traffic notices/alerts from REN-ISAC. Unfortunately, we don't receive those until the next day after it has happened. What they provide to us is:
- The source address (of the firewall)
- The destination addresses (it varies, but they're going to network subnet allocated to a German ISP)
- The source port (which varies--dynamic ports).
Question:
What would be the best approach to finding this internal host (historically) with a Cisco ASA as firewall?
I'm guessing blocking anything to the destination address(es), and logging that type of traffic/access might allow me to find the source host, but I'm not sure which tool/command would be the most useful.
I've seen Netflow thrown into a few responses when it comes to logging, but I'm confused with its association of Logging, NAL, and nBAR, and how they relate to Netflow.
In regards to questions from @jowqwerty, I'm assuming that you are responsible for the Cisco ASA and the internal network behind it, correct?
If so, you are on the right track. I would recommend using the logging and/or capture features of the ASA to narrow down the traffic.
The more you can narrow down the destination the better. You mention having the destination subnet, do you have the destination protocol/port(s) as well? I would build an ACL which matches the destination and logs hits.
For example:
Then apply such an ACL to the inside interface of the ASA. Then cross reference future abuse reports with your log entries.
The capture feature builds on this troubleshooting technique by allowing you to capture the traffic in PCAP format. Then you can further analyze it with tools such as WireShark.
ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example
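As an added example (not the answer author's configuration), this is what the ACL-plus-logging approach described above looks like on an ASA, with the optional capture and NetFlow (NSEL) pieces alongside it; the destination subnet 203.0.113.0/24, the collector 10.0.0.50 and all object/ACL names are constructed placeholders to be replaced with the values from the REN-ISAC notice and your own syslog host.

```cisco
! Added example, not from the answer above. All addresses and names are placeholders.
!
! 1. The destination range from the REN-ISAC notice (203.0.113.0/24 is a constructed placeholder)
object-group network BOTNET_DST
 network-object 203.0.113.0 255.255.255.0
!
! 2. ACL applied inbound on the inside interface: log every hit against that range, allow the rest.
!    "deny ... log" blocks and logs; use "permit ... log" instead if you want the session to
!    continue long enough for the capture in step 5 to record the whole exchange.
access-list INSIDE_IN extended deny ip any object-group BOTNET_DST log informational interval 60
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 3. Keep the resulting %ASA-6-106100 messages somewhere you can search the next day,
!    when the notice arrives (10.0.0.50 is a constructed placeholder for the syslog collector)
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered informational
logging trap informational
logging host inside 10.0.0.50
!
! 4. Optional: NetFlow Secure Event Logging (NSEL) is the ASA's NetFlow. It exports every flow,
!    not only ACL hits, so a collector can answer "which inside host talked to X at time T"
!    for destinations you did not anticipate. NBAR is an IOS router feature and is not involved.
flow-export destination inside 10.0.0.50 2055
policy-map global_policy
 class class-default
  flow-export event-type all destination 10.0.0.50
!
! 5. Optional packet capture of the same traffic on the inside interface, stored as PCAP
capture BOTCAP interface inside match ip any 203.0.113.0 255.255.255.0
! Pull it off the box later with: copy /pcap capture:BOTCAP tftp://10.0.0.50/botcap.pcap
```

Because the ACL sits on the inside interface, the 106100 message records the host's real (pre-NAT) address, so a constructed hit would read like `%ASA-6-106100: access-list INSIDE_IN denied tcp inside/192.168.5.23(49512) -> outside/203.0.113.7(443) hit-cnt 1 first hit`, and `show logging | include 106100` on the ASA or a search of the collector by destination and timestamp identifies the infected machine.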