Block Command and Control requests using ASA 5500

I recently came across a blog post demonstrating how to use the Emerging Threats rule sets to block malware calls to command and control (C&C) hosts. The script referenced in the blog post may work fine, but I want to review and update the list when I feel like it, via SSH. Per the Emerging Threats wiki, these rules probably only need to be updated once a week, but YMMV.

Set up the ASA (one time):

configure terminal 
access-list dynamic-filter_acl extended permit ip any any 
dynamic-filter enable interface outside classify-list dynamic-filter_acl
dynamic-filter drop blacklist interface outside
dynamic-filter blacklist

Download the C&C list from Emerging Threats:

$ wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules

Convert the list to the required format:

$ sed 's/ET-drop/ET-cc/g' emerging-PIX-CC.rules | egrep "^access-list ET-cc deny" \
  | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any/255.255.255.255/g' \
  | awk '{print $1,$2,$3}' > emerging-PIX-CC.rules.asa

Paste the list using PuTTY or similar. Currently there are around 3000 rules, so it takes a minute:

configure terminal
no dynamic-filter blacklist
dynamic-filter blacklist
address x.x.x.x y.y.y.y
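The download, convert and paste steps above can be folded into one converter that validates each address before it reaches the ASA. This is an added example, not the post's own script; it assumes the rule format the sed pipeline above expects (`access-list ET-cc deny ip host X any` or `... ip NET MASK any`, with ET-drop treated the same) and uses a constructed sample instead of the real download:

```python
import ipaddress
import re

# Constructed sample in the format the page's pipeline expects (not real ET data).
SAMPLE_RULES = """\
! Emerging Threats C&C list (constructed sample)
access-list ET-cc deny ip host 192.0.2.10 any
access-list ET-drop deny ip host 192.0.2.10 any
access-list ET-cc deny ip 198.51.100.0 255.255.255.0 any
access-list ET-cc deny ip host 203.0.113.77 any
access-list ET-cc deny ip host not-an-ip any
access-list ET-cc permit ip any any
"""

# Match "deny ip host X any" or "deny ip NET MASK any"; permit lines and comments are ignored.
RULE_RE = re.compile(
    r"^access-list\s+ET-(?:cc|drop)\s+deny\s+ip\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s+any\s*$"
)


def parse_rules(text):
    """Yield unique (ip, mask) pairs for each usable deny rule, skipping junk."""
    seen = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        try:
            if m.group("host"):
                net = ipaddress.ip_network(m.group("host"))  # single host -> /32
            else:
                net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        except ValueError:
            continue  # malformed address: do not paste garbage into the ASA
        entry = (str(net.network_address), str(net.netmask))
        if entry not in seen:  # ET-cc and ET-drop often list the same host
            seen.add(entry)
            yield entry


def to_asa_blacklist(text):
    """Return the block to paste: reset the blacklist, then one 'address ip mask' per entry."""
    lines = ["configure terminal", "no dynamic-filter blacklist", "dynamic-filter blacklist"]
    lines += [f"address {ip} {mask}" for ip, mask in parse_rules(text)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_asa_blacklist(SAMPLE_RULES), end="")
```

Replace SAMPLE_RULES with the contents of the downloaded emerging-PIX-CC.rules to produce the real paste block.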

Finally, it is important to note that there could be performance implications from implementing too many rules. Be warned that you may shun legitimate sites on shared hosting providers and the like.
