Using Access Control Lists (ACLs) as a Virus-Detection Tool

As a network administrator, you can do a few things with your Access Control Lists (ACLs) that help you detect virus- or worm-infected hosts. If you know that a particular virus generates a recognizable type of traffic, for example connections to TCP port 1090, you can create an ACL entry that matches that traffic and uses the log option. Information about every matching packet is then recorded in the system log, which can be forwarded to a centralized Syslog server where you can search it.

You make a small change to your Access Control Entries (ACEs) to enable logging: adding the log keyword to the end of an ACE causes every packet that matches the ACE to be logged. Keep in mind that a deny entry also blocks the traffic; if you only want to record it without interfering with it, use a permit entry with log instead. On IOS, log-input additionally records the input interface and the source MAC address, which helps you pin down the infected host on a shared segment. The first matching packet produces an immediate log message, and subsequent matches are summarized with a packet count at five-minute intervals, so a single log line may stand for many packets. The following shows the option on an ASA firewall and on an IOS router:

ASAFirewall1(config)# access-list 103 deny tcp any any eq 1090 ?
configure mode commands/options:
  inactive    Keyword for disabling an ACL element
  log         Keyword for enabling log option on this ACL element
  time-range  Keyword for attaching time-range option to this ACL element

Router1(config)#access-list 103 deny tcp any any eq 1090 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value

Cisco IOS devices keep log messages in a small in-memory buffer. When you consider that your router may have as little as 64 MB of memory, this does not leave much space to retain log information for long, and the buffer is lost when the router reloads. The alternative to using the router's memory for logging is to have the log messages sent to a server on the network.

Syslog is the industry-standard protocol for transporting and storing these log messages. Many Syslog servers are available for different operating systems, including Kiwi Syslog Server for Windows, which comes in a free version that is sufficient for many people. To enable your device to send messages to a Syslog server, use this command on your IOS device (the address given is the IP address of my Syslog server):

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Rather than logging the data, you can view it in real time on the device using the debug command, such as debug ip packet 103 detail, on the device where you expect to see that type of traffic. Run terminal monitor first so that log and debug output is displayed on your terminal session rather than only on the console. Restricting the debug to the ACL, as done here with the 103 argument, keeps the CPU cost manageable on a busy router, and you should turn debugging off as soon as you have what you need. The %SEC-6-IPACCESSLOGP line below is the ACL log message produced by the log keyword; it shows a denied access attempt for a device with the IP address:

Router1#terminal monitor
Router1#debug ip packet 103 detail
IP packet debugging is on (detailed) for access list 103
00:11:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp ->, 1 packet
Router1#no debug all
All possible debugging has been turned off
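As an added example, not taken from the original article, here is a small Python script that does the detection step the article leaves to the administrator: it reads the %SEC-6-IPACCESSLOGP messages that the log keyword generates, as they would be stored by a Syslog server, keeps per-source counts of the distinct destinations contacted on the virus's port, and reports sources that have touched several hosts, which is the pattern a scanning worm produces and a legitimate client normally does not. The syslog lines, host name, timestamps and IP addresses are constructed for this example; ACL 103 and TCP port 1090 are the page's. It assumes the router forwards these messages with logging host and a trap level of at least informational (the messages are severity 6), and it also handles the log-input form, in which the input interface and source MAC address appear in parentheses after the source.

```python
"""Find hosts scanning a known virus port from Cisco IOS ACL log messages."""
import re
from collections import defaultdict

# Pattern for the %SEC-6-IPACCESSLOGP message that a "log" or "log-input" ACE
# produces. With "log-input" the source is followed by "(interface mac)".
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>[^)]*)\))?"
    r" -> (?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not real captures): the hostname, timestamps
# and addresses are made up for this example. The last line shows the
# five-minute summary form, where one message carries a packet count.
SAMPLE_LOG = """\
Jan 10 12:00:01 Router1 45: 00:11:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.1.5(4321) -> 10.2.2.2(1090), 1 packet
Jan 10 12:00:02 Router1 46: 00:11:56: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.1.5(4322) -> 10.2.2.3(1090), 1 packet
Jan 10 12:00:02 Router1 47: 00:11:56: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.1.5(4323) (FastEthernet0/0 0011.2233.4455) -> 10.2.2.4(1090), 1 packet
Jan 10 12:00:03 Router1 48: 00:11:57: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.9)
Jan 10 12:00:04 Router1 49: 00:11:58: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.1.9(51000) -> 10.2.2.2(1090), 1 packet
Jan 10 12:00:05 Router1 50: 00:11:59: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.5(4400) -> 10.2.2.2(80), 1 packet
Jan 10 12:05:05 Router1 51: 00:16:59: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.1.5(4330) -> 10.2.2.5(1090), 12 packets
"""


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP message, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, acl, dport):
    """Per source host: distinct destinations and packets seen for this ACL and port."""
    stats = defaultdict(lambda: {"targets": set(), "packets": 0, "iface": None})
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl or rec["dport"] != dport:
            continue
        entry = stats[rec["src"]]
        entry["targets"].add(rec["dst"])
        entry["packets"] += rec["count"]  # summary messages carry a count > 1
        if rec["iface"]:
            entry["iface"] = rec["iface"]  # only present for log-input entries
    return stats


def suspect_hosts(lines, acl="103", dport=1090, min_targets=3):
    """Sources that hit min_targets or more distinct hosts on dport: likely infected.

    Returns (src, distinct_targets, packets, iface) tuples, busiest first.
    """
    stats = summarize(lines, acl, dport)
    hits = [
        (src, len(s["targets"]), s["packets"], s["iface"])
        for src, s in stats.items()
        if len(s["targets"]) >= min_targets
    ]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


if __name__ == "__main__":
    for src, n_targets, packets, iface in suspect_hosts(SAMPLE_LOG.splitlines()):
        where = f", seen on {iface}" if iface else ""
        print(f"{src}: {n_targets} distinct targets, {packets} packets{where}")
```

Point the script at the file your Syslog server writes instead of SAMPLE_LOG to use it on real data. The threshold on distinct destinations, rather than on raw packet count, is what separates a scanning host from a single user who happens to run a legitimate service on the same port; the packet count is still reported because a single summary line can represent many packets.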