Using Access Control Lists (ACLs) as a Virus-Detection Tool
As a network administrator, you can do a few things with your Access Control Lists (ACLs) that help you detect viruses. If you know that a particular virus generates a certain type of traffic, say on TCP port 1090, you can create an ACL entry for that traffic that uses the log option. Information about every matching packet is then recorded in the system log, which can in turn be sent to a centralized Syslog server.
To enable logging, you make a small change to your Access Control Entries (ACEs): simply add log to the end of the ACE, and any traffic that matches that ACE will be logged. The ? help output below shows the option on both an ASA firewall and an IOS router:
ASAFirewall1(config)# access-list 103 deny tcp any any eq 1090 ?

configure mode commands/options:
  inactive    Keyword for disabling an ACL element
  log         Keyword for enabling log option on this ACL element
  time-range  Keyword for attaching time-range option to this ACL element
  <cr>

Router1(config)#access-list 103 deny tcp any any eq 1090 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>
Cisco IOS devices keep only a small log in local memory. When you consider that your router may have as little as 64MB of memory, this does not leave very much space to maintain log information for very long. The alternative to using the router's memory for logging is to send your log information to a server on the network.
Syslog is an industry-standard format for accepting and storing these log messages. Many Syslog servers are available for different operating systems, including Kiwi Syslog Server for Windows. Kiwi Syslog Server is available as a free version that is often sufficient for many people. To enable your device to send messages to a Syslog server, use this command on your IOS device (192.168.1.5 is the IP address of my Syslog server):
Router1>enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#logging 192.168.1.5
Rather than logging the data, you can view it in real time on the device using the debug command, such as debug ip packet 103 detail, on the device where you expect to see that type of traffic. The following debug session shows a denied access attempt from the device with the IP address 10.0.2.25:
Router1>enable
Router1#terminal monitor
Router1#debug ip packet 103 detail
IP packet debugging is on (detailed) for access list 103
Router1#
00:11:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.2.25(3541) -> 192.168.8.10(1090), 1 packet
Router1#no debug all
All possible debugging has been turned off
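Once the %SEC-6-IPACCESSLOGP messages are arriving at a Syslog server, the useful step is to total them per source host so that an infected machine stands out from the background. The following Python script is an added example, not part of the original text or of any Cisco product: it parses log lines in the format shown above and reports the hosts that have hit the watched port more than a threshold number of times. The sample log lines are constructed for the example; the ACL number 103, port 1090 and the threshold of 3 packets are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown on this page, as a Syslog
# server might store them. The last line is an unrelated IOS message that
# the parser must ignore.
SAMPLE_SYSLOG = [
    "00:11:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.2.25(3541) -> 192.168.8.10(1090), 1 packet",
    "00:16:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.2.25(3542) -> 192.168.8.11(1090), 4 packets",
    "00:17:02: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.2.40(4410) -> 192.168.8.10(1090), 1 packet",
    "00:17:30: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 10.0.2.40(4411) -> 192.168.8.10(80), 2 packets",
    "00:18:01: %SYS-5-CONFIG_I: Configured from console by console",
]

# Matches the IOS ACL log message. The optional group after the source port
# tolerates the "(interface mac)" detail that the log-input keyword adds.
# search() rather than match() is used so that any timestamp or hostname
# prefix the Syslog server prepends does not matter.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict of fields for one ACL log line, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def suspicious_sources(lines, watch_port=1090, threshold=3):
    """Sum the packet counts per source host for hits on watch_port and return
    the sources at or above threshold as (source, packets), most active first."""
    hits = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["dport"] == watch_port:
            hits[rec["src"]] += rec["count"]
    return [(src, n) for src, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_SYSLOG):
        print(f"{src}: {n} packets to TCP/1090 - check this host")
```

Note that the router emits the first match immediately and then a periodic summary line ("N packets"), which is why the script sums the count field rather than counting lines. In practice you would feed it the file your Syslog server writes, or hook the same regex into the server's own alerting rules.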