50-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 50 Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
• How the Botnet Traffic Filter Works, page 50-4
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
• Known malware addresses—These addresses are on the blacklist identified by the dynamic database
and the static blacklist.
• Known allowed addresses—These addresses are on the whitelist. The whitelist is useful when an
address is blacklisted by the dynamic database and also identified by the static whitelist.
• Ambiguous addresses—These addresses are associated with multiple domain names, but not all of
these domain names are on the blacklist. These addresses are on the greylist.
• Unlisted addresses—These addresses are unknown, and not included on any list.
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure
it to block suspicious traffic automatically.
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and
greylist generate syslog messages differentiated by type. See the “Botnet Traffic Filter Syslog
Messaging” section on page 50-13 for more information.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together,
or you can disable use of the dynamic database and use the static database alone. This section includes
the following topics:
• Information About the Dynamic Database, page 50-2
• Information About the Static Database, page 50-3
• Information About the DNS Reverse Lookup Cache and DNS Host Cache, page 50-3
Information About the Dynamic Database
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update
server. This database lists thousands of known bad domain names and IP addresses.
The adaptive security appliance uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic
Filter adds the name and IP address to the DNS reverse lookup cache.
2. When the infected host starts a connection to the IP address of the malware site, then the adaptive
security appliance sends a syslog message informing you of the suspicious activity and optionally
drops the traffic if you configured the adaptive security appliance to do so.
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter
logs or drops any traffic to that IP address without having to inspect DNS requests.
To Next Page
Loading...
Need help?
General
