Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide
50-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 50 Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
The database files are stored in running memory; they are not stored in flash memory. If you need to
delete the database, use the Purge Botnet Database button in the Configuration > Firewall > Botnet
Traffic Filter > Botnet Database pane instead. Be sure to first disable use of the database by unchecking
the Use Botnet data dynamically downloaded from updater server check box in the Configuration >
Firewall > Botnet Traffic Filter > Botnet Database > Dynamic Database Configuration area.
Note: To use the database, be sure to configure a domain name server for the adaptive security appliance
so that it can access the URL.
To use the domain names in the dynamic database, you need to enable DNS packet inspection with
Botnet Traffic Filter snooping; the adaptive security appliance looks inside the DNS packets for the
domain name and associated IP address.
Information About the Static Database
You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names
in a blacklist. Static blacklist entries are always designated with a Very High threat level. You can also
enter names or IP addresses in a whitelist, so that names or addresses that appear on both the dynamic
blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note
that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic
blacklist.
When you add a domain name to the static database, the adaptive security appliance waits 1 minute, and
then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS
host cache. (This action is a background process, and does not affect your ability to continue configuring
the adaptive security appliance). We recommend also enabling DNS packet inspection with Botnet
Traffic Filter snooping. The adaptive security appliance uses Botnet Traffic Filter snooping instead of
the regular DNS lookup to resolve static blacklist domain names in the following circumstances:
• The adaptive security appliance DNS server is unavailable.
• A connection is initiated during the 1 minute waiting period before the adaptive security appliance
sends the regular DNS request.
If DNS snooping is used, when an infected host sends a DNS request for a name on the static database,
the adaptive security appliance looks inside the DNS packets for the domain name and associated IP
address and adds the name and IP address to the DNS reverse lookup cache.
If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that
traffic will not be monitored by the Botnet Traffic Filter.
Information About the DNS Reverse Lookup Cache and DNS Host Cache
When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup
cache. If you use the static database, entries are added to the DNS host cache (see the “Information
About the Static Database” section on page 50-3 about using the static database with DNS snooping and
the DNS reverse lookup cache).
Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value
provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server
provides a larger TTL, it is truncated to 1 day maximum.
For the DNS reverse lookup cache, after an entry times out, the adaptive security appliance renews the
entry when an infected host initiates a connection to a known address, and DNS snooping occurs.
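The following is an added example, not code from the Cisco guide or the ASA itself: a small constructed Python model of the rules this section describes (DNS-snooped reverse lookup cache with TTLs capped at 1 day, expiry and renewal on a new snooped reply, whitelist precedence over the dynamic blacklist, Very High threat level for static entries). The class and method names, the classification strings, and the choice to let the whitelist also override static entries are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described on this page; it is not the
# ASA implementation. Times are plain integers (seconds) to keep it testable.
MAX_TTL = 24 * 60 * 60  # the ASA truncates DNS TTLs larger than 1 day


@dataclass
class CacheEntry:
    domain: str
    expires_at: int  # absolute time in seconds


class BotnetFilterModel:
    def __init__(self, dynamic_blacklist, static_blacklist, whitelist):
        self.dynamic_blacklist = set(dynamic_blacklist)
        self.static_blacklist = set(static_blacklist)  # always Very High
        self.whitelist = set(whitelist)
        self.reverse_cache = {}  # ip -> CacheEntry, filled by DNS snooping

    def snoop_dns_reply(self, domain, ip, ttl, now):
        """Record a domain/IP pairing seen in a snooped DNS reply.
        Returns the TTL actually stored (capped at MAX_TTL)."""
        ttl = min(ttl, MAX_TTL)
        self.reverse_cache[ip] = CacheEntry(domain, now + ttl)
        return ttl

    def domain_for(self, ip, now):
        """Reverse lookup; an expired entry counts as absent until a new
        snooped reply for an outbound connection renews it."""
        entry = self.reverse_cache.get(ip)
        if entry is None or entry.expires_at <= now:
            return None
        return entry.domain

    def classify(self, ip, now):
        """Classification the filter would report for a connection to ip."""
        domain = self.domain_for(ip, now)
        if domain is None:
            return "unmonitored"  # no mapping known: traffic is not monitored
        if domain in self.whitelist:
            # Page: whitelist wins over the dynamic blacklist in syslog/reports.
            # Assumption for this example: it wins over static entries as well.
            return "whitelist"
        if domain in self.static_blacklist:
            return "blacklist-very-high"
        if domain in self.dynamic_blacklist:
            return "blacklist"
        return "clean"
```

Feeding a 7-day TTL through `snoop_dns_reply` shows the 1-day cap, and querying `classify` one day later shows the entry drop to "unmonitored" until a fresh snooped reply renews it.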