Botnet filter question

Ronald Nutter
Level 1

Just fired up the botnet filter service on one of my ASAs today.  Seeing traffic that is tripping syslog message 338001 and 338002 where the recommended action is to use the dynamic-filter drop blacklist command.

When I try to use this command, I get the following -

ASA(config)# dynamic-filter drop blacklist
ERROR: Dynamic Filter is not enabled globally on all interfaces

Here is what my MPF looks like at this time -

class-map IPS
 match access-list global_mpc
class-map test-udp-class
 match access-list test-udp-acl
class-map dynamic-filter_snoop_class
 match port udp eq domain
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 description IPS
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rtsp
  inspect pptp
  inspect ip-options
  inspect ftp
  inspect tftp
  inspect http
 class IPS
  ips inline fail-open sensor vs0
policy-map test-udp-policy
 class test-udp-class
  inspect ipsec-pass-thru
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy test-udp-policy interface Outside

Note:  I added the dynamic-filter_snoop_class class to the policy map on my outside interface instead of having a separate one as the docs indicated, since I already had one set up because of some IPSEC traffic that has to traverse from the outside to the inside.

I tried putting this in the global_policy and taking it out of the policy applied to the outside interface but same result.

Ron

2 Replies

Maykol Rojas
Cisco Employee

Ron,

This error is presented if you don't have a valid license for botnet. Can you do a show version and check if the botnet traffic filter is enabled?

Mike

Mike,

The license is installed. Found the problem - had to add interface outside to the drop blacklist cmd.

Ron

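The fix Ron describes, written out as a complete Botnet Traffic Filter configuration. This is an added example, not configuration from the thread; the interface name Outside comes from the post above, while the updater-client, use-database and dynamic-filter enable lines are assumed to be present in a typical per-interface setup.

```cisco
! Added example: per-interface Botnet Traffic Filter on an ASA.
! Assumes the outside interface is named Outside, as in the post.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Enabling the filter on a single interface rather than globally is
! what makes the bare "dynamic-filter drop blacklist" fail with
! "ERROR: Dynamic Filter is not enabled globally on all interfaces".
dynamic-filter enable interface Outside
!
! The drop action must therefore be scoped to the same interface.
dynamic-filter drop blacklist interface Outside
!
! Alternative: enable the filter on all interfaces, after which the
! interface-less drop command is accepted.
! dynamic-filter enable
! dynamic-filter drop blacklist
```

DNS snooping still has to be applied through the inspect dns dynamic-filter-snoop policy shown in the original post, or the filter has no domain-to-address mappings to match against.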
