03-05-2010 07:01 PM - edited 03-08-2019 06:32 PM
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
ASA-5505# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
.......
Botnet Traffic Filter : Enabled
Once the license expires, filtering will not work until the license is renewed.
This step is required so the ASA can resolve the address of CSIO's updater service, allowing the dynamic filter updater client to fetch updates.
ASA(config)# dns domain-lookup outside
ASA(config)# dns server-group DefaultDNS
ASA(config-dns-server-group)# name-server 4.2.2.2
ASA(config)# dynamic-filter updater-client enable
ASA(config)# dynamic-filter use-database
ASA(config)# access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0 ---> exempted traffic
ASA(config)# access-list botnet-exclude extended permit ip any any ---> subjected traffic
ASA(config)# dynamic-filter enable interface outside classify-list botnet-exclude
ASA(config)# class-map botnet-DNS
ASA(config-cmap)# match port udp eq domain
ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop
ASA(config)# service-policy botnet-policy interface outside
Alternatively, you can also choose to apply this to the existing global policy that is already configured on the ASA.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns dynamic-filter-snoop
...
service-policy global_policy global
Whitelisted traffic is traffic to or from an IP address that is considered to be good. The address is part of an administrator-configured list.
ASA(config)# dynamic-filter whitelist
ASA(config-llist)# name www.google.com
ASA(config-llist)# name www.cisco.com
Blacklisted traffic is traffic to or from an IP address that is considered to be malicious. This IP address can be an IP address/network entry in the dynamic blacklist or in the administrator-configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.
ASA(config)# dynamic-filter blacklist
ASA(config-llist)# name www.crackhell.com
ASA(config-llist)# name www.megaport.hu
ASA(config-llist)# address 164.109.48.46 255.255.255.255
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
!
dynamic-filter updater-client enable
dynamic-filter use-database
!
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude
!
class-map botnet-DNS
match port udp eq domain
!
policy-map botnet-policy
class botnet-DNS
inspect dns dynamic-filter-snoop
!
service-policy botnet-policy interface outside
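As an added example (not part of the original post or Cisco's own tooling), this Python script audits a saved running-config for the pieces the procedure above requires and checks that they are wired together: DNS lookup for the updater, the database download, the interface enable with an existing classify-list, and a DNS-snooping policy-map that is actually applied. The sample input is constructed from the page's own configuration summary.

```python
import re
# Sample input constructed from the page's configuration summary (the optional
# whitelist/blacklist entries are left out).
SAMPLE_CONFIG = """
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
dynamic-filter updater-client enable
dynamic-filter use-database
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0
access-list botnet-exclude extended permit ip any any
dynamic-filter enable interface outside classify-list botnet-exclude
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-policy interface outside
"""
REQUIRED = [  # (regex matched at line start, finding reported if absent)
    (r"dns domain-lookup \S+", "dns domain-lookup missing: updater cannot resolve the CSIO update server"),
    (r"name-server \S+", "no name-server in the DNS server-group"),
    (r"dynamic-filter updater-client enable", "updater-client not enabled: blacklist database is never downloaded"),
    (r"dynamic-filter use-database", "use-database missing: downloaded blacklist is not consulted"),
]

def audit_botnet_filter(config):
    """Return the list of gaps found; an empty list means the procedure is complete and wired together."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = [msg for pat, msg in REQUIRED if not any(re.match(pat, l) for l in lines)]
    # The filter must be enabled on an interface, and its classify-list (if any) must be a defined ACL
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    enabled = [m for m in (re.match(r"dynamic-filter enable interface (\S+)(?: classify-list (\S+))?", l) for l in lines) if m]
    if not enabled:
        findings.append("dynamic-filter not enabled on any interface")
    findings += [f"classify-list {m.group(2)} on {m.group(1)} refers to an undefined access-list"
                 for m in enabled if m.group(2) and m.group(2) not in acls]
    # DNS snooping only works if the policy-map carrying it is applied with service-policy
    snoop, current = set(), None
    for l in lines:
        if l.startswith("policy-map "):
            current = l.split()[1]
        elif l == "inspect dns dynamic-filter-snoop" and current:
            snoop.add(current)
    applied = {l.split()[1] for l in lines if l.startswith("service-policy ")}
    if not snoop:
        findings.append("no policy-map has 'inspect dns dynamic-filter-snoop': domain-name blacklist entries never match")
    elif not snoop & applied:
        findings.append("DNS snooping policy-map defined but not applied with service-policy")
    return findings
```

Run it against the output of `show running-config`; each finding names the element of this procedure that is missing or disconnected.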
The syslog messages generated by the Botnet Traffic Filter fall in the ID ranges 338001 - 338004, 338101 - 338104, 338201 - 338204 and 338301 - 338310; they are described in the system log messages guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165
show dynamic-filter data
dynamic-filter database find <string>
show dynamic-filter reports top botnet-sites
show dynamic-filter reports top infected-hosts
show dynamic-filter reports top botnet-ports
clear dynamic-filter statistics
The dynamic filter statistics can be cleared at any time with this command. To clear the statistics for a certain interface use the optional interface nameif keyword for the command.
clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
This command will reset all statistics back to 0 and remove all entries from the reports.
clear dynamic-filter dns-snoop
This command deletes all of the entries from the DNS reverse cache (DNSRC).
Hello
How do I update the Botnet license to replace an expiring Botnet license?