26-13
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
For example, you receive the following syslog message:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798
(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination
209.165.202.129 resolved from dynamic list: bad.example.com
You can then perform one of the following actions:
• Create an access rule to deny traffic.
For example, using the syslog message above, you might want to deny traffic from the infected host
at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different
blacklisted addresses, you can create an ACL to deny all traffic from 10.1.1.45 until you resolve the
infection on the host computer.
For the following syslog messages, a reverse access rule can be automatically created from the Real
Time Log Viewer:
–
338001, 338002, 338003, 338004 (blacklist)
–
338201, 338202 (greylist)
See Chapter 41, “Configuring Logging,” in the general operations configuration guide and
Chapter 7, “Configuring Access Rules,” for more information about creating an access rule.
Note If you create a reverse access rule form a Botnet Traffic Filter syslog message, and you do
not have any other access rules applied to the interface, then you might inadvertently block
all traffic. Normally, without an access rule, all traffic from a high security to a low security
interface is allowed. But when you apply an access rule, all traffic is denied except traffic
that you explicitly permit. Because the reverse access rule is a deny rule, be sure to edit the
resulting access policy for the interface to permit other traffic.
ACLs block all future connections. To block the current connection, if it is still active, enter
the clear conn command. For example, to clear only the connection listed in the syslog
message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See
the command reference for more information.
• Shun the infected host.
Shunning blocks all connections from the host, so you should use an ACL if you want to block
connections to certain destination addresses and ports. To shun a host, enter the following command
in Tools > Command Line Interface. To drop the current connection as well as blocking all future
connections, enter the destination address, source port, destination port, and optional protocol.
shun src_ip [dst_ip src_port dest_port [protocol]]
For example, to block future connections from 10.1.1.45, and also drop the current connection to the
malware site in the syslog message, enter:
shun 10.1.1.45 209.165.202.129 6798 80
After you resolve the infection, be sure to remove the ACL or the shun. To remove the shun, enter no
shun src_ip.
Searching the Dynamic Database
If you want to check if a domain name or IP address is included in the dynamic database, you can search
the database for a string.