CHAPTER
59-1
Cisco ASA 5500 Series Configuration Guide using ASDM
59
Configuring the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database
of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious
activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by
adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think
should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still
generate syslog messages, but because you are only targeting blacklist syslog messages, they are
informational.
Note If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can
use the static blacklist alone if you can identify all the malware sites that you want to target.
This chapter describes how to configure the Botnet Traffic Filter and includes the following sections:
• Information About the Botnet Traffic Filter, page 59-1
• Licensing Requirements for the Botnet Traffic Filter, page 59-6
• Guidelines and Limitations, page 59-6
• Default Settings, page 59-7
• Configuring the Botnet Traffic Filter, page 59-7
• Monitoring the Botnet Traffic Filter, page 59-14
• Where to Go Next, page 59-16
• Feature History for the Botnet Traffic Filter, page 59-16
Information About the Botnet Traffic Filter
This section includes information about the Botnet Traffic Filter and includes the following topics:
• Botnet Traffic Filter Address Types, page 59-2
• Botnet Traffic Filter Actions for Known Addresses, page 59-2
• Botnet Traffic Filter Databases, page 59-2