Cisco Systems ASA 5510 Network Router User Manual


59-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 59 Configuring the Botnet Traffic Filter
Blocking Botnet Traffic Manually
If you choose not to block malware traffic automatically (see the “Enabling Traffic Classification and
Actions for the Botnet Traffic Filter” section on page 59-11), you can block traffic manually, either by
configuring an access rule that denies the traffic, or by entering the shun command in the Command Line
Interface tool to block all traffic to and from a host. For some syslog messages, ASDM can create the
access rule for you.
For example, you receive the following syslog message:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798
(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination
209.165.202.129 resolved from dynamic list: bad.example.com
You can then perform one of the following actions:
Create an access rule to deny traffic.
For example, using the syslog message above, you might want to deny traffic from the infected host
at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different
blacklisted addresses, you can create an access list to deny all traffic from 10.1.1.45 until you
resolve the infection on the host computer.
For the following syslog messages, a reverse access rule can be automatically created from the Real
Time Log Viewer:
338001, 338002, 338003, 338004 (blacklist)
338201, 338202 (greylist)
See Chapter 76, “Configuring Logging,” and Chapter 37, “Configuring Access Rules,” for more
information about creating an access rule.
Note If you create a reverse access rule from a Botnet Traffic Filter syslog message, and you do
not have any other access rules applied to the interface, you might inadvertently block
all traffic. Normally, without an access rule, all traffic from a high security to a low security
interface is allowed. But as soon as an access rule is applied to the interface, all traffic is denied except
traffic that you explicitly permit. Because the reverse access rule is a deny rule, be sure to edit the
resulting access policy for the interface to permit the other traffic you still want to allow.
Access lists block all future connections. To block the current connection, if it is still active,
enter the clear conn command. For example, to clear only the connection listed in the syslog
message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See
the command reference for more information.
Shun the infected host.
Shunning blocks all connections from the host, so use an access list instead if you only want to block
connections to certain destination addresses and ports. To shun a host, enter the following command
in Tools > Command Line Interface. To drop the current connection as well as block all future
connections, also enter the destination address, source port, destination port, and optionally the protocol.
shun src_ip [dst_ip src_port dest_port [protocol]]
For example, to block future connections from 10.1.1.45, and also drop the current connection to the
malware site in the syslog message, enter:
shun 10.1.1.45 209.165.202.129 6798 80
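A shun is kept only in the running state of the ASA: it is not written to the configuration, does not survive a reload, and can be listed with show shun and removed with no shun followed by the source address.

The two manual responses above (access rule plus clear conn, or shun) are easy to get wrong by hand: the ports in the shun command must be copied from the syslog message in the right order, and a new deny-only access list on an interface silently blocks everything else. The following Python script is an added example, not part of the Cisco guide, that parses the 338002 message shown above and generates the corresponding ASA commands. The regular expression is modeled only on the message format printed on this page; treating it as valid for the other blacklist and greylist message IDs is an assumption, as is the sample log line, which is constructed from the page's example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the Botnet Traffic Filter message from the guide,
# with the "%ASA-<severity>-" prefix the appliance prepends to syslog IDs.
SAMPLE_SYSLOG = (
    "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com"
)

# Message IDs for which the guide says ASDM can build a reverse access rule.
REVERSE_RULE_IDS = {"338001", "338002", "338003", "338004",  # blacklist
                    "338201", "338202"}                      # greylist

# Assumption: the other IDs above share the layout of the 338002 message
# shown in the guide (verb and list name may differ, the addressing does not).
_BOTNET_RE = re.compile(
    r"^%?ASA-\d-(?P<id>33[8]\d{3}): Dynamic Filter \w+ "
    r"(?:black|grey) ?listed (?P<proto>\S+) traffic from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([\d.]+/\d+\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\([\d.]+/\d+\), destination (?P<resolved_ip>[\d.]+) resolved from "
    r"\w+ list: (?P<domain>\S+)$"
)


@dataclass(frozen=True)
class BotnetEvent:
    msg_id: str
    proto: str        # "TCP", "UDP", ...
    src_if: str       # interface the infected host sits behind
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    domain: str       # name the destination resolved from


def parse_event(line: str) -> Optional[BotnetEvent]:
    """Return the flow described by a Botnet Traffic Filter message, or None."""
    m = _BOTNET_RE.match(line.strip())
    if not m or m.group("id") not in REVERSE_RULE_IDS:
        return None
    return BotnetEvent(m["id"], m["proto"], m["src_if"], m["src_ip"],
                       int(m["src_port"]), m["dst_if"], m["dst_ip"],
                       int(m["dst_port"]), m["domain"])


def clear_conn_cmd(ev: BotnetEvent) -> str:
    """Tear down the connection in the message; an ACL alone leaves it open."""
    return f"clear conn address {ev.src_ip} address {ev.dst_ip}"


def shun_cmd(ev: BotnetEvent, drop_current: bool = True) -> str:
    """shun src_ip [dst_ip src_port dest_port]; the 4-argument form also drops
    the live connection. Port order follows the syslog: source first."""
    if drop_current:
        return f"shun {ev.src_ip} {ev.dst_ip} {ev.src_port} {ev.dst_port}"
    return f"shun {ev.src_ip}"


def access_policy(ev: BotnetEvent, acl_name: str,
                  existing_acl: bool = False,
                  block_host_entirely: bool = False) -> List[str]:
    """ACL commands that deny the flow (or the whole host).

    existing_acl=True: acl_name is the ACL already applied to the source
    interface; the deny is inserted at line 1 so it precedes the permits.
    existing_acl=False: a new ACL is created and applied, and an explicit
    permit is appended so the ACL's implicit deny does not block all other
    traffic from the interface (the pitfall the guide's Note describes).
    """
    if block_host_entirely:
        deny = f"deny ip host {ev.src_ip} any"
    elif ev.proto.lower() in ("tcp", "udp"):
        deny = (f"deny {ev.proto.lower()} host {ev.src_ip} "
                f"host {ev.dst_ip} eq {ev.dst_port}")
    else:  # no port match for protocols without ports (e.g. ICMP)
        deny = f"deny ip host {ev.src_ip} host {ev.dst_ip}"
    if existing_acl:
        return [f"access-list {acl_name} line 1 extended {deny}"]
    return [f"access-list {acl_name} extended {deny}",
            f"access-list {acl_name} extended permit ip any any",
            f"access-group {acl_name} in interface {ev.src_if}"]


if __name__ == "__main__":
    ev = parse_event(SAMPLE_SYSLOG)
    assert ev is not None
    print("\n".join(access_policy(ev, "BOTNET_BLOCK")))
    print(clear_conn_cmd(ev))
    print(shun_cmd(ev))
```

Feed the script the raw syslog line and paste the printed commands into Tools > Command Line Interface; for a host with many blacklisted connections, call access_policy with block_host_entirely=True, and when the interface already has an access list, pass its name with existing_acl=True so that no second access-group replaces the existing policy.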