CHAPT ER
55-1
Cisco ASA 5500 Series Configuration Guide using the CLI
55
Configuring the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database
of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious
activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by
adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think
should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still
generate syslog messages, but because you are only targeting blacklist syslog messages, they are
informational.
Note If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can
use the static blacklist alone if you can identify all the malware sites that you want to target.
This chapter describes how to configure the Botnet Traffic Filter and includes the following sections:
Information About the Botnet Traffic Filter, page55-1
Licensing Requirements for the Botnet Traffic Filter, page55-6
Guidelines and Limitations, page55-6
Default Settings, page55-6
Configuring the Botnet Traffic Filter, page55-6
Monitoring the Botnet Traffic Filter, page55-17
Configuration Examples for the Botnet Traffic Filter, page55-19
Where to Go Next, page55-21
Feature History for the Botnet Traffic Filter, page55-22

Information About the Botnet Traffic Filter

This section includes information about the Botnet Traffic Filter and includes the following topics:
Botnet Traffic Filter Address Types, page55-2
Botnet Traffic Filter Actions for Known Addresses, page55-2