55-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter55 Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Databases, page55-2
How the Botnet Traffic Filter Works, page55-5
Botnet Traffic Filter Address Types
Addresses monitored by the Botnet Traffic Filter include:
Known malware addresses—These addresses are on the blacklist identified by the dynamic database
and the static blacklist.
Known allowed addresses—These addresses are on the whitelist. The whitelist is useful when an
address is blacklisted by the dynamic database and also identified by the static whitelist.
Ambiguous addresses—These addresses are associated with multiple domain names, but not all of
these domain names are on the blacklist. These addresses are on the greylist.
Unlisted addresses—These addresses are unknown, and not included on any list.
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure
it to block suspicious traffic automatically.
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and
greylist generate syslog messages differentiated by type. See the “Botnet Traffic Filter Syslog
Messaging” section on page55-17 for more information.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together,
or you can disable use of the dynamic database and use the static database alone. This section includes
the following topics:
Information About the Dynamic Database, page55-2
Information About the Static Database, page55-3
Information About the DNS Reverse Lookup Cache and DNS Host Cache, page55-4

Information About the Dynamic Database

The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update
server. This database lists thousands of known bad domain names and IP addresses.

How the ASA Uses the Dynamic Database

The ASA uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic
Filter adds the name and IP address to the DNS reverse lookup cache.
2. When the infected host starts a connection to the IP address of the malware site, then the ASA sends
a syslog message informing you of the suspicious activity and optionally drops the traffic if you
configured the ASA to do so.