55-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter55 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Examples
The following recommended configuration creates a class map for all UDP DNS traffic, enables DNS
inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map, and applies
it to the outside interface:
hostname(config)# class-map dynamic-filter_snoop_class
hostname(config-cmap)# match port udp eq domain
hostname(config-cmap)# policy-map dynamic-filter_snoop_policy
hostname(config-pmap)# class dynamic-filter_snoop_class
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
hostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
What to Do Next
See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page55-12 .
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and
destination IP address in each initial connection packet to the following:
Dynamic database IP addresses
Static database IP addresses
DNS reverse lookup cache (for dynamic database domain names)
DNS host cache (for static database domain names)
When an address matches, the ASA sends a syslog message. The only additional action currently
available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Step5 inspect dns [map_name]
dynamic-filter-snoop
Example:
hostname(config-pmap-c)# inspect dns
preset_dns_map dynamic-filter-snoop
Enables DNS inspection with Botnet Traffic Filter snooping. To
use the default DNS inspection policy map for the map_name,
specify preset_dns_map for the map name. See the “DNS
Inspection” section on page 43-1 for more information about
creating a DNS inspection policy map.
Step6 service-policy policymap_name interface
interface_name
Example:
hostname(config)# service-policy
dynamic-filter_snoop_policy interface
outside
Activates the policy map on an interface. The interface-specific
policy overrides the global policy. You can only apply one policy
map to each interface.
Command Purpose