Cisco Systems ASA5515K9, ASA 5500 Blocking Botnet Traffic Manually

55-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter55 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

Examples

The following recommended configuration monitors all traffic on the outside interface and drops all

traffic at a threat level of moderate or higher:

hostname(config)# dynamic-filter enable interface outside

hostname(config)# dynamic-filter drop blacklist interface outside

If you decide not to monitor all traffic, you can limit the traffic using an access list. The following

example monitors only port 80 traffic on the outside interface, and drops traffic threat level very-high

only:

hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80

hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl

hostname(config)# dynamic-filter drop blacklist interface outside threat-level eq

very-high

Blocking Botnet Traffic Manually

If you choose not to block malware traffic automatically (see the “Enabling Traffic Classification and

Actions for the Botnet Traffic Filter” section on page55-12), you can block traffic manually by

configuring an access list to deny traffic, or by using the shun command tool to block all traffic to and

from a host.

For example, you receive the following syslog message:

ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798

(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination

209.165.202.129 resolved from dynamic list: bad.example.com

You can then perform one of the following actions:

•Create an access list to deny traffic.

For example, using the syslog message above, you might want to deny traffic from the infected host

at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different

blacklisted addresses, you can create an access list to deny all traffic from 10.1.1.45 until you

resolve the infection on the host computer. For example, the following commands deny all traffic

from 10.1.1.5 to 209.165.202.129, but permits all other traffic on the inside interface:

hostname(config)# access-list BLOCK_OUT extended deny ip host 10.1.1.45 host

209.165.202.129

hostname(config)# access-list BLOCK_OUT extended permit ip any any

hostname(config)# access-group BLOCK_OUT in interface inside

Step4 (Optional)

dynamic-filter ambiguous-is-black

Example:

hostname(config)# dynamic-filter

ambiguous-is-black

If you configured the dynamic-filter drop blacklist command,

then this command treats greylisted traffic as blacklisted traffic

for dropping purposes. If you do not enable this command,

greylisted traffic will not be dropped. See the “Botnet Traffic

Filter Address Types” section on page55-2 for more information

about the greylist.

Command Purpose