55-16
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter55 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
See Chapter 15, “Adding an Extended Access List,” for more information about creating an access
list, and see Chapter 34, “Configuring Access Rules,” for information about applying the access list
to the interface.
Note Access lists block all future connections. To block the current connection, if it is still active,
enter the clear conn command. For example, to clear only the connection listed in the syslog
message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See
the command reference for more information.
Shun the infected host.
Shunning blocks all connections from the host, so you should use an access list if you want to block
connections to certain destination addresses and ports. To shun a host, enter the following command.
To drop the current connection as well as blocking all future connections, enter the destination
address, source port, destination port, and optional protocol.
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]]
For example, to block future connections from 10.1.1.45, and also drop the current connection to the
malware site in the syslog message, enter:
hostname(config)# shun 10.1.1.45 209.165.202.129 6798 80
See “Blocking Unwanted Connections” section on page57-2 for more information about shunning.
After you resolve the infection, be sure to remove the access list or the shun. To remove the shun, enter
no shun src_ip.
Searching the Dynamic Database
If you want to check if a domain name or IP address is included in the dynamic database, you can search
the database for a string.
Detailed Steps
Examples
The following example searches on the string “example.com”, and finds 1 match:
hostname# dynamic-filter database find bad.example.com
bad.example.com
Found 1 matches
The following example searches on the string “bad”, and finds more than 2 matches:
Command Purpose
dynamic-filter database find string
Example:
hostname# dynamic-filter database find
Searches the dynamic database for a domain name or IP address. The
string can be the complete domain name or IP address, or you can enter
part of the name or address, with a minimum search string of 3 characters.
If there are multiple matches, the first two matches are shown. To refine
your search for a more specific match, enter a longer string.
Note Regular expressions are not supported for the database search.