Cisco ASA Series Firewall CLI Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Examples
The following recommended configuration monitors all traffic on the outside interface and drops all
traffic at a threat level of moderate or higher:
ciscoasa(config)# dynamic-filter enable interface outside
ciscoasa(config)# dynamic-filter drop blacklist interface outside
If you decide not to monitor all traffic, you can limit the traffic using an ACL. The following example
monitors only port 80 traffic on the outside interface, and drops traffic threat level very-high only:
ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside threat-level eq very-high
Blocking Botnet Traffic Manually
If you choose not to block malware traffic automatically (see the “Enabling Traffic Classification and
Actions for the Botnet Traffic Filter” section on page 26-12), you can block traffic manually by
configuring an access rule to deny traffic, or by using the shun command to block all traffic to and
from a host.
For example, you receive the following syslog message:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798
(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination
209.165.202.129 resolved from dynamic list: bad.example.com
You can then perform one of the following actions:
Create an access rule to deny traffic.
For example, using the syslog message above, you might want to deny traffic from the infected host
at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different
blacklisted addresses, you can create an ACL to deny all traffic from 10.1.1.45 until you resolve the
infection on the host computer. For example, the following commands deny all traffic from 10.1.1.45
to 209.165.202.129, but permit all other traffic on the inside interface:
ciscoasa(config)# access-list BLOCK_OUT extended deny ip host 10.1.1.45 host 209.165.202.129
ciscoasa(config)# access-list BLOCK_OUT extended permit ip any any
ciscoasa(config)# access-group BLOCK_OUT in interface inside
See Chapter 19, “Adding an Extended Access Control List,” in the general operations configuration
guide for more information about creating an ACL, and see Chapter 6, “Configuring Access Rules,”
for information about applying the ACL to the interface.
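The manual procedure above starts from a Botnet Traffic Filter syslog message and ends with a deny ACL. The following script, added here as an illustration and not part of the Cisco guide, parses ASA-4-338002 messages of the shape shown above, groups the blacklisted destinations each inside host reached, and emits the same BLOCK_OUT ACL and access-group lines the guide uses. The ACL name, the inside interface, the host_threshold parameter (how many distinct blacklisted destinations trigger a deny of all traffic from the host), and the sample log lines other than the one quoted from the guide are assumptions made for this example; the alternative wording for the action and list words in the regex is likewise an assumption about sibling messages in the same family, since only the permitted/black listed form appears on the page.

```python
"""Turn ASA Botnet Traffic Filter syslog events into the manual deny ACL from the guide."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Pattern for the ASA-4-338002 message shape quoted in the guide. The alternatives for the
# action word and the list word are an assumption about sibling 3380xx messages; only the
# "permitted black listed" form is shown on the page.
BTF_RE = re.compile(
    r"ASA-\d-(?P<msgid>3380\d\d): Dynamic Filter (?P<action>\w+) "
    r"(?P<listed>black listed|grey listed|blacklisted|greylisted) (?P<proto>\w+) traffic from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \((?P<src_xlate>[^)]*)\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_xlate>[^)]*)\), "
    r"destination (?P<resolved_ip>[\d.]+) resolved from (?P<list_src>[\w ]+?) list: (?P<domain>\S+)"
)


@dataclass(frozen=True)
class BtfEvent:
    msgid: str
    action: str
    listed: str      # normalised to "blacklisted" or "greylisted"
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    domain: str


def parse_btf(line: str) -> BtfEvent | None:
    """Return the parsed event, or None for lines that are not Botnet Traffic Filter messages."""
    m = BTF_RE.search(line)
    if not m:
        return None
    return BtfEvent(m["msgid"], m["action"], m["listed"].replace(" ", ""),
                    m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"], m["domain"])


def build_block_acl(lines, acl_name="BLOCK_OUT", interface="inside", host_threshold=3):
    """Build the deny ACL the guide describes.

    One host-to-host deny per (infected host, blacklisted destination) pair; once a host has
    reached host_threshold or more distinct blacklisted destinations, deny all traffic from it
    instead (the "until you resolve the infection" case). Greylisted events are parsed but not
    blocked, matching the guide's default when ambiguous-is-black is not configured.
    """
    dests = defaultdict(set)   # infected inside host -> blacklisted destinations it reached
    for line in lines:
        ev = parse_btf(line)
        if ev and ev.listed == "blacklisted":
            dests[ev.src_ip].add(ev.dst_ip)
    cmds = []
    for host in sorted(dests):
        if len(dests[host]) >= host_threshold:
            cmds.append(f"access-list {acl_name} extended deny ip host {host} any")
        else:
            for dst in sorted(dests[host]):
                cmds.append(f"access-list {acl_name} extended deny ip host {host} host {dst}")
    # Trailing permit and interface binding exactly as in the guide's example.
    cmds.append(f"access-list {acl_name} extended permit ip any any")
    cmds.append(f"access-group {acl_name} in interface {interface}")
    return cmds


SAMPLE_SYSLOG = [
    # First line is the message quoted in the guide.
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 "
    "(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination "
    "209.165.202.129 resolved from dynamic list: bad.example.com",
    # Remaining lines are constructed for this example (same host again, then a second host).
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6801 "
    "(209.165.201.1/7891) to outside:209.165.202.130/443 (209.165.202.130/443), destination "
    "209.165.202.130 resolved from dynamic list: worse.example.com",
    "ASA-4-338002: Dynamic Filter permitted black listed UDP traffic from inside:10.1.1.46/5000 "
    "(209.165.201.1/7892) to outside:209.165.202.131/53 (209.165.202.131/53), destination "
    "209.165.202.131 resolved from dynamic list: bad.example.com",
    "Some unrelated syslog line that the parser must ignore",
]

if __name__ == "__main__":
    for cmd in build_block_acl(SAMPLE_SYSLOG):
        print(f"ciscoasa(config)# {cmd}")
```

Run as-is it prints the host-to-host deny lines for both sample hosts followed by the permit-any and access-group commands; lowering host_threshold to 2 collapses the first host's two entries into a single deny of all traffic from 10.1.1.45, which is the shape to use while the host is being cleaned. Lines are sorted so the generated ACL is deterministic and easy to diff against the running configuration.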
Step 4 (Optional)
Command: dynamic-filter ambiguous-is-black
Example:
ciscoasa(config)# dynamic-filter ambiguous-is-black
Purpose: If you configured the dynamic-filter drop blacklist command, then this command treats
greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command,
greylisted traffic will not be dropped. See the “Botnet Traffic Filter Address Types” section on
page 26-2 for more information about the greylist.