Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Searching the Dynamic Database

26-13

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter26 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

For example, you receive the following syslog message:

ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798

(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination

209.165.202.129 resolved from dynamic list: bad.example.com

You can then perform one of the following actions:

•Create an access rule to deny traffic.

For example, using the syslog message above, you might want to deny traffic from the infected host

at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different

blacklisted addresses, you can create an ACL to deny all traffic from 10.1.1.45 until you resolve the

infection on the host computer.

For the following syslog messages, a reverse access rule can be automatically created from the Real

Time Log Viewer:

–

338001, 338002, 338003, 338004 (blacklist)

–

338201, 338202 (greylist)

See Chapter 41, “Configuring Logging,” in the general operations configuration guide and

Chapter 7, “Configuring Access Rules,” for more information about creating an access rule.

Note If you create a reverse access rule form a Botnet Traffic Filter syslog message, and you do

not have any other access rules applied to the interface, then you might inadvertently block

all traffic. Normally, without an access rule, all traffic from a high security to a low security

interface is allowed. But when you apply an access rule, all traffic is denied except traffic

that you explicitly permit. Because the reverse access rule is a deny rule, be sure to edit the

resulting access policy for the interface to permit other traffic.

ACLs block all future connections. To block the current connection, if it is still active, enter

the clear conn command. For example, to clear only the connection listed in the syslog

message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See

the command reference for more information.

•Shun the infected host.

Shunning blocks all connections from the host, so you should use an ACL if you want to block

connections to certain destination addresses and ports. To shun a host, enter the following command

in Tools > Command Line Interface. To drop the current connection as well as blocking all future

connections, enter the destination address, source port, destination port, and optional protocol.

shun src_ip [dst_ip src_port dest_port [protocol]]

For example, to block future connections from 10.1.1.45, and also drop the current connection to the

malware site in the syslog message, enter:

shun 10.1.1.45 209.165.202.129 6798 80

After you resolve the infection, be sure to remove the ACL or the shun. To remove the shun, enter no

shun src_ip.

Searching the Dynamic Database

If you want to check if a domain name or IP address is included in the dynamic database, you can search

the database for a string.

Cisco Systems Searching the Dynamic Database