Cisco Systems ASA Services Module, ASA 5505, ASA 5545-X Botnet Traffic Filter Monitor Panes, 26-15

Command

Purpose

Home > Firewall Dashboard

Shows the Top Botnet Traffic Filter Hits, which shows reports of the top

10 malware sites, ports, and infected hosts. This report is a snapshot of the

data, and may not match the top 10 items since the statistics started to be

collected. If you right-click an IP address, you can invoke the whois tool

to learn more about the botnet site.

• Top Malware Sites—Shows top malware sites.

• Top Malware Ports—Shows top malware ports.

• Top Infected Hosts—Shows the top infected hosts.

Monitoring > Botnet Traffic Filter > Statistics

Shows how many connections were classified as whitelist, blacklist, and

greylist connections, and how many connections were dropped. (The

greylist includes addresses that are associated with multiple domain

names, but not all of these domain names are on the blacklist.) The Details

button shows how many packets at each threat level were classified or

dropped.

Monitoring > Botnet Traffic Filter > Real-time

Generates reports of the top 10 malware sites, ports, and infected hosts

Reports

monitored. The top 10 malware-sites report includes the number of

connections dropped, and the threat level and category of each site. This

report is a snapshot of the data, and may not match the top 10 items since

the statistics started to be collected.

If you right-click a site IP address, you can invoke the whois tool to learn

more about the malware site. Reports can be saved as a PDF file.

Monitoring > Botnet Traffic Filter > Infected

Generates reports about infected hosts. These reports contain detailed

Hosts

history about infected hosts, showing the correlation between infected

hosts, visited malware sites, and malware ports. The Maximum

Connections option shows the 20 infected hosts with the most number of

connections. The Latest Activity option shows the 20 hosts with the most

recent activity. The Highest Threat Level option shows the 20 hosts that

connected to the malware sites with the highest threat level. The Subnet

option shows up to 20 hosts within the specified subnet.

Reports can be saved as a PDF file, as either the Current View or the

Whole Buffer. The Whole Buffer option shows all buffered infected-hosts

information.

Monitoring > Botnet Traffic Filter > Updater

Shows information about the updater server, including the server IP

Client

address, the next time the ASA will connect with the server, and the

database version last installed.

Monitoring > Botnet Traffic Filter > DNS

Shows the Botnet Traffic Filter DNS snooping actual IP addresses and

Snooping

names. All inspected DNS data is included in this output, and not just

matching names in the blacklist. DNS data from static entries are not

included.