66-53
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
Monitoring Botnet Using the Security Manager Event Viewer, page 66-53
Monitoring Botnet Using the Security Manager Report Manager, page 66-55
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM), page 66-56
Mitigating Botnet Traffic, page 66-56
Understanding the Syslog Messages That Indicate Actionable Events
Botnet Traffic Filter events use syslog message numbers 338xxx. However, some messages are
informational and require no action on your part.
When viewing syslogs for botnet events, you should be most concerned with the following message numbers. For information on dealing with messages that indicate blacklisted or whitelisted traffic, see Mitigating Botnet Traffic, page 66-56. For detailed descriptions of syslog messages, see the Syslog Message document for your ASA software version at http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html.
338001 to 338004—Indicate blacklisted traffic that the ASA is logging, but the ASA is not stopping the traffic. These messages require immediate attention if you want to stop botnet activity that is in progress.
338005 to 338008—Indicate blacklisted traffic that the ASA is logging and dropping. This indicates that the traffic was covered by a drop rule. Thus, your network is being protected, although you still need to disinfect the victim computer.
338201, 338202—Indicate greylisted traffic that the ASA is logging but not dropping. These messages can indicate an active botnet connection that needs to be handled immediately.
338203, 338204—Indicate greylisted traffic that the ASA is logging and dropping. Your network is protected from this traffic. However, if the greylisted site is legitimate, the fact that the traffic is being dropped might be a problem that requires immediate attention. You can whitelist the greylisted address if you determine it is legitimate and redeploy the configuration, as described in Adding Entries to the Static Database, page 19-5.
338305 to 338307, 338310—The ASA could not download the dynamic filter database. Ensure that you configured DNS lookup on the device, and that there is a routable network path to the Cisco Intelligence Security Operations Center. You might need to contact Cisco Technical Support.
338309—The Botnet Traffic Filter license is not current, and you cannot download the dynamic database. Purchase and install the appropriate license. The Botnet Traffic Filter license is time-based, so you might have had a valid license that expired.
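The message-number ranges above can be turned into a small triage filter that runs over exported ASA syslog and flags only the actionable Botnet Traffic Filter events. The following is an added example, not code from this guide or from Cisco; the log lines are constructed samples with documentation addresses, the `%ASA-<severity>-<id>:` prefix is the only part parsed, and message id 338999 is a placeholder standing in for an informational 338xxx message.

```python
import re
# Parse only the '%ASA-<severity>-<message id>:' prefix; the free-text body
# differs between message ids and is not needed for triage.
ASA_PREFIX = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# (message ids, category, urgent?, action) from the descriptions on this page.
RULES = [
    (range(338001, 338005), "blacklisted, logged only", True,
     "ASA is not stopping this traffic: block it and disinfect the source host"),
    (range(338005, 338009), "blacklisted, dropped", False,
     "drop rule protected the network: disinfect the victim host"),
    (range(338201, 338203), "greylisted, logged only", True,
     "possible active botnet connection: handle immediately"),
    (range(338203, 338205), "greylisted, dropped", False,
     "verify the site; whitelist it and redeploy if it is legitimate"),
    ({338305, 338306, 338307, 338310}, "dynamic database download failed", False,
     "check DNS lookup and the route to Cisco; contact Cisco TAC if it persists"),
    ({338309}, "license not current", False,
     "purchase and install a current Botnet Traffic Filter license"),
]

def classify(msgid):
    """Return a triage record for a 338xxx id, or None for non-botnet messages."""
    if not 338000 <= msgid <= 338999:
        return None
    for ids, category, urgent, action in RULES:
        if msgid in ids:
            return {"id": msgid, "category": category, "urgent": urgent, "action": action}
    # Any other 338xxx id is informational and needs no action.
    return {"id": msgid, "category": "informational", "urgent": False, "action": "none"}

def triage(log_text):
    """Parse ASA syslog lines and return triage records for botnet messages only."""
    records = []
    for line in log_text.splitlines():
        m = ASA_PREFIX.match(line.strip())
        rec = classify(int(m.group("msgid"))) if m else None
        if rec:
            rec["body"] = m.group("body")
            records.append(rec)
    return records

# Constructed sample log (documentation addresses, abbreviated message bodies).
SAMPLE_LOG = """\
%ASA-6-338001: monitored blacklisted TCP traffic from inside:10.0.0.5/51234 to outside:203.0.113.9/80
%ASA-6-338202: monitored greylisted TCP traffic from inside:10.0.0.9/52000 to outside:198.51.100.4/443
%ASA-6-338204: dropped greylisted TCP traffic from inside:10.0.0.9/52001 to outside:198.51.100.4/443
%ASA-6-338309: Botnet Traffic Filter license is not current
%ASA-6-338999: placeholder for an informational 338xxx message
%ASA-6-302013: Built outbound TCP connection (not a Botnet Traffic Filter message)
"""
```

Feeding the sample through `triage()` yields five records, of which only 338001 and 338202 carry `urgent=True`; the 302013 line is ignored because it is not a 338xxx message.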
Monitoring Botnet Using the Security Manager Event Viewer
You can use the Event Viewer application to monitor syslog events generated by an ASA device. The
Event Viewer has a predefined view that shows just botnet events.
Botnet messages are in the informational to debug severity levels and are numbered 338xxx.
Tip This procedure assumes the Event Manager service is enabled. If it is not, enable it using the Tools > Security Manager Administration > Event Management page.
Step 1 Open Event Viewer, for example, by selecting Launch > Event Viewer in Configuration Manager.