66-56
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
If you want to generate the report on a regular basis, you can configure a schedule as described in
Configuring Report Schedules, page 67-28.
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)
The Adaptive Security Device Manager (ASDM) includes botnet reporting features. A read-only version
of ASDM is installed with the Security Manager client as a device manager, and you can start ASDM
from within Security Manager.
Tip You can also install the full ASDM application separately. However, any configuration changes that you
perform in ASDM are considered out-of-band changes by Security Manager and are overwritten the next
time you deploy configurations from Security Manager. If you ever find a need to make configuration
changes using ASDM, be sure to rediscover policies on the device in Security Manager so that Security
Manager’s view of the configuration is up-to-date.
Step 1 In Device view in Configuration Manager, select the ASA device.
Step 2 Select Launch > Device Manager to open an ASDM connection to the ASA. You are warned that you
cannot make configuration changes. Click Yes to continue.
Step 3 In ASDM, view Botnet Traffic Filter monitoring information in the following areas:
Home > Firewall Dashboard includes a Botnet Traffic Filter summary.
Monitoring > Botnet Traffic Filter > Reports includes charts on the top botnet sites, ports, and
infected hosts.
Monitoring > Logging > Log Buffer shows historical syslog messages.
Monitoring > Logging > Real-Time Log Viewer shows syslog messages as they are generated.
Tip You can also search the dynamic database on the Configure > Botnet Traffic Filter > Botnet
Database page. This page also allows you to manually start a database download or to purge the
dynamic database. These actions do not change the device’s configuration and do not require
policy rediscovery in Security Manager.
Mitigating Botnet Traffic
Botnet traffic mitigation is a two-step process:
1. Stop traffic from your network to the botnet control site.
2. Disinfect the victim computers.
The following procedure explains the process in more detail.
Step 1 You see syslog events that indicate that packets are traveling to or from an objectionable address,
typically message numbers 338001-338008 or 338201-338204. For detailed information about these
messages, see Understanding the Syslog Messages That Indicate Actionable Events, page 66-53.
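As an added example, not taken from the guide, the following Python parser picks out the actionable Botnet Traffic Filter syslog IDs named in Step 1 (338001-338008 monitored, 338201-338204 dropped) and turns them into the per-host worklist needed for the disinfection step. The field layout of the constructed sample lines is assumed to follow the general ASA syslog shape; only the message ID ranges come from the guide.

```python
import re
from collections import defaultdict

# Actionable Botnet Traffic Filter syslog IDs from the guide: monitored and dropped traffic.
MONITORED = range(338001, 338009)
DROPPED = range(338201, 338205)

MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
ENDPOINT = re.compile(r"\b(from|to) [\w-]+:(\d{1,3}(?:\.\d{1,3}){3})/\d+")
RESOLVED = re.compile(r"(?:source|destination) (\S+) resolved from dynamic list: (\S+?),")
THREAT = re.compile(r"threat-level: ([\w-]+)")

def parse_btf_event(line):
    """Return a dict for a Botnet Traffic Filter syslog line, or None for any other message."""
    m = MSG_ID.search(line)
    if not m:
        return None
    msg_id = int(m.group(1))
    action = "monitored" if msg_id in MONITORED else "dropped" if msg_id in DROPPED else None
    if action is None:
        return None
    ends = dict(ENDPOINT.findall(line))          # {"from": ip, "to": ip}
    res = RESOLVED.search(line)
    botnet_ip, botnet_name = res.groups() if res else (None, None)
    # The victim is whichever endpoint is NOT the address that resolved from the dynamic list.
    victim = ends.get("to") if ends.get("from") == botnet_ip else ends.get("from")
    t = THREAT.search(line)
    return {"id": msg_id, "action": action, "victim": victim, "botnet_ip": botnet_ip,
            "botnet_name": botnet_name, "threat_level": t.group(1) if t else None}

def victims_by_host(lines):
    """Group actionable events per internal host: the disinfection worklist for step 2."""
    hosts = defaultdict(lambda: {"events": 0, "dropped": 0, "sites": set()})
    for line in lines:
        ev = parse_btf_event(line)
        if ev is None or ev["victim"] is None:
            continue
        h = hosts[ev["victim"]]
        h["events"] += 1
        h["dropped"] += ev["action"] == "dropped"
        h["sites"].add(ev["botnet_name"] or ev["botnet_ip"])
    return dict(hosts)

SAMPLE_LOG = [  # constructed sample lines; the field layout is assumed, not quoted from the guide
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.45/6798 (10.1.1.45/6798) to outside:203.0.113.10/80 (203.0.113.10/80), destination 203.0.113.10 resolved from dynamic list: bad.example.net, threat-level: very-high, category: Malware",
    "%ASA-4-338202: Dynamic Filter dropped blacklisted UDP traffic from inside:10.1.1.45/40001 (10.1.1.45/40001) to outside:198.51.100.7/53 (198.51.100.7/53), destination 198.51.100.7 resolved from dynamic list: c2.example.org, threat-level: high, category: Bot",
    "%ASA-4-338201: Dynamic Filter dropped blacklisted TCP traffic from outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.77/51000 (10.1.1.77/51000), source 198.51.100.7 resolved from dynamic list: c2.example.org, threat-level: high, category: Bot",
    "%ASA-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:10.1.1.45/22 by access-group outside_in",
]
```

Running `victims_by_host(SAMPLE_LOG)` yields two hosts to clean (10.1.1.45 and 10.1.1.77) with the botnet sites each one contacted; the unrelated 106023 deny message is ignored.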