67-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 67 Managing Reports
Understanding the Predefined System Reports in Report Manager
• Top Destinations—This report ranks the session destinations of all built/deny firewall events
received by Security Manager. The report shows the destination IP address, the count of the number
of events for each address, and the percentage of the count compared to the sum of all counts in the
report.
• Top Sources—This report ranks the session sources of all built/deny firewall events received by
Security Manager. The report shows the source IP address, the count of the number of events for
each address, and the percentage of the count compared to the sum of all counts in the report.
• Top Services—This report ranks the destination services of all built/deny firewall events received
by Security Manager. TCP and UDP services include the port number. The report shows the service,
the count of the number of events for each service, and the percentage of the count compared to the
sum of all counts in the report.
The parameters that define the number of addresses or services to include in the report and the
reporting time period are set in the system defaults, as described in Configuring Default Settings for
Reports, page 67-24.
You can also edit the report settings and create custom versions of the reports. You can narrow the reports
to focus on specific sets of source or destination addresses or services, or on just permit or deny actions,
or limit the report to a subset of firewall devices, as described in the following topics:
• Editing Report Settings, page 67-21
• Creating Custom Reports, page 67-20
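The ranking and narrowing described above can be reproduced offline when cross-checking a report against exported events. The following is an added example, not Security Manager code: the `FwEvent` record layout, the `top_report` function and the sample events are constructed for illustration, and the percentage is computed against the rows shown, a literal reading of "the sum of all counts in the report".

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FwEvent:
    """Constructed record layout, not Security Manager's event schema."""
    device: str
    action: str   # "built" or "deny"
    src: str
    dst: str
    service: str  # TCP and UDP services include the port, e.g. "tcp/443"


# Constructed sample events using private and documentation address ranges.
EVENTS = (
    [FwEvent("asa-1", "built", "10.0.0.5", "203.0.113.10", "tcp/443")] * 5
    + [FwEvent("asa-1", "deny", "10.0.0.7", "198.51.100.20", "tcp/23")] * 3
    + [FwEvent("asa-2", "deny", "10.0.0.7", "198.51.100.20", "tcp/23")]
    + [FwEvent("asa-2", "built", "10.0.0.9", "192.0.2.53", "udp/53")] * 2
    + [FwEvent("asa-2", "deny", "10.0.0.9", "198.51.100.30", "tcp/445")]
)

FIELDS = {"destinations": "dst", "sources": "src", "services": "service"}


def top_report(events, kind, top_n=10, action=None, devices=None):
    """Return (value, count, percent) rows for a Top Destinations, Top Sources
    or Top Services style ranking, optionally narrowed by action or device."""
    field = FIELDS[kind]
    counts = Counter(
        getattr(e, field)
        for e in events
        if (action is None or e.action == action)
        and (devices is None or e.device in devices)
    )
    # Highest count first; ties broken by value so the output is deterministic.
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    # Assumption: the denominator is the sum of the counts shown in the report,
    # so percentages describe the listed rows, not all received events.
    shown = sum(count for _, count in rows)
    return [(value, count, round(100.0 * count / shown, 1)) for value, count in rows]


if __name__ == "__main__":
    for row in top_report(EVENTS, "destinations", top_n=2):
        print(row)                      # top 2 of 12 events
    for row in top_report(EVENTS, "sources", action="deny"):
        print(row)                      # deny-only custom view
```

Under that assumption, with `top_n=2` the first destination shows 55.6% although it accounts for 5 of the 12 sample events, so compare counts rather than percentages across reports that use different row limits.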
Understanding Firewall Summary Botnet Reports
Report Manager includes predefined system reports that you can use to analyze botnet traffic filtering.
The statistics are based on the botnet events collected by the Event Manager service (as displayed in
Event Viewer) for blacklisted and gray-listed sites.
For more information about botnet traffic filtering, see Chapter 19, “Managing Firewall Botnet Traffic Filter Rules”.
The following reports are available in the System Reports > FW > Summary Botnet folder.
• Top Infected Hosts—This report ranks the top infected hosts for traffic originating from infected
hosts to blacklisted or gray-listed sites based on all botnet events received by Security Manager. The
report shows the IP address of the infected host with the firewall interface name on which the event
was detected in parentheses, the count of the number of connections logged to blacklisted or
gray-listed sites for each address, the count of the number of connections that were blocked
(dropped) by botnet traffic filtering, and the percentage of the count compared to the sum of all
counts in the report.
• Top Malware Ports—This report ranks the top destination ports for traffic originating from infected
hosts to blacklisted or gray-listed sites based on all botnet events received by Security Manager. The
report shows the destination malware port, the count of the number of connections logged to
blacklisted or gray-listed sites for each port, the count of the number of connections that were
blocked (dropped) by botnet traffic filtering, and the percentage of the count compared to the sum
of all counts in the report.
• Top Malware Sites—This report ranks the top botnet sites (blacklisted or gray-listed sites) for all
inbound and outbound sessions based on all botnet events received by Security Manager. The report
shows the following information:
    - IP Address—The IP address that is indicated as the malicious host in botnet events, either on
      the blacklist or the gray list.