User Guide for Cisco Security Manager 4.4
OL-28826-01

Chapter 19
Managing Firewall Botnet Traffic Filter Rules
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity.

You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, they are informational. If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can use the static blacklist alone if you can identify all the malware sites that you want to target.
Related Topics
• Understanding Botnet Traffic Filtering, page 19-1
• Task Flow for Configuring the Botnet Traffic Filter, page 19-2
• Botnet Traffic Filter Rules Page, page 19-9

Understanding Botnet Traffic Filtering

Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
• Known malware addresses—These addresses are on the blacklist identified by the dynamic database and the static blacklist.
• Known allowed addresses—These addresses are on the whitelist. To be whitelisted, an address must be blacklisted by the dynamic database and also identified by the static whitelist.
• Ambiguous addresses—These addresses are associated with multiple domain names, but not all of these domain names are on the blacklist. These addresses are on the graylist.
• Unlisted addresses—These addresses are unknown, and not included on any list.
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure
it to block suspicious traffic automatically.
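The following Python sketch is an added example, not code from the Cisco guide or from Security Manager: it models how the four address categories above, the static blacklist and whitelist described earlier, and the log-or-block choice combine into one decision per connection. The database contents, field names, severity labels and the assumption that graylist hits are logged as informational are all constructed for illustration; only the rule that whitelisted hits are informational comes from the guide.

```python
from dataclasses import dataclass, field

@dataclass
class FilterState:
    # Constructed stand-in for the Cisco dynamic database: domain names seen
    # resolving to each IP, and which of those domains the database flags.
    resolutions: dict = field(default_factory=dict)      # {ip: {domain, ...}}
    dynamic_blacklist: set = field(default_factory=set)  # flagged domains
    static_blacklist: set = field(default_factory=set)   # addresses you add
    static_whitelist: set = field(default_factory=set)   # dynamic hits you trust
    drop_blacklisted: bool = False                       # optional auto-block

def classify(state, ip):
    """Map an address to one of the four categories the guide describes."""
    if ip in state.static_blacklist:
        return "blacklist"          # your own entries are always blacklisted
    domains = state.resolutions.get(ip, set())
    bad = domains & state.dynamic_blacklist
    if bad and (ip in state.static_whitelist or bad & state.static_whitelist):
        return "whitelist"          # only a dynamic-database hit can be whitelisted
    if bad and bad == domains:
        return "blacklist"          # every name resolving here is flagged
    if bad:
        return "graylist"           # some, but not all, of the names are flagged
    return "unlisted"

def evaluate(state, connections):
    """Run (src, dst) pairs through the filter and return syslog-style records.
    Severity labels are assumptions; the guide only says whitelist hits are informational."""
    records = []
    for src, dst in connections:
        category = classify(state, dst)
        if category == "unlisted":
            continue                # nothing to log for unknown addresses
        if category == "blacklist":
            action = "drop" if state.drop_blacklisted else "permit"
            records.append((src, dst, category, "warning", action))
        else:
            records.append((src, dst, category, "informational", "permit"))
    return records

# Constructed sample data: documentation-range addresses, no real indicators.
SAMPLE = FilterState(
    resolutions={"192.0.2.10": {"bad.example"}, "192.0.2.30": {"trusted.example"},
                 "192.0.2.20": {"shared.example", "cdn.example"}},
    dynamic_blacklist={"bad.example", "shared.example", "trusted.example"},
    static_blacklist={"192.0.2.40"},
    static_whitelist={"trusted.example"},
    drop_blacklisted=True,
)
```

Running `evaluate(SAMPLE, ...)` over a list of (source, destination) pairs shows the asymmetry the guide describes: the same destination is dropped or merely logged depending on which list produced the match.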