19-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and
graylist generate syslog messages differentiated by type.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together,
or you can disable use of the dynamic database and use the static database alone. This section includes
the following topics:
Information About the Dynamic Database
Information About the Static Database
Information About the Dynamic Database
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update
server. This database lists thousands of known bad domain names and IP addresses.
The security appliance uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic
Filter adds the name and the resolved IP address to the DNS reverse lookup cache.
2. When a host on the inside network then starts a connection to that IP address, the security
appliance sends a syslog message informing you of the suspicious activity.
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter
logs any traffic to that IP address without needing to inspect DNS traffic first.
Note To download the dynamic database, be sure to configure a DNS server for the security appliance so
that it can resolve the Cisco update server URL.
To use the domain names in the dynamic database, you need to enable DNS packet inspection with
Botnet Traffic Filter snooping; the security appliance looks inside the DNS packets for the domain name
and associated IP address.
Information About the Static Database
You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad in a
blacklist. You can also enter names or IP addresses in a whitelist. The whitelist takes precedence: names
or addresses that appear on both the whitelist and the dynamic blacklist are identified only as whitelist
addresses in syslog messages and reports.
To match static entries by domain name rather than by IP address, enable DNS packet inspection with
Botnet Traffic Filter snooping. With DNS snooping, when an infected host sends a DNS request for a
name in the static database, the security appliance looks inside the DNS reply for the domain name and
associated IP address and adds the name and IP address to the DNS reverse lookup cache.
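The following Python model, added here as an illustration and not part of Cisco Security Manager or the
ASA software, shows how the dynamic database, the static blacklist and whitelist, and the DNS reverse
lookup cache described above fit together: DNS snooping populates the cache only for names the filter
knows about, a later connection is classified by looking the destination up in the cache or directly by
address, whitelist wins over the dynamic blacklist, and unlisted destinations produce no syslog entry. The
class, method and field names and all domain names and addresses are constructed for the example.

```python
"""Toy model of Botnet Traffic Filter classification (illustrative, not ASA code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class BotnetTrafficFilter:
    # Dynamic database: names and, in some cases, bare IP addresses (constructed data).
    dynamic_names: Set[str]
    dynamic_ips: Set[str]
    # Static database: blacklist and whitelist, each holding names and host/subnet entries.
    static_blacklist_names: Set[str]
    static_blacklist_nets: List[ipaddress.IPv4Network]
    whitelist_names: Set[str]
    whitelist_nets: List[ipaddress.IPv4Network]
    # DNS reverse lookup cache (IP -> name) and the syslog messages emitted.
    reverse_cache: Dict[str, str] = field(default_factory=dict)
    syslog: List[str] = field(default_factory=list)

    def snoop_dns_reply(self, name: str, ip: str) -> bool:
        """DNS snooping: cache the name/IP pair only if the name is on a database."""
        known = (name in self.dynamic_names
                 or name in self.static_blacklist_names
                 or name in self.whitelist_names)
        if known:
            self.reverse_cache[ip] = name
        return known

    def classify(self, ip: str) -> Optional[str]:
        """Return 'whitelist', 'blacklist', or None for an unlisted destination."""
        addr = ipaddress.ip_address(ip)
        name = self.reverse_cache.get(ip)
        # Whitelist entries take precedence over every blacklist match.
        if name in self.whitelist_names or any(addr in n for n in self.whitelist_nets):
            return "whitelist"
        # Static blacklist: matched by snooped name or by host/subnet address.
        if name in self.static_blacklist_names or any(addr in n for n in self.static_blacklist_nets):
            return "blacklist"
        # Dynamic database: matched by snooped name or by an IP supplied directly.
        if name in self.dynamic_names or ip in self.dynamic_ips:
            return "blacklist"
        return None

    def connection(self, src: str, dst: str) -> Optional[str]:
        """Classify a new connection; unlisted destinations generate no syslog."""
        verdict = self.classify(dst)
        if verdict is not None:
            label = self.reverse_cache.get(dst, "address-only match")
            self.syslog.append(f"{verdict}: {src} -> {dst} ({label})")
        return verdict


def demo():
    """Run constructed DNS replies and connections through the model."""
    btf = BotnetTrafficFilter(
        dynamic_names={"malware.example.net", "cdn.example.org"},
        dynamic_ips={"203.0.113.9"},
        static_blacklist_names={"c2.example.com"},
        static_blacklist_nets=[ipaddress.ip_network("198.51.100.0/24")],
        whitelist_names={"cdn.example.org"},   # also on the dynamic blacklist
        whitelist_nets=[],
    )
    # Constructed DNS replies seen by the DNS inspection engine.
    btf.snoop_dns_reply("malware.example.net", "192.0.2.10")  # dynamic blacklist
    btf.snoop_dns_reply("cdn.example.org", "192.0.2.20")      # whitelist overrides dynamic
    btf.snoop_dns_reply("c2.example.com", "192.0.2.30")       # static blacklist name
    btf.snoop_dns_reply("www.example.com", "192.0.2.40")      # unlisted: not cached
    destinations = ["192.0.2.10", "192.0.2.20", "192.0.2.30",
                    "192.0.2.40", "203.0.113.9", "198.51.100.7"]
    verdicts = {dst: btf.connection("10.0.0.5", dst) for dst in destinations}
    return verdicts, btf.syslog


if __name__ == "__main__":
    verdicts, log = demo()
    for dst, verdict in verdicts.items():
        print(f"{dst}: {verdict or 'unlisted (no syslog)'}")
    print("\n".join(log))
```

The two address-only cases (203.0.113.9 from the dynamic database and 198.51.100.7 inside the static
subnet) are flagged without any DNS snooping, while 192.0.2.40 is never cached and therefore produces
no syslog, which is the behaviour the text describes for unlisted addresses.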
Related Topics
Task Flow for Configuring the Botnet Traffic Filter, page 19-2
Botnet Traffic Filter Rules Page, page 19-9
Task Flow for Configuring the Botnet Traffic Filter
To configure the Botnet Traffic Filter, follow these steps: