ASA Botnet Filter

kdietz (Level 1)

I have recently added the Botnet filter license to an ASA 5510. I'm needing assistance with viewing the config and being able to know that it is working. How can I test? Thanks

5 Replies

Here is a document that should get you started:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

If there are more questions after going through that doc, feel free to ask.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

johnlloyd_13 (Level 9)

Hi Kevin,

Here are some show commands from my firewall notes, and a useful link that I've bookmarked.

Usually the ASA will generate a syslog if a bad or infected machine is detected.

https://supportforums.cisco.com/docs/DOC-8782

Commands to Verify Botnet Traffic Filtering Operation

Function                 Command Syntax
Dynamic database status  ciscoasa# show dynamic-filter updater-client
Connections filtered     ciscoasa# show dynamic-filter statistics
List infected hosts      ciscoasa# show dynamic-filter reports infected-hosts
Top-n botnet activity    ciscoasa# show dynamic-filter reports top [infected-hosts | malware-ports | malware-sites]

Hi,

I have to enable the botnet filter as well for one of our customers. Is it possible to enable the botnet filter in monitoring mode only, i.e. without dropping any traffic or impacting the production environment?

Thanks

Hi,

The answer is no. The ASA will intercept DNS queries, match them against the configured blacklist sites in its database, and drop the traffic.

My filter was originally set to monitor mode, which wasn't dropping the malicious requests. Scenario: I have a DNS server that the filter is detecting as a malicious host making DNS requests. My question is, does this necessarily imply that the DNS server is infected, or is it another host on my network using this DNS server for name resolution?
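As an added example (not posted by anyone in this thread), the configuration below shows the two states kdietz refers to: the filter enabled on an interface so that it classifies and logs matching traffic (what the post calls "monitor mode"), and the separate command that makes the ASA actually drop blacklisted traffic. The interface name `outside`, the DNS server address and the use of the default `global_policy` are assumptions; the `show` commands at the end are the ones listed earlier in the thread plus `show dynamic-filter dns-snoop`, which is how a practitioner confirms the DNS snooping part is populating.

```cisco
! Added example, not from the original thread. Interface name and the
! DNS server address (203.0.113.53) are assumptions.

! The ASA must be able to resolve names to reach the Cisco updater.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53

! 1. Download the dynamic blacklist and use it for classification.
dynamic-filter updater-client enable
dynamic-filter use-database

! 2. Snoop DNS replies so the ASA can map destination IPs back to the
!    domain names on the blacklist. Here it is added to the existing
!    default global policy (assumed present).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

! 3a. "Monitor mode": classify traffic on the interface and log hits,
!     but do not drop anything.
dynamic-filter enable interface outside

! 3b. Enforcement: in addition to 3a, drop connections to or from
!     blacklisted addresses. Omit this single line to stay in monitor mode.
dynamic-filter drop blacklist interface outside

! Verification (privileged EXEC):
! show dynamic-filter updater-client   - is the database being fetched?
! show dynamic-filter dns-snoop        - is the reverse DNS cache filling?
! show dynamic-filter statistics       - are connections being classified/dropped?
! show dynamic-filter reports infected-hosts
```

Note that in step 3b the ASA only drops traffic whose destination or source IP it has already associated with a blacklisted name via the snooped DNS replies (or via a static blacklist entry), so a host that resolves names through an internal DNS server will appear in the reports as the DNS server's address when the server forwards the lookup, which is exactly the ambiguity kdietz's last question describes.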
