Cisco Support Community

New Member

Botnet in 5505 ASA v9.2 - Manual entered Blacklist is only Greylisted

Any help is appreciated. I know not a lot of people are running the botnet filter, but after using it on a trial basis I was hooked, so I would like to know if this is a bug or a setting where blacklisted traffic levels are defined.

 

I may have had this issue in other versions and not noticed it.

 

I have two issues, first is manually putting entries into my blacklist section for example:

dynamic-filter blacklist
   name www.sprint.com

They are only being greylisted, so when I test I am still able to get to the webpage, because I only block high to very-high traffic.

Looking at the monitor, it shows that the website was only greylisted, and my filter level was set to only block high and very-high threats.

Documentation says manual entries in the blacklist are considered Very High but my system only categorizes them as Greylist.

My current workaround is to go under

Botnet traffic filter

    Traffic Settings

       and select the checkbox for "Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic".

The problem is I may now get false positives.

My other question is can I set the ASA to display a page saying "Blocked by Botnet" or redirect traffic to my internal webserver so I can create that page? Merely blocking a page without definition can cause some frustration.

Can anyone else who has this take a peek to see if this is the same or did I jack one of my settings?

Here is some of my config:

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! Botnet Traffic Filter: pull the dynamic database and use it for lookups
dynamic-filter updater-client enable
dynamic-filter use-database
! classify traffic on all three interfaces
dynamic-filter enable interface inside 
dynamic-filter enable interface outside 
dynamic-filter enable interface dmz 
! drop only blacklisted traffic rated high or very-high on the outside interface
dynamic-filter drop blacklist interface outside threat-level range high very-high
! workaround described above: treat greylisted (ambiguous) traffic as blacklisted
dynamic-filter ambiguous-is-black
dynamic-filter whitelist
 name vc.dwwtc.com
 address 111.221.77.150 255.255.255.255
 address 157.55.177.46 255.255.255.255
 name centos.mirrors.hoobly.com
 address 66.160.172.98 255.255.255.98
 address 69.63.190.0 255.255.255.0
 address 205.244.201.221 255.255.255.255
! manual blacklist entry used for testing; ends up greylisted, not blacklisted
dynamic-filter blacklist
 name www.sprint.com

 

 

1 REPLY
Cisco Employee

Hello;

 

That is indeed a feature that we can consider. If you have a Cisco representative, I would strongly suggest you talk to him and request the feature. As of now there is no redirect page or block page for botnet.

 

In regards to the other query: if the site appears to be good in our database, but you categorize it as black, the site would turn out to be grey. The way to drop this would be applying "grey is always black", which is the option you have.

Mike.
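To make the interaction between the manual blacklist, the dynamic database and the "ambiguous-is-black" option concrete, here is a small model of the verdict logic as described in this thread. It is an illustration added for this page, not Cisco code: the precedence rules are assumptions drawn from the documentation claim in the question and Mike's explanation, and the host names other than www.sprint.com are constructed.

```python
"""Simplified model of the ASA Botnet Traffic Filter verdict described above.
Assumptions (not Cisco's implementation): whitelist wins; a manual blacklist
entry that the database rates 'good' becomes grey (per the reply); any other
manual blacklist entry is black/very-high (per the documentation quoted)."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["very-low", "low", "moderate", "high", "very-high"]


@dataclass
class Verdict:
    color: str             # "white", "black" or "grey"
    level: Optional[str]   # threat level consulted by the drop policy


def classify(name, db_reputation, whitelist, blacklist, ambiguous_is_black):
    """db_reputation: 'good', 'bad', 'ambiguous' or None (not in the database)."""
    if name in whitelist:
        return Verdict("white", None)
    if name in blacklist:
        if db_reputation == "good":
            verdict = Verdict("grey", None)          # conflict -> greylisted
        else:
            verdict = Verdict("black", "very-high")  # manual entry, per docs
    elif db_reputation == "bad":
        verdict = Verdict("black", "high")           # assumed level for a DB hit
    elif db_reputation == "ambiguous":
        verdict = Verdict("grey", None)              # database greylist
    else:
        return Verdict("white", None)
    if verdict.color == "grey" and ambiguous_is_black:
        verdict = Verdict("black", "very-high")      # dynamic-filter ambiguous-is-black
    return verdict


def dropped(verdict, low="high", high="very-high"):
    """dynamic-filter drop blacklist ... threat-level range <low> <high>."""
    if verdict.color != "black":
        return False
    return LEVELS.index(low) <= LEVELS.index(verdict.level) <= LEVELS.index(high)
```

Running www.sprint.com through the model with ambiguous_is_black=False reproduces the symptom (grey, not dropped); setting it True drops it, but also drops every database greylist hit, which is the false-positive trade-off the question raises.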

 
