Botnet in 5505 ASA v9.2 - Manual entered Blacklist is only Greylisted
Any help is appreciated. I know not a lot of people are running the botnet filter, but after using it on a trial basis I was hooked, so I would like to know if this is a bug or a setting where blacklisted traffic levels are defined.
I may have had this issue in other versions and not noticed it.
I have two issues, first is manually putting entries into my blacklist section for example:
dynamic-filter blacklist name www.sprint.com
Are only being Greylisted so when I test I am still able to get to the webpage because I only block high to very high traffic.
Looking at the monitor it shows that the website was only Greylisted, and my filter level was set to only block high and very high threats.
Documentation says manual entries in the blacklist are considered Very High but my system only categorizes them as Greylist.
My current workaround is to go under
Botnet traffic filter
and select the checkbox for "Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic".
The problem is I may now get false positives.
My other question is can I set the ASA to display a page saying "Blocked by Botnet" or redirect traffic to my internal webserver so I can create that page? Merely blocking a page without definition can cause some frustration.
Can anyone else who has this take a peek to see if this is the same or did I jack one of my settings?
That is indeed a feature that we can consider. If you have a Cisco representative, I would strongly suggest you talk to him and request the feature. By now there is no redirect page or block page for botnet.
In regards to the other query: if the site appears to be good in our database, but you categorize it as black, the site would turn out to be grey. The way to drop this would be applying "grey is always black", which is the option you have.
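As an added illustration (not configuration from either poster), here is a sanitized ASA 9.2 Botnet Traffic Filter fragment showing the drop threshold the original poster describes next to the "ambiguous is black" workaround the reply settles on, plus the show commands that reveal which list a connection was classified against. The interface name "outside", the policy-map name and the DNS inspection map name are assumptions.

```cisco
! --- Botnet Traffic Filter: manual blacklist plus threat-level drop ---
! Dynamic database download and use (required for greylist/blacklist lookups)
dynamic-filter updater-client enable
dynamic-filter use-database

! Name-based entries are matched through DNS snooping, so the DNS
! inspection in the global policy must have dynamic-filter-snoop enabled
! (policy-map and inspection-map names below are assumed).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

! Manual (static) blacklist entry from the thread
dynamic-filter blacklist
 name www.sprint.com

! Classify traffic on the edge interface and drop only high / very-high.
! This is the setting the poster runs: a destination the dynamic database
! rates as benign but which is manually blacklisted showed up as grey,
! so it falls below this range and is logged but not dropped.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside threat-level range high very-high

! Workaround from the reply: treat ambiguous (greylisted) traffic as black.
! Caveat: greylisted destinations from the dynamic database are now dropped
! too, so exempt known-good destinations explicitly before enabling it.
dynamic-filter whitelist
 name intranet.example.internal
dynamic-filter ambiguous-is-black

! Verification: confirm the classification the monitor reports.
! show dynamic-filter statistics          -> per-interface black/grey/white counters
! show dynamic-filter dns-snoop           -> snooped name-to-address mappings
! show dynamic-filter reports top malware-sites
! show dynamic-filter data                -> database and static-list status
```

After applying the workaround, re-run the test against the manually blacklisted name and check that the statistics counter moves from the greylist to the blacklist column before trusting it in production.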