Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
The ASA must be running at least version 8.2 code to configure the Botnet Traffic Filter feature.
ASA-5505# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
Blacklisted traffic is traffic to or from an IP address that is considered malicious. The IP address can be an address or network entry in the dynamic blacklist or in the administrator-configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.
ASA(config)# dynamic-filter blacklist
ASA(config-llist)# name www.crackhell.com
ASA(config-llist)# name www.megaport.hu
ASA(config-llist)# address 126.96.36.199 255.255.255.255
Final Configuration Section:
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 188.8.131.52
!
dynamic-filter updater-client enable
dynamic-filter use-database
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude
class-map botnet-DNS
 match port udp eq domain
!
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy botnet-policy interface outside
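The following is an added Python model, not code from the original page or from Cisco, of how the filter classifies a connection once the configuration above is in place: DNS replies for blacklisted names populate the DNS reverse cache (DNSRC), the classify-list ACL decides which flows are examined, and each endpoint is matched against the administrator blacklist and the DNSRC. The blacklist entries and the exclusion ACL mirror the page's configuration; the DNS replies and connections are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed model of the page's configuration (not ASA code): the
# administrator blacklist from 'dynamic-filter blacklist' and the
# classify-list ACL 'botnet-exclude' as (action, src, dst) entries.
BLACKLIST_DOMAINS = {"www.crackhell.com", "www.megaport.hu"}
BLACKLIST_NETS = [ipaddress.ip_network("126.96.36.199/32")]
CLASSIFY_LIST = [
    ("deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.168.0.0/16")),
    ("permit", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
]

def snoop_dns(replies: List[Tuple[str, str]], dnsrc: Dict[str, str]) -> Dict[str, str]:
    """Model of 'inspect dns dynamic-filter-snoop': for each (query name, answer IP)
    pair seen in a DNS reply, cache the IP in the DNS reverse cache (DNSRC) only
    when the queried name is on the blacklist."""
    for qname, answer_ip in replies:
        if qname.lower().rstrip(".") in BLACKLIST_DOMAINS:
            dnsrc[answer_ip] = qname
    return dnsrc

def classify(src: str, dst: str, dnsrc: Dict[str, str]) -> Tuple[str, str]:
    """Classify one connection the way the filter does on the outside interface:
    first the classify-list decides whether the flow is examined at all, then
    both endpoints are checked against the static blacklist and the DNSRC."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in CLASSIFY_LIST:
        if s in src_net and d in dst_net:
            if action == "deny":
                return ("not-classified", "excluded by classify-list botnet-exclude")
            break
    for peer in (src, dst):
        if any(ipaddress.ip_address(peer) in net for net in BLACKLIST_NETS):
            return ("blacklist", f"{peer} is an administrator blacklist address")
        if peer in dnsrc:
            return ("blacklist", f"{peer} resolved from blacklisted domain {dnsrc[peer]}")
    return ("none", "no match")

if __name__ == "__main__":
    # Constructed sample DNS replies and connections (documentation ranges).
    cache = snoop_dns([("www.crackhell.com", "203.0.113.10"),
                       ("example.org", "203.0.113.20")], {})
    for src, dst in [("10.1.1.5", "203.0.113.10"), ("10.1.1.5", "203.0.113.20"),
                     ("10.1.1.5", "126.96.36.199"), ("10.1.1.5", "192.168.5.5")]:
        print(src, "->", dst, classify(src, dst, cache))
```

Only connections that survive the classify-list are examined, so the exclusion ACL is checked before any blacklist lookup, which is why the 192.168.0.0/16 flow is never reported even though it would otherwise be logged.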
clear dynamic-filter statistics
The dynamic filter statistics can be cleared at any time with this command. To clear the statistics for a single interface, add the optional interface nameif keyword to the command.
clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
This command resets all report statistics back to 0 and removes all entries from the reports.
clear dynamic-filter dns-snoop
This command deletes all of the entries from the DNS reverse cache (DNSRC), the snooped IP addresses learned from DNS replies for blacklisted domains.