Cisco ASA 5505 Configuration Manual page 1091

Chapter 50
Configuring the Botnet Traffic Filter
(Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 50-13)

For example, to block future connections from 10.1.1.45, and also drop the current connection to the
malware site in the syslog message, enter:

    shun 10.1.1.45 209.165.202.129 6798 80

After you resolve the infection, be sure to remove the access list or the shun. To remove the shun, enter:

    no shun src_ip

Searching the Dynamic Database
If you want to check whether a domain name or IP address is included in the dynamic database, you can
search the database for a string.

Detailed Steps
Step 1  Go to the Search Dynamic Database area:
  - In Single mode or within a context, choose the Configuration > Firewall > Botnet Traffic Filter >
    Botnet Database Update pane.
  - In multiple context mode in the System execution space, choose the Configuration > Device
    Management > Botnet Database Update pane.
Step 2  In the Search string field, enter a string at least 3 characters in length, and click Find Now.
  The first two matches are shown. To refine your search for a more specific match, enter a longer string.
Step 3  To clear the displayed matches and the search string, click Clear, or just enter a new string and
  click Find Now to get a new display.

Monitoring the Botnet Traffic Filter
Whenever a known address is classified by the Botnet Traffic Filter, a syslog message is generated.
You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the
adaptive security appliance. This section includes the following topics:
  - Botnet Traffic Filter Syslog Messaging, page 50-13
  - Botnet Traffic Filter Monitor Panes, page 50-14

Botnet Traffic Filter Syslog Messaging
The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn. Messages differentiate
between incoming and outgoing connections, blacklist, whitelist, or greylist addresses, and many other
variables. (The greylist includes addresses that are associated with multiple domain names, but not all
of these domain names are on the blacklist.)
See the Cisco ASA 5500 Series System Log Messages for detailed information about syslog messages.
For the following syslog messages, a reverse access rule can be automatically created from the Real Time
Log Viewer:
  - 338001, 338002, 338003, 338004 (blacklist)
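As an added example that is not part of the guide, the following Python shows how a responder might parse the 338nnn Botnet Traffic Filter messages described above and derive the shun command (in the same form as the guide's example) and the matching no shun cleanup for each hit. The exact field layout of the messages and the sample log lines are assumptions constructed here, not copied from Cisco documentation; verify them against the System Log Messages guide for your release.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines. Their field layout follows the general shape
# of the 338nnn Botnet Traffic Filter messages as assumed here, not copied from
# the guide; check it against the System Log Messages guide before relying on it.
SAMPLE_LOGS = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/6798) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com, threat-level: very-high, category: Malware",
    "%ASA-4-338002: Dynamic Filter monitored blacklisted TCP traffic from "
    "outside:209.165.200.225/4433 (209.165.200.225/4433) to inside:10.1.1.7/22 "
    "(209.165.201.7/22), source 209.165.200.225 resolved from dynamic list: "
    "c2.example.net, threat-level: high, category: Botnet",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:10.9.9.9/80 ...",
]
# Pull the connection 4-tuple and the list hit out of a 338nnn message.
_BTF = re.compile(
    r"%ASA-\d-(?P<msgid>338\d{3}): .*?traffic from \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" .*? to \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) .*?(?:source|destination) "
    r"(?P<hit_ip>[\d.]+) resolved from (?P<list>\w+) list: (?P<domain>[^\s,]+),"
)
@dataclass
class BotnetEvent:
    msgid: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    blacklisted_ip: str  # the endpoint that matched the list
    domain: str          # the name that resolved to it
    list_name: str       # "dynamic" or "static"

    def shun_command(self) -> str:
        # Same form as the guide's example: shun src_ip dst_ip sport dport
        return f"shun {self.src_ip} {self.dst_ip} {self.src_port} {self.dst_port}"

    def unshun_command(self) -> str:
        # The cleanup step the guide asks for once the infection is resolved
        return f"no shun {self.src_ip}"

def parse_btf(line: str) -> Optional[BotnetEvent]:
    """Return the event for a 338nnn line, or None for any other message."""
    m = _BTF.search(line)
    if not m:
        return None
    return BotnetEvent(m["msgid"], m["src_ip"], int(m["src_port"]), m["dst_ip"],
                       int(m["dst_port"]), m["hit_ip"], m["domain"], m["list"])
```

For an incoming hit (338002, where the source address was the one resolved from the list) the shun's src_ip is the external blacklisted host rather than an internal one, so review the event before applying the generated command.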