Configuring the dynamic database – Cisco ASA 5505 User Manual


55-7

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

Enabling DNS Snooping, page 55-10

Adding Entries to the Static Database, page 55-9

Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 55-12

Blocking Botnet Traffic Manually, page 55-15

Searching the Dynamic Database, page 55-16

Task Flow for Configuring the Botnet Traffic Filter

To configure the Botnet Traffic Filter, perform the following steps:

Step 1 Enable use of the dynamic database. See the “Configuring the Dynamic Database” section on page 55-7.

This procedure enables database updates from the Cisco update server, and also enables use of the
downloaded dynamic database by the ASA. Being able to disallow use of the downloaded database is useful
in multiple context mode, because it lets you decide per context whether the database is used.

Step 2 (Optional) Add static entries to the database. See the “Adding Entries to the Static Database” section on page 55-9.

This procedure lets you augment the dynamic database with domain names or IP addresses that you want
to blacklist or whitelist. You might want to use the static database instead of the dynamic database if you
do not want to download the dynamic database over the Internet.

Step 3 Enable DNS snooping. See the “Enabling DNS Snooping” section on page 55-10.

This procedure enables inspection of DNS packets, compares the domain name with those in the
dynamic database or the static database (when a DNS server for the ASA is unavailable), and adds the
name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic
Filter when connections are made to the suspicious address.

Step 4 Enable traffic classification and actions for the Botnet Traffic Filter. See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 55-12.

This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address
in each initial connection packet to the IP addresses in the dynamic database, static database, DNS
reverse lookup cache, and DNS host cache, and sends a syslog message or drops any matching traffic.

Step 5 (Optional) Block traffic manually based on syslog message information. See the “Blocking Botnet Traffic Manually” section on page 55-15.

If you choose not to block malware traffic automatically, you can block traffic manually by configuring
an access list to deny traffic, or by using the shun command to block all traffic to and from a host.
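The five steps above carried through as one ASA CLI session. This is an added example, not configuration text from the guide: the interface names outside and inside, the access list name inside_in, the hostnames and the address 10.1.1.1 are assumptions chosen for illustration, and the class map, policy map and inspection map names follow the naming the Botnet Traffic Filter chapter uses elsewhere. Lines beginning with ! are comments and are ignored when pasted into the CLI.

```cisco
! Step 1: enable downloads from the Cisco update server and use of the
! downloaded dynamic database (both are off by default). In multiple
! context mode the updater-client command belongs in the system execution
! space and use-database is set separately in each context.
dynamic-filter updater-client enable
dynamic-filter use-database

! Step 2 (optional): static entries. Hostnames and the address below are
! assumptions. A name is resolved through the ASA's configured DNS server;
! if no DNS server is reachable, DNS snooping (Step 3) supplies the
! addresses seen in client lookups for that name.
dynamic-filter blacklist
 name bad-c2.example.net
 address 10.1.1.1 255.255.255.255
dynamic-filter whitelist
 name updates.example.com

! Step 3: DNS snooping. The dynamic-filter-snoop option on DNS inspection
! adds each resolved name/address pair to the DNS reverse lookup cache.
! Apply it where client DNS queries actually cross the ASA.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! Step 4: classify initial connection packets on the outside interface.
! The enable command alone only generates syslog messages; the drop
! command makes the ASA drop connections that match the blacklist.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

! Step 5 (optional, used when you did not configure automatic drops):
! block a host reported in the Botnet Traffic Filter syslog messages.
! shun removes existing connections and blocks new traffic to and from
! the host; the access list entry blocks new outbound connections from
! inside hosts to it.
shun 10.1.1.1
access-list inside_in extended deny ip any host 10.1.1.1
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

! Verification: database download state, snooped names, and hit counts.
show dynamic-filter updater-client
show dynamic-filter dns-snoop
show dynamic-filter statistics
```

Leave `dynamic-filter drop blacklist` out on a first deployment and run in syslog-only mode until the reports show no legitimate destinations being classified; whitelist entries cover any that are, and the drop command can be added afterwards.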

Configuring the Dynamic Database

This procedure enables database updates, and also enables use of the downloaded dynamic database by
the ASA. Being able to disable use of the downloaded database is useful in multiple context mode, because
it lets you decide per context whether the database is used.

By default, downloading and using the dynamic database is disabled.
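The per-context pattern described above, shown as an added example rather than text from the guide. The context names ctxA and ctxB are assumptions; the updater is enabled once in the system execution space and each context then opts in or out of the downloaded database.

```cisco
! System execution space: download the dynamic database once for the device.
dynamic-filter updater-client enable

! Context that classifies against the downloaded database
changeto context ctxA
dynamic-filter use-database

! Context that must not use the downloaded database (static entries only)
changeto context ctxB
no dynamic-filter use-database
```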
