Cisco ASA 5500 Series Configuration Guide using the CLI (page 55-15)

Chapter 55 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

Examples

The following recommended configuration monitors all traffic on the outside interface and drops all
traffic at a threat level of moderate or higher:

hostname(config)# dynamic-filter enable interface outside

hostname(config)# dynamic-filter drop blacklist interface outside

If you decide not to monitor all traffic, you can limit the monitored traffic using an access list. The following
example monitors only port 80 traffic on the outside interface, and drops only traffic at threat level very-high:

hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80

hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl

hostname(config)# dynamic-filter drop blacklist interface outside threat-level eq very-high

Blocking Botnet Traffic Manually

If you choose not to block malware traffic automatically (see the “Enabling Traffic Classification and
Actions for the Botnet Traffic Filter” section on page 55-12), you can block traffic manually by
configuring an access list to deny traffic, or by using the shun command to block all traffic to and
from a host.

For example, you receive the following syslog message:

ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com

You can then perform one of the following actions:

Create an access list to deny traffic.

For example, using the syslog message above, you might want to deny traffic from the infected host
at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different
blacklisted addresses, you can create an access list to deny all traffic from 10.1.1.45 until you
resolve the infection on the host computer. For example, the following commands deny all traffic
from 10.1.1.45 to 209.165.202.129, but permit all other traffic on the inside interface:

hostname(config)# access-list BLOCK_OUT extended deny ip host 10.1.1.45 host 209.165.202.129

hostname(config)# access-list BLOCK_OUT extended permit ip any any

hostname(config)# access-group BLOCK_OUT in interface inside
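The manual leaves the step from syslog message to access list to the administrator. The following script is an added example, not part of the Cisco guide, that parses ASA-4-338002 messages in the format shown above, counts how many distinct blacklisted destinations each inside host has contacted, and emits the corresponding BLOCK_OUT access-list lines: a host-to-host deny for a single destination, or a deny of all traffic from the host once it has reached several destinations (the manual's "many connections to different blacklisted addresses" case). The sample syslog lines are constructed (the first copies the manual's example, the rest are made-up variants), the regular expression is written only against that one message format, and the quarantine threshold, ACL name and interface name are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the manual's own example, lines 2-4 are made-up
# variants for the same and another inside host, line 5 is an unrelated message that
# the parser must skip.
SAMPLE_SYSLOG = """\
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6801 (209.165.201.1/7891) to outside:209.165.202.130/443 (209.165.202.130/443), destination 209.165.202.130 resolved from dynamic list: worse.example.com
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6802 (209.165.201.1/7892) to outside:209.165.202.131/80 (209.165.202.131/80), destination 209.165.202.131 resolved from dynamic list: evil.example.com
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.77/5120 (209.165.201.1/7893) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.45/6810 (209.165.201.1/7894)
"""

# Pattern for the ASA-4-338002 message exactly as the manual prints it. The
# action/list words are captured loosely; only the field layout is assumed.
EVENT_RE = re.compile(
    r"ASA-\d-338002: Dynamic Filter (?P<action>\w+) (?P<list>\w+) listed (?P<proto>\w+) traffic "
    r"from (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\), "
    r"(?:destination|source) (?P<resolved_ip>[\d.]+) resolved from (?P<list_kind>\w+) list: (?P<domain>\S+)"
)


@dataclass(frozen=True)
class BotnetEvent:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    dst_port: int
    proto: str
    domain: str
    action: str


def parse_event(line: str) -> Optional[BotnetEvent]:
    """Return the parsed event, or None when the line is not a 338002 message."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return BotnetEvent(
        src_if=m["src_if"], src_ip=m["src_ip"], dst_if=m["dst_if"], dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]), proto=m["proto"], domain=m["domain"], action=m["action"],
    )


def plan_blocks(lines: List[str], acl_name: str = "BLOCK_OUT",
                quarantine_after: int = 3) -> Dict[str, List[str]]:
    """Map each inside host to the deny lines it needs.

    A host seen talking to fewer than `quarantine_after` distinct blacklisted
    destinations gets one host-to-host deny per destination; at or above the
    threshold (an assumed cut-off) the host is denied all traffic, which is the
    manual's option for hosts with many blacklisted connections.
    """
    destinations = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            destinations[ev.src_ip].add(ev.dst_ip)
    plan: Dict[str, List[str]] = {}
    for src_ip, targets in destinations.items():
        if len(targets) >= quarantine_after:
            plan[src_ip] = [f"access-list {acl_name} extended deny ip host {src_ip} any"]
        else:
            plan[src_ip] = [f"access-list {acl_name} extended deny ip host {src_ip} host {d}"
                            for d in sorted(targets)]
    return plan


def render_config(plan: Dict[str, List[str]], acl_name: str = "BLOCK_OUT",
                  interface: str = "inside") -> List[str]:
    """Assemble the ACL in the order the manual uses: denies, then permit any,
    then bind the ACL inbound on the interface (interface name is assumed)."""
    cmds = [cmd for src_ip in sorted(plan) for cmd in plan[src_ip]]
    cmds.append(f"access-list {acl_name} extended permit ip any any")
    cmds.append(f"access-group {acl_name} in interface {interface}")
    return cmds


if __name__ == "__main__":
    for cmd in render_config(plan_blocks(SAMPLE_SYSLOG.splitlines())):
        print(f"hostname(config)# {cmd}")
```

Review the generated lines before applying them; the deny entries are added ahead of the permit, so the ACL order matches the manual's example, but the threshold for denying all traffic from a host is a policy decision, not something the ASA derives for you.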

Step 4 (Optional)

Command: dynamic-filter ambiguous-is-black

Example:

hostname(config)# dynamic-filter ambiguous-is-black

Purpose: If you configured the dynamic-filter drop blacklist command, then this command treats greylisted
traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic
will not be dropped. See the “Botnet Traffic Filter Address Types” section on page 55-2 for more information
about the greylist.
