Monitoring the botnet traffic filter, Botnet traffic filter syslog messaging, Botnet traffic filter commands – Cisco ASA 5505 User Manual


55-17

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Monitoring the Botnet Traffic Filter

hostname# dynamic-filter database find bad
bad.example.com
bad.example.net
Found more than 2 matches, enter a more specific string to find an exact match

Monitoring the Botnet Traffic Filter

Whenever the Botnet Traffic Filter classifies a known address, a syslog message is generated.
You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the
ASA. This section includes the following topics:

Botnet Traffic Filter Syslog Messaging, page 55-17

Botnet Traffic Filter Commands, page 55-17

Botnet Traffic Filter Syslog Messaging

The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn. Messages differentiate
between incoming and outgoing connections; blacklist, whitelist, or greylist addresses; and many other
variables. (The greylist includes addresses that are associated with multiple domain names, but not all
of these domain names are on the blacklist.)

See the syslog message guide for detailed information about syslog messages.

Botnet Traffic Filter Commands

To monitor the Botnet Traffic Filter, enter one of the following commands:

Command: show dynamic-filter statistics [interface name] [detail]

Purpose: Shows how many connections were classified as whitelist, blacklist, and greylist
connections, and how many connections were dropped. (The greylist includes addresses that are
associated with multiple domain names, but not all of these domain names are on the blacklist.)
The detail keyword shows how many packets at each threat level were classified or dropped.

To clear the statistics, enter the clear dynamic-filter statistics [interface name] command.

Command: show dynamic-filter reports top [malware-sites | malware-ports | infected-hosts]

Purpose: Generates reports of the top 10 malware sites, ports, and infected hosts monitored. The
top 10 malware-sites report includes the number of connections dropped, and the threat level and
category of each site. This report is a snapshot of the data, and may not match the top 10 items
since the statistics started to be collected.

To clear the report data, enter the clear dynamic-filter reports top command.
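As an added example that is not part of the Cisco guide, the following Python script reads ASA Botnet Traffic Filter syslog lines (message IDs 338nnn) from a collected log feed and tallies them by action and list type, the way show dynamic-filter statistics and the infected-hosts report do on the ASA itself. The sample lines are constructed, and their field wording is an assumption about the message format that should be verified against the syslog message guide.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the general shape of ASA Botnet Traffic
# Filter messages (IDs 338nnn). The field wording is an assumption; verify
# each message ID against the syslog message guide before relying on it.
SAMPLE_LOGS = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com, threat-level: very-high, category: Malware",
    "%ASA-4-338004: Dynamic Filter monitored greylisted TCP traffic from "
    "inside:10.1.1.46/5123 (209.165.201.1/7891) to outside:209.165.202.130/443 "
    "(209.165.202.130/443), destination 209.165.202.130 resolved from dynamic "
    "list: shared.example.net, threat-level: moderate, category: Malware",
    "%ASA-4-338201: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:10.1.1.45/6799 (209.165.201.1/7892) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com, threat-level: very-high, category: Malware",
    "%ASA-6-302013: Built outbound TCP connection 99 for outside:198.51.100.7/443",
]

BTF_RE = re.compile(
    r"%ASA-\d-(?P<msgid>338\d{3}): Dynamic Filter (?P<action>monitored|dropped) "
    r"(?P<list>blacklisted|greylisted|whitelisted) \S+ traffic from "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/\d+ \([^)]*\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/\d+ \([^)]*\)"
    r"(?:.*?list: (?P<domain>\S+),)?(?:.*?threat-level: (?P<threat>[\w-]+))?"
)

def parse_btf_event(line):
    """Return the fields of a 338nnn Botnet Traffic Filter line, else None."""
    m = BTF_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count events per (action, list), like 'show dynamic-filter statistics'."""
    counts = Counter()
    for ev in map(parse_btf_event, lines):
        if ev:
            counts[(ev["action"], ev["list"])] += 1
    return counts

def infected_hosts(lines, n=10):
    """Top-n internal sources that reached blacklisted addresses, similar to
    'show dynamic-filter reports top infected-hosts'."""
    hosts = Counter(ev["src"] for ev in map(parse_btf_event, lines)
                    if ev and ev["list"] == "blacklisted")
    return hosts.most_common(n)
```

Unlike the on-box report, which is a snapshot, a tally over the syslog archive covers the whole retention window, so it can be compared against the ASA's counters to spot lost log messages.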
