Understanding Botnet Traffic Filtering
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
- Known malware addresses—These addresses are on the block list identified by the dynamic database and the static block list.
- Known allowed addresses—These addresses are on the allowed list. To be allowed, an address must be blocked by the dynamic database and also identified by the static allowed list.
- Ambiguous addresses—These addresses are associated with multiple domain names, but not all of these domain names are on the block list. These addresses are on the graylist.
- Unlisted addresses—These addresses are unknown and not included on any list.
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure it to block suspicious traffic automatically.
Unlisted addresses do not generate any syslog messages; addresses on the block list, allowed list, and graylist generate syslog messages whose type indicates which list matched.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, or you can disable use of the dynamic database and use the static database alone. This section includes the following topics:
- Information About the Dynamic Database
- Information About the Static Database
Information About the Dynamic Database
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server. This database lists thousands of known bad domain names and IP addresses.
The security appliance uses the dynamic database as follows:
- When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache.
- When the infected host starts a connection to the IP address of the malware site, the security appliance sends a syslog message informing you of the suspicious activity.
- In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs any traffic to that IP address without having to inspect DNS requests.
Note: To use the database, be sure to configure a domain name server for the security appliance so that it can access the update URL. To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the security appliance looks inside the DNS packets for the domain name and associated IP address.
Information About the Static Database
You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a block list. You can also enter names or IP addresses in an allowed list, so that names or addresses that appear on both the allowed list and the dynamic block list are identified only as allowed list addresses in syslog messages and reports.
You can alternatively enable DNS packet inspection with Botnet Traffic Filter snooping for the static database as well. With DNS snooping, when an infected host sends a DNS request for a name in the static database, the security appliance looks inside the DNS reply for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.
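The address categories and the DNS reverse lookup cache described above, modelled as an added Python example that is not Cisco's code: it assumes the dynamic database and static lists are plain sets of names or IP strings, that DNS snooping caches every name seen resolving to an IP (so graylist ambiguity can be detected), and that the syslog line format is a constructed placeholder.

```python
from collections import defaultdict


class BotnetFilterSim:
    """Toy model of the Botnet Traffic Filter decision logic (constructed example)."""

    def __init__(self, dynamic_db, static_block, static_allow):
        # dynamic_db: names/IPs from the update server; static_*: admin-entered lists.
        self.dynamic_db = set(dynamic_db)
        self.static_block = set(static_block)
        self.static_allow = set(static_allow)
        # DNS reverse lookup cache: ip -> every domain name seen resolving to it.
        self.reverse_cache = defaultdict(set)

    def snoop_dns_reply(self, domain, ip):
        # DNS snooping: record which names an IP was handed out for.
        self.reverse_cache[ip].add(domain)

    def _listed(self, ip, lst):
        # An address is "on" a list if the IP itself or any cached name for it is.
        return ip in lst or any(n in lst for n in self.reverse_cache.get(ip, ()))

    def classify(self, ip):
        names = self.reverse_cache.get(ip, set())
        # Static allowed list overrides a dynamic-database block.
        if self._listed(ip, self.dynamic_db) and self._listed(ip, self.static_allow):
            return "allowed"
        # IP supplied directly in a block list: no DNS inspection needed.
        if ip in self.dynamic_db or ip in self.static_block:
            return "blocked"
        blocked_names = {n for n in names if n in self.dynamic_db or n in self.static_block}
        if not blocked_names:
            return "unlisted"
        # All cached names blocked -> block list; only some -> graylist (ambiguous).
        return "blocked" if blocked_names == names else "graylist"

    def connection_event(self, src, dst):
        """Return the syslog line a connection would produce, or None for unlisted."""
        verdict = self.classify(dst)
        if verdict == "unlisted":
            return None  # unlisted addresses never generate syslog messages
        names = sorted(self.reverse_cache.get(dst, ()))
        return f"BTF {verdict}: {src} -> {dst} names={names}"


if __name__ == "__main__":
    # Constructed sample: documentation-range IPs and example domain names.
    btf = BotnetFilterSim({"evil.example", "203.0.113.9"}, {"c2.test"}, {"evil.example"})
    btf.snoop_dns_reply("c2.test", "198.51.100.7")
    btf.snoop_dns_reply("benign.test", "198.51.100.7")
    print(btf.connection_event("10.0.0.5", "198.51.100.7"))
```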