User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
Tip Messages 338201-338204 are for greylisted traffic. You might want to first determine whether the greylisted traffic is truly objectionable before stopping the traffic.
Step 2 Stop the botnet traffic:

Messages 338005-338008 and 338203-338204 indicate that the ASA is already dropping the traffic for you. Traffic classification drop rules cover the blacklisted or greylisted addresses. See Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6.

Messages 338001-338004 and 338201-338202 indicate that the ASA is logging the event but not dropping the traffic. The first order of business is to stop this traffic.
You have these options for stopping the botnet traffic if the ASA is not already dropping it because of a drop rule:

(Preferred method.) Configure a drop rule for the botnet site and redeploy the configuration. See Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6.

(Second best method.) Log into the ASA using an SSH client, enter privileged EXEC mode, and use the shun command to prevent traffic to or from the botnet site. You can also issue this command through ASDM in a CLI window, but you cannot do it from Security Manager. The shun command does not create a permanent rule blocking traffic.

For example, if the botnet site is 10.1.14.14, and the internal infected computer is 10.100.10.10, issue the following commands. The first command blocks all incoming traffic from the botnet command center; the second blocks traffic from the infected computer just to the botnet site.

shun 10.1.14.14
shun 10.100.10.10 10.1.14.14
(Not recommended.) Although the shun command is preferred, you can also create a permanent rule in the interface’s access control list (ACL) that denies traffic to or from the botnet site. With the device selected in Security Manager, select Firewall > Access Rule, and create two rules: one that denies the botnet site as the source address, with any destination address; one that denies any source address with the botnet site as the destination address. For service, select IP so that all traffic is blocked. You must deploy the configuration for the rule to take effect.

Creating an access rule is not the preferred method because it creates a permanent rule, whereas botnet sites are transient. Using the Botnet Traffic Filter to dynamically block botnet traffic is a better fit for this type of network attack compared to traditional access rules.
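The message-ID ranges in Step 2 decide whether an event needs a response at all. The following Python script is an added example, not part of this guide or of Security Manager: it reads ASA syslog lines, sorts each Dynamic Filter event into the three buckets the step distinguishes (already dropped, greylisted and needing review, logged only and needing action), and for the last bucket lists the shun commands from the example above. The message text and the log lines are constructed approximations of ASA Dynamic Filter output; only the message IDs and the shun syntax come from the guide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message IDs as described in Step 2 of the guide.
LOGGED_ONLY = set(range(338001, 338005)) | {338201, 338202}  # ASA logs but does not drop
DROPPED = set(range(338005, 338009)) | {338203, 338204}      # ASA already drops
GREYLIST = set(range(338201, 338205))                        # greylisted: review first

# Assumed line layout (an approximation of the ASA Dynamic Filter message text,
# not quoted from the guide): message id, the flow endpoints, and which endpoint
# ("source" or "destination") matched the botnet list.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"%ASA-\d-(?P<id>33\d{4}):.*?"
    rf"from \S+:(?P<src>{IP})/\d+.*?"
    rf"to \S+:(?P<dst>{IP})/\d+.*?"
    rf"(?P<side>source|destination) (?P<site>{IP}) resolved"
)


@dataclass(frozen=True)
class BotnetEvent:
    msg_id: int
    src: str
    dst: str
    site: str       # address that matched the botnet list
    infected: str   # the other endpoint, i.e. the internal host
    dropped: bool
    greylisted: bool


def parse_event(line: str) -> Optional[BotnetEvent]:
    """Return a BotnetEvent for a Dynamic Filter line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    if msg_id not in LOGGED_ONLY and msg_id not in DROPPED:
        return None
    src, dst, site = m.group("src"), m.group("dst"), m.group("site")
    infected = dst if site == src else src
    return BotnetEvent(msg_id, src, dst, site, infected,
                       dropped=msg_id in DROPPED,
                       greylisted=msg_id in GREYLIST)


def triage(lines):
    """Bucket events as Step 2 does and list shun commands for logged-only flows."""
    result = {"already_dropped": [], "review_greylist": [],
              "needs_action": [], "shun_commands": []}
    shunned_sites, shunned_pairs = set(), set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.dropped:
            result["already_dropped"].append(ev)
        elif ev.greylisted:
            result["review_greylist"].append(ev)
        else:
            result["needs_action"].append(ev)
            # First command: block all traffic from the botnet site.
            if ev.site not in shunned_sites:
                shunned_sites.add(ev.site)
                result["shun_commands"].append(f"shun {ev.site}")
            # Second command: block the infected host's traffic to that site only.
            if (ev.infected, ev.site) not in shunned_pairs:
                shunned_pairs.add((ev.infected, ev.site))
                result["shun_commands"].append(f"shun {ev.infected} {ev.site}")
    return result


# Constructed sample lines (not real ASA output) covering each bucket plus a
# non-botnet connection message that must be ignored.
SAMPLE_LOG = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.100.10.10/49152 (10.100.10.10/49152) to outside:10.1.14.14/80 (10.1.14.14/80), destination 10.1.14.14 resolved from dynamic list: bad.example.invalid, threat-level: very-high, category: Malware",
    "%ASA-4-338002: Dynamic Filter monitored blacklisted TCP traffic from outside:10.1.14.14/80 (10.1.14.14/80) to inside:10.100.10.10/49152 (10.100.10.10/49152), source 10.1.14.14 resolved from dynamic list: bad.example.invalid, threat-level: very-high, category: Malware",
    "%ASA-4-338005: Dynamic Filter dropped blacklisted TCP traffic from inside:10.100.10.11/49153 (10.100.10.11/49153) to outside:10.1.14.15/443 (10.1.14.15/443), destination 10.1.14.15 resolved from dynamic list: worse.example.invalid, threat-level: very-high, category: Botnet",
    "%ASA-4-338201: Dynamic Filter monitored greylisted TCP traffic from inside:10.100.10.12/49154 (10.100.10.12/49154) to outside:10.1.14.16/80 (10.1.14.16/80), destination 10.1.14.16 resolved from dynamic list: grey.example.invalid, threat-level: moderate, category: Suspicious",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:10.1.14.14/80 (10.1.14.14/80) to inside:10.100.10.10/49152 (10.100.10.10/49152)",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket in ("already_dropped", "review_greylist", "needs_action"):
        print(f"{bucket}: {[ (e.msg_id, e.infected, e.site) for e in report[bucket] ]}")
    print("shun commands to issue:", report["shun_commands"])
```

Two lines for the same infected host and botnet site (one outbound, one inbound) produce the shun pair only once, which matters when the ASA logs a flow in both directions. The commands are printed rather than executed: as the guide notes, a shun is temporary, so the preferred follow-up is still a drop rule deployed from Security Manager.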
Step 3 Shut down network access for the infected computer. For example, find the switch port to which the computer is attached, and shut down the port using the switch’s CLI. There might also be wireless access for the computer, so completely shutting down network access might not be a simple task.
Step 4 Inform the owner of the victim computer that it is infected and dispatch IT personnel to disinfect the computer. Tools and techniques for disinfecting a computer are outside the scope of this document.