19-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Task Flow for Configuring the Botnet Traffic Filter
Step 1 Enable use of a DNS server.
This procedure enables the security appliance to use a DNS server. In multiple context mode, enable DNS
per context.
For more information, see DNS Page, page 51-13.
Step 2 Enable use of the dynamic database.
This procedure enables database updates from the Cisco update server, and also enables use of the
downloaded dynamic database by the security appliance. Disallowing use of the downloaded database is
useful in multiple context mode so you can configure use of the database on a per-context basis.
For more information, see Configuring the Dynamic Database, page 19-4.
Step 3 (Optional) Add static entries to the database.
This procedure lets you augment the dynamic database with domain names or IP addresses that you want
to blacklist or whitelist. You might want to use the static database instead of the dynamic database if you
do not want to download the dynamic database over the Internet.
For more information, see Adding Entries to the Static Database, page 19-5.
Step 4 Enable DNS snooping.
This procedure enables inspection of DNS packets, compares the domain name with those in the
dynamic database or the static database (when a DNS server for the security appliance is unavailable),
and adds the name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet
Traffic Filter logging function when connections are made to the suspicious address.
For more information, see Enabling DNS Snooping, page 19-6.
Step 5 Enable traffic classification and actions for the Botnet Traffic Filter.
This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address
in each initial connection packet to the IP addresses in the dynamic database, static database, DNS
reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic or drops
that traffic.
For more information, see Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6.
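The following Python model of Steps 2 through 5 is an added illustration written for this page; it is not Cisco code and does not reproduce the appliance's implementation. It assumes a simplified lookup order (static entries override the dynamic database, and a whitelist match beats a blacklist match) and uses constructed domain names and addresses. It shows how DNS snooping turns a listed name into a reverse-lookup cache entry, and how a later connection is then classified by address alone.

```python
"""Simplified model of the Botnet Traffic Filter pipeline (Steps 2-5).

Added example, not Cisco code. Match order and data layout are assumptions
made for this illustration; all names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the downloaded dynamic database (Step 2).
DYNAMIC_DB = {"blacklist": {"bad.example.com", "c2.example.net"}, "whitelist": set()}
# Constructed static entries supplied by the administrator (Step 3).
STATIC_DB = {"blacklist": {"198.51.100.77"}, "whitelist": {"update.example.org"}}


@dataclass
class BotnetFilter:
    use_dynamic: bool = True      # Step 2: whether the downloaded database may be used
    action_drop: bool = False     # Step 5: drop matching traffic instead of only logging it
    # Step 4: DNS reverse lookup cache, IP address -> domain name that resolved to it.
    reverse_cache: Dict[str, str] = field(default_factory=dict)

    def _lookup(self, entry: str) -> Optional[str]:
        """Return 'whitelist', 'blacklist' or None for a name or raw IP address.

        Assumed precedence: static entries are consulted before the dynamic
        database, and within each database the whitelist is checked first.
        """
        for kind in ("whitelist", "blacklist"):
            if entry in STATIC_DB[kind]:
                return kind
        if self.use_dynamic:
            for kind in ("whitelist", "blacklist"):
                if entry in DYNAMIC_DB[kind]:
                    return kind
        return None

    def snoop_dns(self, qname: str, answers: List[str]) -> bool:
        """Step 4: inspect a DNS reply; cache the answers only for listed names."""
        if self._lookup(qname) is None:
            return False
        for ip in answers:
            self.reverse_cache[ip] = qname
        return True

    def classify(self, src_ip: str, dst_ip: str) -> dict:
        """Step 5: check both addresses of an initial connection packet.

        Each address is matched directly (raw IP entries) and then through the
        reverse lookup cache. A whitelist hit on either side wins; otherwise a
        blacklist hit is logged or dropped according to the configured action.
        """
        hits = []
        for ip in (src_ip, dst_ip):
            verdict, name = self._lookup(ip), ip
            if verdict is None and ip in self.reverse_cache:
                name = self.reverse_cache[ip]
                verdict = self._lookup(name)
            if verdict is not None:
                hits.append((verdict, ip, name))
        for verdict, ip, name in hits:
            if verdict == "whitelist":
                return {"action": "allow", "reason": f"{ip} ({name}) is whitelisted"}
        for verdict, ip, name in hits:
            action = "drop" if self.action_drop else "monitor"
            return {"action": action, "reason": f"{ip} resolved to blacklisted {name}"}
        return {"action": "allow", "reason": "no match"}


if __name__ == "__main__":
    btf = BotnetFilter()
    btf.snoop_dns("bad.example.com", ["203.0.113.10"])   # constructed reply
    print(btf.classify("10.1.1.45", "203.0.113.10"))
```

Running the module prints a `monitor` verdict for the constructed client that connects to the address `bad.example.com` resolved to; constructing the filter with `action_drop=True` turns the same verdict into `drop`, and `use_dynamic=False` leaves the name unlisted, so the reply is never cached and the later connection passes unflagged, which is the per-context control that Step 2 describes.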
Step 6 Monitor and mitigate botnet activity.
After configuring the Botnet Traffic Filter on a device, the device will begin generating syslog messages
to notify you of botnet activity. You should verify the syslog configuration on the device so that messages
are appropriately logged and that notifications are sent as needed. As malicious traffic is identified, you
will need to perform necessary actions to stop such traffic and to clean any infected computers that are
generating the malicious traffic.
For more information, see the following references:
1. Chapter 52, “Configuring Logging Policies on Firewall Devices”
2. Monitoring and Mitigating Botnet Activity, page 66-52
3. Understanding Firewall Summary Botnet Reports, page 67-14
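As an added example of the monitoring side of Step 6 (not from this guide), the script below aggregates Botnet Traffic Filter events per internal host so an operator can see which machines need cleaning, how many of their connections were only monitored versus dropped, and which listed names they reached. The log lines are constructed in a syslog-like layout assumed for this example; the real appliance messages use their own message IDs and wording, so the regular expression must be adapted to the actual format before use.

```python
"""Per-host summary of Botnet Traffic Filter events from syslog lines.

Added example, not Cisco code. The message layout below is an assumption made
for this illustration; every host, address and name is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample messages: two monitored hosts, one dropped connection,
# and one unrelated line that the parser must ignore.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 fw1 BTF-MONITOR blacklisted TCP from inside:10.1.1.45/6798 "
    "to outside:203.0.113.10/443 resolved from dynamic list: bad.example.com threat-level: very-high",
    "Jan 10 10:01:09 fw1 BTF-MONITOR blacklisted UDP from inside:10.1.1.45/5123 "
    "to outside:203.0.113.11/53 resolved from dynamic list: c2.example.net threat-level: high",
    "Jan 10 10:02:31 fw1 BTF-DROP blacklisted TCP from inside:10.1.1.80/40022 "
    "to outside:198.51.100.77/8080 resolved from static list: 198.51.100.77 threat-level: very-high",
    "Jan 10 10:03:00 fw1 BTF-MONITOR blacklisted TCP from inside:10.1.1.45/6810 "
    "to outside:203.0.113.10/443 resolved from dynamic list: bad.example.com threat-level: very-high",
    "Jan 10 10:03:15 fw1 other-message: interface outside link is up",
]

# Assumed message layout; adjust the pattern to the real message catalogue.
LINE_RE = re.compile(
    r"BTF-(?P<action>MONITOR|DROP) blacklisted (?P<proto>\w+) "
    r"from (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ to (?P<dst_if>\w+):(?P<dst>[\d.]+)/\d+ "
    r"resolved from (?P<list>\w+) list: (?P<name>\S+) threat-level: (?P<level>[\w-]+)"
)
# Ordering used to keep the most severe level seen per host.
LEVEL_RANK = {"very-low": 1, "low": 2, "moderate": 3, "high": 4, "very-high": 5}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a Botnet Traffic Filter event, or None for other lines."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def summarize_by_host(lines: List[str]) -> Dict[str, dict]:
    """Group events by internal source address.

    For each host record the event count, how many were dropped, the set of
    listed names or addresses it contacted, and the highest threat level seen.
    """
    hosts: Dict[str, dict] = defaultdict(
        lambda: {"events": 0, "dropped": 0, "contacted": set(), "max_level": "very-low"}
    )
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        host = hosts[event["src"]]
        host["events"] += 1
        if event["action"] == "DROP":
            host["dropped"] += 1
        host["contacted"].add(event["name"])
        if LEVEL_RANK.get(event["level"], 0) > LEVEL_RANK[host["max_level"]]:
            host["max_level"] = event["level"]
    return dict(hosts)


def hosts_to_clean(summary: Dict[str, dict]) -> List[str]:
    """Hosts with any blacklist hit, most active first: the remediation worklist."""
    return sorted(summary, key=lambda h: (-summary[h]["events"], h))


if __name__ == "__main__":
    report = summarize_by_host(SAMPLE_LOGS)
    for host in hosts_to_clean(report):
        info = report[host]
        print(f"{host}: {info['events']} events, {info['dropped']} dropped, "
              f"max threat {info['max_level']}, contacted {sorted(info['contacted'])}")
```

Because a monitored (not dropped) event means the connection was allowed through, the summary distinguishes the two counts: a host with only monitored events has already reached the listed destination and needs cleanup regardless of the filter action.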