Managing Firewall Botnet Traffic Filter Rules

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity.

You can also supplement the Cisco dynamic database with blocked addresses of your choosing by adding them to a static block list; if the dynamic database includes blocked addresses that you think should not be blocked, you can manually enter them into a static allowed list. Addresses in the allowed list still generate syslog messages, but because you are only targeting blocked syslog messages, they are informational. If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can use the static block list alone if you can identify all the malware sites that you want to target.

This chapter covers the following sections:

Understanding Botnet Traffic Filtering

Botnet Traffic Filter Address Categories

Addresses monitored by the Botnet Traffic Filter include:

  • Known malware addresses—These addresses are on the blocked list identified by the dynamic database and the static block list.

  • Known allowed addresses—These addresses are on the allowed list. To be allowed, an address must be blocked by the dynamic database and also identified by the static allowed list.

  • Ambiguous addresses—These addresses are associated with multiple domain names, but not all of these domain names are on the block list. These addresses are on the graylist.

  • Unlisted addresses—These addresses are unknown, and not included on any list.

Botnet Traffic Filter Actions for Known Addresses

You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure it to block suspicious traffic automatically.

Unlisted addresses do not generate any syslog messages, but addresses on the block list, allowed list, and graylist generate syslog messages differentiated by type.

Botnet Traffic Filter Databases

The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, or you can disable use of the dynamic database and use the static database alone. This section includes the following topics:

  • Information About the Dynamic Database

  • Information About the Static Database

Information About the Dynamic Database

The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server. This database lists thousands of known bad domain names and IP addresses.

The security appliance uses the dynamic database as follows:

  1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache.

  2. When the infected host starts a connection to the IP address of the malware site, the security appliance sends a syslog message informing you of the suspicious activity.

  3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs any traffic to that IP address without having to inspect DNS requests.


Note
To use the database, be sure to configure a domain name server for the security appliance so that it can access the URL. To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the security appliance looks inside the DNS packets for the domain name and associated IP address.

Information About the Static Database

You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a block list. You can also enter names or IP addresses in an allowed list, so that names or addresses that appear on both the allowed list and the dynamic block list are identified only as allowed list addresses in syslog messages and reports.

You can alternatively enable DNS packet inspection with Botnet Traffic Filter snooping. With DNS snooping, when an infected host sends a DNS request for a name on the static database, the security appliance looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.

Related Topics

Task Flow for Configuring the Botnet Traffic Filter

To configure the Botnet Traffic Filter, follow these steps:

Procedure

Step 1

Enable use of a DNS server.

This procedure enables security appliance use of a DNS server. In multiple context mode, enable DNS per context.

For more information, see DNS Page

Step 2

Enable use of the dynamic database.

This procedure enables database updates from the Cisco update server, and also enables use of the downloaded dynamic database by the security appliance. Disallowing use of the downloaded database is useful in multiple context mode so you can configure use of the database on a per-context basis.

For more information, see Configuring the Dynamic Database

Step 3

(Optional) Add static entries to the database.

This procedure lets you augment the dynamic database with domain names or IP addresses that you want to block or allow. You might want to use the static database instead of the dynamic database if you do not want to download the dynamic database over the Internet.

For more information, see Adding Entries to the Static Database

Step 4

Enable DNS snooping.

This procedure enables inspection of DNS packets, compares the domain name with those in the dynamic database or the static database (when a DNS server for the security appliance is unavailable), and adds the name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter logging function when connections are made to the suspicious address.

For more information, see Enabling DNS Snooping

Step 5

Enable traffic classification and actions for the Botnet Traffic Filter.

This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic or drops that traffic.

For more information, see Enabling Traffic Classification and Actions for the Botnet Traffic Filter

Step 6

Monitor and Mitigate Botnet Activity.

After configuring the Botnet Traffic Filter on a device, the device will begin generating syslog messages to notify you of botnet activity. You should verify the syslog configuration on the device so that messages are appropriately logged and that notifications are sent as needed. As malicious traffic is identified, you will need to perform necessary actions to stop such traffic and to clean any infected computers that are generating the malicious traffic.

For more information, see the following references:

  1. Configuring Logging Policies on Firewall Devices

  2. Monitoring and Mitigating Botnet Activity

  3. Understanding Firewall Summary Botnet Reports

Configuring the Dynamic Database

This procedure enables database updates, and also enables use of the downloaded dynamic database by the security appliance.

In multiple context mode, you enable downloading of the dynamic database on the System context so that it is available to all security contexts. You can then decide, on a per-context basis, whether to enable use of the dynamic database or not.

By default, downloading and using the dynamic database is disabled.

Related Topics

Before You Begin

Enable security appliance use of a DNS server (see DNS Page). In multiple context mode, enable DNS per context.

Procedure

Step 1

Do one of the following:

  • (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.

  • (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.

Note

 
For devices in multiple context mode, you enable downloading of the dynamic database on the System context and enable use of the dynamic database on each security context, as needed.

This opens the Botnet Traffic Filter Rules Page.

Step 2

On the Dynamic Blocklist Configuration tab, select Enable Dynamic Blocklist From Server to enable downloading of the dynamic database.

Note

 
In multiple context mode, you enable downloading of the dynamic database on the System context.

This setting enables downloading of the dynamic database from the Cisco update server. If you do not have a database already installed on the security appliance, it downloads the database after approximately 2 minutes. The update server determines how often the security appliance polls the server for future updates, typically every hour.

Step 3

(Multiple context mode only) Click Save to save the changes to the System context. Then change to the context where you want to configure the Botnet Traffic Filter, select Firewall > Botnet Traffic Filter Rules for that context, and then proceed to Step 4.

Step 4

On the Dynamic Blocklist Configuration tab, select Use Dynamic Blocklist to enable use of the dynamic database.

Note

 
In multiple context mode, these settings are disabled on the System context.

Adding Entries to the Static Database

The static database lets you augment the dynamic database with domain names, IP addresses, or network addresses that you want to block or allow. For more information, see Understanding Botnet Traffic Filtering.

Related Topics

Before You Begin

  • Enable security appliance use of a DNS server (see DNS Page). In multiple context mode, enable DNS per context.

Procedure

Step 1

Do one of the following:

  • (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.

  • (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.

Note

 
For devices in multiple context mode, you configure the static database on the security context.
This opens the Botnet Traffic Filter Rules Page

Step 2

On the Permitlist / Blocklist tab, click the Add Rows button that corresponds with the type of entry you are adding (Permitlist or Blocklist).

This opens the Device Permitlist or Device Blocklist Dialog Box.

Step 3

In the Domain or IP Address field, enter one or more domain names, IP addresses, and IP address/netmasks. Enter multiple entries separated by commas or on separate lines. You can enter up to 1000 entries for each type.

Step 4

Click OK.

Enabling DNS Snooping

This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter logging function when connections are made to the suspicious address.

The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have Botnet Traffic Filter snooping enabled. We suggest that you enable Botnet Traffic Filter snooping only on interfaces where external DNS requests are going. Enabling Botnet Traffic Filter snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the security appliance.


Note
TCP DNS traffic is not supported.

Related Topics

Procedure

Step 1

You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See Managing Firewall Inspection Rules.

Step 2

While defining a new inspection rule or editing an existing inspection rule, select DNS as the protocol you want to inspect.

The Configure button to the right of the Selected Protocol field becomes active.

Step 3

Click Configure.

This opens the Configure DNS Dialog Box.

Step 4

To enable DNS snooping, select Enable Dynamic Filter Snooping.

Step 5

Click OK.

Enabling Traffic Classification and Actions for the Botnet Traffic Filter

This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic. The Botnet Traffic Filter can also drop the connection when matching traffic is encountered. For a particular interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the Botnet Traffic Filter.

The DNS snooping is enabled separately (see Enabling DNS Snooping). Typically, for maximum use of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.

What You Need To Know About Botnet Traffic Classification ACLs

When you configure the enable and drop rules, you have the option of specifying an extended ACL policy object to limit the traffic to which Botnet Traffic Filtering will be applied. If you do not specify an ACL object, filtering is done for all traffic: this is equivalent to specifying an ACL with the single rule permit IP any any.

If you want to specify an ACL so that filtering is performed on less than all traffic, keep the following in mind:

  • Permit rules identify the traffic that is subject to Botnet Traffic Filtering. In drop rules, permit entries identify the traffic that the ASA is allowed to drop.

  • Deny rules identify the traffic that should not be subject to filtering. The Botnet Traffic Filter ignores traffic that matches deny entries.

  • The ACL that you select for drop rules should be a subset of the ACL used in the enable rules for the interface. For traffic to be dropped, there must not only be a permit rule in the drop rule’s ACL, the traffic must also fall under a permit rule in the enable rule’s ACL. This is because the drop rule is not considered until traffic permitted in an enable rule has first been identified as blocked.

We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a severity of moderate and higher.

Related Topics

Procedure

Step 1

Do one of the following:

  • (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.

  • (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.

Note

 
For devices in multiple context mode, you configure traffic classification on the security context.

This opens the Botnet Traffic Filter Rules Page.

Step 2

To enable the Botnet Traffic Filter on specified traffic, follow these steps:

  1. On the Traffic Classification tab, click Add Row under the Enable Rules table.

    This opens the BTF Enable Rules Editor.

  2. In the Interfaces field, specify the interface or interfaces on which you want to enable the Botnet Traffic Filter. Normally, you want to enable the Internet-facing interface only. To select the interfaces or interface role objects using the Interfaces Selector, click Select (see Understanding Interface Role Objects).

    You can configure a global classification that applies to all interfaces by selecting the All Interfaces role object (selected by default). If you configure an interface-specific classification, the settings for that interface overrides the global setting.

  3. Do one of the following to identify the traffic that you want to monitor:

    • To monitor all traffic, leave the ACL field blank.

    • To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.

    Note

     
    You can specify only one enable rule per interface.

  4. Click OK.

    The BTF Enable Rules Editor closes and the rule is added to the Enable Rules table.

Step 3

To automatically drop malware traffic, follow these steps:

Note

 
You must enable the Botnet Traffic Filter for the traffic you want to automatically drop before creating a drop rule for that traffic.

  1. On the Traffic Classification tab, click Add Row under the Drop Rules table.

    This opens the BTF Drop Rules Editor.

  2. In the Interfaces field, specify the interface or interfaces on which you want to drop traffic. There must be a corresponding enable rule for the interface. To select the interfaces or interface role objects using the Interfaces Selector, click Select (see Understanding Interface Role Objects).

    You can configure a global classification that applies to all interfaces by selecting the All Interfaces role object (selected by default). If you configure an interface-specific classification, the settings for that interface overrides the global setting.

  3. Do one of the following to identify the traffic that you want to drop:

    • To monitor all traffic, leave the ACL field blank.

    • To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.

  4. In the Threat Level area, choose one of the following options to drop traffic specific threat levels. The default level is a range between Moderate and Very High.

    Note

     
    We highly recommend using the default setting unless you have strong reasons for changing the setting.

    • Value—Specify the threat level you want to drop.

    • Range—Specify a range of threat levels.

    Note

     
    Static block list entries are always designated with a Very High threat level.

  5. Click OK.

    The BTF Drop Rules Editor closes and the rule is added to the Drop Rules table.

Step 4

To add more rules, repeat steps 2 and 3, as required. When finished adding rules, click Save to save your changes.

Step 5

To treat graylisted traffic as block listed traffic for action purposes, on the Dynamic Blocklist Configuration tab, check the Treat Ambiguous traffic as Blocklist check box.

If you do not enable this option, graylisted traffic will not be dropped if you configure a drop rule for that traffic.

Botnet Traffic Filter Rules Page

You can use the Botnet Traffic Filter Rules page to define rules for identifying malicious traffic passing through your ASA security device.

The Botnet Traffic Filter Rules page is divided into three sections:

Navigation Path

To access the Botnet Traffic Filter Rules page, do one of the following:

  • (Device view) Select a device, then select Firewall > Botnet Traffic Filter Rules from the Policy selector.

  • (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.

  • (Map view) Right-click a device and select Edit Firewall Policies > Botnet Traffic Filter Rules.

Related Topics

Dynamic Blocklist Configuration Tab

Use the Dynamic Blocklist Configuration tab to enable database updates from the Cisco update server and to enable use of the downloaded dynamic database by the security appliance.

Navigation Path

From the Botnet Traffic Filter Rules Page, click the Dynamic Blocklist Configuration tab.

Related Topics

Field Reference

Table 1. Dynamic Blocklist Configuration Tab

Element

Description

Enable Dynamic Blocklist From Server

Enables downloading of the dynamic database from the Cisco update server. If you do not have a database already installed on the security appliance, it downloads the database after approximately 2 minutes. The update server determines how often the security appliance polls the server for future updates, typically every hour.

Note

 
If the device is in multiple context mode, configure this option on the System context for that device.

Use Dynamic Blocklist

Enables use of the dynamic database for the Botnet Traffic Filter.

Note

 
In multiple context mode, you configure use of the database on a per-context basis.

Treat Ambiguous traffic as Blocklist

When selected, graylisted traffic will be treated as block listed traffic for action purposes.

If you do not enable this option, graylisted traffic will not be dropped if you configure a drop rule for that traffic.

Traffic Classification Tab

Use the Traffic Classification tab to view or to configure the traffic classification definitions for a device or shared policy and to identify malicious traffic that you want automatically dropped. Traffic classification definitions (enable rules) consist of an interface or interface role with an associated ACL that identifies the traffic that is monitored by the Botnet Traffic Filter. You can configure settings for specific interfaces or for interface roles. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override any settings defined for an interface role.

For a particular interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the Botnet Traffic Filter.


Note
We highly recommend configuring Dynamic Filter Snooping for proper functioning of the Botnet Traffic Filter. When in Device view, Cisco Security Manager provides a link at the bottom of the Traffic Classification tab that will take you directly to the Inspection Rules page so that you can enable Dynamic Filter Snooping. For more information, see Enabling DNS Snooping.

The columns in the tables summarize the settings for an entry and are explained in BTF Enable Rules Editorand BTF Drop Rules Editor.

To configure traffic classification and actions:

  • Click the Add Row button to add an interface or interface role to the table, and fill in the BTF Enable Rules Editor or BTF Drop Rules Editor.

  • Select an entry and click the Edit Row button to edit an existing entry.

  • Select an entry and click the Delete Row button to delete it.

Navigation Path

From the Botnet Traffic Filter Rules Page, click the Traffic Classification tab.

Related Topics

BTF Enable Rules Editor

Use the BTF Enable Rules Editor to specify the interfaces on which you want to enable the Botnet Traffic Filter and to identify the traffic that you want to monitor. You can specify only one enable rule per interface.

Navigation Path

To access the BTF Enable Rules Editor, right-click inside the work area of the Enable Rules table on the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.

Related Topics
Field Reference
Table 2. BTF Enable Rules Editor

Element

Description

Interfaces

The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings.

Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects.

ACL

Specifies the access-list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic.

To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.

BTF Drop Rules Editor

Use the BTF Drop Rules Editor to identify malware traffic that you want to automatically drop. You can specify multiple drop rules per interface.

Navigation Path

To access the BTF Drop Rules Editor, right-click inside the work area of the Drop Rules table on the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.

Related Topics
Field Reference
Table 3. BTF Drop Rules Editor

Element

Description

Interfaces

The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings.

Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects.

ACL

Specifies the access-list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic.

To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.

Threat Level

The Threat Level fields identify the threat level of malicious traffic that you want dropped. The default level is a range between Moderate and Very High.

Note

 
We highly recommend using the default setting unless you have strong reasons for changing the setting.

  • Value—Specify the threat level you want to drop.

    • Very-low

    • Low

    • Moderate

    • High

    • Very-high

  • Range—Specify a range of threat levels.

Note

 
Static blocked list entries are always designated with a Very High threat level.

Permitlist/Blocklist Tab

Use the Permitlist/Blocklist tab to view or to configure the static database entries for a device or shared policy. The Device Blocklist contains domain names or IP addresses of malicious or undesirable sites. You can use the static block list to supplement the Cisco dynamic database, or you can use the static block list alone if you can identify all the malware sites that you want to target.

The Device Permitlist contains domain names or IP addresses of sites that are deemed to be acceptable. If the dynamic database includes blocked addresses that you think should not be blocked, you can manually enter them into a static allowed list. Static allowed list entries take precedence over entries in the static block list and the Cisco dynamic database. Addresses in the allowed list still generate syslog messages, but because you are only targeting blocked syslog messages, they are informational.

To configure the static database:


Timesaver
Select an entry and press F2 or double-click on an entry in the Device Permitlist or Device Blocklist to edit that entry in place.

  • Select an entry and click the Delete Row button to delete it.

Navigation Path

From the Botnet Traffic Filter Rules Page, click the Permitlist/Blocklist tab.

Related Topics

Device Permitlist or Device Blocklist Dialog Box

Use the Device Permitlist or Device Blocklist dialog box to manually define domain names or IP addresses that you want to add to the allowed lists (safe) or blocked lists (malicious). You can use the static block list to supplement the Cisco dynamic database or you can use the static block list alone if you can identify all the malware sites that you want to target. Names or addresses that appear on both the allowed list and the dynamic blocked list are identified only as allowed list addresses in syslog messages and reports.

Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either added to the allowed list or blocked list. You can also enter host IP addresses. Use a comma or new line to separate multiple entries.

Navigation Path

From the Permitlist/Blocklist Tab, click the Add Rows button beneath the Device Permitlist or Device Blocklist tables, or select an entry and click the Edit Row button.

Related Topics