ASA anti-botnet command reference

– ciscoasa (config)# dynamic-filter enable [interface <nameif_1>] [classify-list <acl_1>]
– ciscoasa (config)# dynamic-filter drop blacklist [interface <nameif_2>] [action-classify-list <acl_2>] [threat-level {eq <level> | range <min> <max>}]
Botnet Traffic Filter - statistics/reports
ciscoasa# show dynamic-filter reports top botnet-ports
Botnet ports
Port          Connections logged
------------------------------------------------------------
tcp 1000      617
tcp 2001      472
tcp 23        22
tcp 1001      19
udp 2000      17
udp 2001      17
tcp 8080      9
tcp 80        3
tcp >8192     2
Botnet Traffic Filter - statistics/reports
ciscoasa# show dynamic-filter statistics
Enabled on interface outside
  Total conns classified 2108, ingress 2108, egress 0
  Total whitelist hits 0, ingress 0, egress 0
  Total greylist hits 0, ingress 0, egress 0
  Total blacklist hits 11, ingress 11, egress 0
Enabled on interface inside
  Total conns classified 4908, ingress 4908, egress 0
  Total whitelist hits 3, ingress 3, egress 0
  Total greylist hits 0, ingress 0, egress 0
  Total blacklist hits 1179, ingress 1179, egress 0
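The per-interface counters above are what an operator would poll to spot a segment that is suddenly talking to blacklisted hosts. The following parser is an added example (not Cisco's code): it reads the layout of "show dynamic-filter statistics", builds a per-interface counter table, and flags interfaces whose blacklist-hit ratio exceeds a threshold; the 5% threshold and the sample text are constructed for illustration.

```python
import re

# Constructed sample, mirroring the "show dynamic-filter statistics" layout shown above.
SAMPLE = """\
Enabled on interface outside
 Total conns classified 2108, ingress 2108, egress 0
 Total whitelist hits 0, ingress 0, egress 0
 Total greylist hits 0, ingress 0, egress 0
 Total blacklist hits 11, ingress 11, egress 0
Enabled on interface inside
 Total conns classified 4908, ingress 4908, egress 0
 Total whitelist hits 3, ingress 3, egress 0
 Total greylist hits 0, ingress 0, egress 0
 Total blacklist hits 1179, ingress 1179, egress 0
"""

IFACE_RE = re.compile(r"^Enabled on interface (\S+)")
COUNTER_RE = re.compile(
    r"^Total (conns classified|whitelist hits|greylist hits|blacklist hits) "
    r"(\d+), ingress (\d+), egress (\d+)")


def parse_statistics(text):
    """Return {interface: {counter_name: {'total', 'ingress', 'egress'}}}."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace(" ", "_")  # e.g. "blacklist hits" -> "blacklist_hits"
            stats[current][name] = {"total": int(m.group(2)),
                                    "ingress": int(m.group(3)),
                                    "egress": int(m.group(4))}
    return stats


def blacklist_ratio(stats, iface):
    """Fraction of classified connections that hit the blacklist on one interface."""
    s = stats[iface]
    classified = s["conns_classified"]["total"]
    return s["blacklist_hits"]["total"] / classified if classified else 0.0


def flag_interfaces(stats, threshold=0.05):
    """Interfaces whose blacklist-hit ratio exceeds the (hypothetical) threshold."""
    return sorted(i for i in stats if blacklist_ratio(stats, i) > threshold)
```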
Botnet Traffic Filter - configuration (new)
– dynamic-filter drop blacklist [interface <nameif_2>] [action-classify-list <acl_2>] [threat-level {eq <level> | range <min> <max>}]
where <level>, <min> and <max> are one of the constant strings "low", "very-low", "moderate", "high" and "very-high". If threat-level is not configured, the default threat-level configuration "range moderate very-high" is used. Interface nameif_2 and traffic ACL acl_2 (or a superset of it) must already have been enabled with "dynamic-filter enable".
Botnet Traffic Filter - database-related CLI
– Use the dynamic-filter database fetch command to have the client connect to the updater server at https://update-manifests.ironport.com and download the latest database. This command does not save or use the downloaded database; it is for troubleshooting and for testing the updater client.
– Use the dynamic-filter database purge command to purge the database.
– Use the dynamic-filter database find command to search the database for a string. The string can be part of, or a complete, IP address or domain name. A minimum of 3 characters is enforced for the search; when there are multiple hits in the database, 2 hits are shown and the output indicates that more entries matched.
Botnet Traffic Filter - configuration example (continued)
! Add entries to local black and white lists
dynamic-filter blacklist
 name bad1.example.com
 name bad2.example.com
 address 10.1.1.1 255.255.255.0
dynamic-filter whitelist
 name good.example.com
 name great.example.com
 name awesome.example.com
 address 10.1.1.2 255.255.255.255
Botnet Traffic Filter - configuration
– [no] dynamic-filter updater-client enable
  Enable the updater client.
– [no] dynamic-filter use-database
  Allow the context to use the downloaded database.
– [no] dynamic-filter blacklist
  Enter the sub-mode used to configure domain names and IP addresses for a local blacklist.
– [no] dynamic-filter whitelist
  Enter the sub-mode used to configure domain names and IP addresses for a local whitelist.
– [no] name name | address ip-address mask
  Add entries to the local blacklist or whitelist (within the sub-mode above).
– [no] dynamic-filter enable [interface nameif] [classify-list access-list]
  Enable dynamic-filter classification globally or on an interface.
– [no] inspect dns [dns-map] [dynamic-filter-snoop]
  This option extends the existing DNS inspection configuration to provide DNS snooping.
– clear configure dynamic-filter
  Remove all dynamic-filter configuration.
Botnet Traffic Filter - configuration example
! Enable dynamic-filter updater-client and use the database downloaded from the update server
dynamic-filter updater-client enable
dynamic-filter use-database
! Apply dynamic-filter to non-port-80 traffic for all protocols
access-list dynamic-filter_acl extended deny tcp any any eq 80
access-list dynamic-filter_acl extended permit ip any any
! Enable dynamic-filter classification on the outside interface
dynamic-filter enable interface outside classify-list dynamic-filter_acl
! Enable dynamic DNS snooping on the outside interface
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
Botnet Traffic Filter - statistics/reports
ciscoasa# show dynamic-filter reports top botnet-sites
Botnet Sites
Site                                   Connections logged
------------------------------------------------------------
171.67.22.34 (www.stanford.edu)        11
208.50.79.82 (www.nbc.com)             8
209.131.36.158 (www.yahoo.com)         6
199.181.132.250 (www.abc.com)          2
66.232.224.2 (www.kohls.com)           2
209.200.37.249 (1-sexe.org)            1
74.125.19.147 (maps.google.com)        1
74.125.19.99 (maps.google.com)         1
207.46.8.121 (www.hotmail.com)         1
64.38.238.98 (www.slickdeals.net)      1