Cisco Systems ASA 5585-X Manual De Usuario

Addresses monitored by the Botnet Traffic Filter include:

Known malware addresses—These addresses are on the blacklist identified by the dynamic database 
and the static blacklist.

Known allowed addresses—These addresses are on the whitelist. The whitelist is useful when an 
address is blacklisted by the dynamic database and also identified by the static whitelist.

Ambiguous addresses—These addresses are associated with multiple domain names, but not all of 
these domain names are on the blacklist. These addresses are on the greylist.

Unlisted addresses—These addresses are unknown, and not included on any list.

You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure 
it to block suspicious traffic automatically.

Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and 
greylist generate syslog messages differentiated by type. See the 

 for more information.

The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, 
or you can disable use of the dynamic database and use the static database alone. This section includes 
the following topics:

The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update 
server. This database lists thousands of known bad domain names and IP addresses.

The ASA uses the dynamic database as follows:

When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic 
Filter adds the name and IP address to the DNS reverse lookup cache.