Cisco Web Security Appliance S190 User Guide
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Chapter 20 Detecting Rogue Traffic on Non-Standard Ports
List of Known Sites

Address / Description

Known allowed
  Any IP address or hostname listed in the Allow List property. These addresses appear in the log files as “whitelist” addresses.

Unlisted
  Any IP address that is neither a known malware site nor a known allowed address. Such addresses are not listed in the Allow List or Additional Suspected Malware Addresses properties, nor in the L4 Traffic Monitor Database. These addresses do not appear in the log files.

Ambiguous
  These appear in the log files as “greylist” addresses and include:
  – Any IP address that is associated with both an unlisted hostname and a known malware hostname.
  – Any IP address that is associated with both an unlisted hostname and a hostname from the Additional Suspected Malware Addresses property.

Known malware
  These appear in the log files as “blacklist” addresses and include:
  – Any IP address or hostname that the L4 Traffic Monitor Database determines to be a known malware site and that is not listed in the Allow List.
  – Any IP address that is listed in the Additional Suspected Malware Addresses property, is not listed in the Allow List, and is not ambiguous.

Configuring L4 Traffic Monitor Global Settings

Step 1 Choose Security Services > L4 Traffic Monitor.
Step 2 Click Edit Global Settings.
Step 3 Choose whether or not to enable the L4 Traffic Monitor.
Step 4 When you enable the L4 Traffic Monitor, choose which ports it should monitor:
  • All ports. Monitors all 65535 TCP ports for rogue activity.
  • All ports except proxy ports. Monitors all TCP ports except the following ports for rogue activity:
    – Ports configured in the “HTTP Ports to Proxy” property on the Security Services > Web Proxy page (usually port 80).
    – Ports configured in the “Transparent HTTPS Ports to Proxy” property on the Security Services > HTTPS Proxy page (usually port 443).
Step 5 Submit and Commit Changes.

Updating L4 Traffic Monitor Anti-Malware Rules

Step 1 Choose Security Services > L4 Traffic Monitor.
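The port selection of the global settings and the four address classes of the List of Known Sites, modelled as an added Python example. This is not Cisco's code and not the appliance's actual logic; the list contents, IP addresses, hostnames and function names are constructed assumptions.

```python
# Added example: a model of the L4 Traffic Monitor settings described above.
# The list contents, IPs, hostnames and function names are constructed
# assumptions; this is not Cisco's implementation.

ALLOW_LIST = {"updates.example.com", "203.0.113.10"}       # constructed Allow List
SUSPECTED_MALWARE = {"shady.example.net", "198.51.100.7"}  # constructed Additional Suspected Malware Addresses
L4TM_DATABASE = {"c2.example.org", "192.0.2.44"}           # constructed stand-in for the L4 Traffic Monitor Database


def monitored_ports(mode, http_proxy_ports=(80,), https_proxy_ports=(443,)):
    """TCP ports watched under the two global-setting choices (defaults are the usual proxy ports)."""
    all_ports = set(range(1, 65536))  # the 65535 TCP ports
    if mode == "all":
        return all_ports
    if mode == "all_except_proxy":
        return all_ports - set(http_proxy_ports) - set(https_proxy_ports)
    raise ValueError(f"unknown mode: {mode}")


def classify(ip, hostnames, allow=ALLOW_LIST, suspected=SUSPECTED_MALWARE, db=L4TM_DATABASE):
    """Return the log-file label for an IP and the hostnames that resolve to it:
    "whitelist", "greylist", "blacklist", or None for an unlisted address (not logged)."""
    names = set(hostnames)
    # Known allowed: the IP or any of its names is on the Allow List; this wins over everything.
    if ip in allow or names & allow:
        return "whitelist"
    flagged = db | suspected
    unlisted_names = names - flagged
    # Ambiguous: the IP is shared by an unlisted name and a known-malware or suspected name.
    if unlisted_names and names & flagged:
        return "greylist"
    # Known malware: database hit, or an Additional Suspected entry that is not ambiguous.
    if ip in db or names & db or ip in suspected or names & suspected:
        return "blacklist"
    return None  # Unlisted: neither flagged nor allowed, so it never appears in the logs


if __name__ == "__main__":
    print(len(monitored_ports("all_except_proxy")))                      # 65533
    print(classify("10.0.0.5", ["blog.example.com", "c2.example.org"]))  # greylist
```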