https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348923#M1064245 <P>Hello,</P> <P>&nbsp;</P> <P>If you are referring to 'top usage status', that setting is controlled by threat detection feature which can be played around by below:</P> <P>&nbsp;</P> <P>configuration &gt; firewall &gt; threat detection</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/intro-asdm.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/intro-asdm.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-</P> <P>HTH</P> <P>&nbsp;</P> <P>AJ</P> Thu, 15 Mar 2018 04:40:08 GMT Ajay Saini 2018-03-15T04:40:08Z https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3324404#M1064241 <P>Hello,</P> <P>&nbsp;</P> <P>This could be due to pure ignorance on my part, but I noticed odd behavior on one of the ASA's I manage.</P> <P>&nbsp;</P> <P>There were a couple clients&nbsp;showing as the source IP for a SYN Attack. Of course, I jumped to malware and scanned the heck out of one of the clients. In the meantime, I arrived onsite and jumped on my machine. While montoring, my device was flagged as a SYN Attack.</P> <P>&nbsp;</P> <P>After doing a little more digging, it looks like some legit traffic (Microsoft, Logmein, etc.) is being flagged. Is this simply because of the breakdown of the TCP handshake?</P> Fri, 21 Feb 2020 15:16:57 GMT https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3324404#M1064241 andysmithor 2020-02-21T15:16:57Z https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348213#M1064242 <P>Hello,</P> <P>&nbsp;</P> <P>It could be a false positive, depends on the feature which triggered these logs - was it threat-detection or MPF policy. If you are sure that its a false positive, you can tweak the policy to increase the values which are a criteria for syn attack on ASA.</P> <P>&nbsp;</P> <P>Where did you find the false syn attack , was it syslog or some other tool?</P> <P>&nbsp;</P> <P>-</P> <P>HTH</P> <P>AJ</P> Wed, 14 Mar 2018 08:51:19 GMT https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348213#M1064242 Ajay Saini 2018-03-14T08:51:19Z https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348333#M1064243 <P>Where exactly can IPS TCP Syn threshold can be changed?&nbsp;</P> <P>Can you share maybe the GUI menu or CLI command if the case?</P> <P>&nbsp;</P> <P>Thanks!&nbsp;</P> Wed, 14 Mar 2018 12:09:39 GMT https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348333#M1064243 Florin Barhala 2018-03-14T12:09:39Z https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348578#M1064244 <P>It's a view segment&nbsp;in the ADMIN GUI for the ASA. I check it out occasionally and they always seem to point to legit IP's. I think it's just dropped packets triggering the alert. No issues with the network because of this, just looking into it.</P> <P>&nbsp;</P> <P>Thanks for the reply.</P> Wed, 14 Mar 2018 16:01:45 GMT https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348578#M1064244 andysmithor 2018-03-14T16:01:45Z https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348923#M1064245 <P>Hello,</P> <P>&nbsp;</P> <P>If you are referring to 'top usage status', that setting is controlled by threat detection feature which can be played around by below:</P> <P>&nbsp;</P> <P>configuration &gt; firewall &gt; threat detection</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/intro-asdm.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/intro-asdm.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-</P> <P>HTH</P> <P>&nbsp;</P> <P>AJ</P> Thu, 15 Mar 2018 04:40:08 GMT https://community.cisco.com/t5/network-security/asa5506-x-showing-false-syn-attack/m-p/3348923#M1064245 Ajay Saini 2018-03-15T04:40:08Z