topic ASA threat-detection in Network Security

ASA threat-detection

S891 — Tue, 12 Mar 2019 06:06:44 GMT

Hi,

I am trying to understand ASA threat-detection feature but I have not been able to find much details.

How can I see what criteria is used by ASA to determine if a connection is threat? Any documentation detailing this !

hi try this commandsh run all

Ahmad Khalifa — Mon, 15 Jun 2015 19:21:34 GMT

hi try this command

sh run all threat detection

Hi,Actually , the drops on

Vibhor Amrodia — Tue, 16 Jun 2015 13:32:34 GMT

Hi,

Actually , the drops on which the ASA Threat detection works is the "show asp drop".

Based on these drops rate , it matches the default parameter and uses the threat detection to possibility block hosts.

Thanks and Regards,

Vibhor Amrodia

Hi ,Can you please clarify

S891 — Fri, 19 Jun 2015 07:18:06 GMT

Hi ,

Can you please clarify the criteria threat-detection uses to detect if it is a threat? For example, if it sees an IP address trying to connect to X number of hosts and makes Y number of attempts then it is considered a threat.

In short, how would I determine if a particular connection attempt may be considered a threat.

I have seen some legitimate connections attempts were considered as threat and the IP was shunned.

Hi,To explain this , ASA

Vibhor Amrodia — Fri, 19 Jun 2015 11:20:31 GMT

Hi,

To explain this , ASA device has a static value of each of these drops rate and it would remain the same in different networks some which has large amount of traffic and others not that much.

The rate might be high for some addresses but that can be legitimate.

I think to get rid of this , there would be two ways:-

1) use the Except command for the addresses which should never be blocked

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1563523

2) Run this command , show run all threat-detection and modify the rates as per your requirement which are seen the most in the logs.

Thanks and Regards,

Vibhor Amrodia

thanks Vibhor. Can you give

S891 — Fri, 19 Jun 2015 11:41:12 GMT

thanks Vibhor. Can you give an example for this? For example, how the below rate- interval would work and when would it block an IP in this case?

threat-detection rate scanning-threat rate-interval 500 average-rate 10 burst-rate 20

hii think you can not go

Ahmad Khalifa — Mon, 22 Jun 2015 22:14:08 GMT

i think you can not go below 600 rate-interval

Hi,These values can only be

Vibhor Amrodia — Tue, 23 Jun 2015 11:45:05 GMT

Hi,

These values can only be specified within a range and has to be set on a trial and error basis as the the network activity.

Thanks and Regards,

Vibhor Amrodia