https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712013#M535534 <HTML><HEAD></HEAD><BODY><P>Hi Emilio,</P><P></P><P>This can be fixed by using threat detection feature on ASA. Here's a link for your help:-</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6</A></P><P></P><P><STRONG>Note:&nbsp; </STRONG>If you do not want the drop rate exceed warning to appear, you can disable it by running the </P><P> <STRONG>no threat-detection basic-threat</STRONG> command.</P><P></P><P>Hope this helps,</P><P>Sian</P></BODY></HTML> Wed, 27 Jul 2011 10:20:58 GMT Parminder Sian 2011-07-27T10:20:58Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712012#M535533 <P>How to see the ip address of the attack host?</P><P></P><P>Show the logging</P><P></P><P>Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:11: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3113</P><P>Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:15: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 21589<SPAN id="mce_marker"> </SPAN></P><P>Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:11: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3113</P><P>Jul 19 09:43:15 10.239.67.1 Jul 19 2011 09:43:15: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 21589</P><P></P><P>Regards</P> Mon, 11 Mar 2019 21:00:51 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712012#M535533 emilioj.romero 2019-03-11T21:00:51Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712013#M535534 <HTML><HEAD></HEAD><BODY><P>Hi Emilio,</P><P></P><P>This can be fixed by using threat detection feature on ASA. Here's a link for your help:-</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6</A></P><P></P><P><STRONG>Note:&nbsp; </STRONG>If you do not want the drop rate exceed warning to appear, you can disable it by running the </P><P> <STRONG>no threat-detection basic-threat</STRONG> command.</P><P></P><P>Hope this helps,</P><P>Sian</P></BODY></HTML> Wed, 27 Jul 2011 10:20:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712013#M535534 Parminder Sian 2011-07-27T10:20:58Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712014#M535535 <HTML><HEAD></HEAD><BODY><P>Hi Parminder</P><P></P><P></P><P>How can I shun&nbsp; a host or a network?&nbsp; My ASA is under scanning attack now.&nbsp; Thanks.</P></BODY></HTML> Wed, 27 Jul 2011 14:57:32 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712014#M535535 tranquocphu 2011-07-27T14:57:32Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712015#M535536 <HTML><HEAD></HEAD><BODY><P>Just use the shun command</P><P></P><P>ciscoasa# shun ?</P><P></P><P></P><P>&nbsp; Hostname or A.B.C.D&nbsp; Specify source IP address of a mischievous host</P></BODY></HTML> Wed, 27 Jul 2011 15:14:12 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712015#M535536 lcaruso 2011-07-27T15:14:12Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712016#M535538 <HTML><HEAD></HEAD><BODY><P>Hi lcaruso</P><P></P><P>I use the shun command shun x.x.x.x&nbsp; x.x.x.x source port (need to specify a range of ports or shun all source ports)&nbsp;&nbsp; 80 0.</P><P></P><P></P><P>How can I shun all or a range of ports of the source port?&nbsp; Source ports are showing dynamically on ASA screen.&nbsp; Thanks.</P></BODY></HTML> Wed, 27 Jul 2011 15:29:00 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712016#M535538 tranquocphu 2011-07-27T15:29:00Z https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712017#M535540 <HTML><HEAD></HEAD><BODY><P>Hi Peter,</P><P></P><P>I am not sure i dunderstand your requirement well enough to be answering this. Are you looking at shunning a range of ports for a particular IP address on the ASA?</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Wed, 10 Aug 2011 21:04:13 GMT https://community.cisco.com/t5/network-security/cisco-asa-scanning-attack/m-p/1712017#M535540 praprama 2011-08-10T21:04:13Z