https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461063#M662839 <HTML><HEAD></HEAD><BODY><P>Please remove the exisiting configuration first, and configure the new threat detection rating.</P><P></P><P>To remove:</P><P>no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10</P><P></P><P>Then add your new configuration line.</P><P></P><P>Hope that helps.</P></BODY></HTML> Tue, 22 Jun 2010 03:09:40 GMT Jennifer Halim 2010-06-22T03:09:40Z https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461062#M662831 <P></P><P>Hello,</P><P></P><P>Someone on the IDS group suggested I post this here instead.&nbsp; Apologies if this has been covered before, I did a quick scan of forums here only found one relevant post, which didn't help in my case...</P><P></P><P>I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2).&nbsp; I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" rule:</P><P></P><P></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Average(eps)&nbsp;&nbsp;&nbsp; Current(eps) Trigger&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Total events</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; 10-min&nbsp; Scanning:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp; 338&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3673</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; 1-hour&nbsp; Scanning:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp; 32859&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 23525</SPAN></P><P></P><P></P><P>The default triggers are as follows:</P><P></P><P></P><P><SPAN style="font-family: 'courier new', courier;">threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8</SPAN></P><P></P><P></P><P>This results in a flood of log messages like so:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.</SPAN></P><P></P><P>I would like to increase the trigger values on these rules so that only unusual traffic will trip them.&nbsp; I believe the relevant CLI command for creating a new rule would be similar to:</P><P></P><P></P><P><SPAN style="font-family: 'courier new', courier;">threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 25</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"><BR /></SPAN></P><P></P><P>However, attempting to do so earns me an "ERROR: rate-interval 600 already exists."</P><P></P><P>I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web.&nbsp; To clarify, I am trying to alter an existing config value.</P><P></P><P>I do have a SmartNet contract and could call support, but thought I would check here first.&nbsp; I'd much appreciate any info or advice.</P><P></P><P>Thanks in advance!</P><P></P> Mon, 11 Mar 2019 18:01:55 GMT https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461062#M662831 dave.kinsley 2019-03-11T18:01:55Z https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461063#M662839 <HTML><HEAD></HEAD><BODY><P>Please remove the exisiting configuration first, and configure the new threat detection rating.</P><P></P><P>To remove:</P><P>no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10</P><P></P><P>Then add your new configuration line.</P><P></P><P>Hope that helps.</P></BODY></HTML> Tue, 22 Jun 2010 03:09:40 GMT https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461063#M662839 Jennifer Halim 2010-06-22T03:09:40Z https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461064#M662879 <HTML><HEAD></HEAD><BODY><P>CSCso51544&nbsp;&nbsp;&nbsp; ASA overwirtes default config when rate-interval is set to 600</P></BODY></HTML> Tue, 22 Jun 2010 07:25:52 GMT https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461064#M662879 abinjola 2010-06-22T07:25:52Z https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461065#M662944 <HTML><HEAD></HEAD><BODY><P>Thank you very much!&nbsp; The 'no' command is just what I was looking for...&nbsp; clearing the existing rule allows me to re-establish with updated thresholds.</P><P></P><P>Thanks also for the pointer to the CSC number; upgrading the firmware might be something I try as a longer term solution.</P><P></P><P>Cheers!</P></BODY></HTML> Tue, 22 Jun 2010 12:11:29 GMT https://community.cisco.com/t5/network-security/asa-5505-threat-detection-question/m-p/1461065#M662944 dave.kinsley 2010-06-22T12:11:29Z