topic Re: ASA 5505 IDS question in Network Security

ASA 5505 IDS question

dave.kinsley — Sun, 10 Mar 2019 12:02:03 GMT

Hello,

Apologies if this has been covered before, I did a quick scan of forums here but might have missed a relevant post. I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2). I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" IDS rule:

Average(eps) Current(eps) Trigger Total events

10-min Scanning: 6 6 338 3673

1-hour Scanning: 6 7 32859 23525

The default triggers are as follows:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

This results in a flood of log messages like so:

[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.

I would like to increase the trigger values on these rules so that only unusual traffic will trip them. I believe the relevant CLI command for creating a new rule would be similar to the config lines above (just altering the average-rate and burst-rate params to be higher), however attempted to do so earns me an "ERROR: rate-interval 600 already exists."

I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web. I do have a SMARTNet contract and could call support, but thought I would check here first. I'd much appreciate any info or advice.

Thanks in advance!

Re: ASA 5505 IDS question

Marcin Latosiewicz — Mon, 21 Jun 2010 20:01:45 GMT

Don,

I'm in a bit of a rush, so I will not go over everything right now.

BTW this should be in "firewalling" section rather then IDS 😉 This is thread-detection rather then ip audit - which is the IPS/IDS on ASA.

To see all triggers as configured do

show run all threat

Obviously if you will adjust a setting that is already configured it should not be accepted.

Marcin

Re: ASA 5505 IDS question

dave.kinsley — Mon, 21 Jun 2010 20:13:39 GMT

Thank you for your reply... I'll check the Firewall section now!

>Obviously if you will adjust a setting that is already configured it should not be accepted.

This doesn't seem obvious to me; this is exactly what I am trying to do, adjust an already configured setting. I'd imagine there is different syntax required to change such a setting, can't seem to find it (yet).

Re: ASA 5505 IDS question

Marcin Latosiewicz — Tue, 22 Jun 2010 06:51:42 GMT

Don,

Sorry for the confusion, as stated above I was in a bit of rush yesterday. 😉

What I meant is that apparently one of the values you're trying to set is already set... if time allows I will check this behavior in the lab today.

Marcin

Re: ASA 5505 IDS question

abinjola — Tue, 22 Jun 2010 07:17:12 GMT

This is not a IDS forum question, but anyways you are hitting CSCso51544 ..upgrade to a fixed version

Re: ASA 5505 IDS question

dave.kinsley — Tue, 22 Jun 2010 12:14:01 GMT

Thanks for the advice, I did receive a solution on the Firewall forum, as suggested above. For reference, the solution was:

To remove:

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

Then add your new configuration line.

The 'no' command is what I was missing, being unfamiliar with Cisco command line config. Thanks again!