I need a bit of guidance. I have an ASA 5505 with software 8.2. When I log in via ASDM it shows loads of scanning attacks and a few SYN attacks. I have enabled threat detection (basic and scanning), and I have also enabled ip audit (attack and info). I am a little concerned about the attacks. When I do show threat-detection statistics top tcp,
it shows a public IP, then a source IP which is my DMZ server IP address. This command shows the top ten servers under attack. Does this command show servers which are under attack, or servers which were attacked but the attack was thwarted? Also, I can no longer see CPU utilization and memory stats on ASDM; I see the error "signal 11 caught in process fiber unicorn admin handler". Can anyone advise how I can thwart these errors? I have enabled shun with scanning threat; it's just that seeing my DMZ server as the attacker is a little concerning. Many thanks.
Check for these logs:
%ASA-4-733104 and/or %ASA-4-733105
%ASA-4-733104 and %ASA-4-733105 lists the host targeted by the attack that is currently being protected by TCP intercept.
Also, what version of ASDM are you running on your unit?
In case you are not using the latest version, can you try to use it?
Thanks jocamare. Today was my first day with the firewall, and the company doesn't have syslog enabled (no server configured). I am using ASDM 6.2. It is still coming up as "connection lost" for the visual stats of CPU and memory, and attacks are showing. It is also generating the log "resource asdm limit 5 reached"; not sure if the basic IPS attack and info config caused it, but I highly doubt it. I can also see from the command line a lot of free memory and 10 percent CPU utilization. Plus, when I do show threat-detection scanning-threat, it shows me the target as a public IP address belonging to the service provider which provides us a different MPLS network, and the source as the server for the default gateway in the DMZ, which is the default gateway for guest wireless on the DMZ.
I want to know what thwarts the attacks (scanning and SYN) shown by the DMZ ASDM. I have two interfaces with public IPs, one outside and one DMZ. Shall I apply the settings below to the DMZ too, as all the attacks are coming from there?
basic threat detection
advanced threat detection
scanning threat with shun host configured
IPS with attack and info signatures configured, reset option selected, and applied to the outside interface
Wow, I had a tough time trying to understand that reply.
This is what I got.
----There is no syslog server configured
You can check the logs locally on the ASA, they should appear in there.
---You are using ASDM 6.2
Update it to the latest version.
----You are getting this log: resource asdm limit 5 reached
It means the ASA is running in multiple context mode and the resources are shared and limited.
Run the "show resource usage system counter all 0" to determine how the resources are being distributed.
---It seems that the attack is coming from DMZ going to a public IP
Well, that's bad.
Use the information the ASA is providing you with and track the host down, analyze it and solve the issue.
----You want to know how to configure the ASA in order to block the attack.
Threat detection is a global feature, meaning it scans and can even affect the traffic it classifies as malicious.
If the source of the attack has been identified, proceed with a sanitization of the unit/units.
You can block the traffic from those units using different methods. ACLs and shuns are some of them.
If you have an IPS [I believe that you are referring to the ip-audit feature, but anyway], you can check its configuration and modify it in order to stop the attack while you attack the root cause.
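To make the advice above concrete, here is an ASA 8.x configuration fragment (an added example, not posted by either participant in this thread) that turns on local and remote logging so the %ASA-4-733104/733105 messages can actually be read, enables basic and scanning threat detection with shun, protects the DMZ gateway from being shunned by mistake, applies ip audit to the DMZ interface as well as outside, and manually shuns a suspect DMZ host while it is being investigated. The interface names (inside, outside, dmz), the syslog collector 10.10.10.5, the DMZ gateway 198.51.100.1, the suspect host 198.51.100.20 and the rate thresholds are all assumed for illustration; substitute your own.

```text
! Added example, not from the thread. Interface names, addresses and
! thresholds are assumed for illustration.
!
! --- logging: keep threat-detection messages where you can read them ---
logging enable
logging timestamp
! severity 4 (warnings) covers %ASA-4-733100..733105 and the shun messages
logging buffered warnings
! assumed syslog collector 10.10.10.5 reachable via the inside interface
logging host inside 10.10.10.5
logging trap warnings
!
! --- threat detection (global feature, applies to every interface) ---
threat-detection basic-threat
! tcp-intercept statistics feed "show threat-detection statistics top tcp-intercept"
threat-detection statistics tcp-intercept
! host statistics cost CPU on a small box; enable only while investigating
threat-detection statistics host
! assumed scanning thresholds: over 600 s, average 5/s, burst 10/s
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
! shun scanning hosts, but never shun the DMZ gateway itself (assumed 198.51.100.1)
threat-detection scanning-threat shun except ip-address 198.51.100.1 255.255.255.255
threat-detection scanning-threat shun duration 3600
!
! --- ip audit on the DMZ interface as well as outside ---
ip audit name td-attack attack action alarm drop reset
ip audit name td-info info action alarm
ip audit interface outside td-attack
ip audit interface outside td-info
ip audit interface dmz td-attack
ip audit interface dmz td-info
!
! --- manual containment while the DMZ host is being cleaned ---
! (assumed suspect host 198.51.100.20; remove with "no shun 198.51.100.20")
shun 198.51.100.20
!
! --- what to look at afterwards ---
show logging | include 733104
show logging | include 733105
show logging | include 733102
show threat-detection statistics top tcp-intercept
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
show threat-detection shun
show shun
```

The "except ip-address" line matters in the scenario described in the thread: the DMZ default gateway for guest wireless is the host that threat detection reports as the attacker, and automatically shunning it would take the whole guest segment offline. Shun it only deliberately, with the manual shun command, once you have confirmed what is behind it.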