on my asa log, i can see this message (add image) I wonder what the source of these packages. I configured a capture but I don't know what is the command to see packets that were drop by threat-detection:
capture TEST_CAPTURE type asp-drop ??
Thanks in advanced
Its not a packety sent by any source it is a warning message generated by the basic threat detection enabled on your ASA by default. To read more about the syslog, you can refer this;
Hi Varun, thanks for the reply:
I don't understand what you mean with "Its not a packety sent by any source " I'll try to explain better although my English it's not very good. The ASA works only like head end of VPN connections and my doubt is if these drop "packets" are legitimate but sent in a too ratio. And if there are packages that otherwise might be? I´m very confused for this:
The threat detection feature can be described by the following three levels:
Basic threat detection:
Monitors the average and burst rate of dropped packets and
security events over an interval; generates a logging message when a threshold is
Advanced threat detection:
Gathers statistics for both allowed and denied packets
for objects such as hosts, protocols, ports, and access lists; generates a logging message
when the TCP Intercept rate exceeds a threshold
Scanning threat detection:
Maintains a database of suspicious activity for each
host; can detect a host that is scanning for vulnerable targets based on the average
and burst rates of scanning events; generates logging messages and can automatically
shun attacking hosts
You can configure threat detection in phases, adding more progressive levels as needed.
Be aware that advanced and scanning threat detection can tax the ASA resources because
they monitor and gather extensive and granular information.
Thanks for your time