06-21-2010 02:11 PM - edited 03-11-2019 11:01 AM
Hello,
Someone on the IDS group suggested I post this here instead. Apologies if this has been covered before; I did a quick scan of the forums here and only found one relevant post, which didn't help in my case...
I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2). I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" rule:
                   Average(eps)  Current(eps)  Trigger  Total events
10-min Scanning:              6             6      338          3673
1-hour Scanning:              6             7    32859         23525
The default triggers are as follows:
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
This results in a flood of log messages like so:
[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.
I would like to increase the trigger values on these rules so that only unusual traffic will trip them. I believe the relevant CLI command for creating a new rule would be similar to:
threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 25
However, attempting to do so earns me an "ERROR: rate-interval 600 already exists."
I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web. To clarify, I am trying to alter an existing config value.
I do have a SmartNet contract and could call support, but thought I would check here first. I'd much appreciate any info or advice.
Thanks in advance!
06-21-2010 08:09 PM
Please remove the existing configuration first, and configure the new threat detection rating.
To remove:
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
Then add your new configuration line.
Hope that helps.
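The procedure above (read the current `threat-detection rate` line, remove it with `no`, re-add it with higher thresholds) lends itself to a small tuning helper. The following is an added example written for this page, not code from Cisco or from any poster: it parses the two `threat-detection rate scanning-threat` lines and the `[Scanning] drop rate-N exceeded` messages quoted in the question, finds the peak burst and average rates the ASA actually reported for each rule, scales them by a safety margin, and prints the exact `no ...` / replacement pair to paste into the CLI. Assumptions not stated on the page: `drop rate-N` refers to the Nth configured line of that kind (the thread supports this, since the rate-1 cumulative count 3673 matches the 10-min row), the bracketed object `Scanning` maps to the config keyword `scanning-threat`, the `%ASA-4-733100:` syslog prefix on the constructed sample lines is what the ASA emits for this message (the regex does not depend on it), and the 2x margin is an arbitrary policy choice.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass, replace

# Constructed sample config: the two default lines from the question.
SAMPLE_CONFIG = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""

# Constructed sample syslog: line 1 is the message quoted in the question,
# lines 2-3 are invented to exercise the peak tracking and the 1-hour rule.
# The %ASA-4-733100 prefix is assumed; the parser only needs the body.
SAMPLE_LOGS = """\
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4102
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 7 per second, max configured rate is 8; Current average rate is 6 per second, max configured rate is 4; Cumulative total count is 23525
"""

RATE_LINE = re.compile(
    r"^threat-detection rate (?P<kind>\S+) rate-interval (?P<interval>\d+)"
    r" average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)\s*$"
)
DROP_MSG = re.compile(
    r"\[\s*(?P<obj>\w+)\] drop rate-(?P<idx>\d+) exceeded\."
    r" Current burst rate is (?P<cur_burst>\d+) per second, max configured rate is \d+;"
    r" Current average rate is (?P<cur_avg>\d+) per second, max configured rate is \d+;"
    r" Cumulative total count is (?P<total>\d+)"
)
# Assumed mapping from the bracketed object in the message to the config keyword.
OBJECT_TO_KIND = {"Scanning": "scanning-threat"}


@dataclass(frozen=True)
class RateRule:
    kind: str
    interval: int
    average: int
    burst: int

    def cli(self) -> str:
        return (f"threat-detection rate {self.kind} rate-interval {self.interval}"
                f" average-rate {self.average} burst-rate {self.burst}")


@dataclass(frozen=True)
class DropEvent:
    kind: str
    index: int      # the N in "drop rate-N": Nth rule of this kind, in config order
    burst: int      # current burst rate (eps) reported by the ASA
    average: int    # current average rate (eps) reported by the ASA
    total: int      # cumulative drop count


def parse_rules(config_text: str) -> list[RateRule]:
    """Extract threat-detection rate lines from 'show running-config' output, in order."""
    rules = []
    for line in config_text.splitlines():
        m = RATE_LINE.match(line.strip())
        if m:
            rules.append(RateRule(m["kind"], int(m["interval"]), int(m["avg"]), int(m["burst"])))
    return rules


def parse_drops(log_text: str) -> list[DropEvent]:
    """Extract the observed rates from each drop-rate-exceeded syslog line."""
    events = []
    for line in log_text.splitlines():
        m = DROP_MSG.search(line)
        if m:
            kind = OBJECT_TO_KIND.get(m["obj"], m["obj"].lower())
            events.append(DropEvent(kind, int(m["idx"]), int(m["cur_burst"]),
                                    int(m["cur_avg"]), int(m["total"])))
    return events


def observed_peaks(events: list[DropEvent]) -> dict[tuple[str, int], tuple[int, int]]:
    """Peak (burst, average) seen per (kind, rule index); this is the baseline to clear."""
    peaks: dict[tuple[str, int], tuple[int, int]] = {}
    for e in events:
        b, a = peaks.get((e.kind, e.index), (0, 0))
        peaks[(e.kind, e.index)] = (max(b, e.burst), max(a, e.average))
    return peaks


def propose_rules(rules: list[RateRule], events: list[DropEvent],
                  margin: float = 2.0) -> list[tuple[RateRule, RateRule]]:
    """Return (old, new) pairs for rules that fired; thresholds are only ever raised."""
    by_kind: dict[str, list[RateRule]] = {}
    for r in rules:
        by_kind.setdefault(r.kind, []).append(r)
    changes = []
    for (kind, idx), (peak_burst, peak_avg) in sorted(observed_peaks(events).items()):
        candidates = by_kind.get(kind, [])
        if not 1 <= idx <= len(candidates):
            continue  # message refers to a rule we did not find in the config
        old = candidates[idx - 1]
        new = replace(old,
                      average=max(old.average, math.ceil(peak_avg * margin)),
                      burst=max(old.burst, math.ceil(peak_burst * margin)))
        if new != old:
            changes.append((old, new))
    return changes


def tune(config_text: str, log_text: str, margin: float = 2.0) -> list[str]:
    """CLI lines to paste: 'no <old line>' followed by the replacement, per the answer."""
    lines = []
    for old, new in propose_rules(parse_rules(config_text), parse_drops(log_text), margin):
        lines.append("no " + old.cli())
        lines.append(new.cli())
    return lines


if __name__ == "__main__":
    print("\n".join(tune(SAMPLE_CONFIG, SAMPLE_LOGS)))
```

Feed it `show running-config threat-detection` and a day or two of the 733100 messages instead of the constructed samples; because the proposal is derived from what the ASA itself reported, the new thresholds sit above the measured background rather than above a guess, and the emitted `no` line always matches the existing configuration exactly, which avoids the "rate-interval 600 already exists" error in the question.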
06-22-2010 12:25 AM
CSCso51544 ASA overwrites default config when rate-interval is set to 600
06-22-2010 05:11 AM
Thank you very much! The 'no' command is just what I was looking for... clearing the existing rule allows me to re-establish with updated thresholds.
Thanks also for the pointer to the CSC number; upgrading the firmware might be something I try as a longer term solution.
Cheers!