ASA 5510 Threat Detection - determining source

kent
Level 1

Hi,

I am using an ASA 5510 on our home/office network as firewall and router.  Over the past hour the top usage status is showing 8+ million packet hits for HTTP traffic.  That seems huge for a Saturday when no one is in the office and I only have 3 people at home.  

I enabled the threat detection and it started blocking things like iPhone software updates.  I added our internal network to the shun exclusion list.  

I'm trying to figure out if these are attempted traffic coming to our site or some type of infected device inside my network going out.

Do you have any suggestions for me for determining where the issue is?  I tried using the demo of FirePlotter, but it hasn't helped me track down the source.

Any help would be greatly appreciated!

Thank you!

--Kent

4 Replies

johnd2310
Level 8

Hi,

Set up a syslog server for your network and configure the ASA to log to it. Use the logging trap informational command to send detailed logs to the syslog server. Analyse the syslog messages to see which devices are generating most of the traffic and to what destinations the traffic is going.

Thanks

John

**Please rate posts you find helpful**
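As an added example (not part of this thread), here is one way to do the analysis John describes once the ASA is logging at the informational level: count connection-build messages (302013/302015) per LAN host and direction, and sum the byte counts from the matching teardown messages (302014/302016). Grouping by direction separates inbound attempts against the site from an internal host going out, which is Kent's question. The syslog lines below are constructed samples, and the LAN-facing interface is assumed to be named "inside".

```python
import re
from collections import Counter

INSIDE_IF = "inside"  # assumed name of the LAN-facing ASA interface

# 302013/302015 = Built TCP/UDP connection; the direction word tells whether the
# inside host initiated it (outbound) or was the target (inbound).
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (inbound|outbound) (?:TCP|UDP) connection (\d+) "
    r".*?\b" + INSIDE_IF + r":([\d.]+)/\d+")
# 302014/302016 = Teardown TCP/UDP connection, carrying the byte count.
TEARDOWN_RE = re.compile(
    r"%ASA-6-30201[46]: Teardown (?:TCP|UDP) connection (\d+) "
    r".*?\b" + INSIDE_IF + r":([\d.]+)/\d+ .*?bytes (\d+)")

# Constructed sample log lines in ASA syslog format (RFC 5737 test addresses).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/52344 (198.51.100.2/52344)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:192.168.1.10/52344 duration 0:00:01 bytes 5120 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.6/80 (203.0.113.6/80) to inside:192.168.1.10/52345 (198.51.100.2/52345)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.6/80 to inside:192.168.1.10/52345 duration 0:00:02 bytes 90000 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:192.168.1.20/49152 (198.51.100.2/49152)
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.7/443 to inside:192.168.1.20/49152 duration 0:00:05 bytes 2048 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.77/40000 (198.51.100.77/40000) to inside:192.168.1.30/80 (198.51.100.2/80)
"""


def summarize(log_text):
    """Return (connections per (host, direction), bytes per host)."""
    conns, byte_totals = Counter(), Counter()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            direction, _conn_id, host = m.groups()
            conns[(host, direction)] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            _conn_id, host, nbytes = m.groups()
            byte_totals[host] += int(nbytes)
    return conns, byte_totals


def top_talkers(log_text, n=3):
    """Rows of (host, outbound_conns, inbound_conns, bytes), busiest first."""
    conns, byte_totals = summarize(log_text)
    hosts = {h for h, _ in conns} | set(byte_totals)
    rows = [(h, conns[(h, "outbound")], conns[(h, "inbound")], byte_totals[h])
            for h in hosts]
    rows.sort(key=lambda r: (r[1] + r[2], r[3]), reverse=True)
    return rows[:n]


if __name__ == "__main__":
    for host, out_c, in_c, total in top_talkers(SAMPLE_LOG):
        print(f"{host:16} outbound={out_c} inbound={in_c} bytes={total}")
```

Feed it the syslog file the ASA is writing to; a LAN host at the top of the list with a large outbound count is the one to inspect, while a high inbound count against a host points at traffic arriving from the outside.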

What tool do you recommend for analyzing the syslog traffic?

Hey,

I am using Syslog Watcher, try it.

Gianluca Fedele
Level 1

Hi, I have a similar problem, a MacBook in our network is being shunned many times per day by our ASA.

Every time this MacBook stops accessing the internet, the command show shun on the CLI gives me the IP address of this computer, so we perform a no shun to free it.

On the CLI the command show threat-detection statistics host gives me a detailed output, as in the attached snapshot. I understand this MacBook activated the TRIGGER 5 times in the last 20 minutes, that's why it is being shunned every day.

My question is, how do I understand which triggers it activated?

I don't know if the MacBook is really doing something wrong, or if it is just an excessively restrictive rule on the ASA.
