ASA threat-detection

S891
Level 2

Hi,

I am trying to understand the ASA threat-detection feature, but I have not been able to find much detail.

How can I see what criteria are used by the ASA to determine if a connection is a threat? Is there any documentation detailing this?

7 Replies

Ahmad Khalifa
Level 1

Hi, try this command:

show run all threat-detection

Hi,

Actually, the drops on which ASA threat detection works are the ones shown by "show asp drop".

Based on these drop rates, it matches the default parameters and uses threat detection to possibly block hosts.

Thanks and Regards,

Vibhor Amrodia

Hi,

Can you please clarify the criteria threat-detection uses to decide whether something is a threat? For example, if it sees an IP address trying to connect to X number of hosts and making Y number of attempts, then it is considered a threat.

In short, how would I determine whether a particular connection attempt may be considered a threat?

I have seen some legitimate connection attempts that were considered threats, and the IP was shunned.

Hi,

To explain this, the ASA device has a static value for each of these drop rates, and it remains the same in different networks, some of which have large amounts of traffic and others not that much.

The rate might be high for some addresses, but that can be legitimate.

I think there would be two ways to get rid of this:

1) Use the except command for the addresses which should never be blocked.

Refer to:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1563523

2) Run the command "show run all threat-detection" and modify the rates as per your requirement, based on which ones are seen the most in the logs.

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor. Can you give an example of this? For example, how would the rate-interval below work, and when would it block an IP in this case?

threat-detection rate scanning-threat rate-interval 500 average-rate 10 burst-rate 20

Hi,

I think you cannot go below a rate-interval of 600.

Hi,

These values can only be specified within a range and have to be set on a trial-and-error basis according to the network activity.

Thanks and Regards,

Vibhor Amrodia
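To make the rate-interval / average-rate / burst-rate question above concrete, here is an added example (not Cisco code and not from any poster) that models how such a rate threshold is evaluated against a constructed series of per-second drop counts for one host. It assumes the documented semantics: the average rate is drops per second over the whole rate-interval, the burst rate is drops per second over a burst interval of one thirtieth of the rate-interval (never less than 10 s), and rate-interval cannot be set below 600 s, as noted in the thread; the exact way the ASA seeds its counters for a newly seen host is not on this page, so the model divides by the full configured interval from the start.

```python
# Simplified model of an ASA "threat-detection rate scanning-threat" threshold.
# Assumption: average rate = drops/s over rate_interval, burst rate = drops/s
# over max(rate_interval // 30, 10) seconds; either exceeding its limit flags
# the host. Whether a flagged host is actually shunned depends on the
# "scanning-threat shun" setting, which this model does not cover.
from collections import deque

MIN_RATE_INTERVAL = 600  # floor mentioned in the thread; 500 would be rejected


def burst_interval(rate_interval):
    """Burst window in seconds: 1/30 of the rate interval, but at least 10 s."""
    return max(rate_interval // 30, 10)


def validate_rate_interval(rate_interval):
    """Mirror the CLI check: return True only if the interval is allowed."""
    return rate_interval >= MIN_RATE_INTERVAL


def evaluate(drops_per_sec, rate_interval, average_rate, burst_rate):
    """Return (second, reason, observed_rate) for the first second at which a
    threshold is exceeded, or None if the host never crosses either limit.
    drops_per_sec[i] is the number of ASP drops counted in second i."""
    b_int = burst_interval(rate_interval)
    long_win, short_win = deque(), deque()   # sliding windows of drop counts
    long_sum = short_sum = 0
    for t, d in enumerate(drops_per_sec):
        long_win.append(d); long_sum += d
        short_win.append(d); short_sum += d
        if len(long_win) > rate_interval:    # drop data older than the rate interval
            long_sum -= long_win.popleft()
        if len(short_win) > b_int:           # drop data older than the burst interval
            short_sum -= short_win.popleft()
        avg = long_sum / rate_interval       # drops per second, long window
        burst = short_sum / b_int            # drops per second, burst window
        if burst > burst_rate:
            return (t, "burst-rate", round(burst, 2))
        if avg > average_rate:
            return (t, "average-rate", round(avg, 2))
    return None


if __name__ == "__main__":
    # Constructed traces: a fast scanner, a slow scanner, and a briefly noisy
    # but legitimate host, each checked against average-rate 10 / burst-rate 20.
    print(validate_rate_interval(500))                 # False: below the 600 s floor
    print(evaluate([25] * 30, 600, 10, 20))            # burst window trips first
    print(evaluate([12] * 700, 600, 10, 20))           # only the long average trips
    print(evaluate([15] * 60 + [0] * 60, 600, 10, 20)) # None: under both limits
```

Tuning is then a matter of replaying real drop counts per host through this model and raising whichever limit the legitimate hosts keep crossing, or adding them via the except keyword as described above.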
