06-14-2015 04:05 AM - edited 03-11-2019 11:06 PM
Hi,
I am trying to understand the ASA threat-detection feature, but I have not been able to find many details.
How can I see what criteria are used by the ASA to determine if a connection is a threat? Is there any documentation detailing this?
06-15-2015 12:21 PM
Hi, try this command:
sh run all threat-detection
06-16-2015 06:32 AM
Hi,
Actually, the drops on which ASA threat detection works are those shown in "show asp drop".
Based on these drop rates, it matches the default parameters and uses threat detection to possibly block hosts.
Thanks and Regards,
Vibhor Amrodia
06-19-2015 12:18 AM
Hi,
Can you please clarify the criteria threat-detection uses to detect if it is a threat? For example, if it sees an IP address trying to connect to X number of hosts and making Y number of attempts, then it is considered a threat.
In short, how would I determine if a particular connection attempt may be considered a threat?
I have seen some legitimate connection attempts that were considered a threat, and the IP was shunned.
06-19-2015 04:20 AM
Hi,
To explain this, the ASA device has a static value for each of these drop rates, and it would remain the same in different networks, some of which have a large amount of traffic and others not that much.
The rate might be high for some addresses, but that can be legitimate.
I think to get rid of this, there would be two ways:
1) Use the except command for the addresses which should never be blocked.
Refer:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1563523
2) Run this command, show run all threat-detection, and modify the rates that are seen the most in the logs as per your requirement.
Thanks and Regards,
Vibhor Amrodia
06-19-2015 04:41 AM
Thanks Vibhor. Can you give an example for this? For example, how would the below rate-interval work, and when would it block an IP in this case?
threat-detection rate scanning-threat rate-interval 500 average-rate 10 burst-rate 20
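As an added example (not part of any post in this thread, and not Cisco code), here is a small Python model of how the three numbers in that line combine. The semantics it encodes are my reading of the command reference and should be treated as assumptions: rate-interval is the averaging window in seconds with a documented minimum of 600, average-rate and burst-rate are drops per second, the burst window is rate-interval/30 or 10 seconds (whichever is larger), and a host is flagged when either rate is exceeded. The per-second drop traces below are constructed, not captured from a device. Note that the rate-interval 500 in the posted line is below the 600 minimum, which the model rejects.

```python
"""Simplified model of ASA threat-detection rate thresholds.

Assumptions (not verified against ASA source, see lead-in):
  * rate-interval  : averaging window in seconds, minimum 600
  * average-rate   : drops/sec averaged over rate-interval
  * burst-rate     : drops/sec averaged over the burst window
  * burst window   : max(10, rate-interval // 30) seconds
  * a host is flagged when EITHER average or burst rate is exceeded
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_RATE_INTERVAL = 600  # documented lower bound, in seconds


def validate_rate_interval(seconds: int) -> bool:
    """True if the interval is within the accepted range (lower bound only)."""
    return seconds >= MIN_RATE_INTERVAL


@dataclass(frozen=True)
class RateThreshold:
    rate_interval: int  # seconds
    average_rate: int   # drops per second over rate_interval
    burst_rate: int     # drops per second over burst_interval

    def __post_init__(self) -> None:
        if not validate_rate_interval(self.rate_interval):
            raise ValueError(
                f"rate-interval {self.rate_interval} is below the "
                f"{MIN_RATE_INTERVAL} second minimum")

    @property
    def burst_interval(self) -> int:
        # Assumed: 1/30 of the averaging window, but never under 10 seconds.
        return max(10, self.rate_interval // 30)


def evaluate(threshold: RateThreshold,
             drops_per_second: List[int]) -> Tuple[float, float, Optional[str]]:
    """Evaluate one host's per-second drop counts (oldest first).

    Returns (average_rate, burst_rate, reason) where reason is None,
    'average-rate' or 'burst-rate'. Seconds missing from the front of a
    short trace are treated as zero-drop seconds.
    """
    window = drops_per_second[-threshold.rate_interval:]
    average = sum(window) / threshold.rate_interval

    burst_window = drops_per_second[-threshold.burst_interval:]
    burst = sum(burst_window) / threshold.burst_interval

    # Burst is checked first because it reacts sooner; "exceeded" is strict.
    if burst > threshold.burst_rate:
        reason = "burst-rate"
    elif average > threshold.average_rate:
        reason = "average-rate"
    else:
        reason = None
    return average, burst, reason


# Constructed traces, 600 one-second samples each (one host's drop counts).
TRACE_SCAN_BURST = [0] * 585 + [30] * 15   # quiet, then 15 s of 30 drops/s
TRACE_SLOW_STEADY = [12] * 600             # 12 drops/s for the whole window
TRACE_LEGIT = [3] * 600                    # low, steady, should not be flagged


def demo() -> dict:
    """Run the constructed traces through a 600/10/20 threshold."""
    t = RateThreshold(rate_interval=600, average_rate=10, burst_rate=20)
    return {
        "burst_interval": t.burst_interval,
        "scan_burst": evaluate(t, TRACE_SCAN_BURST),
        "slow_steady": evaluate(t, TRACE_SLOW_STEADY),
        "legit": evaluate(t, TRACE_LEGIT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two traces that get flagged show why tuning is per network: the burst rule catches a short, intense spike whose average over ten minutes is tiny, while the average rule catches a slow but sustained source that never bursts. A legitimate host on a busy segment can sit just above either line, which is the situation described later in this thread; raising the rate or excepting that address are the two adjustments available.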
06-22-2015 03:14 PM
Hi,
I think you cannot go below a 600 rate-interval.
06-23-2015 04:45 AM
Hi,
These values can only be specified within a range and have to be set on a trial-and-error basis according to the network activity.
Thanks and Regards,
Vibhor Amrodia