04-08-2011 09:12 AM - edited 03-11-2019 01:18 PM
Hello - I have an ASA as our external firewall. I have enabled basic threat detection and scanning threat detection. Given that I cannot seem to get the shun mechanism to work properly, I have configured it as strictly as possible (monitoring window 1, burst threshold 25, average threshold 25). I know this configuration is counterintuitive but even configured this way, I constantly get external hosts scanning my external IP range without being shunned. Typically, an external host will scan the entire range (100+ IPs) in a second or two over a particular port (popular ones seem to be 135-139 and 445, the MS SMB ports). Although these ports are not open, I view this as hostile action and want to shun these hosts. Am I missing a configuration somewhere? Help please!
04-08-2011 09:30 AM
Hi Lance,
Kindly provide us the threat-detection related config on your ASA.
There should be something like threat-detection scanning-threat shun duration X
Only then would it shun on detecting port/ip scans.
Hope this helps.
-Shrikant
P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks.
04-08-2011 09:52 AM
Thank you for your help!
I use the ASDM (I know, I know). I have the box next to "Enable scanning threat detection" checked, the box next to "Shun hosts detected by scanning threat" checked and the Shun Duration is set to 3000. I have posted a screenshot of this settings area. I have erased the internal IP ranges from the excluded area for security purposes but they are there. Please let me know if you need any other info.
04-08-2011 10:42 AM
Hi Lance,
The ASDM configuration looks fine.
From the tools option please use the CLI to procure the output of "show run all threat-detection"
You can sanitize the IP addresses with alphabets or something, and put it here. I would just like to verify that the CLI config is in sync with what is being displayed on the ASDM.
Also, another important thing: is anyone scanning your ports currently? Only if they exceed the scanning threat threshold will they be shunned.
If you have logging enabled, then you can view scanning-threat detected messages in the logs as well.
-Shrikant
04-13-2011 09:47 AM
Attached is the output from that command. Sorry it took so long. Had to put out some other fires.
We have an event correlation engine which we ship all the events from the firewall to. This engine creates alerts when it suspects a port scan is being performed. We had 8 last night alone. Based on a manual review of the events, it is clear that a variety of external hosts are scanning our external IP range looking for particular ports to be open.
Let me know if you need additional details.
Thank you again for your help!!
04-14-2011 02:41 PM
Can anyone help with this? I am getting events from our ASA showing numerous port scans but for some reason, the device is not shunning them. I have seen the device shun people but it seems to be hit or miss (mostly miss) as to when it does it.
04-16-2011 12:36 PM
Hi Lance,
Sorry for the delay mate.
So from your config, I see, that these are the scanning rate parameters configured:
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
So an ip address would be shunned, if packets sourced from it were being dropped at an average of 5 packets per second for 600 seconds (or 10 packets per second over 20 seconds) according to the first rule. Similarly for the second, except that it is over a longer duration.
You can check hosts shunned by the threat-detection engine under "show threat-detection shun"
As you mentioned in your post earlier, there is a separate device which detects hosts which are scanning.
Enable "threat-detection statistics host" on the ASA.
Note: This command is CPU and memory intensive since the ASA maintains a table for every host it sees. So don't have it switched on forever.
Now, when you are notified that a host is scanning, and the ASA has not shunned it, then do the following:
show threat-detection statistics host
threat-detection rate scanning-threat rate-interval
Burst rate is measured over 1/30th of the time specified
You can disable host statistics with "no threat-detection statistics host" once you are satisfied with the tweaked parameters.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
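To make the rate arithmetic in the reply above concrete, here is an added Python model (not Cisco code, and not how the ASA computes rates internally) of the two scanning-threat rules from the thread. It takes the rule semantics exactly as the reply states them: a rule fires when drops from one source average at least average-rate per second over rate-interval seconds, or at least burst-rate per second over a burst window of 1/30th of rate-interval. Sliding windows ending at each drop are an assumption of the model, and the drop timestamps are constructed sample data.

```python
"""Model of the ASA scanning-threat rate rules quoted in the thread.

Added illustration, not Cisco code. Rule semantics follow the reply above;
sliding windows ending at each drop are an assumption of this model.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRule:
    rate_interval: int   # seconds ('rate-interval')
    average_rate: int    # drops per second ('average-rate')
    burst_rate: int      # drops per second ('burst-rate')

    @property
    def burst_interval(self) -> float:
        # The reply says burst rate is measured over 1/30th of rate-interval.
        return self.rate_interval / 30


# The two rules from the 'show run all threat-detection' output in the thread.
RULES = (ScanRule(600, 5, 10), ScanRule(3600, 4, 8))


def drops_needed(rule: ScanRule) -> tuple[float, float]:
    """Dropped packets one source must generate inside the burst window, and
    inside the full rate-interval, before the rule can fire."""
    return (rule.burst_rate * rule.burst_interval,
            rule.average_rate * rule.rate_interval)


def _count(times, end, length):
    """Drops with timestamp in the half-open window (end - length, end]."""
    return sum(1 for t in times if end - length < t <= end)


def evaluate(drop_times, rules=RULES):
    """Return [(rule, reason, time)] for each rule the host trips, checking
    every rule at every drop timestamp with windows ending at that drop."""
    times = sorted(drop_times)
    tripped = []
    for rule in rules:
        for now in times:
            burst = _count(times, now, rule.burst_interval) / rule.burst_interval
            average = _count(times, now, rule.rate_interval) / rule.rate_interval
            if burst >= rule.burst_rate:
                tripped.append((rule, "burst", now))
                break
            if average >= rule.average_rate:
                tripped.append((rule, "average", now))
                break
    return tripped


# Constructed sample 1: the sweep described in the question, 100 external
# addresses probed on one closed port within two seconds (100 drops, 20 ms apart).
ONE_SHOT_SWEEP = [i * 0.02 for i in range(100)]

# Constructed sample 2: a slower but sustained scanner, 250 drops over 20 s.
SUSTAINED_SCAN = [i * 0.08 for i in range(250)]


if __name__ == "__main__":
    for rule in RULES:
        print(rule, "needs", drops_needed(rule), "drops (burst, average)")
    print("one-shot sweep trips:", evaluate(ONE_SHOT_SWEEP))
    print("sustained scan trips:", evaluate(SUSTAINED_SCAN))
```

Under these semantics the first rule needs 200 drops inside its 20-second burst window (or 3000 over 600 seconds) before it fires, so a single sweep of 100 addresses that is over in two seconds never reaches the threshold, while a scanner that keeps going at 10 or more drops per second for 20 seconds does. That matches the "hit or miss" behaviour reported in the thread. Before tuning rate-interval down to catch short sweeps, check the ASA command reference for any floor the platform applies to the burst interval; the model only follows the 1/30th rule as quoted here.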