06-01-2012 09:24 AM - edited 03-11-2019 04:14 PM
With Kureli Sankar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.
Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
06-15-2012 01:13 AM
Hi Kureli,
on my ASA, I can see this output:
ASA5520# sh threat-detection rate scanning-threat
but with this, I can't see anything:
ASA5520# sh threat-detection scanning-threat target
Latest Target Host & Subnet List:
ASA5520#
ASA5520# sh threat-detection scanning-threat attacker
Latest Attacker Host & Subnet List:
How I can see the address of attackers?
Thanks
06-15-2012 06:31 AM
It's the same thing in my case also; I don't see anything with the sh threat-detection scanning-threat attacker command, but we are getting around 10 syslog messages every minute saying the thresholds are exceeded.
ASA/pri/act# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps)    Trigger    Total events
  10-min Scanning:                   3               3      22170            2323
  1-hour Scanning:                   3               4       5362           12814
ASA/pri/act# sh threat-detection scanning-threat attacker
ASA/pri/act#
06-15-2012 10:43 AM
The command is "show threat-detection scanning-threat"
not "show threat-detection rate scanning-threat"
You can also try the following:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html
hostname# show threat-detection statistics host
                                                 Average(eps)    Current(eps)    Trigger    Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
  1-hour Sent byte:                                      2938               0          0        10580308
  8-hour Sent byte:                                       367               0          0        10580308
 24-hour Sent byte:                                       122               0          0        10580308
-Kureli
06-15-2012 10:49 AM
Yes, I tried "show threat-detection scanning-threat" but it didn't produce any output:
ASA/pri/act# show threat-detection scanning-threat
ASA/pri/act#
06-15-2012 11:09 AM
Siddhartham,
Today is the last day of this ATE event. I am not sure if I can get to the bottom of this. Would you mind opening a TAC case so we can take a look at it? Feel free to mention my name on the case.
Please copy and paste the "sh run threat" output from the ASA.
Maybe there aren't any scanning threats at the moment. If the rate-exceeded syslog is seen, then you probably have to tweak the settings and increase
Issue "show run all threat-detection". The number of triggers of different thresholds can be checked in "show threat-detection rate". Syslog 733100 is related to the scanning rate; adjusting this parameter should resolve too many messages showing up in the syslogs. In this case, tuning the command "threat-detection rate scanning-rate 3600 average-rate 15" stopped too many of these messages being logged. In other cases one may have to increase the scanning-rate and average-rate to a higher value.
-Kureli
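A worked example added here as an editor's note, not from the thread or from Cisco: Python that parses the "show threat-detection rate scanning-threat" table posted above and a few constructed %ASA-4-733100 syslog lines (layout assumed to follow the documented 733100 message text), then proposes average-rate and burst-rate values with headroom above the observed peaks, so a defender can see how far the thresholds must move before the log stops flooding while a real scan still trips them. The command string it builds uses the full scanning-threat syntax, threat-detection rate scanning-threat rate-interval ... average-rate ... burst-rate ...; the headroom factor and the helper names (parse_rate_table, parse_733100, suggest_thresholds, tuning_command) are this example's own choices.

```python
"""Tune ASA threat-detection scanning thresholds from observed data.

Added example (not from the thread or Cisco). It reads the rate table and
733100 syslog lines and proposes thresholds with headroom above what was seen.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample: the table the poster shared (10-min and 1-hour rows).
RATE_TABLE = """\
                          Average(eps)    Current(eps)    Trigger    Total events
  10-min Scanning:                   3               3      22170            2323
  1-hour Scanning:                   3               4       5362           12814
"""

# Constructed sample syslog lines; layout assumed to follow the documented
# %ASA-4-733100 message. The last line is unrelated noise the parser must skip.
SYSLOG_SAMPLE = [
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, "
    "max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; "
    "Cumulative total count is 3540",
    "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 9 per second, "
    "max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; "
    "Cumulative total count is 14240",
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 15 per second, "
    "max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; "
    "Cumulative total count is 3900",
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/40000 (...)",
]


@dataclass(frozen=True)
class RateRow:
    period: str          # e.g. "10-min" or "1-hour"
    average_eps: int
    current_eps: int
    trigger: int
    total_events: int


@dataclass(frozen=True)
class ThresholdEvent:
    obj: str             # threat-detection object, e.g. "Scanning"
    rate_id: str         # "rate-1" (burst-style interval) or "rate-2"
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int


ROW_RE = re.compile(r"^\s*(\S+)\s+Scanning:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
SYSLOG_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+)\] drop (?P<rate_id>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_rate_table(text: str) -> list[RateRow]:
    """Parse the 'show threat-detection rate scanning-threat' table; header lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(RateRow(m.group(1), *map(int, m.groups()[1:])))
    return rows


def parse_733100(lines: list[str]) -> list[ThresholdEvent]:
    """Extract the observed and configured rates from 733100 messages; other syslogs are skipped."""
    events = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            g = m.groupdict()
            events.append(ThresholdEvent(g["obj"].strip(), g["rate_id"], int(g["burst"]),
                                         int(g["burst_max"]), int(g["avg"]), int(g["avg_max"]),
                                         int(g["total"])))
    return events


def suggest_thresholds(events: list[ThresholdEvent], headroom: float = 1.5,
                       obj: str = "Scanning") -> tuple[int, int] | None:
    """Return (average_rate, burst_rate) sitting `headroom` above the observed peaks.

    Only events for `obj` count; None means nothing to tune. The burst threshold is
    never allowed to fall below the average threshold.
    """
    relevant = [e for e in events if e.obj == obj]
    if not relevant:
        return None
    avg = math.ceil(max(e.avg for e in relevant) * headroom)
    burst = max(math.ceil(max(e.burst for e in relevant) * headroom), avg)
    return avg, burst


def tuning_command(rate_interval: int, average_rate: int, burst_rate: int) -> str:
    """Render the ASA configuration line for the proposed scanning-threat thresholds."""
    return (f"threat-detection rate scanning-threat rate-interval {rate_interval} "
            f"average-rate {average_rate} burst-rate {burst_rate}")


if __name__ == "__main__":
    for row in parse_rate_table(RATE_TABLE):
        print(row)
    proposal = suggest_thresholds(parse_733100(SYSLOG_SAMPLE))
    if proposal:
        print(tuning_command(3600, *proposal))
```

Run it against a saved copy of the show output and a day of 733100 syslogs rather than the constructed samples; the headroom factor is a starting point, and the right value is the lowest one at which the messages stop appearing for normal traffic.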
06-15-2012 12:03 PM
Thanks Kureli, will open a TAC case.
06-18-2012 04:05 AM
Dear Kureli Sankar,
I have a problem. I don't know if it could be an attack or a real problem where I need to change something on the FWSM; I'm not sure.
All my user VLANs are on the core itself, but the server VLANs are on the FWSM. When 2 servers are in the same VLAN they work perfectly, but there is a delay and sometimes packet drops when a server on one VLAN tries to communicate with a server in another VLAN.
My access list is permit ip any any, so all the traffic should pass normally between them.
For example, when I'm on a server in VLAN 100 and remote desktop to another server in the same VLAN, it takes less than a second and I'm on the other server.
But when a server on VLAN 100 remote desktops to a server on VLAN 99, it may take up to 30 sec or so to connect, and also when the 2 servers in different VLANs try to get data from each other, sometimes it takes time and sometimes it gives an error that it can't be reached and will try to connect again.
Pinging is working fine, no problem.
The FWSM is routed, not transparent.
The servers are a Microsoft mail server and a domain controller.
If I make it transparent, will it solve this problem?
And if I issue the command firewall transparent, would I need downtime, or will everything work normally?
I'm not good with security, so please help, and if you need any more info let me know.
Thanks.
06-18-2012 01:31 PM
Mohamed,
Not sure if transparent mode is going to resolve the issue. You still need the same route and permission, along with optional translation, for any flow to work.
We need to look at captures working in the same VLAN and with delay when separated by the firewall, and determine what might be causing the problem.
In the past, with windows file copy and drive mapping issues, we have run into the following:
The problem is that Windows will not allow multiple smb connections on port 445. Subsequent connections will cause the existing connection to be reset.
This behavior is described by Microsoft Article KB301673.
http://support.microsoft.com/kb/301673
Two solutions:
1) Modify the registry on the server per KB301673 to use only port 139 and reboot the server.
2) Block port 445 by ACL on the firewall so that it will be forced to default back to 139.
Give this a shot and let me know if this resolves the issue. Otherwise please open a TAC case as we need to grab captures and analyze them.
-Kureli
06-18-2012 02:13 PM
Dear Kureli Sankar,
The fix is only available for Microsoft Server 2008; mine is 2010 and it didn't work with it.
I'm out of ideas. I even made the access-list all open (ip, tcp, udp any any) for all VLANs as a test for now so I can check whether anything will drop or not, and all the security interfaces are the same, and I have same-security permit intra and inter for the VLAN interfaces.
The core is fine. I just don't know what to do any more. Do you think it could be a Microsoft problem and not the Cisco side?
Here is my thread link; you can continue troubleshooting with me in that thread if this thread is closed.
https://supportforums.cisco.com/thread/2154093
Thanks and Best Regards,
Mohamed Selim.
12-13-2012 09:28 AM
I have a small doubt about telnet; I am not sure if this is the right forum to post this query.
I wanted to know if we can use telnet on a non-standard port, let's say 6189. I wanted to configure this on a Cisco router. May I know the commands to do this?
I have used PAT and port-map to do this.
Is there any other way to achieve this?
Please help. Thanks in advance.
04-23-2013 03:32 AM
Dear Kureli,
I wish to integrate with Microsoft Windows 2008 AD. Apparently I am having trouble achieving this due to the error below:
ECSIntFw01# test aaa-server authentication AD1 username fraxxx password$ xxxx
Server IP Address or name: 10.3.1.10
INFO: Attempting Authentication test to IP address <10.3.1.10> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed
My aim is to set up Identity Options that would help to allow/restrict permissions based on users and/or groups that exist in the Active Directory domain.
Kindly assist.
Frank