Hey All,

I need to check the connections through our ASA5510, look for anything 'abnormal', and check things like FTP and Telnet sessions going on over our firewall.

Currently I've been using 'show local-host brief' to see high numbers of connections, then I go back through and do 'show local-host x.x.x.x' to see what they're actually connected to. 

I'm seeing some desktops with 120+ TCP connections, but when I do a 'show local-host x.x.x.x' on those IP's I get a long list, but it's all to normal sites like google, facebook etc. 

I'm also currently doing things all by hand, visually looking at the IP's, doing whois on them etc..

Here are my questions:

1. What is 'abnormal' and what are some tools to find abnormalities
2. Is there a way to pull all the IP's on the inside/outside interfaces and scan them against known bad IP's/malicious IP's??
3. How do I identify users who are hogging bandwidth / doing things they shouldn't be by looking at the results of 'show local-host' (how many connections is 'too many')
4. How do I specifically look for FTP sessions or Telnet sessions going through our firewall?

Any answers on any of these would be a huge help for my daily reports !!