cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5547
Views
0
Helpful
10
Replies

send alarm cisco asa 5510

emilioj.romero
Level 1
Level 1

Hi,

I have a cisco asa 5510.

I am doing attack a my firewall, using namp. I am seeing in the log the attack but i like that firewall send only alarm of attack by email or nagios. I have active email with warning and i received very much email.....

I observed that graph show attack, but not ip of attacker, is possible that cisco asa show the ip too ?

The log show scanning with nmap but not shunning IP and not send alarm. How i can send alarm ?

cisco-foro.png

The graph no show ip, it's possible show it

cisco-grafica.png

In short as I can detect attacks and to send me a warning

Configuration threat-detection

ciscoasa# show running-config | i shu
threat-detection scanning-threat shun except ip-address X.X.X.X 255.255.255.0
threat-detection scanning-threat shun duration 3600

Thank very much.




10 Replies 10

Shrikant Sundaresh
Cisco Employee
Cisco Employee

Hi Emilio,

If you could show me your logging configuration, then i can tell you the exact commands that need to be configured.

However, primarily, you need to see to it that the syslog 401002 is in the logging list. By default the syslog is logged at level 4.

Here is the description for syslog 401002:

Error Message    %ASA-4-401002: Shun added: IP_address IP_address port port

Explanation   A shun command was entered, where the first IP address is the shunned host. The other  addresses and ports are optional and are used to terminate the connection if available.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Hi,

Logging configuration

logging enable
logging timestamp
logging list errores level errors
logging buffer-size 32768
logging buffered warnings
logging trap warnings
logging asdm warnings
logging from-address xxxxx@xxxxxx
logging recipient-address xxxxx@jxxxxxx level errors
logging host Interface-outside 10.xx.xx.xx
logging message 605004 level warnings

The firewall no shunning host, only detect scanning, and

I would like to send alerts or email and Shunn the ip.

Hi,

Do you need more information about  my service request?

I am looking forward for you reply

Regards

Emilio

Hi Emilio,

I was wrong with the syslog I mentioned earlier. That syslog was for when "shun " is given in the command line.

The syslog you should be looking out for is 733102

Error Message    %ASA-4-733102:Threat-detection adds host %I to shun list 

Explanation   This message indicates that a host has been shunned by the threat detection engine.  When the threat-detection scanning-threat shun command is configured, the attacking hosts will  be shunned by the threat detection engine.

Now, as to why the host is not being shunned, you can check the following:

Do "show run all | in scanning" to get the scanning threat rate parameters set on the ASA.

Enable "threat-detection statistics host".

Note: this command can effect the performance of the ASA in a high load environment. So make sure you disable it once you are done with it.

Let the ASA collect statistics for the attacking host for some time.

You can now view the statistics for the attacker by doing: "show threat-detection statistics host " and see if the statistics for the

host exceed the scanning threat rate parameters or not. Unless it exceeds that it won't be shunned.

You can go ahead and tweak the parameters for the scanning rate with the command:

threat-detection rate scanning-threat rate-interval (Burst-rate duration is 1/30th of the rate-interval)
(Make sure you remove the earlier configured scanned rates, just in case)

If the ASA shuns the attacker, you can view it under "show threat-detection shun".

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered, if it ha been resolved. Do rate helpful posts. Thanks.

Hi,

The steps which you explain before have been made by me.

I need send an email or trap when an attack happens. How to get it? Could you explain to me what steps I have to make, please?

Do you need the configuration file of my firewall?

Regards

Emilio

Hi Emilio,

Try the following:

logging message 733102 level 0

logging mail 0

logging from-address aaaa@bbbb.com

logging recipient-address xxxx@yyyy.com level 0

smtp-server

This way you will get alerts on xxxx@yyyy.com whenever the syslog 733102 is generated. The from address in the email will be aaaa@bbbb.com

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

I tested your configuration and it doesn’t work properly

I attach you the configuration file and loggin.

logging enable
logging timestamp
logging list errores level errors
logging buffer-size 32768
logging buffered informational
logging trap warnings
logging asdm warnings
logging mail emergencies
logging from-address xxxx@xxxx
logging recipient-address xxxxx@xxxxx level emergencies
logging host AAAA X.X.X.X
logging message 733102 level emergencies
logging message 605004 level warnings
smtp-server X.X.X.X

Launch nmap (Scanning)

Do you need more information about  my service request?

Regards.

Hi Emilio,

I thought you needed an email alert when a host was shunned.

If you need an alert whenever [Scanning] drop rate-l is exceeded, then please add the following command:

logging message 733100 level 0

On the ASDM, you will be able to see the syslog id for all logs that are generated. So any log you want to be alerted by email, do: logging message level 0

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

That's right, thank you very much, but how can i know the ip of attacker?

Regards

Hi,

Do you need more information about  my service request?

I am looking forward for you reply

Regards

Emilio

Review Cisco Networking for a $25 gift card