Hi,

Logging configuration

logging enable
logging timestamp
logging list errores level errors
logging buffer-size 32768
logging buffered warnings
logging trap warnings
logging asdm warnings
logging from-address xxxxx@xxxxxx
logging recipient-address xxxxx@jxxxxxx level errors
logging host Interface-outside 10.xx.xx.xx
logging message 605004 level warnings

The firewall no shunning host, only detect scanning, and

Hi,

Do you need more information about  my service request?

I am looking forward for you reply

Regards

Emilio

Hi Emilio,

I was wrong with the syslog I mentioned earlier. That syslog was for when "shun " is given in the command line.

The syslog you should be looking out for is 733102

Error Message    %ASA-4-733102:Threat-detection adds host %I to shun list 

Explanation   This message indicates that a host has been shunned by the threat detection engine.  When the threat-detection scanning-threat shun command is configured, the attacking hosts will  be shunned by the threat detection engine.

Now, as to why the host is not being shunned, you can check the following:

Do "show run all | in scanning" to get the scanning threat rate parameters set on the ASA.

Enable "threat-detection statistics host".

Note: this command can effect the performance of the ASA in a high load environment. So make sure you disable it once you are done with it.

Let the ASA collect statistics for the attacking host for some time.

You can now view the statistics for the attacker by doing: "show threat-detection statistics host " and see if the statistics for the

host exceed the scanning threat rate parameters or not. Unless it exceeds that it won't be shunned.

You can go ahead and tweak the parameters for the scanning rate with the command:

threat-detection rate scanning-threat rate-interval  average-rate  burst-rate 
(Burst-rate duration is 1/30th of the rate-interval)
(Make sure you remove the earlier configured scanned rates, just in case)

If the ASA shuns the attacker, you can view it under "show threat-detection shun".

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered, if it ha been resolved. Do rate helpful posts. Thanks.

Hi,

The steps which you explain before have been made by me.

I need send an email or trap when an attack happens. How to get it? Could you explain to me what steps I have to make, please?

Do you need the configuration file of my firewall?

Regards

Emilio

Hi Emilio,

Try the following:

logging message 733102 level 0

logging mail 0

logging from-address aaaa@bbbb.com

logging recipient-address xxxx@yyyy.com level 0

smtp-server

This way you will get alerts on xxxx@yyyy.com whenever the syslog 733102 is generated. The from address in the email will be aaaa@bbbb.com

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

I tested your configuration and it doesn’t work properly

I attach you the configuration file and loggin.

logging enable
logging timestamp
logging list errores level errors
logging buffer-size 32768
logging buffered informational
logging trap warnings
logging asdm warnings
logging mail emergencies
logging from-address xxxx@xxxx
logging recipient-address xxxxx@xxxxx level emergencies
logging host AAAA X.X.X.X
logging message 733102 level emergencies
logging message 605004 level warnings
smtp-server X.X.X.X

Launch nmap (Scanning)

Do you need more information about  my service request?

Regards.

Hi Emilio,

I thought you needed an email alert when a host was shunned.

If you need an alert whenever [Scanning] drop rate-l is exceeded, then please add the following command:

logging message 733100 level 0

On the ASDM, you will be able to see the syslog id for all logs that are generated. So any log you want to be alerted by email, do: logging message level 0

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

That's right, thank you very much, but how can i know the ip of attacker?

Regards