11-13-2014 01:28 PM - edited 03-11-2019 10:04 PM
Hey all,
I have just started getting to grips with my new ASA. Unfortunately I am having a lot of pain at present. The firewall keeps shunning internal people on the network, which is resulting in a lot of calls to the service desk.
I have done some reading and understand that shunning particular hosts is a good idea in the event of an attack. This is not an attack. How best can I mitigate these false positives? Why does it think they are attacking the firewall when they are just surfing?
Any help would be greatly appreciated.
Regards
Daniel
11-13-2014 04:02 PM
You need to post your config (remove sensitive information). Or at the very least post the output of
show run threat
11-14-2014 01:31 AM
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
11-14-2014 02:35 AM
Hi,
These commands alone would not be able to SHUN the ip addresses on the ASA device.
How are you able to find out if the hosts are being shunned or not?
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
Thanks and Regards,
Vibhor Amrodia
11-14-2014 02:37 AM
Vibhor thanks for your reply.
I have configured alerts and receive these alerts a lot. I think this may be the cause.
<164>Nov 14 2014 10:00:59 W138AG-ASA5520-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 4098
<164>Nov 14 2014 10:00:49 W138AG-ASA5520-1 : %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 6774
I am trying to work out what this means at present :)
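Added example, not code from this thread or from Cisco: a small Python parser for the %ASA-4-733100 lines quoted above that reports which configured maximum, burst or average, each message actually reached, and keeps those informational alerts apart from a genuine shun-list addition. The >= comparison is an assumption read off the second sample line, and the 733102 message ID comes from Cisco's syslog message reference rather than from this thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two syslog lines quoted in the post above.
SAMPLE_LOGS = [
    "<164>Nov 14 2014 10:00:59 W138AG-ASA5520-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. "
    "Current burst rate is 4 per second, max configured rate is 10; Current average rate is 6 per "
    "second, max configured rate is 5; Cumulative total count is 4098",
    "<164>Nov 14 2014 10:00:49 W138AG-ASA5520-1 : %ASA-4-733100: [ Scanning] drop rate-2 exceeded. "
    "Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per "
    "second, max configured rate is 4; Cumulative total count is 6774",
]

# 733100 is the basic-threat rate alert. 733102 (taken from Cisco's syslog message reference,
# not from this thread) is the message that reports a host actually added to the shun list.
SHUN_ADD_MARKER = "%ASA-4-733102:"

RATE_ALERT = re.compile(
    r"(?P<host>\S+) : %ASA-\d-733100: \[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) "
    r"exceeded\. Current burst rate is (?P<burst>\d+) per second, max configured rate is "
    r"(?P<burst_max>\d+); Current average rate is (?P<avg>\d+) per second, max configured rate is "
    r"(?P<avg_max>\d+); Cumulative total count is (?P<total>\d+)"
)

def parse_rate_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one %ASA-4-733100 line into a dict of its fields; None for any other message."""
    m = RATE_ALERT.search(line)
    if not m:
        return None
    return {k: (v if k in ("host", "category") else int(v)) for k, v in m.groupdict().items()}

def triggers(alert: Dict[str, object]) -> List[str]:
    """Which configured maximum was reached: 'burst', 'average' or both. Assumption: the ASA
    raises 733100 once a rate reaches (>=) its maximum; sample line 2 (burst 8 vs max 8) fits."""
    return [name for name, cur, mx in (("burst", "burst", "burst_max"), ("average", "avg", "avg_max"))
            if alert[cur] >= alert[mx]]

def triage(lines: List[str]) -> List[str]:
    """One verdict per line: real shun-list additions vs informational rate alerts; skip the rest."""
    out = []
    for line in lines:
        alert = parse_rate_alert(line)
        if SHUN_ADD_MARKER in line:
            out.append("SHUN " + line.split(SHUN_ADD_MARKER, 1)[1].strip())
        elif alert is not None:
            out.append(f"INFO {alert['category']} rate-{alert['rate_id']} on {alert['host']}: "
                       f"{'+'.join(triggers(alert))} limit hit (burst {alert['burst']}/"
                       f"{alert['burst_max']}, avg {alert['avg']}/{alert['avg_max']})")
    return out
```

Run against the two quoted lines it shows that the first fired on the average rate (6 against a maximum of 5) and the second on the burst rate (8 against 8), with neither being a shun event.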
11-14-2014 02:42 AM
Hi,
These are just informational. These would not cause the hosts to be shunned on the ASA device.
These are normal and you can ignore these :)
Thanks and Regards,
Vibhor Amrodia
11-14-2014 07:01 AM
In the future HS69, if you want to check for shunned hosts (obviously you will see them in the logs as well) you can use the following commands:
sh shun
sh threat-detection shun
11-24-2017 10:51 AM
Hi David,
What is the difference between those two commands?
I ask because I have found that when some hosts are being shunned, they show up in the sh shun output but not the other. Furthermore, I have taken steps to exclude some of the hosts from threat-detection, and yet they still show up under show shun.
I need to fix this permanently, especially for my network monitoring servers.
Thanks.
John