
Threat Detection problem

noir_oscar
Beginner

Please help me. I am testing the Cisco ASA with nmap, but the Cisco ASA doesn't shun my IP.

I have configured threat detection as follows:

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 600 average-rate 3 burst-rate 6

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45

threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

1 Accepted Solution


jocamare
Enthusiast

The TD feature works with traffic going through the box, not to it.

In case you are trying to scan a host across the ASA, make sure you can see the 733101 logs and also that the attacker appears in the "show threat scanning" output.
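
One way to check the first point in the answer above, whether the ASA logged the scanning host in 733101 messages, shown as an added example that is not part of the original thread. The message layout in the regex is an assumption based on Cisco's documented 733101 text; the sample lines, addresses and the names `scan_events` and `was_flagged` are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of syslog 733101, following Cisco's documented message text:
# "<Host|Subnet> <ip> is attacking|targeted. Current burst rate is N per second, ..."
MSG_733101 = re.compile(
    r"%ASA-4-733101: (?P<kind>Host|Subnet) (?P<ip>\S+) is (?P<role>attacking|targeted)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

# Constructed sample lines (documentation address ranges), not captured from a real ASA.
# The configured limits mirror the 600 s scanning-threat rates in the question (avg 3, burst 6).
SAMPLE_LOG = """\
Mar 01 10:15:02 asa1 %ASA-4-733101: Host 198.51.100.7 is attacking. Current burst rate is 9 per second, max configured rate is 6; Current average rate is 4 per second, max configured rate is 3; Cumulative total count is 2500
Mar 01 10:15:02 asa1 %ASA-4-733101: Host 203.0.113.20 is targeted. Current burst rate is 9 per second, max configured rate is 6; Current average rate is 4 per second, max configured rate is 3; Cumulative total count is 2500
Mar 01 10:25:02 asa1 %ASA-4-733101: Host 198.51.100.7 is attacking. Current burst rate is 12 per second, max configured rate is 6; Current average rate is 5 per second, max configured rate is 3; Cumulative total count is 5600
Mar 01 10:26:40 asa1 %ASA-6-302013: Built inbound TCP connection 4411 for outside:198.51.100.7/40112 (198.51.100.7/40112) to inside:203.0.113.20/443 (203.0.113.20/443)
"""

def scan_events(log_text):
    """Return {role: {ip: [rate dicts]}} for every 733101 line in log_text."""
    events = {"attacking": defaultdict(list), "targeted": defaultdict(list)}
    for line in log_text.splitlines():
        m = MSG_733101.search(line)
        if not m:
            continue  # other syslog IDs (connection builds, etc.) are ignored
        rates = {k: int(m[k]) for k in ("burst", "burst_max", "avg", "avg_max", "total")}
        events[m["role"]][m["ip"]].append(rates)
    return events

def was_flagged(log_text, scanner_ip):
    """True if the ASA logged scanner_ip as an attacker in a 733101 message,
    meaning the scan crossed the box and scanning-threat detection fired for it."""
    return scanner_ip in scan_events(log_text)["attacking"]

if __name__ == "__main__":
    ev = scan_events(SAMPLE_LOG)
    for ip, hits in ev["attacking"].items():
        worst = max(h["burst"] for h in hits)
        print(f"attacker {ip}: {len(hits)} event(s), peak burst {worst}/s (limit {hits[0]['burst_max']}/s)")
    for ip, hits in ev["targeted"].items():
        print(f"target   {ip}: {len(hits)} event(s)")
```

If the test host never shows up as an attacker here, the scan either did not pass through the ASA or did not trip the scanning-threat rates.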


Thank you jocamare, do you recommend a TD configuration that can detect a scanning attack?
