01-07-2017 08:19 PM - edited 03-12-2019 01:45 AM
Hello,
I want to get advice on how to fine-tune Threat Detection.
Currently I keep finding this ASA syslog:
Jan 8 11:33:43 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 943
Jan 8 11:35:24 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 897
Jan 8 11:37:04 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 907
Jan 8 11:38:45 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 745
Further checking with
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs2.html
it looks related to threat detection.
Shown from the ASA live statistics:
awsasa# show threat-detection statistics host 111.222.333.444
Current monitored hosts:199999 Total not monitored hosts:85144663
Average(eps) Current(eps) Trigger Total events
Host:111.222.333.444: tot-ses:792 act-ses:205 fw-drop:0 insp-drop:0 null-ses:134 bad-acc:0
0-min Sent attack: 0 0 0 135
0-min Recv attack: 0 0 0 67
and the connection information:
asa# show conn | include 111.222.333.444
UDP outside 4.4.5.2:16505 INSIDE 111.222.333.444:53, idle 0:00:00, bytes 51, flags X
UDP outside 4.2.6.1:39897 INSIDE 111.222.333.444:53, idle 0:00:00, bytes 45, flags X
UDP outside 8.2.2.1:45463 INSIDE 111.222.333.444:53, idle 0:00:00, bytes 51, flags X
UDP outside 8.1.9.2:453 INSIDE 111.222.333.444:53, idle 0:00:00, bytes 37, flags X
I know that this is related to DNS traffic, which could possibly hit threat detection.
However, I am not sure which threat-detection it hits. Following is my threat-detection setting:
asa# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun duration 60
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
Question: How do I determine which threat-detection is exceeded, and which further parameters I can fine-tune?
Thanks!
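The following is an added example, not part of the original post or of any Cisco tool, showing one way to triage this kind of %ASA-4-733100 message: parse the "max configured rate" values out of the syslog line and compare them against the burst/average values in `show run all threat-detection`. It assumes (this is an assumption, not confirmed by the page) that `rate-1` refers to the first `rate-interval` line configured for a category and `rate-2` to the second. The syslog lines and config are copied from the post above; the two extra syslog lines at the end are constructed to show what a match looks like, since the `-4` in the posted messages matches none of the configured rates and the script reports no candidate for them.

```python
import re
from collections import defaultdict

# Syslog lines as posted (first two), plus two CONSTRUCTED lines with
# max-configured values that do exist in the config below.
SYSLOG = """\
Jan 8 11:33:43 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 943
Jan 8 11:35:24 192.168.10.2 %ASA-4-733100: [ 111.222.333.444] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 897
Jan 8 11:40:00 192.168.10.2 %ASA-4-733100: [ 10.0.0.5] drop rate-1 exceeded. Current burst rate is 450 per second, max configured rate is 400; Current average rate is 120 per second, max configured rate is 100; Cumulative total count is 5000
Jan 8 11:41:00 192.168.10.2 %ASA-4-733100: [ 10.0.0.6] drop rate-2 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 60
"""

# The rate lines from `show run all threat-detection` in the post.
CONFIG = """\
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun duration 60
"""

SYSLOG_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop (?P<rate_id>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>-?\d+) per second, max configured rate is (?P<burst_max>-?\d+); "
    r"Current average rate is (?P<avg>-?\d+) per second, max configured rate is (?P<avg_max>-?\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
CONFIG_RE = re.compile(
    r"^threat-detection rate (?P<kind>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)


def parse_733100(line):
    """Extract object, rate index and the four rate numbers from one 733100 message."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "object": d["obj"],
        "rate_index": int(d["rate_id"].split("-")[1]),  # rate-1 -> 1, rate-2 -> 2
        "burst": int(d["burst"]), "burst_max": int(d["burst_max"]),
        "avg": int(d["avg"]), "avg_max": int(d["avg_max"]),
        "total": int(d["total"]),
    }


def parse_config(text):
    """Group `threat-detection rate ...` lines by category, preserving config order."""
    rates = defaultdict(list)
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            rates[m["kind"]].append(
                {"interval": int(m["interval"]), "avg": int(m["avg"]), "burst": int(m["burst"])})
    return rates


def candidates(event, rates):
    """Categories whose N-th rate line (assumption: N from rate-N) has the event's max values."""
    idx = event["rate_index"] - 1
    hits = []
    for kind, entries in rates.items():
        if idx < len(entries):
            e = entries[idx]
            if e["burst"] == event["burst_max"] and e["avg"] == event["avg_max"]:
                hits.append((kind, e["interval"]))
    return sorted(hits)


def triage(syslog, config):
    """For each 733100 line: (object, rate index, max burst, list of candidate categories)."""
    rates = parse_config(config)
    return [(ev["object"], ev["rate_index"], ev["burst_max"], candidates(ev, rates))
            for ev in map(parse_733100, syslog.splitlines()) if ev]


if __name__ == "__main__":
    for obj, idx, bmax, hits in triage(SYSLOG, CONFIG):
        print(obj, "rate-%d" % idx, "max burst", bmax, "->", hits or "no configured rate matches")
```

Two things the output makes visible: the posted messages carry a max configured rate of -4, which is not any value in the running config, so value matching alone cannot name the category for them, and even when the values do match, the ASA defaults give several categories the same 100/400 and 80/320 pair, so a burst/average match can still be ambiguous (the constructed rate-1 line maps to four categories, the rate-2 scanning-threat line to one). The per-category `show threat-detection rate` counters are the more direct way to settle which one fired.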