Threat Detection Tuning

Machi Ma
Level 1

Hello,

I want advice on how to fine tune Threat Detection.

Currently I keep finding this ASA syslog message:

Jan  8 11:33:43 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 943
Jan  8 11:35:24 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 897
Jan  8 11:37:04 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 907
Jan  8 11:38:45 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 745

Further checking with

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs2.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#anc4

it looks related to threat detection.

Shown from the ASA live statistics:

awsasa# show threat-detection statistics host 111.222.333.444
Current monitored hosts:199999  Total not monitored hosts:85144663
                          Average(eps)    Current(eps) Trigger      Total events

Host:111.222.333.444: tot-ses:792 act-ses:205 fw-drop:0 insp-drop:0 null-ses:134 bad-acc:0
   0-min Sent attack:                0               0       0               135
   0-min Recv attack:                0               0       0                67

and the connection information:

asa# show conn | include 111.222.333.444
UDP outside  4.4.5.2:16505 INSIDE  111.222.333.444:53, idle 0:00:00, bytes 51, flags X
UDP outside  4.2.6.1:39897 INSIDE  111.222.333.444:53, idle 0:00:00, bytes 45, flags X
UDP outside  8.2.2.1:45463 INSIDE  111.222.333.444:53, idle 0:00:00, bytes 51, flags X
UDP outside  8.1.9.2:453 INSIDE  111.222.333.444:53, idle 0:00:00, bytes 37, flags X

I know that this is related to DNS traffic, which could possibly hit threat detection.

However, I am not sure which threat-detection rate it hit. Following is my threat detection setting:

asa# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun duration 60
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Question: How do I determine which threat-detection rate is exceeded, and which further parameters can I fine tune?

Thanks!
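As an added triage aid (not code from the post or from Cisco), the script below parses the %ASA-4-733100 lines and the `show run all threat-detection` output quoted above and lists which configured rate categories the observed burst or average rate would exceed. The ASA message itself does not name the category, so treating a threshold comparison as the candidate list is an assumption of this example; the sample inputs are constructed from the post.

```python
import re

# Constructed sample: two of the %ASA-4-733100 lines quoted in the post.
SAMPLE_SYSLOG = """\
Jan  8 11:33:43 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 943
Jan  8 11:38:45 192.168.10.2 %ASA-4-733100: [   111.222.333.444] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is -4; Current average rate is 0 per second, max configured rate is -4; Cumulative total count is 745
"""
# Constructed sample: a subset of the `show run all threat-detection` output from the post.
SAMPLE_CONFIG = """\
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
"""
# Field layout of the 733100 message: object in brackets, rate ID, burst/avg rates, limits, total.
MSG_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<idx>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>-?\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>-?\d+); "
    r"Cumulative total count is (?P<total>\d+)")
CFG_RE = re.compile(
    r"^threat-detection rate (?P<cat>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$")

def parse_syslog(text):
    """Return one dict per %ASA-4-733100 line, numeric fields converted to int."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("idx", "burst", "burst_max", "avg", "avg_max", "total"):
                d[k] = int(d[k])
            events.append(d)
    return events

def parse_config(text):
    """Return {(category, rate_interval): (average_rate, burst_rate)} from the running config."""
    cfg = {}
    for line in text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            cfg[(m["cat"], int(m["interval"]))] = (int(m["avg"]), int(m["burst"]))
    return cfg

def candidate_categories(event, cfg):
    """Categories whose configured average or burst threshold the event's observed rates exceed.
    Heuristic only (assumption): the message does not say which category fired."""
    return sorted({cat for (cat, _), (avg, burst) in cfg.items()
                   if event["burst"] > burst or event["avg"] > avg})
```

Run against the full `show run all threat-detection` output to compare every configured category; a category that appears for every logged event is the one worth tuning first.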
