threat-detection & scanning-threat

Unanswered Question
Mar 25th, 2008

First off, I see the ASA comes with a set of default threat-detection rules... Are these acceptable numbers for most? Or is it best to modify them?

I'm doing some testing with a single external host running all kinds of port scans and sweeps, filling the syslogs with 106023 messages:

%PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25363 dst outside:xxx.xxx.xxx.xxx/5909 by access-group "outside_acl" [0x0, 0x0]

When I run these scans, I'm seeing about 100 drops per second. What I don't understand is why the ASA doesn't identify the external host as an attacker and add it to a shun list.

I've modified the default threat-detection rules, but I can't for the life of me get the ASA to identify anything as an attacker (other than one internal host, once). Is this because the ASA is already denying the packets, and it's irrelevant whether it's an attacker or not?

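To make the numbers in the question concrete, here is an added Python example (not part of the original post and not Cisco's code) that parses 106023 deny lines of the form quoted above and reports, per source address, the same two quantities the appliance's rate thresholds are expressed in: average drops per second over a rate interval, and the peak burst. The syslog lines are constructed (documentation IP ranges, a hostname `fw-1`), the one-second burst buckets are a deliberate simplification of how the appliance measures bursts, and the thresholds are plain parameters: compare against the values in your own running configuration, not the illustrative ones used here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the 106023 ACL-deny message quoted in the post, with a
# "Mon DD YYYY HH:MM:SS host : " syslog prefix (PIX or ASA mnemonic).
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 deny line, or None for any other message."""
    m = DENY_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%b %d %Y %H:%M:%S")
    return fields


def rate_stats(lines, interval_s=600):
    """Per source IP: average drops/sec over the rate interval, peak drops in any
    single second (a simplification of the appliance's burst measurement), and the
    number of distinct (dst_ip, dst_port) targets hit. Assumes all lines fall
    inside one rate interval."""
    per_sec = defaultdict(lambda: defaultdict(int))  # src_ip -> second -> drops
    targets = defaultdict(set)
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        per_sec[ev["src_ip"]][ev["ts"]] += 1
        targets[ev["src_ip"]].add((ev["dst_ip"], ev["dst_port"]))
    stats = {}
    for src, buckets in per_sec.items():
        total = sum(buckets.values())
        stats[src] = {
            "average_rate": total / interval_s,
            "burst_rate": max(buckets.values()),
            "targets": len(targets[src]),
        }
    return stats


def flag_attackers(stats, average_rate, burst_rate):
    """Sources whose average or peak drop rate reaches the configured thresholds."""
    return sorted(src for src, s in stats.items()
                  if s["average_rate"] >= average_rate or s["burst_rate"] >= burst_rate)


def make_sample_lines():
    """Constructed sample syslog (not captured from a real device): one external host
    sweeping ports at 100 drops/s for 5 s, a second host that trips the ACL twice,
    and one unrelated message that the parser must ignore."""
    lines = []
    base = datetime(2008, 3, 25, 10, 0, 0)
    for s in range(5):
        ts = (base + timedelta(seconds=s)).strftime("%b %d %Y %H:%M:%S")
        for i in range(100):
            port = 5900 + s * 100 + i
            lines.append(
                f"{ts} fw-1 : %PIX-4-106023: Deny tcp src outside:203.0.113.10/{25000 + i} "
                f'dst outside:198.51.100.5/{port} by access-group "outside_acl" [0x0, 0x0]'
            )
    ts = base.strftime("%b %d %Y %H:%M:%S")
    for port in (161, 162):
        lines.append(
            f"{ts} fw-1 : %PIX-4-106023: Deny udp src outside:203.0.113.77/514 "
            f'dst outside:198.51.100.5/{port} by access-group "outside_acl" [0x0, 0x0]'
        )
    lines.append(f"{ts} fw-1 : %ASA-6-302013: Built inbound TCP connection (ignored by the parser)")
    return lines


if __name__ == "__main__":
    stats = rate_stats(make_sample_lines())
    for src, s in sorted(stats.items()):
        print(f"{src}: avg {s['average_rate']:.2f}/s, burst {s['burst_rate']}/s, "
              f"{s['targets']} distinct targets")
    # Same traffic, two different threshold pairs: only the first flags the sweep.
    print("low thresholds :", flag_attackers(stats, average_rate=5, burst_rate=10))
    print("high thresholds:", flag_attackers(stats, average_rate=400, burst_rate=800))
```

The two calls at the end are the point of the exercise: a host doing 100 drops per second for a few seconds averages under one drop per second over a 600-second interval, so whether it ever crosses a threshold depends almost entirely on the burst figure and on how high the configured rates are. Run the same arithmetic over your own logs with the rate values from your running configuration before concluding the feature is not working.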
amritpatek Mon, 03/31/2008 - 09:43

The default threat detection rules are good for any user, and a few of them may require modification depending on the design and usage of the network. The ASA is not identifying the machine as a threat because it is coming from a trusted subnet. Try the same from an untrusted subnet and check the ASA response.
