Scanning (733100) exceeded cos Win2k3 R2 Print Server SNMP?

Jul 8th, 2008

We have an ASA 5550 with 8.0.3.19 with threat detection active.


Regularly we have Scanning Alerts in our Log:

[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5


=> It might be because of Win2k3 R2 print server SNMP requests. (Since R2 of win2k the print servers do a lot of SNMP requests to the printers to check their status). The SNMP Traffic is ALLOWED, not dropped.


The other messages are:

ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327


=> The very strange fact is that we don't have a NET "172.27.8.0". I don't even see any packets from 172.27.8.0 to the ASA Firewall (Wireshark with port mirroring).


The target is a printer:

ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007


Is this "normal"? Is there any debug possibility to check where those "Scanning Alerts" come from? Any ideas?


Thanks, Simon




hadbou Mon, 07/14/2008 - 06:26

"Subnet 172.27.8.0 is attacking" Explanation: Scanning detected. This system log message is sent when the system detects that a specific host (or several hosts in the same 1024-node subnet) either is scanning the network (attacking), or is being scanned (targeted).

simonstrecker Mon, 07/14/2008 - 06:46

Thanks, so what does "1024-node subnet" mean there?


172.27.8.0 = 172.27.8.0 - 172.27.11.255?
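
An added example, not part of the thread and not Cisco code: it parses the two 733101 messages quoted above and maps each alert to the inside hosts it could refer to, which is how a "Subnet" alert for a network you never configured can be tied back to real machines. It assumes the "1024-node subnet" is the /22-aligned block containing the reported address (the thread does not confirm this), and the `KNOWN_HOSTS` inventory is constructed, except for the printer address taken from the log.

```python
import ipaddress
import re

# The two 733101 messages quoted in the thread, embedded as sample input.
SAMPLE_LOG = """\
ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327
ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007
"""

# Constructed inventory of inside hosts (hypothetical, except the printer from the thread).
KNOWN_HOSTS = {"print-server": "172.27.9.14", "printer": "172.26.41.52", "workstation": "172.27.12.7"}

PATTERN = re.compile(
    r"733101: (?P<kind>Host|Subnet) (?P<addr>[\d.]+) is (?P<role>attacking|targeted)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def scope_of(kind, addr):
    """Network covered by the alert. ASSUMPTION: a 'Subnet' is the /22-aligned
    1024-address block containing addr; a 'Host' is a single /32."""
    prefix = 22 if kind == "Subnet" else 32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_733101(text):
    """Parse 733101 lines into dicts with numeric rates and the covered network."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # not a 733101 scanning message
        ev = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
        ev["scope"] = scope_of(ev["kind"], ev["addr"])
        ev["burst_ratio"] = ev["burst"] / ev["burst_max"]  # how far over the limit
        events.append(ev)
    return events

def candidates(event, inventory):
    """Names of inventory hosts whose address falls inside the alert's scope."""
    return sorted(n for n, ip in inventory.items()
                  if ipaddress.ip_address(ip) in event["scope"])

if __name__ == "__main__":
    for ev in parse_733101(SAMPLE_LOG):
        net = ev["scope"]
        print(f'{ev["kind"]} {ev["addr"]} {ev["role"]}: {net[0]}-{net[-1]}, '
              f'burst {ev["burst_ratio"]:.1f}x limit, hosts: {candidates(ev, KNOWN_HOSTS)}')
```
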



