Scanning (733100) exceeded cos Win2k3 R2 Print Server SNMP?

Jul 8th, 2008

We have an ASA 5550 with 8.0.3.19 with threat detection active.

Regularly we have Scanning Alerts in our Log:

[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5

=> It might be because of Win2k3 R2 print server SNMP requests. (Since R2 of win2k, the print servers do a lot of SNMP requests to the printers to check their status.) The SNMP traffic is ALLOWED, not dropped.

The other messages are:

ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327

=> The very strange fact is that we don't have a NET "172.27.8.0". I don't even see any packets from 172.27.8.0 to the ASA Firewall (Wireshark with port mirroring).

The target is a printer:

ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007

Is this "normal"? Is there any debug possibility to check where those "Scanning Alerts" come from? Any ideas?

Thanks, Simon

hadbou Mon, 07/14/2008 - 06:26

"Subnet 172.27.8.0 is attacking" Explanation: Scanning detected. This system log message is sent when the system detects that a specific host (or several hosts in the same 1024-node subnet) either is scanning the network (attacking), or is being scanned (targeted).

simonstrecker Mon, 07/14/2008 - 06:46

Thanks, so what does "1024-node subnet" mean there?

172.27.8.0 = 172.27.8.0 - 172.27.11.255?
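Added example, not part of the original thread and not Cisco code: a small parser for the 733100/733101 messages quoted above that reports which configured rate was reached and, for a `Subnet` subject, the address range it would cover. It assumes the "1024-node subnet" in the explanation is a 1024-address-aligned (/22) block, which the thread does not confirm; the function and field names are made up for this illustration.

```python
import ipaddress
import re

# Constructed sample input: the three messages as quoted in the thread above.
SAMPLE_LOG = [
    "[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5",
    "ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327",
    "ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007",
]

RATES = re.compile(
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+)"
    r"(?:; Cumulative total count is (\d+))?"
)
SUBJECT = re.compile(r"(Host|Subnet) (\d+\.\d+\.\d+\.\d+) is (attacking|targeted)")

def parse_threat_message(line):
    """Return the rates and subject of one message, or None if it has no rate fields."""
    rates = RATES.search(line)
    if rates is None:
        return None
    burst, burst_max, avg, avg_max = (int(g) for g in rates.groups()[:4])
    result = {
        "burst": burst, "burst_max": burst_max,
        "average": avg, "average_max": avg_max,
        "total": int(rates.group(5)) if rates.group(5) else None,
        # The 733100 sample fires with burst equal to the maximum, so use >=.
        "burst_hit": burst >= burst_max,
        "average_hit": avg >= avg_max,
        "kind": None, "address": None, "role": None, "covers": None,
    }
    subject = SUBJECT.search(line)
    if subject:
        kind, address, role = subject.groups()
        result.update(kind=kind, address=address, role=role)
        if kind == "Subnet":
            # ASSUMPTION: "1024-node subnet" = aligned /22 block (1024 addresses).
            net = ipaddress.ip_network(f"{address}/22", strict=False)
            result["covers"] = (str(net[0]), str(net[-1]))
    return result

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_threat_message(entry))
```

Under that assumption the `Subnet` line is a bucket label for a range of source addresses rather than a configured network, so a capture filter on the single address 172.27.8.0 would not be expected to match anything.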
