07-08-2008 12:59 AM - edited 03-11-2019 06:10 AM
We have an ASA 5550 with 8.0.3.19 with threat detection active.
Regularly we have Scanning Alerts in our Log:
[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5
=> It might be because of Win2k3 R2 print server SNMP requests (since R2 of win2k, the print servers do a lot of SNMP requests to the printers to check their status). The SNMP traffic is ALLOWED, not dropped.
The other messages are:
ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327
=> The very strange fact is that we don't have a NET "172.27.8.0". I don't even see any packets from 172.27.8.0 to the ASA Firewall (Wireshark with port mirroring).
The target is a printer:
ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007
Is this "normal"? Is there any debug possibility to check where those "Scanning Alerts" come from? Any ideas?
Thanks, Simon
07-14-2008 06:26 AM
"Subnet 172.27.8.0 is attacking" Explanation: Scanning detected. This system log message is sent when the system detects that a specific host (or several hosts in the same 1024-node subnet) either is scanning the network (attacking), or is being scanned (targeted).
07-14-2008 06:46 AM
Thanks, so what does "1024-node subnet" mean there?
172.27.8.0 = 172.27.8.0 - 172.27.11.255?
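Added example, not part of the original posts and not Cisco code: a small parser for the 733101 messages quoted in this thread that reports which configured rate was exceeded and the address range to look for in a capture. It assumes "1024-node subnet" means a /22 block starting at the reported address; the function names are hypothetical and the sample log is constructed from the two messages above.

```python
import ipaddress
import re

# Constructed sample: the two 733101 messages quoted in the thread.
SAMPLE_LOG = """\
ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327
ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007
"""

PATTERN = re.compile(
    r"733101: (?P<kind>Host|Subnet) (?P<addr>\d+\.\d+\.\d+\.\d+) is (?P<role>attacking|targeted)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_733101(line):
    """Parse one 733101 message; return None for any other line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    # Assumption: "Subnet" names a 1024-address (/22) block; "Host" is a single /32.
    prefix = 22 if rec["kind"] == "Subnet" else 32
    rec["scope"] = ipaddress.ip_network(f"{rec['addr']}/{prefix}", strict=False)
    # Which configured limit was actually crossed: burst, average, or both.
    limits = (("burst", rec["burst"], rec["burst_max"]),
              ("average", rec["avg"], rec["avg_max"]))
    rec["exceeded"] = [name for name, current, cap in limits if current > cap]
    return rec

def in_scope(rec, ip):
    """True if a captured address falls inside the range the message refers to."""
    return ipaddress.ip_address(ip) in rec["scope"]

def display_filter(rec):
    """Wireshark display filter for the whole range, not just the network address."""
    field = "ip.src" if rec["role"] == "attacking" else "ip.dst"
    return f"{field} == {rec['scope']}"

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_733101(line)
        if rec:
            scope = rec["scope"]
            print(f"{rec['kind']} {rec['role']}: {scope[0]} - {scope[-1]}, "
                  f"exceeded={rec['exceeded']}, filter: {display_filter(rec)}")
```

Under that assumption, a capture filtered on the single address 172.27.8.0 would miss a real source anywhere else in the range, which is why the filter covers the whole block.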