Denied Attackers - Maximum?

Unanswered Question
Aug 8th, 2008

Does anyone know where I can find out the maximum number of denied attackers the ASA-SSM-10 running 6.1(1)E2 can handle? I see where you can set a timeout and total number for the denied hosts and denied network blocks but I haven't been able to find anything for the max number of denied attackers.


I am using this for a signature that is sometimes popular on our network and I'm concerned about impacting the performance of my IPS.


Thanks.

rhermes Fri, 08/08/2008 - 07:22

The default number of blocked hosts is 250. You can see this with a "sh stat net" command. This can be configured from

conf t
service net
general
block-max-entries


marcabal Fri, 08/08/2008 - 09:54

Blocks are different from Denies.


Blocks are for the modification of configuration on Switches, Routers, or Firewalls to get the other device to drop the traffic.


Denies are when the sensor itself drops the packets. The sensor must be operated in InLine mode for Denies to work.


To configure the max number of Denied Attackers you follow a similar procedure as rhermes posted, but it is controlled in the service event-action-rules rules0 configuration.


conf t
service event-action-rules rules0
general
max-denied-attackers 10000


The default I believe is 10,000, but it can be configured to be much higher or lower. Increasing this number could have a performance effect on your sensor, so be careful when increasing this above 10,000.
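Added example (not from this thread or from Cisco): a small capacity-planning check for the concern raised above, replaying deny-attacker events against a table bounded by max-denied-attackers to see how close a "popular" signature would push the sensor to that limit. It assumes a constructed "timestamp source-ip" event format, that an entry lives for the deny-attacker duration and is refreshed by a repeat hit, and a 3600-second duration; the sensor's real behaviour is not described on the page.

```python
from datetime import datetime, timedelta

# Constructed sample, one line per deny-attacker action the sensor fired
# ("ISO-timestamp source-ip"). Not real sensor output.
SAMPLE_EVENTS = """\
2008-08-08T07:00:00 10.1.1.5
2008-08-08T07:00:10 10.1.1.6
2008-08-08T07:00:20 10.1.1.5
2008-08-08T07:30:00 10.1.1.7
2008-08-08T08:00:05 10.1.1.8
2008-08-08T08:00:30 10.1.1.6
"""


def parse_events(text):
    """Turn the constructed event lines into (datetime, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    return events


def peak_denied_attackers(events, deny_timeout_seconds):
    """Replay deny events against a denied-attackers table.

    Assumption: each attacker entry expires deny_timeout_seconds after its
    most recent hit (a repeat hit refreshes it). Returns the peak number of
    entries held at once, i.e. the load the table must be sized for.
    """
    timeout = timedelta(seconds=deny_timeout_seconds)
    expires = {}  # source ip -> time its deny entry lapses
    peak = 0
    for ts, ip in sorted(events):
        # Drop entries whose deny period has already ended at this instant.
        for stale in [k for k, v in expires.items() if v <= ts]:
            del expires[stale]
        expires[ip] = ts + timeout
        peak = max(peak, len(expires))
    return peak


def headroom(events, deny_timeout_seconds, max_denied_attackers=10000):
    """Peak occupancy and how many entries remain below max-denied-attackers."""
    peak = peak_denied_attackers(events, deny_timeout_seconds)
    return peak, max_denied_attackers - peak


if __name__ == "__main__":
    print(headroom(parse_events(SAMPLE_EVENTS), 3600))
```

Feed it a day of real deny events from the sensor's event store and a negative headroom value means the configured maximum would have been hit, which is the point at which raising the limit (with the performance caveat above) or shortening the deny duration needs to be weighed.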




