ASA 5510

Mar 9th, 2009

All-

What is this message I see in the fws log?


[ Scanning] drop rate-1 exceeded.


Thanks,

Vlad

Correct Answer
Yudong Wu Mon, 03/09/2009 - 14:04

By the way "scanning drop" includes:

ACL drop, Bad packet drop, Conn limit drop, ICMP drop, Inspect drop, Interface drop and Syn attack.

hunnetvl01 Tue, 03/10/2009 - 06:21

Is there a way I can check what hosts were previously shunned if now I can't see any?


I have the log which says rate exceeded but I want to see which were the shunned hosts.

I can't see any with sh threat-detection shun

Thanks,

V



renatoaureliano Fri, 02/17/2012 - 07:01

I'm receiving the same messages on log:


[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5622


[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31781

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5915


[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31911


[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5915

.

.

.







It happens all the time.

It doesn't show the source or destination.

I'm using ASDM 6.1 - ASA 5510


How can I avoid these messages and protect from these scanning attacks?


Thanks,

Renato

renatoaureliano Fri, 02/17/2012 - 11:31

Found Solution for drop rate-1:


https://supportforums.cisco.com/thread/228276

The syslogs "[ Scanning] drop rate-1 exceeded." mean that you have exceeded the "Scanning attack detected" threshold.

Shows a threshold that you exceeded.

But threat detection will not drop unless you tell it to.

The default behavior is to just alert (generate syslog).


So I would like to know if drop rate-2 is the same.


Thanks.



