Apologies if this has been covered before, I did a quick scan of forums here but might have missed a relevant post. I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2). I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" IDS rule:
                   Average(eps)   Current(eps)   Trigger   Total events
  10-min Scanning:       6              6            338           3673
  1-hour Scanning:       6              7          32859          23525
The default triggers are as follows:
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
This results in a flood of log messages like so:
[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.
I would like to increase the trigger values on these rules so that only unusual traffic will trip them. I believe the relevant CLI command for creating a new rule would be similar to the config lines above (just altering the average-rate and burst-rate params to be higher); however, attempting to do so earns me an "ERROR: rate-interval 600 already exists."
I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web. I do have a SMARTNet contract and could call support, but thought I would check here first. I'd much appreciate any info or advice.
Thanks in advance!
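An added example, not part of the original post, of the CLI sequence the question is asking about. On the ASA a threat-detection rate is keyed by its rate-interval, so an existing rate for that interval has to be removed with the `no` form of the full line (including its current average-rate and burst-rate, which `show running-config all threat-detection` lists even for defaults) before a new line for the same interval can be entered. The raised thresholds below are illustrative assumptions for this post's defaults, not tuned recommendations.

```cisco
! List the active threat-detection rates, defaults included
show running-config all threat-detection

! Remove the two existing scanning-threat rates (the full line is given;
! the values are the defaults quoted in the post)
configure terminal
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

! Re-add both intervals with higher thresholds (assumed, illustrative values)
threat-detection rate scanning-threat rate-interval 600 average-rate 20 burst-rate 40
threat-detection rate scanning-threat rate-interval 3600 average-rate 15 burst-rate 30
end

! Confirm the new rates, then reset the counters so the averages restart
show threat-detection rate scanning-threat
clear threat-detection rate
```

The `show`/`clear` commands run from privileged EXEC; only the `no threat-detection rate` and `threat-detection rate` lines need configuration mode. Pick the new average-rate from the steady-state value the `show` output reports for the interface (6 eps here) with some headroom, and keep burst-rate above average-rate; raising both far beyond background levels means a real port scan at a modest rate will no longer be logged at all.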