ASA 5505 IDS question

Unanswered Question
Jun 21st, 2010


Apologies if this has been covered before, I did a quick scan of forums here but might have missed a relevant post.  I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2).  I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" IDS rule:

                          Average(eps)    Current(eps) Trigger      Total events

  10-min  Scanning:                  6               6     338              3673

  1-hour  Scanning:                  6               7   32859             23525

The default triggers are as follows:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

This results in a flood of log messages like so:

[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.

I would like to increase the trigger values on these rules so that only unusual traffic will trip them.  I believe the relevant CLI command for creating a new rule would be similar to the config lines above (just altering the average-rate and burst-rate params to be higher), however attempted to do so earns me an "ERROR: rate-interval 600 already exists."

I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web.  I do have a SMARTNet contract and could call support, but thought I would check here first.  I'd much appreciate any info or advice.

Thanks in advance!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcin Latosiewicz Mon, 06/21/2010 - 13:01


I'm in a bit of a rush, so I will not go over everything right now.

BTW this should be in "firewalling" section rather then IDS ;-) This is thread-detection rather then ip audit - which is the IPS/IDS on ASA.

To see all triggers as configured do

show run all threat

Obviously if you will adjust a setting that is already configured it should not be accepted.


dave.kinsley Mon, 06/21/2010 - 13:13

Thank you for your reply...  I'll check the Firewall section now!

>Obviously if you will adjust a setting that is already configured it should not be accepted.

This doesn't seem obvious to me; this is exactly what I am trying to do, adjust an already configured setting.  I'd imagine there is different syntax required to change such a setting, can't seem to find it (yet).

Marcin Latosiewicz Mon, 06/21/2010 - 23:51


Sorry for the confusion, as stated above I was in a bit of rush yesterday. ;-)

What I meant is that apparently one of the values you're trying to set is already set... if time allows I will check this behavior in the lab today.


dave.kinsley Tue, 06/22/2010 - 05:14

Thanks for the advice, I did receive a solution on the Firewall forum, as suggested above.  For reference, the solution was:

To remove:

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

Then add your new configuration line.

The 'no' command is what I was missing, being unfamiliar with Cisco command line config.  Thanks again!


This Discussion