Error #733100 - drop rate-1 exceeded

Answered Question
Jul 27th, 2010

Getting the following 733100 events, and all are Scanning

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709


Question


Why am I getting events from less than the manually configured rates?


Here are the configuration changes, output by show run


no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 25 burst-rate 50
threat-detection rate syn-attack rate-interval 3600 average-rate 20 burst-rate 40



In the configuration guide http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wpmkr1076627

it says "You can configure up to three commands with different rate intervals."


Question

Does this mean there are three different types of command, or that you can only manually adjust three out of the various basic threat detection settings?


Panos Kampanakis Tue, 07/27/2010 - 15:31
Cisco Employee

The doc is saying that you can have 3 versions of the command


For example


threat-detection rate scanning-threat rate-interval 600 average-rate 200  burst-rate 400
threat-detection rate scanning-threat rate-interval  3600 average-rate 160 burst-rate 320

threat-detection rate scanning-threat rate-interval 800 average-rate 200  burst-rate 400



You will receive a log saying which limit you reached every time you exceed a limit ("[ Scanning] drop rate-1 exceeded", or "[ Scanning] drop rate-2 exceeded").


You have configured 2 limits. If you are also running basic threat detection, the basic limits are also matched and the logs will also reflect those.


I hope it helps.


PK

richardwiseman Wed, 07/28/2010 - 03:44

Hello, you have explained the second question, thanks.

But the first question is still not clear.


threat-detection rate scanning-threat rate-interval 600 average-rate 200  burst-rate 400
threat-detection rate scanning-threat rate-interval  3600 average-rate 160 burst-rate 320

threat-detection rate scanning-threat rate-interval 800 average-rate 200  burst-rate 400


Question

In your example, would they equal rate 1, 2 and 3?


Basic Threat Detection is enabled.

Question

So are you saying with basic threat detection, the default settings for scanning-threat are still valid, even though they are "no"ed out in the running config?

Question

I do not get why I am getting scanning threat alerts below the threshold I have set.

If another basic threat detection setting was triggering the event, why does the alert message not show the trigger? For example acl drop?


If you disable basic threat detection and just have manual entries for the threat you are interested in, for example dos-drop, would this generate a syslog event 733100?



Thanks

Correct Answer
Panos Kampanakis Wed, 07/28/2010 - 06:38
Cisco Employee

From http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058639 "If you already configured this command as part of the basic threat detection configuration (see the "Configuring Basic Threat Detection" section), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for each feature."


But you have a point in that the alert has a value that is less than the limit reported. Are you running 8.0.4? Then this is defect "CSCsv42964: scanning-threat does not pick up the correct rate threshold in syslog".


Please mark this as solved if it is, to benefit future readers.


PK
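The two answers above make two points a practitioner will want to check mechanically: rate-N in the syslog is the Nth `threat-detection rate` command configured for that event, and on 8.0.4 the defect CSCsv42964 makes the syslog print a threshold that does not match the rates that actually tripped the alert. The script below is an added example, not code from this thread or from Cisco. It parses the two ASA-4-733100 lines and the `show run` output quoted in the question, maps each rate-N back to the configured command, and reports whether the printed current rates really exceed the printed maxima; when they do not, it also tests them against the factory defaults that the `no` lines in the running config show were removed. The mapping of the syslog label `Scanning` to the `scanning-threat` keyword, and the rule that an alert fires when either the burst or the average rate is above its threshold, are assumptions made here.

```python
"""Cross-check ASA-4-733100 alerts against `show run` threat-detection rates.

Added example for this thread, not Cisco tooling. The sample syslog lines and
config lines are copied from the posts above; assumptions are marked inline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog lines as posted in the question.
SYSLOG_LINES = [
    "ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, "
    "max configured rate is 400; Current average rate is 56 per second, max configured "
    "rate is 200; Cumulative total count is 33887",
    "ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, "
    "max configured rate is 320; Current average rate is 13 per second, max configured "
    "rate is 160; Cumulative total count is 47709",
]

# `show run` lines as posted in the question.
SHOW_RUN_LINES = """\
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 25 burst-rate 50
threat-detection rate syn-attack rate-interval 3600 average-rate 20 burst-rate 40
""".splitlines()

# Assumption: syslog object label -> `threat-detection rate` keyword.
# Only the label that appears in this thread is mapped.
EVENT_KEYWORD = {"Scanning": "scanning-threat"}

SYSLOG_RE = re.compile(
    r"ASA-4-733100: \[ ?(?P<event>[^\]]+?) ?\] drop rate-(?P<idx>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
CONFIG_RE = re.compile(
    r"^(?P<neg>no )?threat-detection rate (?P<event>[\w-]+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)


@dataclass
class RateAlert:
    event: str
    idx: int        # the N in "rate-N"
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int


@dataclass
class RateConfig:
    event: str
    interval: int
    avg: int
    burst: int


@dataclass
class Diagnosis:
    interval: Optional[int]          # rate-interval of the command rate-N maps to
    printed_matches_config: bool     # syslog maxima equal the configured command
    exceeds_printed: bool            # observed rates really exceed the printed maxima
    exceeds_default: Optional[bool]  # observed rates exceed the removed default instead


def parse_alert(line: str) -> Optional[RateAlert]:
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return RateAlert(m["event"], int(m["idx"]), int(m["burst"]), int(m["burst_max"]),
                     int(m["avg"]), int(m["avg_max"]), int(m["total"]))


def parse_show_run(lines: List[str]) -> Tuple[Dict[str, List[RateConfig]], Dict[str, List[RateConfig]]]:
    """Return (active, negated): event keyword -> commands in running-config order.
    `no ...` lines are the factory defaults the admin removed; kept separately so the
    observed rates can be tested against them as well."""
    active: Dict[str, List[RateConfig]] = {}
    negated: Dict[str, List[RateConfig]] = {}
    for line in lines:
        m = CONFIG_RE.match(line.strip())
        if not m:
            continue
        cfg = RateConfig(m["event"], int(m["interval"]), int(m["avg"]), int(m["burst"]))
        (negated if m["neg"] else active).setdefault(cfg.event, []).append(cfg)
    return active, negated


def exceeds(burst: int, avg: int, cfg: RateConfig) -> bool:
    # Assumption: the alert fires when either rate is above its threshold.
    return burst > cfg.burst or avg > cfg.avg


def diagnose(alert: RateAlert, active, negated) -> Diagnosis:
    key = EVENT_KEYWORD.get(alert.event, alert.event)
    entries = active.get(key, [])
    # rate-N is the Nth `threat-detection rate` command for this event.
    cfg = entries[alert.idx - 1] if 0 < alert.idx <= len(entries) else None
    printed = RateConfig(key, 0, alert.avg_max, alert.burst_max)
    default = None
    if cfg is not None:
        default = next((d for d in negated.get(key, []) if d.interval == cfg.interval), None)
    return Diagnosis(
        interval=cfg.interval if cfg else None,
        printed_matches_config=cfg is not None and (cfg.avg, cfg.burst) == (alert.avg_max, alert.burst_max),
        exceeds_printed=exceeds(alert.burst, alert.avg, printed),
        exceeds_default=None if default is None else exceeds(alert.burst, alert.avg, default),
    )


def verdict(alert: RateAlert, d: Diagnosis) -> str:
    if d.exceeds_printed:
        return f"rate-{alert.idx}: consistent, observed rates exceed the printed thresholds"
    msg = (f"rate-{alert.idx}: INCONSISTENT, observed burst {alert.burst}/avg {alert.avg} "
           f"are below printed max {alert.burst_max}/{alert.avg_max}")
    if d.exceeds_default:
        msg += f"; they do exceed the removed default for rate-interval {d.interval}"
    return msg


if __name__ == "__main__":
    active_cfg, negated_cfg = parse_show_run(SHOW_RUN_LINES)
    for raw in SYSLOG_LINES:
        parsed = parse_alert(raw)
        if parsed:
            print(verdict(parsed, diagnose(parsed, active_cfg, negated_cfg)))
```

Run against the thread's own lines, both alerts come out INCONSISTENT: the printed maxima match the configured commands, the observed rates are below them, but they are above the removed defaults (average 5/burst 10 for 600 seconds, 4/8 for 3600 seconds). That is the shape of symptom the answer attributes to CSCsv42964, and the same check will stay silent once an alert's printed numbers are self-consistent.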

richardwiseman Wed, 07/28/2010 - 07:33

Hi,

Yes, I am running 8.0.4.

I was aware of a bug using ASDM; I thought the workaround was to use the CLI.

So I need to upgrade to 8.0.5 to fully fix it; I think this will sort a lot of people out. Many thanks.


Is there a workaround I can do before I can arrange an upgrade?

I would happily turn off scanning-threat, but I want to monitor other things such as syn-attack.


Regards

Panos Kampanakis Wed, 07/28/2010 - 07:53
Cisco Employee

It is a syslog generation bug, so I am afraid there is no workaround.


You can disable the scanning threat. The syn-attack is a different event.


Take care,

PK


PS: It is important to flag the question as answered for future readers, so kindly do so if this is now answered.

richardwiseman Wed, 07/28/2010 - 09:55

Hi, can you confirm how this is done?

I know I can switch off Basic Threat Detection and Scanning Threat Detection is already off.

How do I just switch on for syn-attack?


I know the best solution is to upgrade as fast as possible.

Many Thanks
