ASA 5505 threat-detection question

dave.kinsley
Level 1

Hello,

Someone on the IDS group suggested I post this here instead.  Apologies if this has been covered before; I did a quick scan of the forums here and only found one relevant post, which didn't help in my case...

I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2).  I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" rule:

                     Average(eps)  Current(eps)  Trigger  Total events
  10-min  Scanning:             6             6      338          3673
  1-hour  Scanning:             6             7    32859         23525

The default triggers are as follows:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

This results in a flood of log messages like so:

[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.

I would like to increase the trigger values on these rules so that only unusual traffic will trip them.  I believe the relevant CLI command for creating a new rule would be similar to:

threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 25


However, attempting to do so earns me an "ERROR: rate-interval 600 already exists."

I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web.  To clarify, I am trying to alter an existing config value.

I do have a SmartNet contract and could call support, but thought I would check here first.  I'd much appreciate any info or advice.

Thanks in advance!
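As an added example (not from the thread or from Cisco), a small Python helper that parses the scanning-threat syslog line format quoted above and replays logged events against candidate average-rate/burst-rate values, so a proposed threshold can be checked against the traffic actually observed before the rule is changed. The sample log lines are constructed; the mapping of rate-1/rate-2 to the 600 s and 3600 s rules and the strict "above the limit" comparison are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in the format shown in the question (not captured from the
# poster's device). Assumption: rate-1/rate-2 are the 600 s and 3600 s rules, in config order.
SAMPLE_LOGS = [
    "[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; "
    "Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.",
    "[Scanning] drop rate-2 exceeded. Current burst rate is 7 per second, max configured rate is 8; "
    "Current average rate is 6 per second, max configured rate is 4; Cumulative total count is 23525.",
    "[Scanning] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 10; "
    "Current average rate is 22 per second, max configured rate is 5; Cumulative total count is 9000.",
]

LOG_RE = re.compile(
    r"\[Scanning\] drop rate-(?P<rule>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)\."
)

@dataclass
class ScanEvent:
    rule: int
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int

def parse_event(line):
    """Extract observed and configured rates from one scanning-threat syslog line (None if no match)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return ScanEvent(**{k: int(v) for k, v in m.groupdict().items()})

def would_fire(ev, average_rate, burst_rate):
    """True if the event's rates exceed the candidate thresholds (assumed: strictly above the limit)."""
    return ev.avg > average_rate or ev.burst > burst_rate

def replay(lines, candidates):
    """Replay events against {rule: (average_rate, burst_rate)}; returns [(rule, still_fires), ...]."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev.rule in candidates:
            out.append((ev.rule, would_fire(ev, *candidates[ev.rule])))
    return out
```

Running `replay(SAMPLE_LOGS, {1: (15, 25)})` shows the background-noise event no longer firing under the proposed 15/25 thresholds while the 22 eps / 40 eps event still does.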

Accepted Solutions

Jennifer Halim
Cisco Employee

Please remove the existing configuration first, and configure the new threat detection rating.

To remove:

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

Then add your new configuration line.

Hope that helps.


CSCso51544    ASA overwrites default config when rate-interval is set to 600


Thank you very much!  The 'no' command is just what I was looking for...  clearing the existing rule allows me to re-establish with updated thresholds.

Thanks also for the pointer to the CSC number; upgrading the firmware might be something I try as a longer term solution.

Cheers!
