Cisco Support Community
New Member

ASA 5505 threat-detection question

Hello,

Someone on the IDS group suggested I post this here instead.  Apologies if this has been covered before; I did a quick scan of the forums here and only found one relevant post, which didn't help in my case...

I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2).  I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" rule:

                     Average(eps)   Current(eps)   Trigger   Total events
  10-min  Scanning:             6              6       338           3673
  1-hour  Scanning:             6              7     32859          23525

The default triggers are as follows:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

This results in a flood of log messages like so:

[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.

I would like to increase the trigger values on these rules so that only unusual traffic will trip them.  I believe the relevant CLI command for creating a new rule would be similar to:

threat-detection rate scanning-threat rate-interval 600 average-rate 15 burst-rate 25


However, attempting to do so earns me an "ERROR: rate-interval 600 already exists."

I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web.  To clarify, I am trying to alter an existing config value.

I do have a SmartNet contract and could call support, but thought I would check here first.  I'd much appreciate any info or advice.

Thanks in advance!

2 ACCEPTED SOLUTIONS

Cisco Employee

Re: ASA 5505 threat-detection question

Please remove the existing configuration first, and configure the new threat detection rating.

To remove:

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

Then add your new configuration line.

Hope that helps.
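The remove-then-re-add sequence from the accepted answer, together with the "[Scanning] drop rate-N exceeded" syslog quoted in the original post, as an added Python example that is not code from this thread or from Cisco. It parses the scanning-threat lines out of a running-config, pulls the observed burst and average rates out of the drop-rate messages, and emits the "no" form of the existing line before the replacement so the ASA does not reject the new line with "rate-interval 600 already exists". The sample config and syslog text are constructed here. The mapping of rate-1 and rate-2 onto the first and second configured rate-interval, the %ASA-4-733100 message prefix, the 2x headroom factor, and the burst >= average sanity check are this example's assumptions, not something the thread states.

```python
import re
from math import ceil

# Constructed sample: the two default scanning-threat lines as they appear in
# "show running-config threat-detection" on the poster's 8.0(2) box.
RUNNING_CONFIG = """\
threat-detection basic-threat
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection statistics access-list
"""

# Constructed sample syslog: the message body matches the line quoted in the post;
# the %ASA-4-733100 prefix is assumed, not shown in the thread.
SYSLOG = """\
%ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.
%ASA-4-733100: [Scanning] drop rate-2 exceeded. Current burst rate is 12 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 23525.
%ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 9 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3690.
"""

CONFIG_RE = re.compile(
    r"^threat-detection rate scanning-threat rate-interval (\d+) "
    r"average-rate (\d+) burst-rate (\d+)$", re.M)

LOG_RE = re.compile(
    r"\[Scanning\] drop rate-(\d) exceeded\. "
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+);")


def parse_scanning_rates(config):
    """Return {rate_interval: (average_rate, burst_rate)} for each scanning-threat line."""
    return {int(i): (int(a), int(b)) for i, a, b in CONFIG_RE.findall(config)}


def observed_rates(syslog):
    """Return {rate_id: (peak_burst_seen, peak_average_seen)} from drop-rate messages."""
    seen = {}
    for rid, burst, _cfg_burst, avg, _cfg_avg in LOG_RE.findall(syslog):
        b, a = seen.get(int(rid), (0, 0))
        seen[int(rid)] = (max(b, int(burst)), max(a, int(avg)))
    return seen


def retune_commands(config, new_rates):
    """Build the CLI to change thresholds for each interval in new_rates.

    new_rates is {rate_interval: (average_rate, burst_rate)}.  A second line for the
    same rate-interval is rejected by the ASA, so the existing line is removed with its
    exact original arguments first, then the replacement is added.
    """
    existing = parse_scanning_rates(config)
    cmds = []
    for interval, (avg, burst) in sorted(new_rates.items()):
        if avg > burst:  # sanity check of this script: a burst ceiling below the average is meaningless
            raise ValueError(f"interval {interval}: average-rate {avg} exceeds burst-rate {burst}")
        if interval in existing:
            old_avg, old_burst = existing[interval]
            cmds.append(f"no threat-detection rate scanning-threat rate-interval {interval} "
                        f"average-rate {old_avg} burst-rate {old_burst}")
        cmds.append(f"threat-detection rate scanning-threat rate-interval {interval} "
                    f"average-rate {avg} burst-rate {burst}")
    return cmds


def plan_retune(config, syslog, headroom=2.0):
    """Map syslog rate-IDs onto configured intervals (assumed: rate-1 is the first
    interval in ascending order, rate-2 the second) and scale the peak observed
    rates by `headroom` so ordinary background traffic no longer trips the rule."""
    intervals = sorted(parse_scanning_rates(config))
    new = {}
    for rid, (burst, avg) in observed_rates(syslog).items():
        if rid - 1 >= len(intervals):
            continue  # message refers to an interval this config does not define
        new[intervals[rid - 1]] = (ceil(avg * headroom), ceil(burst * headroom))
    return retune_commands(config, new)


if __name__ == "__main__":
    for cmd in plan_retune(RUNNING_CONFIG, SYSLOG):
        print(cmd)
```

Paste the emitted lines into configuration mode in order; the "no" line must repeat the original average-rate and burst-rate values, which is why the script reads them from the running-config instead of hard-coding the defaults.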

Cisco Employee

Re: ASA 5505 threat-detection question

CSCso51544    ASA overwrites default config when rate-interval is set to 600


New Member

Re: ASA 5505 threat-detection question

Thank you very much!  The 'no' command is just what I was looking for...  clearing the existing rule allows me to re-establish with updated thresholds.

Thanks also for the pointer to the CSC number; upgrading the firmware might be something I try as a longer term solution.

Cheers!
