03-11-2013 11:09 AM - edited 03-11-2019 06:12 PM
Hi guys,
Need a bit of guidance. I have an ASA 5505 with software 8.2. When I log in via ASDM it shows loads of scanning attacks and a few SYN attacks. I have enabled threat detection basic and scanning, and I have also enabled ip audit attack and info. I'm a little concerned about attacks; when I do show threat detection statistics top tcp
it shows a public IP, then a source IP which is my DMZ server IP address. This command shows the top ten servers under attack. Does this command show servers which are under attack, or servers which were attacked but the attack was thwarted? Also I can no longer see CPU util and memory stats on ASDM; I see the error "signal 11 caught in process fiber unicorn admin handler". Can anyone advise how I can thwart these errors? I have enabled shun with scanning threat; it's just that seeing my DMZ server as the attacker is a little concerning. Many thanks
03-11-2013 11:24 AM
Check for these logs:
%ASA-4-733104 and/or %ASA-4-733105
%ASA-4-733104 and %ASA-4-733105 list the host targeted by the attack that is currently being protected by TCP intercept.
Taken from:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml#action4
Also, what version of ASDM are you running on your unit?
In case you are not using the latest version, can you try to use it?
03-11-2013 01:05 PM
Thanks jocamare. Today was my first day with the firewall and the company doesn't have syslog enabled, no server configured. I am using ASDM 6.2. It's still coming up as "connection lost" for the visual stats of CPU and memory and attacks, and it's also generating the log "resource asdm limit 5 reached". Not sure if the basic IPS attack and info config caused it, but I highly doubt it; I can also see from the command line a lot of free memory and 10 percent CPU utilization. Plus, when I do show threat detection scanning threat it shows me the target as a public IP address belonging to the service provider which provides us a different MPLS network, and the source as the default gateway server in the DMZ, which is the default gateway for guest wireless on the DMZ.
I want to know what thwarts the attacks (scanning and SYN) shown by the DMZ in ASDM. I have two interfaces with public IPs, one outside and one DMZ. Shall I apply the below settings to the DMZ too, as all the attacks are coming from there?
I have:
basic threat detection
advanced threat detection
scanning threat with shun host configured
IPS with attack and info signatures configured, reset option selected and applied to the outside interface
Cheers
03-11-2013 02:08 PM
Wow, had a tough time trying to understand that reply.
This is what I got.
----There is no syslog server configured
You can check the logs locally on the ASA; they should appear in there.
----You are using ASDM 6.2
Update it to the latest version.
----You are getting this log: resource asdm limit 5 reached
It means the ASA is running in multiple context mode and the resources are shared and limited.
Run "show resource usage system counter all 0" to determine how the resources are being distributed.
----It seems that the attack is coming from the DMZ going to a public IP
Well, that's bad.
Use the information the ASA is providing you with and track the host down, analyze it and solve the issue.
----You want to know how to configure the ASA in order to block the attack.
Threat detection is a global feature, meaning it scans and can even affect the traffic it classifies as malicious.
If the source of the attack has been identified, proceed with a sanitation of the unit/units.
You can block the traffic from those units using different methods. ACLs and shuns are some of them.
If you have an IPS [I believe that you are referring to the ip-audit feature, but anyway] you can check its configuration and modify it in order to stop the attack while you attack the root cause.
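As an added example (not posted in the thread and not taken from Cisco documentation), this is how the settings discussed above look in ASA 8.2 configuration: threat detection is global and is not applied per interface, while ip audit is bound to each interface. The interface name `dmz`, the DMZ gateway address 192.0.2.10 and the shun duration are assumptions.

```text
! Basic threat detection and statistics are global: one set of commands, no per-interface binding.
threat-detection basic-threat
threat-detection statistics
! Scanning-threat detection with automatic shun, but never shun the DMZ default gateway
! (192.0.2.10 is an assumed placeholder); release shuns automatically after one hour.
threat-detection scanning-threat shun except ip-address 192.0.2.10 255.255.255.255
threat-detection scanning-threat shun duration 3600
! ip audit (the built-in signature set) is per interface: define the policies once, bind to both.
ip audit name AUDIT_ATTACK attack action alarm drop reset
ip audit name AUDIT_INFO info action alarm
ip audit interface outside AUDIT_ATTACK
ip audit interface outside AUDIT_INFO
ip audit interface dmz AUDIT_ATTACK
ip audit interface dmz AUDIT_INFO
! No syslog server yet, so keep warning-level messages in the local buffer.
logging enable
logging buffered warnings
! Verification from the CLI: current shuns, the TCP-intercept messages cited above, and the top intercepted servers.
! show threat-detection shun
! show logging | include 733104|733105
! show threat-detection statistics top tcp-intercept
```

The `except` entry keeps the guest-wireless gateway from being shunned while the hosts behind it are investigated; `show threat-detection shun` lists what has actually been blocked.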