Cisco Support Community

New Member

How can I see the source of this packets?

Hi all,

On my ASA log, I can see this message (add image). I wonder what the source of these packets is. I configured a capture but I don't know what the command is to see packets that were dropped by threat-detection:

capture TEST_CAPTURE type asp-drop ??

Thanks in advance

2 REPLIES
Red

How can I see the source of this packets?

Hi Emilio,

It's not a packet sent by any source; it is a warning message generated by the basic threat detection enabled on your ASA by default. To read more about the syslog, you can refer to this:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4963969

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

How can I see the source of this packets?

Hi Varun, thanks for the reply:

I don't understand what you mean by "It's not a packet sent by any source". I'll try to explain better, although my English is not very good. The ASA works only as the head end of VPN connections, and my doubt is whether these dropped "packets" are legitimate but sent at too high a rate. And if there are packets that otherwise might be? I'm very confused by this:

The threat detection feature can be described by the following three levels:

Basic threat detection: Monitors the average and burst rate of dropped packets and security events over an interval; generates a logging message when a threshold is exceeded

Advanced threat detection: Gathers statistics for both allowed and denied packets for objects such as hosts, protocols, ports, and access lists; generates a logging message when the TCP Intercept rate exceeds a threshold

Scanning threat detection: Maintains a database of suspicious activity for each host; can detect a host that is scanning for vulnerable targets based on the average and burst rates of scanning events; generates logging messages and can automatically shun attacking hosts

You can configure threat detection in phases, adding more progressive levels as needed. Be aware that advanced and scanning threat detection can tax the ASA resources because they monitor and gather extensive and granular information.

Thanks for your time
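Added example (not part of any post in this thread, and not Cisco's code): a small Python parser for the basic threat detection syslog, assuming the message in the missing screenshot is %ASA-4-733100 in its documented layout. The log lines, hostname and counter values are constructed; the parsed fields show that the message carries a drop category and rate counters, with no source address.

```python
import re

# Constructed sample lines in the %ASA-4-733100 layout (not from the poster's ASA).
SAMPLE_LOG = """\
Jun 01 10:15:02 asa-vpn %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 245 per second, max configured rate is 5; Cumulative total count is 147409
Jun 01 10:15:40 asa-vpn %ASA-4-733100: [ ACL drop] drop rate-2 exceeded. Current burst rate is 950 per second, max configured rate is 800; Current average rate is 412 per second, max configured rate is 320; Cumulative total count is 1483200
Jun 01 10:16:05 asa-vpn %ASA-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/51000 (192.0.2.10/51000) to inside:198.51.100.5/443 (198.51.100.5/443)
"""

# Fields of the message: drop category, rate id, burst/average rates with
# their configured maximums, and the cumulative drop count.
PATTERN = re.compile(
    r"%ASA-4-733100: \[\s*(?P<category>[^\]]+?)\s*\] drop (?P<rate_id>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_733100(line):
    """Return a dict for a 733100 line, or None for any other syslog line."""
    m = PATTERN.search(line)
    if not m:
        return None
    ev = {k: (v if k in ("category", "rate_id") else int(v))
          for k, v in m.groupdict().items()}
    # Assumption: a rate counts as tripped when strictly above its maximum.
    ev["tripped"] = [name for name, cur, cap in (
        ("burst", ev["burst"], ev["burst_max"]),
        ("average", ev["avg"], ev["avg_max"]),
    ) if cur > cap]
    return ev


def summarize(log_text):
    """Parse every 733100 event in a block of syslog text."""
    return [ev for ev in map(parse_733100, log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(f"{ev['category']:<10} {ev['rate_id']} tripped={ev['tripped']} "
              f"burst={ev['burst']}/{ev['burst_max']} avg={ev['avg']}/{ev['avg_max']} "
              f"total={ev['total']}")
```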
