cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2420
Views
5
Helpful
4
Replies

Monitoring threat-detection statistics on ASA 8.3

dtochilovsky
Level 1
Level 1

Hello all,  I am interested in gathering cumulative threat-detection statistics from an ASA running 8.3, and displaying number of attacks over time.

I am already capturing traffic information via netflow, but am interested in getting threat information.

Is there a way to capture the statistics via SNMP or any other method?

Has anyone attempted to gather such statistics?

Thank you.

Dmitry.

4 Replies 4

varrao
Level 10
Level 10

Hi Dmitry,

I tried to search on it and as of now there is no MIB support for threat-detection on the ASA.

Thanks,

Varun

Thanks,
Varun Rao

Thank you Varun. That is what I figured.

I did however found a workaround by monitoring syslog messages # 733100 - 733105.

That way I can get some statistics of how often the threat detection is active.

Got the info from this link :

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html#wp1094068

Information About Scanning Threat Detection

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the adaptive security appliance scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

If the scanning threat rate is exceeded, then the adaptive security appliance sends a syslog message (733101), and optionally shuns the attacker. The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning attack, the adaptive security appliance checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target.

Yes, you can configure syslogging for sending the threat-detection events, but this would not constantly provide you the real-time data, these would be generated only if any limit for it is exceeded. You can refer this for configuring logging:

https://supportforums.cisco.com/docs/DOC-18813

Thanks,

Varun

Thanks,
Varun Rao

It appears this is till not supported. It strikes me that this is exactly the kind of thing that you want to be able to track using SNMP

 

Come on Cisco!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: