Scanning (733100) exceeded cos Win2k3 R2 Print Server SNMP?
We have an ASA 5550 with 18.104.22.168 with threat detection active.
Regularly we have Scanning Alerts in our Log:
[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5
=> It might be because of Win2k3 R2 print server SNMP requests. (Since R2 of win2k the print servers do a lot of SNMP requests to the printers to check their status). The SNMP Traffic is ALLOWED, not dropped.
The other messages are:
ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327
=> The very strange fact is that we don't have a NET "172.27.8.0". I don't even see any packets from 172.27.8.0 to the ASA Firewall (Wireshark with port mirroring).
The target is a printer:
ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007
Is this "normal"? Is there any debug possibility to check where those "Scanning Alerts" come from? Any ideas?
Re: Scanning (733100) exceeded cos Win2k3 R2 Print Server SNMP?
"Subnet 172.27.8.0 is attacking" Explanation: Scanning detected. This system log message is sent when the system detects that a specific host (or several hosts in the same 1024-node subnet) either is scanning the network (attacking), or is being scanned (targeted).
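The messages quoted in this thread, parsed as an added example (not code from the posters or from Cisco): it reports which configured rate each message reached and expands a logged "Subnet" address into the address range it stands for. Treating "1024-node subnet" as the /22 that contains the logged address, and treating a rate as reached when it is equal to or above the configured maximum, are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the three messages quoted in the thread.
SAMPLE_LOG = """\
[ Scanning] (733100) drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5
ASA-4-733101: Subnet 172.27.8.0 is attacking. Current burst rate is 4632 per second, max configured rate is 160; Current average rate is 77 per second, max configured rate is 80; Cumulative total count is 46327
ASA-4-733101: Host 172.26.41.52 is targeted. Current burst rate is 200 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 4007
"""

RATES = re.compile(
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+)")
SUBJECT = re.compile(r"(Subnet|Host) (\d+(?:\.\d+){3}) is (attacking|targeted)")


def parse_line(line):
    """Return a dict for one 733100/733101 message, or None if it is neither."""
    rates = RATES.search(line)
    if rates is None:
        return None
    burst, burst_max, avg, avg_max = map(int, rates.groups())
    rec = {"scope": None, "role": None, "network": None}
    # Assumption: a limit counts as reached when current >= configured maximum
    # (the 733100 sample fired with burst 10 against a maximum of 10).
    rec["tripped"] = [name for name, cur, lim in
                      (("burst", burst, burst_max), ("average", avg, avg_max))
                      if cur >= lim]
    subject = SUBJECT.search(line)
    if subject:
        scope, addr, role = subject.groups()
        # Assumption: "1024-node subnet" means the /22 containing the address.
        prefix = 22 if scope == "Subnet" else 32
        rec.update(scope=scope, role=role,
                   network=ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return rec


def parse_log(text):
    """Parse every threat-detection rate message found in a block of log text."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        net = rec["network"]
        span = f"{net[0]} - {net[-1]}" if net is not None else "n/a"
        print(rec["scope"], rec["role"], span, "tripped:", rec["tripped"])
```

Under these assumptions, all three sample messages reach only the burst limit, and "Subnet 172.27.8.0" stands for 172.27.8.0 through 172.27.11.255, which is the range to filter on in a capture instead of the single address.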