threat-detection & scanning-threat

snooter
Level 1

First off, I see the ASA comes with a set of default threat-detection rules... Are these acceptable numbers for most? Or, is it best to modify them?

I'm doing some testing with a single external host running all kinds of port scans and sweeps filling the syslogs with 106023 messages:

%PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25363 dst outside:xxx.xxx.xxx.xxx/5909 by access-group "outside_acl" [0x0, 0x0]

When I run these scans, I'm seeing about 100 drops per second. What I don't understand is, why doesn't the ASA identify the external host as an attacker? And add them to a shun list?

I've modified the default threat-detection rules but I can't for the life of me get the ASA to identify anything as an attacker (other than one internal host once). Is this because the ASA is already denying the packets and it's irrelevant whether it's an attacker or not?

1 Reply

amritpatek
Level 6

The default threat detection rules are good for any user and a few of them may require modification depending on the design and usage of the network. The ASA is not identifying the machine as a threat because it is coming from a trusted subnet. Try the same from an untrusted subnet and check the ASA response.
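As an added illustration (not code from the thread or from Cisco), here is a small Python script that parses 106023 deny lines like the one quoted above and reports, per source address, the peak number of denies in any one second and how many distinct destination ports were hit, which is the per-source drop rate the question is asking the ASA to act on. It assumes the syslog lines carry a timestamp prefix (only present when the ASA is configured to timestamp syslog) and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Matches the 106023 deny line quoted in the thread. The leading timestamp is an
# assumption: it is only present when the ASA is configured to timestamp syslog.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %(?:PIX|ASA)-4-106023: '
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def parse_106023(line):
    """Return the fields of a 106023 deny line, or None if the line is another message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(lines, rate_threshold=100, port_threshold=20):
    """Per source address: peak denies within any single second and distinct destination
    ports. A source is flagged when either value reaches its threshold."""
    per_second = defaultdict(lambda: defaultdict(int))  # src -> timestamp -> deny count
    ports = defaultdict(set)                             # src -> set of destination ports
    for line in lines:
        f = parse_106023(line)
        if f is None:
            continue  # not a 106023 deny; ignore
        per_second[f['src']][f['ts']] += 1
        ports[f['src']].add(f['dport'])
    report = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        report[src] = {
            'peak_per_second': peak,
            'distinct_ports': len(ports[src]),
            'flag': peak >= rate_threshold or len(ports[src]) >= port_threshold,
        }
    return report

# Constructed sample: one external host sweeping 25 ports within one second, a second
# host hitting a single port in two different seconds, and one unrelated message.
def _deny(ts, src, sport, dport):
    return ('%s: %%PIX-4-106023: Deny tcp src outside:%s/%d dst outside:192.0.2.5/%d '
            'by access-group "outside_acl" [0x0, 0x0]' % (ts, src, sport, dport))

SAMPLE_LOGS = [_deny('Jan 01 2024 12:00:00', '203.0.113.10', 25300 + p, 5900 + p) for p in range(25)]
SAMPLE_LOGS += [_deny('Jan 01 2024 12:00:0%d' % s, '198.51.100.7', 40000, 22) for s in (1, 2)]
SAMPLE_LOGS.append('Jan 01 2024 12:00:03: %PIX-6-302013: Built inbound TCP connection')

if __name__ == '__main__':
    for src, info in find_scanners(SAMPLE_LOGS).items():
        print(src, info)
```

With the thresholds above, the sweeping host is flagged on port count alone even though its per-second rate stays below 100, so a detector should look at both dimensions rather than the raw drop rate.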
