First off, I see the ASA comes with a set of default threat-detection rules... Are these acceptable numbers for most? Or is it best to modify them?
I'm doing some testing with a single external host running all kinds of port scans and sweeps filling the syslogs with 106023 messages:
%PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25363 dst outside:xxx.xxx.xxx.xxx/5909 by access-group "outside_acl" [0x0, 0x0]
When I run these scans, I'm seeing about 100 drops per second. What I don't understand is, why doesn't the ASA identify the external host as an attacker and add it to a shun list?
I've modified the default threat-detection rules, but I can't for the life of me get the ASA to identify anything as an attacker (other than one internal host once). Is this because the ASA is already denying the packets and it's irrelevant whether it's an attacker or not?
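The classification the post is looking for is done by the ASA's scanning-threat feature (enabled with `threat-detection scanning-threat`, optionally with `shun`, and inspected with `show threat-detection scanning-threat attacker` and `show threat-detection shun`), not by the basic threat-detection rate counters, which only log rate exceedances. The script below is an added example, not code from the post or from Cisco: it parses 106023 "Deny ... by access-group" lines and applies a simplified version of that classification (a source becomes an attacker when its denied connections exceed an average rate over an interval or a per-second burst rate while touching many distinct destination host:port pairs). The epoch-timestamp prefix, the sample addresses, and the thresholds are assumptions constructed for the example; the ASA's own defaults differ.

```python
import re
from collections import defaultdict, deque

# ASA/PIX 106023 "Deny ... by access-group" message, prefixed with an epoch
# timestamp. The prefix is an assumed log-collector format; the ASA itself
# emits "Mon DD YYYY HH:MM:SS:" when 'logging timestamp' is configured.
LOG_RE = re.compile(
    r'^(?P<ts>\d+) %(?:ASA|PIX)-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line):
    """Return the fields of one 106023 line as a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "acl": d["acl"]}


class ScanDetector:
    """Simplified analogue of ASA scanning-threat classification.

    A source is classified as an attacker once, within rate_interval seconds,
    its denials either average at least average_rate per second or reach
    burst_rate within a single second, AND it has touched at least min_targets
    distinct dst:port pairs (a scan, not one client retrying a closed port).
    All thresholds here are illustrative assumptions, not the ASA defaults.
    """

    def __init__(self, rate_interval=600, average_rate=5, burst_rate=10, min_targets=10):
        self.rate_interval = rate_interval
        self.average_rate = average_rate
        self.burst_rate = burst_rate
        self.min_targets = min_targets
        self.events = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.attackers = {}                # src -> timestamp first classified

    def observe(self, ev):
        """Feed one parsed denial; return True if its source is (now) an attacker."""
        q = self.events[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        cutoff = ev["ts"] - self.rate_interval
        while q and q[0][0] < cutoff:          # drop events outside the window
            q.popleft()
        if ev["src"] in self.attackers:
            return True
        targets = {(d, p) for _, d, p in q}
        if len(targets) < self.min_targets:
            return False
        per_second = sum(1 for t, _, _ in q if t == ev["ts"])
        average = len(q) / self.rate_interval
        if per_second >= self.burst_rate or average >= self.average_rate:
            self.attackers[ev["src"]] = ev["ts"]
            return True
        return False


def build_sample_logs():
    """Constructed sample input (documentation addresses, not real traffic)."""
    base = 1700000000
    lines = []
    # Scanner: 30 SYNs to 30 distinct ports within 2 seconds (15/s), all denied.
    for i in range(30):
        lines.append(f'{base + i // 15} %ASA-4-106023: Deny tcp '
                     f'src outside:203.0.113.5/{40000 + i} dst outside:192.0.2.10/{5900 + i} '
                     f'by access-group "outside_acl" [0x0, 0x0]')
    # Benign host: three retries against one closed port, spread over a minute.
    for i in range(3):
        lines.append(f'{base + 20 * i} %ASA-4-106023: Deny tcp '
                     f'src outside:198.51.100.7/51000 dst outside:192.0.2.10/22 '
                     f'by access-group "outside_acl" [0x0, 0x0]')
    return lines


def classify_sources(lines, **thresholds):
    """Run the detector over raw syslog lines; return {attacker_ip: first_ts}."""
    det = ScanDetector(**thresholds)
    events = [e for e in map(parse_106023, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        det.observe(ev)
    return det.attackers


if __name__ == "__main__":
    for src, ts in classify_sources(build_sample_logs()).items():
        print(f"attacker {src} classified at t={ts}")
```

Run against a real export of 106023 lines, the same per-source window logic reproduces what `show threat-detection scanning-threat attacker` reports once the feature is on; if that command lists nothing while drops are flowing at 100/s, the scanning-threat feature is the setting to check first, since ACL denials alone never populate the shun list.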