06-21-2010 10:57 AM - edited 03-10-2019 05:02 AM
Hello,
Apologies if this has been covered before, I did a quick scan of forums here but might have missed a relevant post. I am dealing with a 'base license' Cisco 5505 ASA 8.0(2) using ASDM 6.0(2). I've noticed that normal background network traffic across the wire on my outbound interface tends to trip the default triggers on the Cisco 5505's "scanning-threat" IDS rule:
                  Average(eps)  Current(eps)  Trigger  Total events
10-min Scanning:             6             6      338          3673
1-hour Scanning:             6             7    32859         23525
The default triggers are as follows:
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
This results in a flood of log messages like so:
[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3673.
I would like to increase the trigger values on these rules so that only unusual traffic will trip them. I believe the relevant CLI command for creating a new rule would be similar to the config lines above (just altering the average-rate and burst-rate params to be higher); however, attempting to do so earns me an "ERROR: rate-interval 600 already exists."
I'd guess there is a different command to overwrite an already existing policy line, or perhaps one to remove (clear?) an existing one, but I've been unable to locate such a command in the device manual or via the web. I do have a SMARTNet contract and could call support, but thought I would check here first. I'd much appreciate any info or advice.
Thanks in advance!
06-21-2010 01:01 PM
Don,
I'm in a bit of a rush, so I will not go over everything right now.
BTW this should be in the "firewalling" section rather than IDS ;-) This is threat-detection rather than ip audit, which is the IPS/IDS on ASA.
To see all triggers as configured do
show run all threat
Obviously if you will adjust a setting that is already configured it should not be accepted.
Marcin
06-21-2010 01:13 PM
Thank you for your reply... I'll check the Firewall section now!
>Obviously if you will adjust a setting that is already configured it should not be accepted.
This doesn't seem obvious to me; this is exactly what I am trying to do, adjust an already configured setting. I'd imagine there is different syntax required to change such a setting, but I can't seem to find it (yet).
06-21-2010 11:51 PM
Don,
Sorry for the confusion, as stated above I was in a bit of a rush yesterday. ;-)
What I meant is that apparently one of the values you're trying to set is already set... if time allows I will check this behavior in the lab today.
Marcin
06-22-2010 12:17 AM
This is not an IDS forum question, but anyway you are hitting CSCso51544. Upgrade to a fixed version.
06-22-2010 05:14 AM
Thanks for the advice, I did receive a solution on the Firewall forum, as suggested above. For reference, the solution was:
To remove:
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
Then add your new configuration line.
The 'no' command is what I was missing, being unfamiliar with Cisco command line config. Thanks again!
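The procedure the thread arrives at (remove the existing rate line with `no`, then add the new one, since the ASA refuses a second rule for an already-configured rate-interval) is easy to get wrong by hand when several intervals are in play. The following Python helper is an added example and not part of the thread or of any Cisco tool: it parses `threat-detection rate` lines as they appear in `show run all threat-detection` output, emits the exact `no ...` / new-line pair for one interval, and parses the "[Scanning] drop rate-1 exceeded" message format quoted above so the observed rates can be compared with the configured limits before deciding on new values. The sample config and log line are constructed from the values quoted in the thread; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `show run all threat-detection` output, using the
# default lines quoted in the thread.
SAMPLE_RUNNING_CONFIG = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""

# Constructed sample log line in the format quoted in the thread.
SAMPLE_LOG = ("[Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, "
              "max configured rate is 10; Current average rate is 6 per second, "
              "max configured rate is 5; Cumulative total count is 3673.")

RATE_LINE = re.compile(
    r"^threat-detection rate (?P<kind>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)

LOG_LINE = re.compile(
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


@dataclass(frozen=True)
class RateRule:
    """One `threat-detection rate ...` line (hypothetical helper type)."""
    kind: str
    interval: int
    average: int
    burst: int

    def to_cli(self) -> str:
        return (f"threat-detection rate {self.kind} rate-interval {self.interval} "
                f"average-rate {self.average} burst-rate {self.burst}")


def parse_rate_rules(config_text: str) -> List[RateRule]:
    """Extract every threat-detection rate rule from running-config text."""
    rules = []
    for line in config_text.splitlines():
        m = RATE_LINE.match(line.strip())
        if m:
            rules.append(RateRule(m["kind"], int(m["interval"]),
                                  int(m["avg"]), int(m["burst"])))
    return rules


def replacement_commands(existing: List[RateRule], kind: str, interval: int,
                         average: int, burst: int) -> List[str]:
    """Return the CLI lines that change one rule. The ASA rejects a second rule
    for the same rate-interval ("rate-interval 600 already exists"), so the
    current line is removed with `no` before the new one is added."""
    if min(average, burst, interval) <= 0:
        raise ValueError("rates and interval must be positive integers")
    new = RateRule(kind, interval, average, burst)
    cmds = []
    for old in existing:
        if old.kind == kind and old.interval == interval:
            if old == new:
                return []  # already configured exactly this way; nothing to push
            cmds.append("no " + old.to_cli())
    cmds.append(new.to_cli())
    return cmds


def parse_scanning_event(line: str) -> Optional[Dict[str, int]]:
    """Pull the observed and configured rates out of a scanning-threat syslog
    message; flags show which limit the observed traffic actually crossed."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    ev = {k: int(v) for k, v in m.groupdict().items()}
    ev["average_over_limit"] = ev["avg"] > ev["avg_max"]
    ev["burst_over_limit"] = ev["burst"] > ev["burst_max"]
    return ev


if __name__ == "__main__":
    current = parse_rate_rules(SAMPLE_RUNNING_CONFIG)
    print("observed:", parse_scanning_event(SAMPLE_LOG))
    for cmd in replacement_commands(current, "scanning-threat", 600, 20, 40):
        print(cmd)
```

On the sample line the average rate (6 versus a limit of 5) is what trips the rule while the burst rate only touches its limit, which is the kind of detail worth checking before raising thresholds: the new values should sit above what normal background traffic produces, but no higher, so that a genuine scan still registers. The 20/40 values passed in the usage call are placeholders, not a recommendation.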