IPS ASA 5505 how to permit organización disable ICMP protection.

jmp780718
Level 1

I have an ASA 5505 as IPS and have the default configuration, how to permit organización disable ICMP protection? And how to re-enable it?



10 Replies

Luis Silva Benavides
Cisco Employee

Hi,

Let me see if I understand your question... If you are using the IPS module on ASA 5505, the signatures that will permit or deny ICMP are 2000 and 2004.

If you are talking about the IP audit feature, the same signatures will apply (2000 and 2004).

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html#wp1056358

If you are talking about the inspection feature of the ASA, you might be referring to "inspect icmp".

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva

I need information with details about threat detection:

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

What is the meaning of every component of the command? Does someone have a document with details of the components and the way to configure them?

I don't have the signature 2000 or 2004; does that mean that ICMP is permitted?

Hi,

OK, threat-detection will work as a DoS prevention tool.

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/t.html#wp1563212

In regards to your other question, if you don't have any signature-based protection (like IP audit or the IPS module), the ICMP traffic will be allowed if you permit it on the ACL or inspection.

HTH

Luis Silva


But I still do not understand the meaning of the parameters of the command. I'm doing some tests with PingPlotter through the ASA from one of the servers on the inside interface; it is a continuous ping to a remote site. Can this test be affected by this feature?

Thank you.

Hi,

This command is part of basic threat detection. Basic threat detection monitors the rates at which packets are dropped for various reasons by the ASA as a whole.

So basically you will see a threat-detection syslog when the number of dropped ICMP packets exceeds the parameters configured.

icmp-drop: Sets the rate limit for dropped packets caused by denial by suspicious ICMP packets detected.

rate-interval: Sets the average rate interval between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval.

average-rate: Sets the average rate limit between 0 and 2147483647 in drops/sec.

burst-rate: Sets the burst rate limit between 0 and 2147483647 in drops/sec. The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval is 1/30th of the rate-interval value or 10 seconds, whichever is larger.

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

Within an interval of 600 seconds, an alert will be triggered if the number of packets dropped per second exceeds the average rate or the burst rate.

ASA Threat Detection Functionality and Configuration

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml

HTH

Luis Silva

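To make the average-rate/burst-rate arithmetic from the reply above concrete, here is an added toy model (not Cisco code and not from this thread) that feeds per-second ICMP drop counts through the same thresholds as the command discussed; the fixed back-to-back burst windows are a simplifying assumption, the ASA uses its own internal averaging. It also shows why a permitted continuous ping is unaffected: only packets the ASA already dropped are counted.

```python
"""Toy model of ASA basic threat detection for icmp-drop (added example, not Cisco code).

Models the parameters of:
  threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
Only ICMP packets the ASA already DROPPED are counted; permitted pings add nothing.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class IcmpDropRate:
    rate_interval: int = 600   # seconds; ASA range 600..2592000 (30 days)
    average_rate: int = 100    # drops/sec averaged over rate_interval
    burst_rate: int = 400      # drops/sec averaged over the burst interval

    def __post_init__(self) -> None:
        if not 600 <= self.rate_interval <= 2592000:
            raise ValueError("rate-interval must be between 600 and 2592000 seconds")

    @property
    def burst_interval(self) -> int:
        # 1/30th of the rate interval, or 10 seconds, whichever is larger
        return max(self.rate_interval // 30, 10)


def evaluate(drops_per_sec: List[int], cfg: IcmpDropRate) -> Dict[str, object]:
    """drops_per_sec[i] = ICMP drops counted in second i of one rate interval.

    Assumption: burst windows are fixed, back-to-back slices of burst_interval
    seconds (the real ASA keeps a sliding average; the thresholds are the same).
    """
    if len(drops_per_sec) != cfg.rate_interval:
        raise ValueError("need exactly one rate interval of per-second counts")
    avg = sum(drops_per_sec) / cfg.rate_interval
    n = cfg.burst_interval
    peak_burst = max(sum(drops_per_sec[i:i + n]) / n
                     for i in range(0, cfg.rate_interval, n))
    return {
        "average_rate": avg,
        "peak_burst_rate": peak_burst,
        "average_exceeded": avg > cfg.average_rate,    # would log the average-rate event
        "burst_exceeded": peak_burst > cfg.burst_rate,  # would log the burst-rate event
    }


def steady_probe() -> List[int]:
    """Constructed: a continuous ping whose traffic causes 2 stray drops/sec for 600 s."""
    return [2] * 600


def short_flood() -> List[int]:
    """Constructed: a quiet interval with one 20 s spike of 500 ICMP drops/sec."""
    counts = [0] * 600
    for sec in range(100, 120):
        counts[sec] = 500
    return counts
```

The steady probe stays far below both thresholds, while the short spike trips only the burst threshold because its drops are averaged away over the full 600-second interval.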

Do you know if Cisco has an administrator guide for ASA IPS?

Hi,

Here you have the configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html

ASA syslog messages guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logsevp.html

HTH

Luis Silva


How can I check if ICMP and traceroute are being blocked on a Cisco IPS 4240? Do you know if Cisco has an administrator guide for the Cisco IPS 4240?

Thank you so much.

Here you have the latest IPS configuration guide:

http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html

http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cli_introducing.html

The best way to see if a signature is dropping traffic is to look at the events, under Monitoring.

HTH

Luis Silva
