Configuring basic threat detection statistics – Cisco ASA 5505 User Manual
Page 1188
56-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 56 Configuring Threat Detection
Configuring Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
This section includes the following topics:
•
Information About Basic Threat Detection Statistics, page 56-2
•
Guidelines and Limitations, page 56-3
•
•
Configuring Basic Threat Detection Statistics, page 56-4
•
Monitoring Basic Threat Detection Statistics, page 56-5
•
Feature History for Basic Threat Detection Statistics, page 56-6
Information About Basic Threat Detection Statistics
Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events
due to the following reasons:
•
Denial by access lists
•
Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
•
Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
•
DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
•
Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet
drops in this bulleted list. It does not include non-firewall-related drops such as interface overload,
packets failed at application inspection, and scanning attack detected.)
•
Suspicious ICMP packets detected
•
Packets failed application inspection
•
Interface overload
•
Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet
is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat
detection (see the
“Configuring Scanning Threat Detection” section on page 56-15
) takes this
scanning attack rate information and acts on it by classifying hosts as attackers and automatically
shunning them, for example.)
•
Incomplete session detection such as TCP SYN attack detected or no data UDP session attack
detected
When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks
two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst
interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher.
Model
License Requirement
All models
Base License.