Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Threat Detection
Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
This section includes the following topics:
• Information About Basic Threat Detection Statistics
• Guidelines and Limitations
• Default Settings
• Configuring Basic Threat Detection Statistics
• Monitoring Basic Threat Detection Statistics
• Feature History for Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events
due to the following reasons:
• Denial by access lists
• Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
• Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
• DoS attack detected (such as an invalid SPI or a Stateful Firewall check failure)
• Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet
drops in this bulleted list. It does not include non-firewall-related drops such as interface overload,
packets failed at application inspection, and scanning attack detected.)
• Suspicious ICMP packets detected
• Packets failed application inspection
• Interface overload
• Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet
is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat
detection (see the “Configuring Scanning Threat Detection” section on page 1-15) takes this
scanning attack rate information and acts on it by classifying hosts as attackers and automatically
shunning them, for example.)
• Incomplete session detection, such as TCP SYN attack detected or no data UDP session attack
detected
When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks
two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst
interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher.
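The following is an added example, not part of the Cisco guide. It triages 733100 messages on a log collector by parsing each one, reporting which of the two tracked rates (burst or average) is over its configured maximum, and computing the burst interval from the rule above. The message layout in the regular expression is an assumption based on the commonly documented 733100 text. The sample log lines, the host name `fw1`, and the function names are constructed for illustration.

```python
import re

# Layout of syslog 733100 as assumed by this example; verify on your ASA release.
MSG_733100 = re.compile(
    r"%ASA-\d-733100: \[\s*(?P<object>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def burst_interval(average_interval_s):
    """1/30th of the average rate interval or 10 seconds, whichever is higher."""
    return max(average_interval_s / 30, 10)

def parse_733100(line):
    """Return one 733100 event as a dict, or None for any other line."""
    m = MSG_733100.search(line)
    if m is None:
        return None
    ev = {k: v if k == "object" else int(v) for k, v in m.groupdict().items()}
    # Which tracked rate is over its configured maximum (strict ">" is this example's choice).
    checks = (("burst", ev["burst"], ev["burst_max"]), ("average", ev["avg"], ev["avg_max"]))
    ev["exceeded"] = [name for name, current, limit in checks if current > limit]
    return ev

def summarize(lines):
    """Per threat object: event count, how often each rate tripped, highest cumulative count."""
    summary = {}
    for line in lines:
        ev = parse_733100(line)
        if ev is None:
            continue
        s = summary.setdefault(ev["object"], {"events": 0, "burst": 0, "average": 0, "total": 0})
        s["events"] += 1
        for name in ev["exceeded"]:
            s[name] += 1
        s["total"] = max(s["total"], ev["total"])
    return summary

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    "Jan 10 12:00:01 fw1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 17 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 2104",
    "Jan 10 12:00:21 fw1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 25 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 3990",
    "Jan 10 12:05:31 fw1 %ASA-4-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 120 per second, max configured rate is 800; Current average rate is 460 per second, max configured rate is 400; Cumulative total count is 276512",
    "Jan 10 12:06:02 fw1 %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.10/40000 to inside:198.51.100.5/443",
]

if __name__ == "__main__":
    for obj, stats in summarize(SAMPLE_LOG).items():
        print(obj, stats)
```

An event where only the burst rate is exceeded points to a short spike, while an exceeded average rate indicates sustained drops over the full interval.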
Model         License Requirement
All models    Base License.