PIX Threat detection

I have threat detection turned on and have tuned it as much as possible for known traffic. On the other hand, if I turn on threat detection statistics I start receiving many 733100 and 733101 messages. When I turn off the statistics I don't receive these messages. Are the messages informational when statistics are on? Or is this telling me that packets are being dropped? The 733101 states the current burst rate... then at the end it gives "Cumulative total count is <very large number>". What does the Cumulative total count mean?
Voltz-dk commented:
Cumulative total count is the amount since you cleared the statistics. So if you haven't cleared them and the device has been up long, it's likely to be a large number.

And yes, the logs are informing you that the scanning thresholds are being breached. So you should probably examine them and figure out if the rates should be adjusted, or if actions should be taken.
Jelonet (Author) commented:
I only see these log messages when I have statistics turned on. If I turn it off, I don't see the messages. That is what confuses me. I still have threat detection on but not statistics and see no drop messages. As soon as I enable statistics I get a bunch of log messages about burst rate.
Voltz-dk commented:
The logs are tied to the statistics for tcp-intercept. Without the statistics, it doesn't know when thresholds are breached.
The default when you enable statistics is to enable all statistics. If you just want the other statistics, but not the logs, you could disable tcp-intercept stats:

threat-detection statistics
no threat-detection statistics tcp-intercept
---
You can check out the Cisco documentation of the command here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1499830

or from the configuration guide here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499
Jelonet (Author) commented:
I'm not sure I understand the comment: "Without the statistics, it doesn't know when thresholds are breached". If I have threat detection on and statistics off, I still see log messages if the tuned threshold is exceeded and packets are dropped. These messages are very few. However, when I enable threat detection statistics I start getting 733101 messages as soon as I enable it.
Voltz-dk commented:
I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on. Now you say something else..?

I pointed at tcp-intercept, for which the rate is set as part of "threat statistics tcp-intercept" while all the other rates are set with "threat rate", since that would explain the problem you described. If I misunderstood your question, please try to rephrase it :)
Jelonet (Author) commented:
"I thought your 'problem' was that you didn't get messages when you turned statistics off, and got them when statistics were on." This is partially correct. I get a lot more messages when statistics are enabled.

Maybe I'm more lost than I thought. I'll start from the beginning. When I enable basic threat detection:

(config)# threat-detection basic-threat

I will see messages if rate limits I have tuned are exceeded. I don't get many of these messages.
If I enable threat detection statistics:

(config)# threat-detection statistics

I'll start getting a ton of messages. Are these just info messages?
Voltz-dk commented:
And these additional messages are of the same kind as when statistics are off? How many different types? Can you show them?
Jelonet (Author) commented:
With threat detection only I may see 2 or 3 of these per day:
%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962

%PIX-4-733100: [   192.168.] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
When I enable threat statistics I see a lot of these as soon as I enable it, and it is constant until I disable threat statistics:
%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.

%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038
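
The messages posted above share one layout (a subject, a burst-rate clause, an average-rate clause and the cumulative count), which makes them easy to parse before they reach a SIEM. This is an added example, not code from the thread or from Cisco; the sample lines are constructed to resemble the ones posted, and the "interval count" idea follows the answer above: the cumulative count only grows since the last clear, so the difference between two consecutive messages for the same host or subnet is the number that actually describes that interval.

```python
import re

# Constructed sample lines, modelled on the messages posted in this thread
# (not copied from a live device).
SAMPLE_LOGS = [
    "%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, "
    "max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; "
    "Cumulative total count is 8962",
    "%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, "
    "max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; "
    "Cumulative total count is 1920038",
    "%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 150 per second, "
    "max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; "
    "Cumulative total count is 1920538.",
]

# One regex covers both the 733100 "drop rate-N exceeded" form and the
# host/subnet "is attacking" / "is targeted" form: the rate clauses are identical.
# The trailing period is optional because some messages end with one and some do not.
MSG_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<subject>.+?)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)\.?$"
)


def parse_line(line):
    """Return the message fields as a dict (rates and count as ints), or None if not a rate message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("burst", "burst_max", "avg", "avg_max", "total"):
        d[k] = int(d[k])
    d["subject"] = " ".join(d["subject"].split())  # collapse padding such as "[   192.168.]"
    return d


def interval_counts(lines):
    """Difference in 'Cumulative total count' between consecutive messages with the same
    message id and subject. Returns {subject: [delta, ...]}; the first sighting yields no delta."""
    last = {}
    deltas = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["msgid"], ev["subject"])
        if key in last:
            deltas.setdefault(ev["subject"], []).append(ev["total"] - last[key])
        last[key] = ev["total"]
    return deltas
```
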
Voltz-dk commented:
Ok, so it's a different type. I'm not sure of the cause really, but let's try to dig into it.

Apparently it's causing 192.168.0.1 to send a lot of traffic which is seen as an attack. Is that the PIX, or what device has that IP?
During this time, what do the following commands give:

sh threat scan
sh threat stat host 192.168.0.1
sh threat stat host (any target identified in the first command)
Voltz-dk commented:
A speculation as to why they appear is that without the statistics, it doesn't store "per host" values and as such can't identify "the attacker". That is likely why you only see these with statistics on. But still, let's see if we can get more details when you post the result of those commands I asked for in the last post.
Voltz-dk commented:
Oh ya, one thing that's interesting to try, to prove that last theory. After enabling statistics, try to disable host statistics and see if you still get those logs:

no threat stat host
Jelonet (Author) commented:
I disabled threat statistics and when I run "sh threat scan" I only see attackers. I'm not sure what I am supposed to see when I take one of the addresses from the "sh threat scan" and run the "show threat stat host <IP>" command. Also, I noticed when I grep my syslog for an IP address that shows in "show threat scan", some do not show up at all. I would think if it is considered an attacker or target I should have a syslog message. On many I do not. If I can't work on this tomorrow I will close and award points, and when I get the time I will open another thread and reference this one.
Voltz-dk commented:
The "sh threat stat host <ip>" was meant to be done with the statistics on, so as to hopefully get an idea of what it felt was the attack.
Particularly for addresses like 192.168.0.1, which are internal.
Jelonet (Author) commented:
I'll have to get back to this at a later time. Thank you for your help.