Solved

PIX Threat detection

Posted on 2009-05-14
Last Modified: 2012-08-13
I have threat detection turned on and have tuned it as much as possible for known traffic. On the other hand, if I turn on threat detection statistics I start receiving many 733100 and 733101 messages. When I turn off the statistics I don't receive these messages. Are the messages informational when statistics are on? Or, is this telling me that packets are being dropped? The 733101 states current burst rate... then at the end it gives Cumulative total count is <very large number>. What does the Cumulative total count mean?
Question by:Jelonet
14 Comments
LVL 15

Expert Comment

by:Voltz-dk
ID: 24391375
Cumulative total count is the amount since you cleared the statistics. So if you haven't cleared them and the device has been up long, it's likely to be a large number.

And yes, the logs are informing you that the scanning thresholds are being breached.  So you should probably examine them and figure if the rates should be adjusted, or if actions should be taken.

Author Comment

by:Jelonet
ID: 24395246
I only see these log messages when I have statistics turned on. If I turn it off, I don't see the messages. That is what confuses me. I still have threat detection on but not statistics and see no drop messages. As soon as I enable statistics I get a bunch of log messages about burst rate.
LVL 15

Expert Comment

by:Voltz-dk
ID: 24395367
The logs are tied to the statistics for tcp-intercept. Without the statistics, it doesn't know when thresholds are breached.
The default when you enable statistics is to enable all statistics. If you just want the other statistics, but not the logs, you could disable tcp-intercept stats:

threat-detection statistics
no threat-detection statistics tcp-intercept
---
You can check out the Cisco documentation of the cmd here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1499830

or from the configuration guide here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499

Author Comment

by:Jelonet
ID: 24396144
I'm not sure I understand the comment; 'Without the statistics, it doesn't know when threshold are breached'. If I have threat detection on and statistics off I still see log messages if the tuned threshold is exceeded and packets are dropped. These messages are very few. However, when I enable threat detection statistics I start getting 733101 messages as soon as I enable it.
LVL 15

Expert Comment

by:Voltz-dk
ID: 24396654
I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on. Now you say something else..?

I pointed at tcp-intercept for which rate is set as part of "threat statistics tcp-intercept" while all the other rates are set with "threat rate", since that would explain the problem you described.  If I misunderstood your question, please try to rephrase it :)

Author Comment

by:Jelonet
ID: 24397377
'I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on'. This is partially correct. I get a lot more messages when statistics are enabled.

Maybe I'm more lost than I thought. I'll start from the beginning. When I enable basic threat detection:
(config)# threat-detection basic-threat
I will see messages if rate limits I have tuned are exceeded. I don't get many of these messages.
If I enable threat detection statistics:
(config)# threat-detection statistics
I'll start getting a ton of messages. Are these just info messages?
LVL 15

Expert Comment

by:Voltz-dk
ID: 24397578
And these additional messages are of the same kind as when statistics are off?  How many different types?  Can you show them?

Author Comment

by:Jelonet
ID: 24403782
With threat detection only I may see 2 or 3 of these per day:
%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962

%PIX-4-733100: [   192.168.] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
When I enable threat statistics I see a lot of these as soon as I enable it, and it is constant until I disable threat statistics:
%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.

%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038


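The two message formats quoted in this post share one field layout (burst rate and its configured maximum, average rate and its configured maximum, cumulative count). As an added example that is not from the thread or from Cisco, the following Python parser reads exactly the four syslog lines pasted above, tells a basic-threat "drop rate-N exceeded" message apart from a scanning-threat "is attacking"/"is targeted" message, and reports which configured rate each message exceeded. It keys on the message text rather than the six-digit ID, so the 733101 from the question and the 730101 in the pasted lines are handled alike. Treating a configured maximum of 0 as "no threshold to compare against" is this example's assumption, not something the thread or Cisco states.

```python
"""Parse Cisco PIX/ASA threat-detection syslog lines and report exceeded rates.

Added example for the thread above; not code from Experts Exchange or Cisco.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the four syslog lines pasted in the post above, verbatim.
SAMPLE_LOG = """\
%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962
%PIX-4-733100: [   192.168.] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.
%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038
"""

# Field layout shared by both message kinds shown on this page (assumed from those lines).
LINE_RE = re.compile(
    r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.+?)\.\s*"
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)\.?\s*$"
)
# The host or subnet inside the square brackets, e.g. "192.168.0.1" or "192.168.".
SUBJECT_RE = re.compile(r"\[\s*(?P<subject>[^\]]*?)\s*\]")


@dataclass
class ThreatEvent:
    msgid: str
    kind: str        # "drop-rate", "attacker", "target" or "other"
    subject: str     # host/subnet named in the message
    text: str        # message text before the rate fields
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int       # "Cumulative total count": running counter since statistics were cleared

    def exceeded(self) -> list:
        """Return which configured rates this message reports as exceeded.

        The device's own line reports 'exceeded' when burst 8 meets max 8, so the
        comparison is >=. Assumption of this example: a configured maximum of 0
        (as in the scanning-threat lines) gives nothing to compare against, so the
        message is reporting the counter rather than a threshold breach.
        """
        if self.burst_max == 0 and self.avg_max == 0:
            return ["no-threshold"]
        hit = []
        if self.burst >= self.burst_max:
            hit.append("burst")
        if self.avg >= self.avg_max:
            hit.append("average")
        return hit


def classify(text: str) -> str:
    """Distinguish the message kinds by their text, not by the numeric message ID."""
    if "drop rate" in text and text.endswith("exceeded"):
        return "drop-rate"
    if text.endswith("is attacking"):
        return "attacker"
    if text.endswith("is targeted"):
        return "target"
    return "other"


def parse_threat_line(line: str):
    """Parse one syslog line; return None for lines that are not threat-detection messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    s = SUBJECT_RE.search(text)
    return ThreatEvent(
        msgid=m.group("msgid"), kind=classify(text),
        subject=s.group("subject") if s else "", text=text,
        burst=int(m.group("burst")), burst_max=int(m.group("burst_max")),
        avg=int(m.group("avg")), avg_max=int(m.group("avg_max")),
        total=int(m.group("total")),
    )


def parse_threat_log(log_text: str) -> list:
    return [ev for ev in map(parse_threat_line, log_text.splitlines()) if ev is not None]


def summarize(events) -> dict:
    """Per message kind: number of messages and, per subject, the highest cumulative count seen."""
    out = {}
    for ev in events:
        bucket = out.setdefault(ev.kind, {"messages": 0, "subjects": {}})
        bucket["messages"] += 1
        subjects = bucket["subjects"]
        subjects[ev.subject] = max(subjects.get(ev.subject, 0), ev.total)
    return out


if __name__ == "__main__":
    events = parse_threat_log(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.msgid} {ev.kind:9} {ev.subject:12} burst {ev.burst}/{ev.burst_max} "
              f"avg {ev.avg}/{ev.avg_max} total {ev.total} exceeded={ev.exceeded()}")
    print(summarize(events))
```

Because the cumulative count is a running counter since the statistics were last cleared, the number itself says little; comparing the count across successive messages for the same subject (the per-subject maximum that summarize() keeps is a starting point) is what shows how much new activity each message represents.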
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404268
Ok, so it's a different type.  I'm not sure of the cause really, but lets try to dig into it.

Apparently it's causing 192.168.0.1 to send a lot of traffic which is seen as an attack. Is that the PIX, or what device has that IP?
During this time, what does the following cmds give:

sh threat scan
sh threat stat host 192.168.0.1
sh threat stat host (any target identified in the first command)
LVL 15

Accepted Solution

by:Voltz-dk (earned 2000 total points)
ID: 24404315
A speculation as to why they appear is that without the statistics, it doesn't store "per host" values and as such can't identify "the attacker". That is likely why you only see these with statistics on. But still, let's see if we can get more details when you post the results of those commands I asked for in my last post.
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404319
Oh ya, 1 thing that's interesting to try to prove that last theory.  After enabling statistics, try to disable host statistics and see if you still get those logs:

no threat stat host

Author Comment

by:Jelonet
ID: 24425387
I disabled threat statistics and when I sh threat scan I only see attackers. I'm not sure what I am supposed to see when I take one of the addresses from the sh threat scan and run the show threat stat host <IP> command. Also, I noticed when I grep an IP address that shows in the show threat scan in my syslog, some do not show up at all. I would think if it is considered an attacker or target I should have a syslog message. On many I do not??? If I can't work on this tomorrow I will close and award points, and when I get the time I will open another thread and reference this one.
LVL 15

Expert Comment

by:Voltz-dk
ID: 24425821
The "sh threat stat host <ip>" was meant to be done with the statistics on, so as hopefully to get an idea of what it felt was the attack.
Particularly for addresses like 192.168.0.1, which are internal..

Author Comment

by:Jelonet
ID: 24450064
I'll have to get back to this at a later time. Thank you for your help.