Solved

PIX Threat detection

Posted on 2009-05-14
Last Modified: 2012-08-13
I have threat detection turned on and have tuned it as much as possible for known traffic. On the other hand, if I turn on threat detection statistics I start receiving many 733100 and 733101 messages. When I turn off the statistics I don't receive these messages. Are the messages informational when statistics are on? Or is this telling me that packets are being dropped? The 733101 states the current burst rate... then at the end it gives "Cumulative total count is <very large number>". What does the Cumulative total count mean?
Question by:Jelonet
14 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24391375
Cumulative total count is the amount since you cleared the statistics.  So if you haven't cleared them and the device has been up long, it's likely to be a large number.

And yes, the logs are informing you that the scanning thresholds are being breached.  So you should probably examine them and figure if the rates should be adjusted, or if actions should be taken.
 

Author Comment

by:Jelonet
ID: 24395246
I only see these log messages when I have statistics turned on. If I turn it off, I don't see the messages. That is what confuses me. I still have threat detection on but not statistics and see no drop messages. As soon as I enable statistics I get a bunch of log messages about burst rate.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24395367
The logs are tied to the statistics for tcp-intercept.  Without the statistics, it doesn't know when thresholds are breached.
The default when you enable statistics is to enable all statistics.  If you just want the other statistics, but not the logs, you could disable tcp-intercept stats:

threat-detection statistics
no threat-detection statistics tcp-intercept
---
You can check out the Cisco documentation of the cmd here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1499830

or from the configuration guide here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499
 

Author Comment

by:Jelonet
ID: 24396144
I'm not sure I understand the comment: 'Without the statistics, it doesn't know when thresholds are breached'. If I have threat detection on and statistics off I still see log messages if the tuned threshold is exceeded and packets are dropped. These messages are very few. However, when I enable threat detection statistics I start getting 733101 messages as soon as I enable it.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24396654
I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on.  Now you say something else..?

I pointed at tcp-intercept for which rate is set as part of "threat statistics tcp-intercept" while all the other rates are set with "threat rate", since that would explain the problem you described.  If I misunderstood your question, please try to rephrase it :)
 

Author Comment

by:Jelonet
ID: 24397377
'I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on'. This is partially correct. I get a lot more messages when statistics are enabled.

Maybe I'm more lost than I thought. I'll start from the beginning. When I enable basic threat detection; (config)# threat-detection basic-threat
I will see messages if rate limits I have tuned are exceeded. I don't get many of these messages.
If I enable threat detection statistics; (config)# threat-detection statistics
I'll start getting a ton of messages. Are these just info messages?
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24397578
And these additional messages are of the same kind as when statistics are off?  How many different types?  Can you show them?
 

Author Comment

by:Jelonet
ID: 24403782
With threat detection only I may see 2 or 3 of these per day:
%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962

%PIX-4-733100: [   192.168.] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
When I enable threat statistics I see a lot of these as soon as I enable it, and it is constant until I disable threat statistics:
%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.

%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038
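As an added example (not code from this thread or from Cisco), here is a small Python parser for the 733100/733101 lines posted above. It pulls out the burst and average rates, compares them with the configured maxima, and turns the "Cumulative total count" into a per-message delta, which is the number that actually tells you how much happened since the previous message. The sample log in the block is constructed for the example (addresses and counts are made up, modelled on the posted format); the `>=` comparison and treating "max configured rate is 0" as "no threshold to compare against" are assumptions drawn from the posted lines, not from Cisco documentation.

```python
"""Parse Cisco PIX/ASA threat-detection syslog messages 733100 and 733101.

Added example for this thread; not code from the original post or from Cisco.
The field layout follows the lines posted above; the sample lines below are
constructed for the example (addresses and counts are made up).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. The last line is an ordinary connection message to show
# that unrelated messages are ignored. 192.168.0.1 is reported twice so that the
# cumulative-count delta can be demonstrated.
SAMPLE_LOG = """\
%PIX-4-733100: [ Scanning ] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962
%PIX-4-733100: [ 192.168.10.0 ] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
%PIX-4-733101: Subnet 192.168.0.0 is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.
%PIX-4-733101: Host 192.168.0.1 is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038
%PIX-4-733101: Host 192.168.0.1 is attacking. Current burst rate is 180 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920238
%PIX-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.5/4321 (10.0.0.5/4321) to inside:192.168.0.10/80 (192.168.0.10/80)
"""

# The rate/counter tail is identical in both message types.
_RATES = (
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
_RE_733100 = re.compile(
    r"%(?:PIX|ASA)-4-733100: \[\s*(?P<obj>[^\]]*?)\s*\] drop (?P<rate>rate-\d) exceeded\. " + _RATES
)
_RE_733101 = re.compile(
    r"%(?:PIX|ASA)-4-733101: (?P<kind>Host|Subnet) (?P<addr>\S+) is (?P<role>attacking|targeted)\. " + _RATES
)


@dataclass
class ThreatEvent:
    msg_id: str    # "733100" (drop rate exceeded) or "733101" (scanning host/subnet)
    subject: str   # drop object for 733100; "Host x.x.x.x" / "Subnet x.x.x.x" for 733101
    detail: str    # "rate-1"/"rate-2" for 733100; "attacking"/"targeted" for 733101
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int     # Cumulative total count: running counter, reset only when statistics are cleared

    @property
    def burst_exceeded(self) -> bool:
        # Assumption from the posted 733100 lines: the message fires when burst == configured
        # max, so compare with >=. A configured rate of 0 (as in the posted 733101 lines) is
        # treated as "no threshold to compare against".
        return self.burst_max > 0 and self.burst >= self.burst_max

    @property
    def avg_exceeded(self) -> bool:
        return self.avg_max > 0 and self.avg >= self.avg_max


def _rates(m: re.Match) -> tuple:
    return tuple(int(m[g]) for g in ("burst", "burst_max", "avg", "avg_max", "total"))


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent for a 733100/733101 line, or None for any other message."""
    m = _RE_733100.search(line)
    if m:
        return ThreatEvent("733100", m["obj"], m["rate"], *_rates(m))
    m = _RE_733101.search(line)
    if m:
        return ThreatEvent("733101", f"{m['kind']} {m['addr']}", m["role"], *_rates(m))
    return None


def parse_log(text: str) -> list[ThreatEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def cumulative_deltas(events: list[ThreatEvent]) -> dict[tuple[str, str, str], list[int]]:
    """Growth of 'Cumulative total count' between successive messages for the same subject.

    The absolute count is everything since the statistics were last cleared, so the
    increase between two messages, not the raw number, is what says how much happened
    since the previous report.
    """
    last: dict[tuple[str, str, str], int] = {}
    deltas: dict[tuple[str, str, str], list[int]] = {}
    for ev in events:
        key = (ev.msg_id, ev.subject, ev.detail)
        if key in last:
            deltas.setdefault(key, []).append(ev.total - last[key])
        last[key] = ev.total
    return deltas


def threshold_hits(events: list[ThreatEvent]) -> list[ThreatEvent]:
    """Events whose burst or average rate reached a configured maximum.

    In the sample only the 733100 drop-rate lines carry a non-zero configured maximum;
    the 733101 lines report 'max configured rate is 0' and are therefore not listed.
    """
    return [ev for ev in events if ev.burst_exceeded or ev.avg_exceeded]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in threshold_hits(evs):
        print(f"{ev.msg_id} {ev.subject} {ev.detail}: burst {ev.burst}/{ev.burst_max}, avg {ev.avg}/{ev.avg_max}")
    for key, ds in cumulative_deltas(evs).items():
        print(f"{key}: +{sum(ds)} since the previous message")
```

Point `parse_log` at the text of a syslog export to get the same breakdown for real data; `cumulative_deltas` only becomes informative once the same host or subnet has been reported more than once.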
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404268
Ok, so it's a different type.  I'm not sure of the cause really, but lets try to dig into it.

Apparently it's causing 192.168.0.1 to send a lot of traffic which is seen as an attack.  Is that the PIX, or what device has that IP?
During this time, what does the following cmds give:

sh threat scan
sh threat stat host 192.168.0.1
sh threat stat host (any target identified in the first command)
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24404315
A speculation as to why they appear is that without the statistics, it doesn't store "per host" values and as such can't identify "the attacker".  That is likely why you only see these with statistics on.  But still, let's see if we can get more details when you post the results of those commands I asked for in the last post.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404319
Oh ya, one thing that's interesting to try, to prove that last theory.  After enabling statistics, try to disable host statistics and see if you still get those logs:

no threat stat host
 

Author Comment

by:Jelonet
ID: 24425387
I disabled threat statistics and when I sh threat scan I only see attackers. I'm not sure what I am supposed to see when I take one of the addresses from the sh threat scan and run the show threat stat host <IP> command. Also, I noticed when I grep my syslog for an IP address that shows in the show threat scan, some do not show up at all. I would think if it is considered an attacker or target I should have a syslog message. On many I do not.  If I can't work on this tomorrow I will close and award points, and when I get the time I will open another thread and reference this one.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24425821
The "sh threat stat host <ip>" was meant to be done with the statistics on, so as hopefully to get an idea of what it felt was the attack.
Particularly for addresses like 192.168.0.1, which are internal..
 

Author Comment

by:Jelonet
ID: 24450064
I'll have to get back to this at a later time. Thank you for your help.
