Solved

PIX Threat detection

Posted on 2009-05-14
14
1,735 Views
Last Modified: 2012-08-13
I have threat detection turned on and have tuned it as much as possible for known traffic. On the other hand if I turn on threat detection statistics I start receiving many 733100 and 733101 messages. When I turn off the statistics I don't receive these messages. Are the messages informational when statistics are on? Or, is this telling me that packets are being dropped? The 733101 states current burst rate....then at the end it gives Cumulative total count is <very large number>. What does the Cumulative total count mean?
Question by:Jelonet
14 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24391375
Cumulative total count is the amount since you cleared the statistics.  So if you haven't cleared them and the device has been up long, it's likely to be a large number.

And yes, the logs are informing you that the scanning thresholds are being breached.  So you should probably examine them and figure if the rates should be adjusted, or if actions should be taken.
 

Author Comment

by:Jelonet
ID: 24395246
I only see these log messages when I have statistics turned on. If I turn it off, I don't see the messages. That is what confuses me. I still have threat detection on but not statistics and see no drop messages. As soon as I enable statistics I get a bunch of log messages about burst rate.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24395367
The logs are tied to the statistics for tcp-intercept.  Without the statistics, it doesn't know when thresholds are breached.
The default when you enable statistics is to enable all statistics.  If you just want the other statistics, but not the logs, you could disable tcp-intercept stats:

threat-detection statistics
no threat-detection statistics tcp-intercept
---
You can check out the Cisco documentation of the cmd here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1499830

or from the configuration guide here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499
 

Author Comment

by:Jelonet
ID: 24396144
I'm not sure I understand the comment; 'Without the statistics, it doesn't know when threshold are breached'. If I have threat detection on and statistics off I still see log messages if the tuned threshold is exceeded and packets are dropped. These messages are very few. However, when I enable threat detection statistics I start getting 733101 messages as soon as I enable it.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24396654
I thought your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on.  Now you say something else?

I pointed at tcp-intercept for which rate is set as part of "threat statistics tcp-intercept" while all the other rates are set with "threat rate", since that would explain the problem you described.  If I misunderstood your question, please try to rephrase it :)
 

Author Comment

by:Jelonet
ID: 24397377
'I thoughts your "problem" was that you didn't get messages when you turned statistics off, and got them when statistics were on'. This is partially correct. I get a lot more messages when statistics are enabled.

Maybe I'm more lost than I thought. I'll start from the beginning. When I enable basic threat detection; (config)# threat-detection basic-threat
I will see messages if rate limits I have tuned are exceeded. I don't get many of these messages.
If I enable threat detection statistics; (config)# threat-detection statistics
I'll start getting a ton of messages. Are these just info messages?
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24397578
And these additional messages are of the same kind as when statistics are off?  How many different types?  Can you show them?
 

Author Comment

by:Jelonet
ID: 24403782
With threat detection only I may see 2 or 3 of these per day:
%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962

%PIX-4-733100: [   192.168.] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9169
When I enable threat statistics I see a lot of these as soon as I enable it, and it is constant until I disable threat statistics.
%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.

%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038


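As an added illustration (not from the thread and not Cisco's own tooling), a small Python parser for the rate messages quoted above. It splits each message into its burst/average/configured/cumulative fields, marks a message as informational when the configured max is 0 (no threshold set, as in the 730101 host/subnet lines) versus exceeded when a configured rate was hit, and tracks how much the cumulative count grew between successive messages for the same subject. The sample lines are the ones quoted above plus one constructed follow-up for 192.168.0.1.

```python
import re

# Field layout shared by the %PIX-4-733100 / 730101 rate messages quoted in the thread.
_RATE_RE = re.compile(
    r"%PIX-\d-(?P<msgid>\d+): (?P<subject>.*?)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_event(line):
    """Return the fields of one rate message as a dict, or None if the line is not one."""
    m = _RATE_RE.search(line)
    if not m:
        return None
    ev = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    # "max configured rate is 0" means no rate limit applies to this event class (informational only).
    ev["threshold_set"] = ev["burst_max"] > 0 or ev["avg_max"] > 0
    ev["exceeded"] = ev["threshold_set"] and (ev["burst"] >= ev["burst_max"] or ev["avg"] >= ev["avg_max"])
    return ev

def summarize(lines):
    """Per subject: message count, whether a configured rate was hit, whether it fired with no
    threshold (informational), and growth of the cumulative count across the messages seen."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s = out.setdefault(ev["subject"], {"msgid": ev["msgid"], "messages": 0, "exceeded": False,
                                           "informational": False, "first_total": ev["total"]})
        s["messages"] += 1
        s["exceeded"] = s["exceeded"] or ev["exceeded"]
        s["informational"] = s["informational"] or not ev["threshold_set"]
        s["delta"] = ev["total"] - s["first_total"]  # events counted since this subject's first message
    return out

# Sample input: the lines quoted in the thread plus one constructed follow-up for 192.168.0.1.
SAMPLE_LINES = [
    "%PIX-4-733100: [   192.168.] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 1 per second, max configured rate is 4; Cumulative total count is 8962",
    "%PIX-4-730101: Subnet [192.168.0.0] is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 498209.",
    "%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920038",
    "%PIX-4-730101: Host [192.168.0.1] is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 1920238",  # constructed
]
```

Feeding a day's syslog through summarize() separates the handful of real drop-rate hits from the steady stream of zero-threshold host/subnet messages, and the delta column shows how fast the cumulative counter is actually climbing.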
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404268
Ok, so it's a different type.  I'm not sure of the cause really, but let's try to dig into it.

Apparently it's causing 192.168.0.1 to send a lot of traffic which is seen as an attack.  Is that the PIX or what device has that IP?
During this time, what do the following commands give:

sh threat scan
sh threat stat host 192.168.0.1
sh threat stat host (any target identified in the first command)
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24404315
A speculation as to why they appear is that without the statistics, it doesn't store "per host" values and as such can't identify "the attacker".  That is likely why you only see these with statistics on.  But still, let's see if we can get more details when you post the result of those commands I asked for in my last post.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24404319
Oh yeah, one thing that's interesting to try, to prove that last theory.  After enabling statistics, try to disable host statistics and see if you still get those logs:

no threat stat host
 

Author Comment

by:Jelonet
ID: 24425387
I disabled threat statistics and when I sh threat scan I only see attackers. I'm not sure what I am supposed to see when I take one of the addresses from the sh threat scan and run the show threat stat host <IP> command. Also, I noticed when I grep an IP address that shows in the show threat scan in my syslog, some do not show up at all. I would think if it is considered an attacker or target I should have a syslog message. On many I do not???  If I can't work on this tomorrow I will close and award points and when I get the time I will open another thread and reference this one.
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24425821
The "sh threat stat host <ip>" was meant to be done with the statistics on, so as hopefully to get an idea on what it felt was the attack.
Particularly for addresses like 192.168.0.1, which are internal..
 

Author Comment

by:Jelonet
ID: 24450064
I'll have to get back to this at a later time. Thank you for your help.