Solved

ASA threat-detection / scanning-threat

Posted on 2011-02-12
Last Modified: 2013-11-29
Hi,

I have threat detection configured and I want to shun scanning attempts.... in order to enable shun, it seems I have to first disable threat-detection scanning-threat and then re-enable with "threat-detection scanning-threat shun", however when I try to remove the first line, I get "ERROR: Can not remove 'scanning-threat' while in use".

I do not have any current attackers, or targets but have cleared them all just in case... what needs to be done here?  Thanks!
Question by:joelia2526
 
LVL 22

Accepted Solution

by:
rickhobbs earned 125 total points
ID: 34885192
You need to disable the interface that scanning-threat is enabled on before removing.
0
 

Author Comment

by:joelia2526
ID: 34885196
Pretty sure I tried that, but I'll do it again and let you know... thanks.
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 34885214
If that doesn't work, shunning is hung up.  Enable then disable shunning and that has to work.
0
 

Author Comment

by:joelia2526
ID: 34885235
Okay so I must've done the wrong int. last time... now it lets me... it also lets me enable shun, but does not show it as enabled in the CLI or ASDM... here is what I did:

ASA(config)# int eth0/0
ASA(config-if)# shut
ASA(config-if)# exit
ASA(config)# no threat-det scan shun
ASA(config)# no threat-det basic
ASA(config)# int eth0/0
ASA(config-if)# no shut
ASA(config-if)# exit
ASA(config)# threat-detection scanning-threat shun
ASA(config)# threat-detection scanning-threat shun duration 720
ASA(config)# sh run | in shun
threat-detection scanning-threat shun duration 720
ASA(config)#
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 34885369
Looks like you have it to me.  There were no errors and looks like you have it set the way you want it.
0
 

Author Comment

by:joelia2526
ID: 34885410
Look at the third line from the bottom... I'm searching the config for "shun" and the only thing that shows up is that shun has a duration, not that it is enabled and the ASDM shows the "enable shun" as unchecked.... see attached.
Capture.PNG
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34885825
Hi Joelia,

Just so you are aware, I did exactly what you're trying to configure and would occasionally have a very important host blocked (such as my email server/web server). These types of servers are particularly prone to showing up as false-positives when enabling scanning-threat shunning. Do this with caution and make sure you set up an exclusion list for these types of hosts/servers. Also, torrents and some VOIP stuff will show up as scanning-threats.

Cheers!
0
 

Author Comment

by:joelia2526
ID: 34887780
Thanks!  It's just at my house and I'm doing it more for the sake of doing it than anything else... I just want to see it work, and then re-think if I'm going to keep it there.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34888608
Sweet. Well, I think that command would be just fine for home. Just make sure you add your shun exceptions and you'll be golden!
0
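The shun exclusion list recommended in the comments above, as an added example that is not part of the original thread. The object-group name SHUN-EXEMPT and all addresses are constructed placeholders; the `except` keyword takes either `ip-address <address> <mask>` or `object-group <name>`.

```cisco
! Constructed example: SHUN-EXEMPT and the addresses below are placeholders,
! not values from the thread. Substitute the hosts that must never be shunned
! (mail server, web server, VoIP gear, and so on).
object-group network SHUN-EXEMPT
 network-object host 192.0.2.25
 network-object host 192.0.2.80
 network-object 10.10.10.0 255.255.255.0
!
threat-detection basic-threat
! Shun detected scanners, except sources that match the object-group
threat-detection scanning-threat shun except object-group SHUN-EXEMPT
! Keep shuns in place for 720 seconds (the duration used in the thread)
threat-detection scanning-threat shun duration 720
!
! Checks to run afterwards from privileged EXEC:
!   show running-config threat-detection
!   show threat-detection scanning-threat
!   show threat-detection shun
! Release a host that was shunned by mistake:
!   clear threat-detection shun 192.0.2.25 255.255.255.255
```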
 
LVL 22

Expert Comment

by:rickhobbs
ID: 34897687
Can you enable shun by CLI or ASDM now?
0
 

Author Comment

by:joelia2526
ID: 34897847
Technically, I can.... it's not giving me an error, but it still shows as not running in both.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897865
What do you mean it shows as not running? Can you post an ASDM screenshot or CLI clipping?
0
 

Author Comment

by:joelia2526
ID: 34897884
There is one in a previous comment... let me know if you see it...
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897928
Oh, you mean the config page. Do those settings stick? If so, it's enabled in the config.

I would also enable basic threat detection if I were you.
0
 

Author Comment

by:joelia2526
ID: 34897947
Thanks... I have it enabled, it just shows that way because I was testing.... however, shun does not show as checked off.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897983
Run this command:

threat-detection scanning-threat shun duration X

where X is the number of seconds to shun hosts for. Multiply however many minutes you want by 60 to get the number of seconds.
0
 

Author Comment

by:joelia2526
ID: 34898074
I did that and it's showing up as 720... should I have another line saying "threat-detection scanning-threat shun" without the duration?  I typed that in and it took it, but that is what's not showing up.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898141
Can you do a

sh run threat-detection

and tell me what comes up?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898150
Wait... what ASA/ASDM version are you on? The newest versions use slightly different commands sometimes.
0
 

Author Comment

by:joelia2526
ID: 34898183
Version 6.2, here is the result:

threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898254
Oh Goodness! Upgrade that ASA dear sir! It will automatically upgrade the config as well when you upgrade. 6.2 is ancient and has been out of use for years. I would recommend version 8.2.4 of the ASA software and 6.4.1 of the ASDM software. Just upload those to your ASA and do a reload after setting the asdm image command and the boot system command.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898267
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898280
Sorry, I didn't clarify. Your command did work and shun is running. It will disable hosts for 720 seconds upon detecting a scanning-threat. Everything is working properly and you're good to go. I was just recommending to upgrade your platform whenever you have a chance.
0
 

Author Comment

by:joelia2526
ID: 34898335
Sorry, it's asdm 6.2.  The asa is at 8.0(4)... look at the screen shot from asdm, shun is not checked.
Capture.JPG
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 125 total points
ID: 34898611
Okay, cool. You are good then.

Even if the ASDM doesn't show it, if it shows in the config then it is running.

You can always check the status by running:

sh threat-detection scanning-threat
sh threat-detection shun

This will show the current list of blocked hosts/attackers. If there are none, it will be blank.

Cheers!
0
 
LVL 33

Expert Comment

by:digitap
ID: 35126469
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
