ASA threat-detection / scanning-threat

Hi,

I have threat detection configured and I want to shun scanning attempts. In order to enable shun, it seems I have to first disable threat-detection scanning-threat and then re-enable it with "threat-detection scanning-threat shun"; however, when I try to remove the first line, I get "ERROR: Can not remove 'scanning-threat' while in use".

I do not have any current attackers or targets, but have cleared them all just in case... what needs to be done here? Thanks!
 
Rick Hobbs (RETIRED) commented:
You need to disable the interface that scanning-threat is enabled on before removing it.
 
joelia2526 (Author) commented:
Pretty sure I tried that, but I'll do it again and let you know... thanks.
 
Rick Hobbs (RETIRED) commented:
If that doesn't work, shunning is hung up. Enable then disable shunning and that has to work.
 
joelia2526 (Author) commented:
Okay, so I must've done the wrong int. last time... now it lets me... it also lets me enable shun, but does not show it as enabled in the CLI or ASDM. Here is what I did:

ASA(config)# int eth0/0
ASA(config-if)# shut
ASA(config-if)# exit
ASA(config)# no threat-det scan shun
ASA(config)# no threat-det basic
ASA(config)# int eth0/0
ASA(config-if)# no shut
ASA(config-if)# exit
ASA(config)# threat-detection scanning-threat shun
ASA(config)# threat-detection scanning-threat shun duration 720
ASA(config)# sh run | in shun
threat-detection scanning-threat shun duration 720
ASA(config)#
 
Rick Hobbs (RETIRED) commented:
Looks like you have it to me. There were no errors and it looks like you have it set the way you want it.
 
joelia2526 (Author) commented:
Look at the third line from the bottom... I'm searching the config for "shun" and the only thing that shows up is that shun has a duration, not that it is enabled, and the ASDM shows "enable shun" as unchecked... see attached.
Capture.PNG
 
Pugglewuggle commented:
Hi Joelia,

Just so you are aware, I did exactly what you're trying to configure and would occasionally have a very important host blocked (such as my email server/web server). These types of servers are particularly prone to showing up as false positives when enabling scanning-threat shunning. Do this with caution and make sure you set up an exclusion list for these types of hosts/servers. Also, torrents and some VoIP stuff will show up as scanning threats.

Cheers!
 
joelia2526 (Author) commented:
Thanks! It's just at my house and I'm doing it more for the sake of doing it than anything else... I just want to see it work, and then rethink whether I'm going to keep it there.
 
Pugglewuggle commented:
Sweet. Well, I think that command would be just fine for home. Just make sure you add your shun exceptions and you'll be golden!
 
Rick Hobbs (RETIRED) commented:
Can you enable shun by CLI or ASDM now?
 
joelia2526 (Author) commented:
Technically, I can... it's not giving me an error, but it still shows as not running in both.
 
Pugglewuggle commented:
What do you mean it shows as not running? Can you post an ASDM screenshot or CLI clipping?
 
joelia2526 (Author) commented:
There is one in a previous comment... let me know if you see it...
 
Pugglewuggle commented:
Oh, you mean the config page. Do those settings stick? If so, it's enabled in the config.

I would also enable basic threat detection if I were you.
 
joelia2526 (Author) commented:
Thanks... I have it enabled, it just shows that way because I was testing... however, shun does not show as checked off.
 
Pugglewuggle commented:
Run this command:

threat-detection scanning-threat shun duration X

where X is the number of seconds to shun hosts for. Multiply however many minutes you want by 60 to get the number of seconds.
 
joelia2526 (Author) commented:
I did that and it's showing up as 720... should I have another line saying "threat-detection scanning-threat shun" without the duration? I typed that in and it took it, but that is what's not showing up.
 
Pugglewuggle commented:
Can you do a

sh run threat-detection

and tell me what comes up?
 
Pugglewuggle commented:
Wait... what ASA/ASDM version are you on? The newest versions sometimes use slightly different commands.
 
joelia2526 (Author) commented:
Version 6.2, here is the result:

threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 
Pugglewuggle commented:
Oh goodness! Upgrade that ASA, dear sir! It will automatically upgrade the config as well when you upgrade. 6.2 is ancient and has been out of use for years. I would recommend version 8.2.4 of the ASA software and 6.4.1 of the ASDM software. Just upload those to your ASA and do a reload after setting the asdm image command and the boot system command.
 
 
Pugglewuggle commented:
Sorry, I didn't clarify. Your command did work and shun is running. It will disable hosts for 720 seconds upon detecting a scanning-threat. Everything is working properly and you're good to go. I was just recommending to upgrade your platform whenever you have a chance.
 
joelia2526 (Author) commented:
Sorry, it's ASDM 6.2. The ASA is at 8.0(4)... look at the screenshot from ASDM, shun is not checked.
Capture.JPG
 
Pugglewuggle commented:
Okay, cool. You are good then.

Even if the ASDM doesn't show it, if it shows in the config then it is running.

You can always check the status by running:

sh threat-detection scanning-threat
sh threat-detection shun

This will show the current list of blocked hosts/attackers. If there are none, it will be blank.

Cheers!
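The point the thread settles on is that a running config containing only "threat-detection scanning-threat shun duration 720" already means shunning is on, even though the ASDM checkbox and the bare "shun" line are not shown. The script below is an added example, not Cisco's code or anything the posters wrote: it parses the lines that "sh run threat-detection" prints and reports whether basic-threat, scanning-threat and shunning are enabled, the shun duration, and any shun exceptions, then flags the false-positive risk Pugglewuggle raised for hosts that have no exception configured. The sample config is constructed from the four lines posted in the thread plus one exception line; "threat-detection scanning-threat shun except ip-address <addr> <mask>" is the ASA syntax for excluding a host from shunning, and the address 192.0.2.10 is a placeholder. The audit thresholds are this example's own choices.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the four lines joelia2526 posted from "sh run threat-detection",
# plus one exception line. "shun except ip-address <addr> <mask>" is the ASA syntax for
# excluding a host from shunning; 192.0.2.10 is a constructed placeholder address.
SAMPLE_RUN = """\
threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection scanning-threat shun except ip-address 192.0.2.10 255.255.255.255
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
"""


@dataclass
class ThreatDetectionState:
    basic_threat: bool = False
    scanning_threat: bool = False
    shun_enabled: bool = False
    shun_duration: Optional[int] = None      # seconds; None = no explicit duration line
    shun_exceptions: List[str] = field(default_factory=list)
    statistics: List[str] = field(default_factory=list)


def parse_threat_detection(config: str) -> ThreatDetectionState:
    """Replay the threat-detection lines in order, honouring 'no' forms as they appear."""
    st = ThreatDetectionState()
    for raw in config.splitlines():
        tokens = raw.strip().split()
        negated = bool(tokens) and tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0] != "threat-detection":
            continue
        feature, rest = tokens[1], tokens[2:]
        if feature == "basic-threat":
            st.basic_threat = not negated
        elif feature == "scanning-threat":
            if negated:
                if not rest:
                    # 'no threat-detection scanning-threat' removes the feature, and shunning with it
                    st.scanning_threat = st.shun_enabled = False
                    st.shun_duration, st.shun_exceptions = None, []
                elif rest == ["shun"]:
                    st.shun_enabled, st.shun_duration = False, None
                elif rest[0] == "shun" and len(rest) >= 3 and rest[1] == "except":
                    exc = " ".join(rest[2:])
                    if exc in st.shun_exceptions:
                        st.shun_exceptions.remove(exc)
                elif rest[0] == "shun" and rest[1:2] == ["duration"]:
                    st.shun_duration = None     # back to the platform default
                continue
            st.scanning_threat = True
            if rest and rest[0] == "shun":
                # Any 'scanning-threat shun ...' line means shunning is on: the ASA folds the
                # bare 'shun' command and 'shun duration N' into this single line, which is
                # why the thread's "sh run | in shun" showed only the duration form.
                st.shun_enabled = True
                if len(rest) >= 3 and rest[1] == "duration":
                    st.shun_duration = int(rest[2])
                elif len(rest) >= 3 and rest[1] == "except":
                    st.shun_exceptions.append(" ".join(rest[2:]))
        elif feature == "statistics" and not negated:
            st.statistics.append(" ".join(rest))
    return st


def audit(st: ThreatDetectionState) -> List[str]:
    """Findings a defender would act on; the thresholds are this example's own choices."""
    findings = []
    if not st.basic_threat:
        findings.append("basic-threat is disabled; attack-rate events will not be logged")
    if not st.scanning_threat:
        findings.append("scanning-threat is disabled; no scan detection or shunning")
    elif st.shun_enabled:
        if not st.shun_exceptions:
            findings.append("shun is enabled with no exceptions; mail, web and VoIP hosts "
                            "that trip false positives will be blocked")
        if st.shun_duration is not None and st.shun_duration > 3600:
            findings.append(f"shun duration {st.shun_duration}s is over an hour; a false "
                            "positive blocks a host for that long")
    return findings


if __name__ == "__main__":
    state = parse_threat_detection(SAMPLE_RUN)
    print(f"scanning-threat={state.scanning_threat} shun={state.shun_enabled} "
          f"duration={state.shun_duration} exceptions={state.shun_exceptions}")
    for finding in audit(state):
        print("FINDING:", finding)
```

Feed it the output of "sh run threat-detection" copied from the device; it does not parse the live "sh threat-detection shun" host list, which is the command to use when you want to see who is currently blocked rather than what is configured.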
 
digitap commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.