Solved

ASA threat-detection / scanning-threat

Posted on 2011-02-12
Last Modified: 2013-11-29
Hi,

I have threat detection configured and I want to shun scanning attempts... In order to enable shun, it seems I have to first disable threat-detection scanning-threat and then re-enable with "threat-detection scanning-threat shun"; however, when I try to remove the first line, I get "ERROR: Can not remove 'scanning-threat' while in use".

I do not have any current attackers, or targets but have cleared them all just in case... what needs to be done here?  Thanks!
Question by:joelia2526
27 Comments
 
LVL 22

Accepted Solution

by:
Rick Hobbs earned 500 total points
ID: 34885192
You need to disable the interface that scanning-threat is enabled on before removing.
0
 

Author Comment

by:joelia2526
ID: 34885196
Pretty sure I tried that, but I'll do it again and let you know... thanks.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34885214
If that doesn't work, shunning is hung up.  Enable then disable shunning and that has to work.
0

 

Author Comment

by:joelia2526
ID: 34885235
Okay, so I must've done the wrong int. last time... now it lets me. It also lets me enable shun, but does not show it as enabled in the CLI or ASDM... here is what I did:

ASA(config)# int eth0/0
ASA(config-if)# shut
ASA(config-if)# exit
ASA(config)# no threat-det scan shun
ASA(config)# no threat-det basic
ASA(config)# int eth0/0
ASA(config-if)# no shut
ASA(config-if)# exit
ASA(config)# threat-detection scanning-threat shun
ASA(config)# threat-detection scanning-threat shun duration 720
ASA(config)# sh run | in shun
threat-detection scanning-threat shun duration 720
ASA(config)#
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34885369
Looks like you have it to me.  There were no errors and looks like you have it set the way you want it.
0
 

Author Comment

by:joelia2526
ID: 34885410
Look at the third line from the bottom... I'm searching the config for "shun" and the only thing that shows up is that shun has a duration, not that it is enabled, and the ASDM shows the "enable shun" as unchecked... see attached.
Capture.PNG
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34885825
Hi Joelia,

Just so you are aware, I did exactly what you're trying to configure and would occasionally have a very important host blocked (such as my email server/web server). These types of servers are particularly prone to showing up as false positives when enabling scanning-threat shunning. Do this with caution and make sure you set up an exclusion list for these types of hosts/servers. Also, torrents and some VoIP stuff will show up as scanning-threats.

Cheers!
0
 

Author Comment

by:joelia2526
ID: 34887780
Thanks!  It's just at my house and I'm doing it more for the sake of doing it than anything else... I just want to see it work, and then re-think if I'm going to keep it there.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34888608
Sweet. Well, I think that command would be just fine for home. Just make sure you add your shun exceptions and you'll be golden!
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34897687
Can you enable shun by CLI or ASDM now?
0
 

Author Comment

by:joelia2526
ID: 34897847
Technically, I can.... it's not giving me an error, but it still shows as not running in both.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897865
What do you mean it shows as not running? Can you post an ASDM screenshot or CLI clipping?
0
 

Author Comment

by:joelia2526
ID: 34897884
There is one in a previous comment... let me know if you see it...
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897928
Oh, you mean the config page. Do those settings stick? If so, it's enabled in the config.

I would also enable basic threat detection if I were you.
0
 

Author Comment

by:joelia2526
ID: 34897947
Thanks... I have it enabled, it just shows that way because I was testing... however, shun does not show as checked off.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897983
Run this command:

threat-detection scanning-threat shun duration X

where X is the number of seconds to shun hosts for. Multiply however many minutes you want by 60 to get the number of seconds.
0
 

Author Comment

by:joelia2526
ID: 34898074
I did that and it's showing up as 720... should I have another line saying "threat-detection scanning-threat shun" without the duration?  I typed that in and it took it, but that is what's not showing up.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898141
Can you do a

sh run threat-detection

and tell me what comes up?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898150
Wait... what ASA/ASDM version are you on? The newest versions use slightly different commands sometimes.
0
 

Author Comment

by:joelia2526
ID: 34898183
Version 6.2, here is the result:

threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898254
Oh goodness! Upgrade that ASA, dear sir! It will automatically upgrade the config as well when you upgrade. 6.2 is ancient and has been out of use for years. I would recommend version 8.2.4 of the ASA software and 6.4.1 of the ASDM software. Just upload those to your ASA and do a reload after setting the asdm image command and the boot system command.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898267
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898280
Sorry, I didn't clarify. Your command did work and shun is running. It will disable hosts for 720 seconds upon detecting a scanning-threat. Everything is working properly and you're good to go. I was just recommending to upgrade your platform whenever you have a chance.
0
 

Author Comment

by:joelia2526
ID: 34898335
Sorry, it's ASDM 6.2.  The ASA is at 8.0(4)... look at the screenshot from ASDM, shun is not checked.
Capture.JPG
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 500 total points
ID: 34898611
Okay, cool. You are good then.

Even if the ASDM doesn't show it, if it shows in the config then it is running.

You can always check the status by running:

sh threat-detection scanning-threat
sh threat-detection shun

This will show the current list of blocked hosts/attackers. If there are none, it will be blank.

Cheers!
0
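Added example (not part of the thread or any poster's code): a Python check that reads `sh run threat-detection` output and decides from the config lines themselves whether shun is on, as the answer above describes, and warns when no shun exceptions are configured, as the earlier comment advises. The first sample is the output posted in the thread; the second adds a constructed `shun except ip-address` line with a made-up address, and all function and variable names are this example's own.

```python
import re

# Running-config lines exactly as posted in the thread (ASA 8.0(4)).
THREAD_CONFIG = """\
threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
"""

# Constructed variant: same config plus one shun exception (address is made up).
WITH_EXCEPTION = THREAD_CONFIG + (
    "threat-detection scanning-threat shun except ip-address 192.0.2.10 255.255.255.255\n"
)

SHUN = re.compile(r"^threat-detection scanning-threat shun\b(.*)$")


def audit_threat_detection(show_run_output):
    """Summarise scanning-threat state from 'sh run threat-detection' output."""
    state = {"basic": False, "scanning": False, "shun": False,
             "duration": None, "exceptions": [], "warnings": []}
    for raw in show_run_output.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if line.startswith("no "):            # negated lines enable nothing
            continue
        if line == "threat-detection basic-threat":
            state["basic"] = True
        if line.startswith("threat-detection scanning-threat"):
            state["scanning"] = True
        m = SHUN.match(line)
        if not m:
            continue
        state["shun"] = True                  # any shun line means shun is on
        rest = m.group(1).strip()
        if rest.startswith("duration "):
            state["duration"] = int(rest.split()[1])
        elif rest.startswith("except "):
            state["exceptions"].append(rest[len("except "):])
    if state["shun"] and not state["exceptions"]:
        state["warnings"].append("shun enabled with no exceptions configured")
    if not state["basic"]:
        state["warnings"].append("basic threat detection is not enabled")
    return state


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("with exception", WITH_EXCEPTION)):
        print(name, audit_threat_detection(cfg))
```
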
 
LVL 33

Expert Comment

by:digitap
ID: 35126469
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
