Solved

ASA threat-detection / scanning-threat

Posted on 2011-02-12
27
6,652 Views
Last Modified: 2013-11-29
Hi,

I have threat detection configured and I want to shun scanning attempts. In order to enable shun, it seems I have to first disable threat-detection scanning-threat and then re-enable it with "threat-detection scanning-threat shun"; however, when I try to remove the first line, I get "ERROR: Can not remove 'scanning-threat' while in use".

I do not have any current attackers or targets, but have cleared them all just in case... what needs to be done here? Thanks!
Question by:joelia2526
27 Comments
 
LVL 22

Accepted Solution

by:
Rick Hobbs earned 125 total points
ID: 34885192
You need to disable the interface that scanning-threat is enabled on before removing it.
0
 

Author Comment

by:joelia2526
ID: 34885196
Pretty sure I tried that, but I'll do it again and let you know... thanks.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34885214
If that doesn't work, shunning is hung up.  Enable then disable shunning and that has to work.
0
 

Author Comment

by:joelia2526
ID: 34885235
Okay, so I must've done the wrong int. last time..... now it lets me... it also lets me enable shun, but does not show it as enabled in the CLI or ASDM... here is what I did:

ASA(config)# int eth0/0
ASA(config-if)# shut
ASA(config-if)# exit
ASA(config)# no threat-det scan shun
ASA(config)# no threat-det basic
ASA(config)# int eth0/0
ASA(config-if)# no shut
ASA(config-if)# exit
ASA(config)# threat-detection scanning-threat shun
ASA(config)# threat-detection scanning-threat shun duration 720
ASA(config)# sh run | in shun
threat-detection scanning-threat shun duration 720
ASA(config)#
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34885369
Looks like you have it to me.  There were no errors and looks like you have it set the way you want it.
0
 

Author Comment

by:joelia2526
ID: 34885410
Look at the third line from the bottom... I'm searching the config for "shun" and the only thing that shows up is that shun has a duration, not that it is enabled, and the ASDM shows the "enable shun" box as unchecked.... see attached.
Capture.PNG
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34885825
Hi Joelia,

Just so you are aware, I did exactly what you're trying to configure and would occasionally have a very important host blocked (such as my email server/web server). These types of servers are particularly prone to showing up as false positives when enabling scanning-threat shunning. Do this with caution and make sure you set up an exclusion list for these types of hosts/servers. Also, torrents and some VOIP stuff will show up as scanning-threats.

Cheers!
0
 

Author Comment

by:joelia2526
ID: 34887780
Thanks!  It's just at my house and I'm doing it more for the sake of doing it than anything else... I just want to see it work, and then re-think if I'm going to keep it there.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34888608
Sweet. Well, I think that command would be just fine for home. Just make sure you add your shun exceptions and you'll be golden!
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 34897687
Can you enable shun by CLI or ASDM now?
0
 

Author Comment

by:joelia2526
ID: 34897847
Technically, I can.... it's not giving me an error, but it still shows as not running in both.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897865
What do you mean it shows as not running? Can you post an ASDM screenshot or CLI clipping?
0
 

Author Comment

by:joelia2526
ID: 34897884
There is one in a previous comment... let me know if you see it...
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897928
Oh, you mean the config page. Do those settings stick? If so, it's enabled in the config.

I would also enable basic threat detection if I were you.
0
 

Author Comment

by:joelia2526
ID: 34897947
Thanks... I have it enabled, it just shows that way because I was testing.... however, shun does not show as checked off.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34897983
Run this command:

threat-detection scanning-threat shun duration X

where X is the number of seconds to shun hosts for. Multiply however many minutes you want by 60 to get the number of seconds.
0
 

Author Comment

by:joelia2526
ID: 34898074
I did that and it's showing up as 720... should I have another line saying "threat-detection scanning-threat shun" without the duration? I typed that in and it took it, but that is what's not showing up.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898141
Can you do a

sh run threat-detection

and tell me what comes up?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898150
Wait... what ASA/ASDM version are you on? The newest versions sometimes use slightly different commands.
0
 

Author Comment

by:joelia2526
ID: 34898183
Version 6.2, here is the result:

threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898254
Oh goodness! Upgrade that ASA, dear sir! It will automatically upgrade the config as well when you upgrade. 6.2 is ancient and has been out of use for years. I would recommend version 8.2.4 of the ASA software and 6.4.1 of the ASDM software. Just upload those to your ASA and do a reload after setting the asdm image command and the boot system command.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898267
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34898280
Sorry, I didn't clarify. Your command did work and shun is running. It will disable hosts for 720 seconds upon detecting a scanning-threat. Everything is working properly and you're good to go. I was just recommending to upgrade your platform whenever you have a chance.
0
 

Author Comment

by:joelia2526
ID: 34898335
Sorry, it's ASDM 6.2. The ASA is at 8.0(4)... look at the screenshot from ASDM, shun is not checked.
Capture.JPG
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 125 total points
ID: 34898611
Okay, cool. You are good then.

Even if the ASDM doesn't show it, if it shows in the config then it is running.

You can always check the status by running:

sh threat-detection scanning-threat
sh threat-detection shun

This will show the current list of blocked hosts/attackers. If there are none, it will be blank.

Cheers!
0
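The accepted answer's point is that the line "threat-detection scanning-threat shun duration 720" in the running config already means shun is enabled, regardless of what the ASDM checkbox shows, and Pugglewuggle's earlier warning is that enabling shun without an exception list will eventually block a mail or web server as a false positive. The following added example (written for this page, not code from the thread or from Cisco) audits a pasted "sh run threat-detection" excerpt for exactly those two conditions. It assumes the command syntax shown in the thread plus the "shun except ip-address" / "shun except object-group" forms; the sample config is constructed and the 192.0.2.25 exception host is hypothetical.

```python
"""Audit an ASA running-config excerpt for scanning-threat shun settings.

Added example for this thread; not Cisco code. Parses only the
threat-detection lines shown in the discussion plus the shun-exception forms.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines the author posted from "sh run threat-detection",
# plus one hypothetical shun exception for a mail server (not from the thread).
SAMPLE_CONFIG = """\
threat-detection basic-threat
threat-detection scanning-threat shun duration 720
threat-detection scanning-threat shun except ip-address 192.0.2.25 255.255.255.255
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
"""


def parse_threat_detection(config: str) -> Dict[str, object]:
    """Return the effective threat-detection state from running-config lines."""
    state: Dict[str, object] = {
        "basic_threat": False,      # "threat-detection basic-threat" present
        "scanning_threat": False,   # any "threat-detection scanning-threat ..." line
        "shun_enabled": False,      # "shun" keyword present on a scanning-threat line
        "shun_duration": None,      # seconds from "shun duration N", if configured
        "shun_except": [],          # list of (ip, mask) or ("object-group", name)
    }
    for raw in config.splitlines():
        line = raw.strip()
        # "no threat-detection ..." lines turn features off; they never enable shun.
        if not line.startswith("threat-detection "):
            continue
        if line == "threat-detection basic-threat":
            state["basic_threat"] = True
        elif line.startswith("threat-detection scanning-threat"):
            state["scanning_threat"] = True
            if "shun" in line.split():
                state["shun_enabled"] = True
            m = re.search(r"shun duration (\d+)$", line)
            if m:
                state["shun_duration"] = int(m.group(1))
            m = re.search(r"shun except ip-address (\S+) (\S+)$", line)
            if m:
                state["shun_except"].append((m.group(1), m.group(2)))
            m = re.search(r"shun except object-group (\S+)$", line)
            if m:
                state["shun_except"].append(("object-group", m.group(1)))
    return state


def audit(state: Dict[str, object]) -> List[str]:
    """Flag the misconfigurations discussed in the thread."""
    findings: List[str] = []
    if not state["basic_threat"]:
        findings.append("basic threat detection is disabled")
    if state["scanning_threat"] and not state["shun_enabled"]:
        findings.append("scanning-threat is on but shun is not enabled (detect-only)")
    if state["shun_enabled"] and not state["shun_except"]:
        findings.append("shun enabled with no exception list; critical hosts may be "
                        "shunned as false positives")
    if state["shun_enabled"] and state["shun_duration"] is None:
        findings.append("shun duration not set explicitly; platform default applies")
    return findings


if __name__ == "__main__":
    parsed = parse_threat_detection(SAMPLE_CONFIG)
    print(parsed)
    print(audit(parsed) or ["no findings"])
```

Paste the output of "sh run threat-detection" into SAMPLE_CONFIG (or read it from a file) and run the script; an empty findings list means shun is on, has an explicit duration, and has at least one exception, which is the state the thread converges on. The script deliberately trusts only the running config, not the ASDM checkbox, for the reason given in the accepted answer.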
 
LVL 33

Expert Comment

by:digitap
ID: 35126469
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Question has a verified solution.