Threat detection lets the ASA gather statistics for various kinds of threats, and scanning threat detection identifies a host that is performing a scan. Threat detection can optionally even shun the attacker.
Threat detection can be divided into two parts:
- Basic – includes information about attack activity for the system as a whole (enabled by default)
- Advanced – tracks activity at the object level. Activity can be gathered per individual host, port, protocol or access list. Advanced threat detection statistics have a big performance impact, so be careful during configuration. By default only ACL statistics are enabled.
The threat detection feature is not available in multiple context mode!
The threat detection feature monitors only traffic passing through the ASA, not traffic destined to the ASA itself!
BASIC THREAT DETECTION
Basic threat detection monitors the rate of dropped packets and security events caused by the following reasons:
– Denial by ACL
– Bad packet format
– Connection limit exceeded
– DoS attack detected
– Basic firewall checks failed (only firewall related!)
– Suspicious ICMP packets
– Packets failed application inspection
– Interface overload
– Scanning attack detected, e.g. TCP connection that failed the 3-way handshake
– Incomplete session detection, e.g. TCP SYN attack
Default configuration on the ASA:
# sh running-config threat-detection
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
- Change the ACL-drop rate to 100 drops/s averaged over 10 minutes in normal mode, and 60 drops/s in burst mode (measured over 1/30th of the average interval)
(config)#threat-detection rate acl-drop rate-interval 600 average-rate 100 burst-rate 60
- Change the icmp-drop rate to 50 drops/s averaged over 600 s in normal mode, and 100 drops/s over 1/128th of the average rate interval in burst mode.
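To see how the two thresholds of a threat-detection rate command interact, here is a small added model (not Cisco code and not from the original notes) of the average and burst calculations described above. It assumes, as the text says, that the burst interval is 1/30th of the rate interval and additionally floors it at 10 seconds; the drop timestamps it evaluates are constructed for the illustration. It shows why a short, intense run of ACL drops trips the burst threshold while leaving the 10-minute average far below its limit, and why only a sustained rate trips both.

```python
"""Simplified model of ASA basic threat detection rate thresholds.

Added illustration only: it follows the description of average-rate
(measured over rate-interval) and burst-rate (measured over a burst
interval of 1/30th of rate-interval) and is not a reimplementation of
the ASA's real sampling logic.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RatePolicy:
    """Parameters of one `threat-detection rate <type> ...` line."""
    event_type: str
    rate_interval: int   # seconds over which the average rate is measured
    average_rate: int    # events/sec that trips the average threshold
    burst_rate: int      # events/sec that trips the burst threshold

    @property
    def burst_interval(self) -> int:
        # Assumption for this model: 1/30th of the rate interval,
        # but never shorter than 10 seconds.
        return max(10, self.rate_interval // 30)


# The two policies from the notes above.
ACL_DROP = RatePolicy("acl-drop", rate_interval=600, average_rate=100, burst_rate=60)
ICMP_DROP = RatePolicy("icmp-drop", rate_interval=600, average_rate=50, burst_rate=100)


def steady_drops(rate: float, start: float, end: float) -> List[float]:
    """Constructed sample: evenly spaced drop timestamps at `rate` per second
    between `start` and `end` (seconds). Used in place of real ASA counters."""
    count = int(rate * (end - start))
    return [start + (i + 0.5) / rate for i in range(count)]


def events_per_second(timestamps: Iterable[float], window_end: float, window: int) -> float:
    """Average events/sec over the half-open window (window_end - window, window_end]."""
    start = window_end - window
    count = sum(1 for t in timestamps if start < t <= window_end)
    return count / window


def evaluate(policy: RatePolicy, drop_times: List[float], now: float) -> Dict[str, object]:
    """Report the measured average and burst rates at time `now` and
    whether each exceeds its configured threshold."""
    avg = events_per_second(drop_times, now, policy.rate_interval)
    burst = events_per_second(drop_times, now, policy.burst_interval)
    return {
        "type": policy.event_type,
        "average_eps": round(avg, 2),
        "burst_eps": round(burst, 2),
        "average_exceeded": avg > policy.average_rate,
        "burst_exceeded": burst > policy.burst_rate,
    }


if __name__ == "__main__":
    # 80 drops/s for only the last 20 s: trips burst (60/s over 20 s) but
    # the 600 s average is just 2.67/s, far below 100/s.
    print(evaluate(ACL_DROP, steady_drops(80, 580, 600), now=600))
    # 120 drops/s sustained for the whole 600 s: trips both thresholds.
    print(evaluate(ACL_DROP, steady_drops(120, 0, 600), now=600))
    # 30 drops/s of ICMP for 600 s: below both icmp-drop thresholds.
    print(evaluate(ICMP_DROP, steady_drops(30, 0, 600), now=600))
```

The practical reading of the model: the burst threshold is the one that reacts to a short spike, so on a busy interface it is usually the value that needs tuning to avoid noisy syslog messages, while the average threshold only fires for activity that persists across most of the rate interval.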
ADVANCED THREAT DETECTION
When enabling advanced threat detection, be careful about the performance impact.
Of all the advanced features, only ACL statistics are enabled by default. To show the statistics for the ACL type, use the command: