Cisco Systems and the ASA Services Module Network Router User Manual


 
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 27 Configuring Threat Detection
Configuring Scanning Threat Detection
Detailed Steps

Step 1
Command:
threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
Example:
ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
Purpose:
Enables scanning threat detection. By default, the system log message 733101 is generated when a host is identified as an attacker. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.

Step 2
Command:
threat-detection scanning-threat shun duration seconds
Example:
ciscoasa(config)# threat-detection scanning-threat shun duration 2000
Purpose:
(Optional) Sets the duration of the shun for attacking hosts.

Step 3
Command:
threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate
Example:
ciscoasa(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
ciscoasa(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
Purpose:
(Optional) Changes the default event limit for when the ASA identifies a host as an attacker or as a target. If you already configured this command as part of the basic threat detection configuration (see the “Configuring Basic Threat Detection Statistics” section on page 27-2), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for basic and scanning threat detection. If you do not set the rates using this command, the default values are used for both the scanning threat detection feature and the basic threat detection feature. You can configure up to three different rate intervals by entering separate commands.

Monitoring Shunned Hosts, Attackers, and Targets

To monitor shunned hosts and attackers and targets, perform one of the following tasks:

Command:
show threat-detection shun
Purpose:
Displays the hosts that are currently shunned.
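
A configuration check for the Detailed Steps above, as an added example that is not from the Cisco guide: it parses scanning-threat commands in the syntax shown on this page and reports hosts that no shun exemption covers, plus a rate-interval count above three. The sample configuration, the audit function and the must_not_shun list are assumptions; object-group exemptions are not resolved, and any command containing the shun keyword is treated as shunning being in effect.

```python
import ipaddress
import re

# Constructed sample configuration; only syntax shown on this page is used.
SAMPLE_CONFIG = """\
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun duration 2000
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
"""

EXCEPT_RE = re.compile(r"^threat-detection scanning-threat shun except ip-address (\S+) (\S+)$")
DURATION_RE = re.compile(r"^threat-detection scanning-threat shun duration (\d+)$")
RATE_RE = re.compile(r"^threat-detection rate scanning-threat rate-interval (\d+) "
                     r"average-rate (\d+) burst-rate (\d+)$")

def audit(config, must_not_shun):
    """Return (summary, findings) for the scanning-threat settings in config.

    must_not_shun is a hypothetical operator-supplied list of hosts that have
    to stay reachable, for example an internal vulnerability scanner.
    """
    exempt, rates, duration, enabled, shun = [], [], None, False, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("threat-detection scanning-threat"):
            enabled = True
            # Conservative assumption: any 'shun' keyword means shunning is active.
            shun = shun or " shun" in line
        if m := EXCEPT_RE.match(line):
            # ip_network accepts the dotted netmask form the ASA uses.
            exempt.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := DURATION_RE.match(line):
            duration = int(m[1])
        elif m := RATE_RE.match(line):
            rates.append(tuple(int(g) for g in m.groups()))
    findings = []
    if not enabled:
        findings.append("scanning threat detection is not enabled")
    if len(rates) > 3:
        findings.append(f"{len(rates)} rate intervals configured; at most three are allowed")
    if shun:
        for host in must_not_shun:
            if not any(ipaddress.ip_address(host) in net for net in exempt):
                findings.append(f"{host} is not exempt from shunning")
    return {"shun": shun, "duration": duration, "exempt": exempt, "rates": rates}, findings
```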