Cisco ASA 5505 Configuration Manual page 1096
Configuring Basic Threat Detection Statistics
• Configuring Basic Threat Detection Statistics, page 51-4
• Monitoring Basic Threat Detection Statistics, page 51-4
• Feature History for Basic Threat Detection Statistics, page 51-4

Information About Basic Threat Detection Statistics
Using basic threat detection statistics, the adaptive security appliance monitors the rate of dropped packets and security events due to the following reasons:
• Denial by access lists
• Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
• Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
• DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
• Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
• Suspicious ICMP packets detected
• Packets failed application inspection
• Interface overload
• Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the "Configuring Scanning Threat Detection" section on page 51-8) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)
• Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected

When the adaptive security appliance detects a threat, it immediately sends a system log message (730100). The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each received event, the adaptive security appliance checks the average and burst rate limits; if both rates are exceeded, then the adaptive security appliance sends two separate system messages, with a maximum of one message for each rate type per burst period.

Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature:

Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Chapter 51 Configuring Threat Detection
Cisco ASA 5500 Series Configuration Guide using ASDM
51-2
OL-20339-01
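The average-rate and burst-rate check described under Information About Basic Threat Detection Statistics, as an added illustrative model in Python; this is not Cisco's implementation or any code from the guide. It derives the burst interval from the average interval, checks both limits on every event and emits at most one 730100-style message per rate type per burst period. The sliding-window rate calculation, the class and function names and the message text are assumptions, and the thresholds and event timestamps in the sample are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

def burst_interval(avg_interval_s: int) -> int:
    """Burst interval as the page states it: 1/30th of the average
    rate interval or 10 seconds, whichever is higher."""
    return max(avg_interval_s // 30, 10)

@dataclass
class DropRateMonitor:
    """Illustrative model (not ASA code) of the basic threat detection check
    for one drop reason. Assumption: a rate is the number of events in a
    sliding window divided by the window length in seconds."""
    avg_interval: int        # average rate interval, seconds
    avg_limit: float         # maximum average events per second
    burst_limit: float       # maximum burst events per second
    events: deque = field(default_factory=deque)    # timestamps in average window
    last_alert: dict = field(default_factory=dict)  # rate type -> last message time

    def record(self, now: float) -> list:
        """Record one event at `now`; return the 730100-style messages it triggers."""
        self.events.append(now)
        while self.events[0] <= now - self.avg_interval:  # age out old events
            self.events.popleft()
        bi = burst_interval(self.avg_interval)
        avg_rate = len(self.events) / self.avg_interval
        burst_rate = sum(1 for t in self.events if t > now - bi) / bi
        msgs = []
        # Both limits are checked on every event; exceeding both yields two
        # separate messages, at most one per rate type per burst period.
        for kind, rate, limit in (("average", avg_rate, self.avg_limit),
                                  ("burst", burst_rate, self.burst_limit)):
            last = self.last_alert.get(kind)
            if rate > limit and (last is None or now - last >= bi):
                self.last_alert[kind] = now
                msgs.append(f"730100: {kind} rate {rate:.2f}/s exceeds {limit}/s")
        return msgs

def replay(monitor: DropRateMonitor, times) -> list:
    """Feed constructed event timestamps; collect (event index, message) pairs."""
    out = []
    for i, t in enumerate(times):
        out.extend((i, m) for m in monitor.record(t))
    return out

if __name__ == "__main__":
    # Constructed sample: 31 events 0.1 s apart against a 60 s average interval
    # (burst interval 10 s) with limits 0.5/s average and 2/s burst.
    mon = DropRateMonitor(avg_interval=60, avg_limit=0.5, burst_limit=2.0)
    print(replay(mon, [i * 0.1 for i in range(31)]))
```

With the constructed sample, the burst limit is exceeded first (21st event) and the average limit later (31st event); the later events that still exceed the burst limit are suppressed because they fall within the same 10 second burst period.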