Managing Basic Threat Statistics - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Configuring Threat Detection
The average-rate av_rate argument can be between 0 and 2147483647 in drops/sec.
The burst-rate burst_rate argument can be between 0 and 2147483647 in drops/sec. The burst rate is
calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval
is 1/60th of the average rate interval or 10 seconds, whichever is larger.
You can configure up to three different rate intervals for each event type.
The following example enables basic threat detection, and changes the triggers for DoS attacks:
hostname(config)# threat-detection basic-threat
hostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100

Managing Basic Threat Statistics

To view basic threat statistics, enter the following command:
hostname# show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]
where the min-display-rate min_display_rate argument limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.
For a description of each event type, see the "Basic Threat Detection Overview" section on page 23-2.
The output shows the average rate in events/sec over two fixed time periods: the last 10 minutes and the last 1 hour. It also shows: the current burst rate in events/sec over the last completed burst interval, which is 1/60th of the average rate interval or 10 seconds, whichever is larger; the number of times the rates were exceeded (triggered); and the total number of events over the time periods.
The security appliance stores the count at the end of each burst period, for a total of 60 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 60) when calculating the total events. In that case, the security appliance calculates the total events as the last 59 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
To clear basic threat statistics, enter the following command:
hostname# clear threat-detection rate
The following is sample output from the show threat-detection rate command:
hostname# show threat-detection rate

                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  0               0       0                16
  1-hour ACL  drop:                  0               0       0               112
  1-hour SYN attck:                  5               0       2             21438
  10-min  Scanning:                  0               0      29               193

Chapter 23      Preventing Network Attacks
Cisco Security Appliance Command Line Configuration Guide    OL-12172-03    23-4
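The burst-interval, average-rate and total-event rules described in the Managing Basic Threat Statistics text above, worked through as an added Python model. This is not Cisco code and does not run on the appliance; the ThreatRateMonitor class, its method names, the constructed event timeline in the usage function, and the exact trigger condition (a trigger counted when either the burst rate of a just-completed interval or the average rate over the stored intervals exceeds its threshold) are assumptions made here for illustration.

```python
from collections import deque


def burst_interval(rate_interval_sec):
    """Burst rate interval: 1/60th of the average rate interval or 10 seconds,
    whichever is larger (the rule stated in the guide)."""
    return max(rate_interval_sec // 60, 10)


class ThreatRateMonitor:
    """Hypothetical model of the counters kept for one event type.

    Holds the event counts of the last 60 completed burst intervals in a ring;
    the unfinished interval is tracked separately, as the guide describes."""

    def __init__(self, rate_interval, average_rate, burst_rate):
        self.rate_interval = rate_interval      # seconds, e.g. 600 or 1200
        self.average_rate = average_rate        # events/sec threshold
        self.burst_rate = burst_rate            # events/sec threshold
        self.burst_len = burst_interval(rate_interval)
        self.completed = deque(maxlen=60)       # completed[0] is "#1 of 60"
        self.current = 0                        # events in the unfinished interval
        self.current_start = 0                  # start time of that interval
        self.triggers = 0

    def _close_interval(self):
        """Store the finished interval and evaluate both thresholds.
        Assumption (not spelled out on this page): a trigger is counted when the
        burst rate of the closed interval or the average rate over the stored
        intervals exceeds its configured threshold."""
        self.completed.append(self.current)
        burst_eps = self.current / self.burst_len
        if burst_eps > self.burst_rate or self.average_eps() > self.average_rate:
            self.triggers += 1
        self.current = 0
        self.current_start += self.burst_len

    def observe(self, t):
        """Close every burst interval that has completed by time t (seconds)."""
        while t >= self.current_start + self.burst_len:
            self._close_interval()

    def record(self, t, count=1):
        """Add `count` drop events seen at time t."""
        self.observe(t)
        self.current += count

    def average_eps(self):
        """Average events/sec over completed intervals only; the unfinished
        interval is never included here."""
        if not self.completed:
            return 0.0
        return sum(self.completed) / (len(self.completed) * self.burst_len)

    def current_eps(self):
        """Burst rate over the last *completed* burst interval."""
        return self.completed[-1] / self.burst_len if self.completed else 0.0

    def total_events(self):
        """Total over the stored intervals; if the unfinished interval already
        holds more events than the oldest stored one, the last 59 complete
        intervals plus the unfinished one are summed instead (the exception
        the guide describes)."""
        if self.completed and self.current > self.completed[0]:
            return sum(list(self.completed)[-59:]) + self.current
        return sum(self.completed)

    def show(self):
        """Counters in the order of the show threat-detection rate columns."""
        return {"average_eps": self.average_eps(), "current_eps": self.current_eps(),
                "trigger": self.triggers, "total_events": self.total_events()}


def demo():
    """Constructed timeline for a 20-minute rate interval (20 s burst interval):
    a sudden 3000-event burst in one interval exceeds burst-rate 100 eps."""
    m = ThreatRateMonitor(rate_interval=1200, average_rate=60, burst_rate=100)
    m.record(0, 40)        # interval [0, 20)
    m.record(20, 80)       # interval [20, 40)
    m.record(45, 10)       # interval [40, 60); 10 events so far, excluded
    before = m.show()
    m.record(50, 50)       # now 60 > oldest interval (40): exception applies
    m.record(60, 3000)     # interval [60, 80)
    m.observe(80)          # closes it: 3000 / 20 s = 150 eps > 100 -> trigger
    return before, m.show()


if __name__ == "__main__":
    print(demo())
```

Note that `observe` closes as many empty intervals as have elapsed, so a long quiet period correctly drives both the average and the current burst rate back toward zero, while `total_events` switches to the 59-plus-unfinished rule only while the unfinished interval outgrows the oldest stored one.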