Enabling Threat Detection; Enabling The Botnet Traffic Filter - Cisco ASA 5505 Configuration Manual

Chapter 1
Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
manager. Other legitimate connections continue to operate independently without interruption. For more
information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line
Interface.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The adaptive security appliance
uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack
perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection
request that has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.

Enabling Threat Detection

You can configure scanning threat detection and basic threat detection, and you can use statistics to
analyze threats.
Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and
automatically sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the adaptive security appliance scanning threat detection feature
maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the adaptive security appliance to send system log messages about an attacker or you
can automatically shun the host.
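As an added illustration of the host-statistics approach described above (this is not Cisco's code; the flow-record format, the outcome labels and the thresholds are assumptions), a small Python model that builds a per-host database from constructed connection records and flags hosts whose failed probes span many distinct targets, the way a sweep across a subnet or across many ports on one host would:

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class HostStats:
    """Per-source statistics, modelled on the host database described in the text."""
    targets: set = field(default_factory=set)   # distinct (dst_ip, dst_port) probed without success
    no_return: int = 0                           # connections that never saw return traffic
    closed_port: int = 0                         # probes answered with RST (closed service port)
    completed: int = 0                           # connections that finished the handshake

# Constructed flow records: (src_ip, dst_ip, dst_port, outcome)
# outcome is one of "established", "no_return" (no reply at all) or "rst" (closed port).
FLOWS = (
    [("10.0.0.5", "192.0.2.10", 80, "established"),
     ("10.0.0.5", "192.0.2.10", 443, "established"),
     ("10.0.0.5", "192.0.2.11", 80, "established")]
    # a normal host retrying one unreachable server: few targets, so not a scan
    + [("10.0.0.7", "192.0.2.50", 25, "no_return")] * 3
    + [("10.0.0.7", "192.0.2.12", 443, "established")]
    # a host sweeping port 22 across the subnet: many targets, almost all failures
    + [("10.0.0.99", f"192.0.2.{i}", 22, "no_return") for i in range(1, 15)]
    + [("10.0.0.99", f"192.0.2.{i}", 22, "rst") for i in range(15, 20)]
)

def build_host_db(flows):
    """Accumulate one HostStats entry per source address."""
    db = defaultdict(HostStats)
    for src, dst, port, outcome in flows:
        stats = db[src]
        if outcome == "established":
            stats.completed += 1
            continue
        stats.targets.add((dst, port))          # count distinct targets, not retries
        if outcome == "no_return":
            stats.no_return += 1
        else:
            stats.closed_port += 1
    return db

def scanning_hosts(db, min_targets=10, min_fail_ratio=0.8):
    """Flag sources whose failed probes cover many distinct targets and dominate their traffic."""
    flagged = []
    for host, stats in db.items():
        failed = stats.no_return + stats.closed_port
        total = failed + stats.completed
        if len(stats.targets) >= min_targets and total and failed / total >= min_fail_ratio:
            flagged.append(host)
    return sorted(flagged)

def hosts_to_shun(flows, **thresholds):
    """Candidates for the syslog-or-shun decision the text describes."""
    return scanning_hosts(build_host_db(flows), **thresholds)
```

Thresholds are deliberately loose here; in practice they are tuned against the rate of distinct-target failures per interval so that a retrying client is not mistaken for a scanner.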

Enabling the Botnet Traffic Filter

Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM
Firewall Functional Overview
1-17
