Monitoring Shunned Hosts, Attackers, And Targets - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Cisco ASA Series Firewall CLI Configuration Guide

Monitoring Threat Detection

Table 18-3 show threat-detection statistics host (continued)

Field: Average(eps)
Description: The average rate in events/sec over each time period.
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Field: Current(eps)
Description: The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00.

Field: Trigger
Description: The number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Field: Total events
Description: The total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Field: 20-min, 1-hour, 8-hour, and 24-hour
Description: Statistics for these fixed rate intervals. For each interval:
  Sent byte—The number of successful bytes sent from the host.
  Sent pkts—The number of successful packets sent from the host.
  Sent drop—The number of packets sent from the host that were dropped because they were part of a scanning attack.
  Recv byte—The number of successful bytes received by the host.
  Recv pkts—The number of successful packets received by the host.
  Recv drop—The number of packets received by the host that were dropped because they were part of a scanning attack.

Monitoring Shunned Hosts, Attackers, and Targets

To monitor and manage shunned hosts and attackers and targets, use the following commands:

show threat-detection shun
Displays the hosts that are currently shunned. For example:
Chapter 18
Threat Detection
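
Returning to the Average(eps), Current(eps) and Total events rules in Table 18-3: the Python model below is an added example, not Cisco code or ASA output, showing how the "29 complete intervals plus the unfinished one" exception changes the totals during a spike. The function names and sample counts are constructed, and computing Average(eps) as total events divided by the rate interval length is an assumption.

```python
"""Model of the rate-interval accounting described in Table 18-3 (added example)."""

BURSTS_PER_INTERVAL = 30   # the ASA keeps 30 completed burst intervals
MIN_BURST_SECONDS = 10     # a burst interval is never shorter than 10 seconds


def burst_seconds(rate_interval_s):
    """Burst interval: 1/30th of the rate interval or 10 s, whichever is larger."""
    return max(rate_interval_s / BURSTS_PER_INTERVAL, MIN_BURST_SECONDS)


def total_events(completed, unfinished):
    """Total events over one rate interval.

    completed  -- counts for the 30 completed burst intervals, oldest first
    unfinished -- events seen so far in the burst interval still in progress
    """
    if len(completed) != BURSTS_PER_INTERVAL:
        raise ValueError("expected 30 completed burst intervals")
    if unfinished > completed[0]:
        # Exception: drop the oldest interval (#1 of 30), count the partial one.
        return sum(completed[1:]) + unfinished
    return sum(completed)


def current_eps(completed, rate_interval_s):
    """Current(eps): rate over the last completed burst interval."""
    return completed[-1] / burst_seconds(rate_interval_s)


def average_eps(completed, unfinished, rate_interval_s):
    """Average(eps); assumed here to be total events / rate interval length."""
    return total_events(completed, unfinished) / rate_interval_s


# Constructed sample: 1-hour rate interval, steady 120 events per burst interval.
HOUR = 3600
steady = [120] * 30

if __name__ == "__main__":
    for partial in (40, 900):   # quiet partial interval vs. a sudden spike
        print(partial, total_events(steady, partial),
              round(average_eps(steady, partial, HOUR), 3))
```

A partial count that merely equals the oldest interval does not trigger the exception; only a strictly larger count does, which is why a spike shows up in the totals before its burst interval completes.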
