Basic Threat Detection Overview; Configuring Basic Threat Detection - Cisco PIX 500 Series Configuration Manual


Configuring Threat Detection

Basic Threat Detection Overview

Using basic threat detection, the security appliance monitors the rate of dropped packets and security
events due to the following reasons:

- Denial by access lists
- Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
- Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
- DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
- Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet
  drops in this bulleted list. It does not include non-firewall-related drops such as interface overload,
  packets failed at application inspection, and scanning attack detected.)
- Suspicious ICMP packets detected
- Packets failed application inspection
- Interface overload
- Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet
  is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat
  detection (see the "Configuring Scanning Threat Detection" section on page 23-5) takes this
  scanning attack rate information and acts on it by classifying hosts as attackers and automatically
  shunning them, for example.)
- Incomplete session detection such as TCP SYN attack detected or no data UDP session attack
  detected

When the security appliance detects a threat, it immediately sends a system log message (730100).

Basic threat detection affects performance only when there are drops or potential threats; even in this
scenario, the performance impact is insignificant.

Configuring Basic Threat Detection

To configure basic threat detection, including enabling or disabling it and changing the default limits,
perform the following steps:

Step 1  To enable basic threat detection (if you previously disabled it), enter the following command:

hostname(config)# threat-detection basic-threat

By default, this command enables detection for certain types of security events, including packet drops
and incomplete session detections. You can override the default settings for each type of event if desired.

If an event rate is exceeded, then the security appliance sends a system message. The security appliance
tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter
burst interval. The burst rate interval is 1/60th of the average rate interval or 10 seconds, whichever is
higher. For each received event, the security appliance checks the average and burst rate limits; if both
rates are exceeded, then the security appliance sends two separate system messages, with a maximum of
one message for each rate type per burst period.

To disable basic threat detection, enter the no threat-detection basic-threat command.

Table 23-1 lists the default settings. You can view all these default settings using the show
running-config all threat-detection command.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 23: Preventing Network Attacks
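
The average and burst rate accounting described in Step 1, modelled as an added example (not Cisco's code and not part of the guide), to show why a short flood trips the burst limit well before the average limit and how messages are capped per burst period. The sliding-window counting, the class and function names, and the limit values are assumptions.

```python
from collections import deque


def burst_interval(average_interval_s):
    """Burst interval: 1/60th of the average interval or 10 s, whichever is higher."""
    return max(average_interval_s / 60, 10)


class RateTracker:
    """Simplified model of one event type. Sliding-window counting is an
    assumption; the guide does not describe the appliance's internals."""

    def __init__(self, average_interval_s, average_limit, burst_limit):
        self.avg_win = average_interval_s
        self.burst_win = burst_interval(average_interval_s)
        self.limits = {"average": average_limit, "burst": burst_limit}  # events/s
        self.events = deque()   # event timestamps inside the average interval
        self.last_msg = {}      # rate type -> time the last message was sent

    def record(self, t):
        """Count one event at time t (seconds); return rate types reported now."""
        self.events.append(t)
        while self.events[0] <= t - self.avg_win:
            self.events.popleft()
        in_burst = sum(1 for e in self.events if e > t - self.burst_win)
        rates = {"average": len(self.events) / self.avg_win,
                 "burst": in_burst / self.burst_win}
        sent = []
        for kind, rate in rates.items():
            last = self.last_msg.get(kind)
            # Both limits are checked on every event, but each rate type
            # reports at most once per burst period.
            if rate > self.limits[kind] and (last is None or t - last >= self.burst_win):
                self.last_msg[kind] = t
                sent.append(kind)
        return sent


def simulate(timestamps, average_interval_s, average_limit, burst_limit):
    tracker = RateTracker(average_interval_s, average_limit, burst_limit)
    return [(t, kind) for t in timestamps for kind in tracker.record(t)]


# Constructed input: 100 drops/s for 12 s. The limits are illustrative,
# not the defaults from Table 23-1.
flood = [i / 100 for i in range(1200)]
if __name__ == "__main__":
    for t, kind in simulate(flood, 600, average_limit=1, burst_limit=5):
        print(f"t={t:5.2f}s  {kind} rate limit exceeded")
```

When tuning limits, the same model shows the opposite case: a slow, sustained trickle can exceed the average limit without ever reaching the burst limit.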


This manual is also suitable for:

ASA 5500 series
