Cisco PIX 500 Series Configuration Manual page 433

Security appliance command line

Chapter 23 Preventing Network Attacks
Configuring Threat Detection
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 23-3

Table 23-1 Basic Threat Detection Default Settings

| Packet Drop Reason | Trigger Settings: Average Rate | Trigger Settings: Burst Rate |
|---|---|---|
| DoS attack detected; Bad packet format; Connection limits exceeded; Suspicious ICMP packets detected | 100 drops/sec over the last 600 seconds. | 400 drops/sec over the last 10 second period. |
| | 80 drops/sec over the last 3600 seconds. | 320 drops/sec over the last 60 second period. |
| Scanning attack detected | 5 drops/sec over the last 600 seconds. | 10 drops/sec over the last 10 second period. |
| | 4 drops/sec over the last 3600 seconds. | 8 drops/sec over the last 60 second period. |
| Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined) | 100 drops/sec over the last 600 seconds. | 200 drops/sec over the last 10 second period. |
| | 80 drops/sec over the last 3600 seconds. | 160 drops/sec over the last 60 second period. |
| Denial by access lists | 400 drops/sec over the last 600 seconds. | 800 drops/sec over the last 10 second period. |
| | 320 drops/sec over the last 3600 seconds. | 640 drops/sec over the last 60 second period. |
| Basic firewall checks failed; Packets failed application inspection | 400 drops/sec over the last 600 seconds. | 1600 drops/sec over the last 10 second period. |
| | 320 drops/sec over the last 3600 seconds. | 1280 drops/sec over the last 60 second period. |
| Interface overload | 2000 drops/sec over the last 600 seconds. | 8000 drops/sec over the last 10 second period. |
| | 1600 drops/sec over the last 3600 seconds. | 6400 drops/sec over the last 60 second period. |

Step 2 (Optional) To change the default settings for one or more types of event, enter the following command:

hostname(config)# threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop |
dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat |
syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate

For a description of each event type, see the "Basic Threat Detection Overview" section on page 23-2.

When you use this command with the scanning-threat keyword, it is also used in the scanning threat detection feature (see the "Configuring Scanning Threat Detection" section). The rates you set in this command determine when a host is considered to be an attacker or a target. If you do not set the rates using this command, the default values are used for the scanning threat detection feature as well as the basic threat detection feature. If you do not configure basic threat detection, you can still use this command with the scanning-threat keyword to configure the rate limits for scanning threat detection.

The rate-interval rate_interval argument is between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval (see below).
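An added example, not taken from the Cisco guide: a Python audit of `threat-detection rate` lines from a saved configuration, checking the event keyword, the 600 to 2592000 second rate-interval range, and whether the thresholds are higher (less sensitive) than the Table 23-1 defaults. The keyword-to-row mapping, the "looser than default" policy, the function name `audit` and the sample configuration are assumptions made for illustration.

```python
import re

# Table 23-1 defaults as {keyword: {rate_interval: (average, burst)}} in drops/sec.
# Assumption: keywords are matched to table rows by their names.
DEFAULTS = {}
for keywords, (a600, b600, a3600, b3600) in [
    ("dos-drop bad-packet-drop conn-limit-drop icmp-drop", (100, 400, 80, 320)),
    ("scanning-threat", (5, 10, 4, 8)),
    ("syn-attack", (100, 200, 80, 160)),
    ("acl-drop", (400, 800, 320, 640)),
    ("fw-drop inspect-drop", (400, 1600, 320, 1280)),
    ("interface-drop", (2000, 8000, 1600, 6400)),
]:
    row = {600: (a600, b600), 3600: (a3600, b3600)}
    DEFAULTS.update(dict.fromkeys(keywords.split(), row))

CMD = re.compile(r"threat-detection rate (\S+) rate-interval (\d+) "
                 r"average-rate (\d+) burst-rate (\d+)$")

def audit(config_text):
    """Return (line, finding) pairs for questionable threat-detection rate lines."""
    findings = []
    for line in map(str.strip, config_text.splitlines()):
        if not line.startswith("threat-detection rate "):
            continue  # other commands are out of scope for this check
        m = CMD.match(line)
        if not m:
            findings.append((line, "unparseable"))
            continue
        event, interval, avg, burst = m[1], int(m[2]), int(m[3]), int(m[4])
        if event not in DEFAULTS:
            findings.append((line, "unknown event type"))
        elif not 600 <= interval <= 2592000:
            findings.append((line, "rate-interval out of range"))
        else:
            base = DEFAULTS[event].get(interval)  # None for custom intervals
            if base and (avg > base[0] or burst > base[1]):
                findings.append((line, f"looser than default {base[0]}/{base[1]}"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate syn-attack rate-interval 3600 average-rate 500 burst-rate 160
threat-detection rate acl-drop rate-interval 300 average-rate 400 burst-rate 800
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
"""
```

Calling `audit(SAMPLE)` flags the syn-attack line as looser than the default and the acl-drop line for its out-of-range interval; lines with a custom interval that has no Table 23-1 row are range-checked only.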


This manual is also suitable for:

ASA 5500 series
