Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Cisco PIX 500 Series. This manual is also suitable for the ASA 5500 Series.
Chapter 23
Preventing Network Attacks
(Example output of show threat-detection statistics, continued from the previous page)

                      Average(eps)  Current(eps)  Trigger  Total events
  1-hour Scanning:             106             0       10        384776
  1-hour Bad pkts:              76             0        2        274690
  10-min Firewall:               0             0        3            22
  1-hour Firewall:              76             0        2        274844
  10-min DoS attck:              0             0        0             6
  1-hour DoS attck:              0             0        0            42
  10-min Interface:              0             0        0           204
  1-hour Interface:             88             0        0        318225

Configuring Scanning Threat Detection

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports on a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection, which is based on traffic signatures, the security appliance scanning threat detection feature maintains an extensive database of host statistics that is analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return traffic, access to closed service ports, vulnerable TCP behaviors such as a non-random IP ID, and many other behaviors.

You can configure the security appliance to generate system log messages about an attacker, or you can additionally have it shun the attacking host automatically.
Caution: The scanning threat detection feature can significantly affect security appliance performance and memory while it creates and gathers the host- and subnet-based data structures and information.

This section includes the following topics:

Enabling Scanning Threat Detection, page 23-5
Managing Shunned Hosts, page 23-6
Viewing Attackers and Targets, page 23-7

Enabling Scanning Threat Detection

To configure scanning threat detection, perform the following steps:

Step 1  To enable scanning threat detection, enter the following command:

hostname(config)# threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
By default, system log message 733101 is generated when a host is identified as an attacker.

The shun keyword automatically shuns a host (drops its existing connections and any further packets from it) when the security appliance identifies the host as an attacker, in addition to generating the system log message.

You can exempt host IP addresses from being shunned by entering the except ip-address or except object-group keywords. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning. Exemption affects only the shun; an exempted host is still identified as an attacker and logged.
Step 2  (Optional) To change the default event limits at which the security appliance identifies a host as an attacker or as a target, enter the following command:

hostname(config)# threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate

The rate_interval is in seconds; av_rate and burst_rate are in events per second. A host is classified when either its average event rate over the interval or its burst rate exceeds the configured value.
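The following is an added example of the complete procedure and is not part of the Cisco guide. It enables scanning threat detection with automatic shunning, exempts an internal vulnerability scanner and the management subnet so that their legitimate sweeps are logged but never shunned, sets explicit classification thresholds, and verifies the result. The addresses, the object-group name SCANNER-EXEMPT and the threshold values are assumptions chosen for illustration; the show and clear commands are the ones covered in the later Managing Shunned Hosts and Viewing Attackers and Targets sections.

```cisco
! Added example, not from the Cisco guide. Addresses, the object-group name
! and the rate values below are assumptions chosen for illustration.
!
! 1. Define the hosts that legitimately scan the network, BEFORE enabling shun.
hostname(config)# object-group network SCANNER-EXEMPT
hostname(config-network)# network-object host 10.10.1.25
hostname(config-network)# network-object 10.10.200.0 255.255.255.0
hostname(config-network)# exit
!
! 2. Enable scanning threat detection with shun; the command is repeated
!    once per exemption (object group and a single host here).
hostname(config)# threat-detection scanning-threat shun except object-group SCANNER-EXEMPT
hostname(config)# threat-detection scanning-threat shun except ip-address 10.10.1.26 255.255.255.255
!
! 3. (Optional) Set explicit classification thresholds. rate-interval is in
!    seconds, average-rate and burst-rate are events per second; a host is
!    classified when either rate is exceeded.
hostname(config)# threat-detection rate scanning-threat rate-interval 600 average-rate 3 burst-rate 6
hostname(config)# threat-detection rate scanning-threat rate-interval 3600 average-rate 2 burst-rate 4
!
! 4. Verify the configuration and the operational state.
hostname(config)# show running-config threat-detection
hostname(config)# show threat-detection rate scanning-threat
hostname(config)# show threat-detection scanning-threat attacker
hostname(config)# show threat-detection shun
!
! 5. Release a host that was shunned by mistake (for example a new monitoring
!    poller that was not yet in SCANNER-EXEMPT), then add it to the group.
hostname(config)# clear threat-detection shun 10.10.1.30
hostname(config)# object-group network SCANNER-EXEMPT
hostname(config-network)# network-object host 10.10.1.30
hostname(config-network)# exit
```

Put every host that sweeps the network on a schedule (vulnerability scanners, monitoring pollers, asset discovery) into the exception group before turning on shun; otherwise its first scheduled scan after the change will shun it and cut off its management traffic. Check show threat-detection shun after the first full scan window to confirm that only unexpected hosts appear.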