Managing Shunned Hosts - Cisco PIX 500 Series Configuration Manual

Configuring Threat Detection
If the scanning threat rate is exceeded, then the security appliance sends a system message, and
optionally shuns the attacker. The security appliance tracks two types of rates: the average event rate over
an interval, and the burst event rate over a shorter burst interval. The burst interval is 1/60th of the
average rate interval or 10 seconds, whichever is higher. For each event detected that is considered to be
part of a scanning attack, the security appliance checks the average and burst rate limits. If either rate is
exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is
exceeded for traffic received by a host, then that host is considered to be a target.
If you already configured this command as part of the basic threat detection configuration (see the
"Configuring Basic Threat Detection" section on page 23-1), then those settings are shared with the
scanning threat detection feature; you cannot configure separate rates for each feature. If you do not set
the rates using this command, the default values are used for both the scanning threat detection feature
and the basic threat detection feature. The default values are:

Table 23-2  Default Rate Limits for Scanning Threat Detection

  Average Rate                               Burst Rate
  5 drops/sec over the last 600 seconds.     10 drops/sec over the last 10-second period.
  5 drops/sec over the last 3600 seconds.    10 drops/sec over the last 60-second period.

The rate_interval is between 300 seconds and 2592000 seconds (30 days). The rate interval is used to
determine the length of time over which to average the events. It also determines the burst threshold rate
interval (see below).
The average-rate av_rate argument can be between 0 and 2147483647 in drops/sec.
The burst-rate burst_rate argument can be between 0 and 2147483647 in drops/sec. The burst rate is
calculated as the average rate every N seconds, where N is the burst rate interval. The burst rate interval
is 1/60th of the rate interval or 10 seconds, whichever is larger.
You can configure up to three commands with different rate intervals.
The following example enables scanning threat detection and automatically shuns hosts categorized as
attackers, except for hosts on the 10.1.1.0 network. The default rate limits for scanning threat detection
are also changed.
hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20

Managing Shunned Hosts

To view the hosts that are currently shunned, enter the following command:
hostname# show threat-detection shun
To release a host from being shunned, enter the following command:
hostname# clear threat-detection shun [ip_address [mask]]
If you do not specify an IP address, all hosts are cleared from the shun list.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 23 Preventing Network Attacks, page 23-6
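As an added illustration that is not part of the Cisco manual, the following Python models the two-rate check described above (average rate over the rate interval, burst rate over a burst interval of 1/60th of the rate interval or 10 seconds) together with the shun exemption from the configuration example, using the settings rate-interval 1200, average-rate 10 and burst-rate 20 on constructed drop events. The manual only says the burst rate is "the average rate every N seconds", so measuring it over the busiest N-second window is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def burst_interval(rate_interval):
    """Burst rate interval: 1/60th of the rate interval or 10 seconds, whichever is larger."""
    return max(rate_interval // 60, 10)

def _exceeds(times, rate_interval, average_rate, burst_rate):
    """True if the event timestamps exceed the average rate (measured over rate_interval
    ending at the newest event) or the burst rate in any burst-interval window."""
    if not times:
        return False
    times = sorted(times)
    b_int = burst_interval(rate_interval)
    newest = times[-1]
    avg = sum(1 for t in times if t > newest - rate_interval) / rate_interval
    # Assumption: burst rate = events in the busiest window of b_int seconds starting at an event.
    burst = max(sum(1 for x in times if t <= x < t + b_int) for t in times) / b_int
    return avg > average_rate or burst > burst_rate

def classify(events, rate_interval, average_rate, burst_rate, shun_except=()):
    """events: iterable of (timestamp_seconds, src_ip, dst_ip) scanning-drop events.
    Senders over a limit are attackers, receivers over a limit are targets, and
    attackers outside the except networks are shunned. Returns (attackers, targets, shunned)."""
    sent, received = defaultdict(list), defaultdict(list)
    for t, src, dst in events:
        sent[src].append(t)
        received[dst].append(t)
    attackers = {h for h, ts in sent.items() if _exceeds(ts, rate_interval, average_rate, burst_rate)}
    targets = {h for h, ts in received.items() if _exceeds(ts, rate_interval, average_rate, burst_rate)}
    exempt = [ip_network(n) for n in shun_except]
    shunned = {h for h in attackers if not any(ip_address(h) in n for n in exempt)}
    return attackers, targets, shunned

# Constructed sample traffic (not from the manual): two hosts produce 500 and 600 drops
# within 20 seconds (25/s and 30/s bursts); a third host sends only five drops.
SAMPLE_EVENTS = (
    [(i * 0.04, "192.0.2.10", "198.51.100.5") for i in range(500)]
    + [(i / 30, "10.1.1.7", "198.51.100.77") for i in range(600)]
    + [(i * 100.0, "192.0.2.99", "198.51.100.5") for i in range(5)]
)

def demo():
    # Manual's example settings: rate-interval 1200, average-rate 10, burst-rate 20,
    # shun except 10.1.1.0/24. Burst interval is max(1200/60, 10) = 20 seconds.
    return classify(SAMPLE_EVENTS, 1200, 10, 20, shun_except=["10.1.1.0/24"])

if __name__ == "__main__":
    print(demo())  # 10.1.1.7 is an attacker but exempt, so only 192.0.2.10 is shunned
```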
This manual is also suitable for: ASA 5500 series