Viewing Threat Statistics - Cisco PIX 500 Series Configuration Manual

Configuring Threat Detection
•
•

Viewing Threat Statistics

The display output shows the following:
•
•
•
•
The security appliance stores the count at the end of each burst period, for a total of 60 completed burst
intervals. The unfinished burst interval presently occurring is not included in the average rate. For
example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst
interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds
are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds
the number of events in the oldest burst interval (#1 of 60) when calculating the total events. In that case,
the security appliance calculates the total events as the last 59 complete intervals, plus the events so far
in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
To view statistics, enter one of the following commands.
•
Cisco Security Appliance Command Line Configuration Guide
23-8
The host statistsics accumulate for as long as the host is active and in the scanning threat host
database. The host is deleted from the database (and the statistics cleared) after 10 minutes of
inactivity.
To enable statistics for TCP and UDP ports, enter the following command:
hostname(config)# threat-detection statistics port
To enable statistics for non-TCP/UDP IP protocols, enter the following command:
hostname(config)# threat-detection statistics protocol
The average rate in events/sec over fixed time periods.
The current burst rate in events/sec over the last completed burst interval, which is 1/60th of the
average rate interval or 10 seconds, whichever is larger
The number of times the rates were exceeded (for dropped traffic statistics only)
The total number of events over the fixed time periods.
To view the top 10 statistics, enter the following command:
hostname# show threat-detection statistics [min-display-rate min_display_rate ] top
[{access-list | host | port-protocol} [rate-1 | rate-2 | rate-3]]
where the min-display-rate min_display_rate argument limits the display to statistics that exceed
the minimum display rate in events per second. You can set the min_display_rate between 0 and
2147483647.
If you do not enter any options, the top 10 statistics are shown for all categories.
To view the top 10 ACEs that match packets, including both permit and deny ACEs., use the
access-list keyword. Permitted and denied traffic are not differentiated in this display. If you enable
basic threat detection using the threat-detection basic-threat command, you can track access list
denies using the show threat-detection rate access-list command.
To view only host statistics, use the host keyword.
To view statistics for ports and protocols, use the port-protocol keyword. The port-protocol
keyword shows the combined statistics of TCP/UDP port and IP protocol types. TCP (protocol 6)
and UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are,
however, included in the display for ports. If you only enable statistics for one of these types, port
or protocol, then you will only view the enabled statistics.
Chapter 23 Preventing Network Attacks
OL-12172-03