Cisco PIX 500 Series Configuration Manual page 440

Configuring Threat Detection
Table 23-3    show threat-detection statistics host Fields

Field          Description

Host           Shows the host IP address.

tot-ses        Shows the total number of sessions for this host since it was added to
               the database.

act-ses        Shows the total number of active sessions that the host is currently
               involved in.

fw-drop        Shows the number of firewall drops. Firewall drops is a combined rate that
               includes all firewall-related packet drops tracked in basic threat
               detection, including access list denials, bad packets, exceeded
               connection limits, DoS attack packets, suspicious ICMP packets, TCP SYN
               attack packets, and no-data UDP attack packets. It does not include
               non-firewall-related drops such as interface overload, packets that
               failed application inspection, and scanning attack detected.

insp-drop      Shows the number of packets dropped because they failed application
               inspection.

null-ses       Shows the number of null sessions, which are TCP SYN sessions that did
               not complete within the 3-second timeout, and UDP sessions that did not
               have any data sent by the server 3 seconds after the session starts.

bad-acc        Shows the number of bad access attempts to host ports that are in a
               closed state. When a port is determined to be in a null session (see
               above), the port state of the host is set to HOST_PORT_CLOSE. Any client
               accessing the port of the host is immediately classified as a bad access
               without the need to wait for a timeout.

Average(eps)   Shows the average rate in events/sec over each time period.
               The security appliance stores the count at the end of each burst period,
               for a total of 60 completed burst intervals. The unfinished burst
               interval presently occurring is not included in the average rate. For
               example, if the average rate interval is 20 minutes, then the burst
               interval is 20 seconds. If the last burst interval was from 3:00:00 to
               3:00:20, and you use the show command at 3:00:25, then the last 5 seconds
               are not included in the output.
               The only exception to this rule is if the number of events in the
               unfinished burst interval already exceeds the number of events in the
               oldest burst interval (#1 of 60) when calculating the total events. In
               that case, the security appliance calculates the total events as the last
               59 complete intervals, plus the events so far in the unfinished burst
               interval. This exception lets you monitor a large increase in events in
               real time.

Current(eps)   Shows the current burst rate in events/sec over the last completed burst
               interval, which is 1/60th of the average rate interval or 10 seconds,
               whichever is larger. For the example specified in the Average(eps)
               description, the current rate is the rate from 3:19:30 to 3:20:00.

Trigger        Shows the number of times the dropped packet rate limits were exceeded.
               For valid traffic identified in the sent and received bytes and packets
               rows, this value is always 0, because there are no rate limits to trigger
               for valid traffic.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 23 Preventing Network Attacks, page 23-10
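As an added illustration (not code from the Cisco guide), the following Python models how the Average(eps) and Current(eps) values in the table are derived: 60 completed burst intervals, the exception that counts the unfinished interval when it already exceeds the oldest one, and a burst interval of 1/60th of the average rate interval or 10 seconds, whichever is larger. The class and method names are assumptions, and because the page does not state what the appliance reports before the 60-interval window has filled, the model simply averages over the intervals completed so far.

```python
"""Model of the Average(eps) / Current(eps) computation described in Table 23-3.
Added illustration only; not Cisco code. Names are assumptions."""
from collections import deque

BURST_SLOTS = 60        # the appliance keeps 60 completed burst intervals
MIN_BURST_SECONDS = 10  # burst interval is avg interval / 60 or 10 s, whichever is larger


def burst_interval(avg_rate_interval_seconds: int) -> int:
    """Length of one burst interval in seconds (e.g. 20 minutes -> 20 seconds)."""
    return max(avg_rate_interval_seconds // BURST_SLOTS, MIN_BURST_SECONDS)


class HostRateTracker:
    """Per-host event counter with a sliding window of completed burst intervals."""

    def __init__(self, avg_rate_interval_seconds: int):
        self.burst = burst_interval(avg_rate_interval_seconds)
        # completed[0] is the oldest completed interval (#1 of 60), completed[-1] the newest
        self.completed = deque(maxlen=BURST_SLOTS)
        self.unfinished = 0  # events seen so far in the interval still in progress

    def record(self, events: int = 1) -> None:
        """Count events (drops, sessions, ...) in the current, unfinished interval."""
        self.unfinished += events

    def close_interval(self) -> None:
        """Called when the burst timer expires: store the count and start a new interval."""
        self.completed.append(self.unfinished)
        self.unfinished = 0

    def average_eps(self) -> float:
        """Average(eps): completed intervals only, except when the unfinished interval
        already holds more events than the oldest one; then use the last 59 completed
        intervals plus the unfinished one, so a sudden surge is visible immediately."""
        intervals = list(self.completed)
        if not intervals:
            return 0.0
        if len(intervals) == BURST_SLOTS and self.unfinished > intervals[0]:
            intervals = intervals[1:] + [self.unfinished]
        # Assumption: before the window fills, average over the intervals completed so far
        return sum(intervals) / (len(intervals) * self.burst)

    def current_eps(self) -> float:
        """Current(eps): rate over the last completed burst interval only."""
        if not self.completed:
            return 0.0
        return self.completed[-1] / self.burst
```

With a 20-minute average rate interval and 40 events in every burst interval, Average(eps) and Current(eps) are both 2.0; only once the unfinished interval passes 40 events does it start to raise the average before the interval has closed.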