56-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter56 Configuring Threat Detection
Configuring Basic Threat Detection Statistics
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded,
then the ASA sends two separate system messages, with a maximum of one message for each rate type
per burst period.
Basic threat detection affects performance only when there are drops or potential threats; even in this
scenario, the performance impact is insignificant.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
Basic threat detection statistics are enabled by default.
Table56-1 lists the default settings. You can view all these default settings using the show
running-config all threat-detection command.
Table56-1 Basic Threat Detection Default Settings
Packet Drop Reason
Trigger Settings
Average Rate Burst Rate
DoS attack detected
Bad packet format
Connection limits exceeded
Suspicious ICMP packets
detected
100 drops/sec over the last 600
seconds.
400 drops/sec over the last 20
second period.
80 drops/sec over the last 3600
seconds.
320 drops/sec over the last 120
second period.
Scanning attack detected 5 drops/sec over the last 600
seconds.
10 drops/sec over the last 20
second period.
4 drops/sec over the last 3600
seconds.
8 drops/sec over the last 120
second period.
Incomplete session detected such as
TCP SYN attack detected or no data
UDP session attack detected
(combined)
100 drops/sec over the last 600
seconds.
200 drops/sec over the last 20
second period.
80 drops/sec over the last 3600
seconds.
160 drops/sec over the last 120
second period.