56-15
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter56 Configuring Threat Detection
Configuring Scanning Threat Detection
Configuring Scanning Threat Detection
This section includes the following topics:
Information About Scanning Threat Detection, page56-15
Guidelines and Limitations, page56-16
Default Settings, page56-16
Configuring Scanning Threat Detection, page56-17
Monitoring Shunned Hosts, Attackers, and Targets, page56-17

Information About Scanning Threat Detection

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive
database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally
shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the
burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or
10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning
attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from
a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a
host, then that host is considered to be a target.
Caution The scanning threat detection feature can affect the ASA performance and memory significantly while
it creates and gathers host- and subnet-based data structure and information.
Customize port and protocol statistics rate
intervals
8.3(1) You can now customize the number of rate intervals for
which statistics are collected. The default number of rates
was changed from 3 to 1.
The following commands were modified: threat-detection
statistics port number-of-rates, threat-detection
statistics protocol number-of-rates.
Improved memory usage 8.3(1) The memory usage for threat detection was improved.
The following command was introduced: show
threat-detection memory.
Table56-4 Feature History for Advanced Threat Detection Statistics (continued)
Feature Name
Platform
Releases Feature Information