Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 56 Configuring Threat Detection
Configuring Scanning Threat Detection
Detailed Steps

Step 1
Command:
  threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
Example:
  hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
Purpose:
  Enables scanning threat detection. By default, the system log message 733101 is generated when a host is identified as an attacker. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.

Step 2
Command:
  threat-detection scanning-threat shun duration seconds
Example:
  hostname(config)# threat-detection scanning-threat shun duration 2000
Purpose:
  (Optional) Sets the duration of the shun for attacking hosts.

Step 3
Command:
  threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate
Example:
  hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
  hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
Purpose:
  (Optional) Changes the default event limit for when the ASA identifies a host as an attacker or as a target. If you already configured this command as part of the basic threat detection configuration (see the “Configuring Basic Threat Detection Statistics” section on page 56-2), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for basic and scanning threat detection. If you do not set the rates using this command, the default values are used for both the scanning threat detection feature and the basic threat detection feature. You can configure up to three different rate intervals, by entering separate commands.

Monitoring Shunned Hosts, Attackers, and Targets
To monitor shunned hosts and attackers and targets, perform one of the following tasks:
Command:
  show threat-detection shun
Purpose:
  Displays the hosts that are currently shunned.
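
The following Python audit is an added example, not part of the Cisco guide. It reads the scanning threat detection commands from a saved configuration, reports whether shunning is enabled, and checks whether a given host falls inside a shun exemption. The sample configuration and the object-group name MGMT-HOSTS are constructed, and the script recognizes only the command forms printed in this section.

```python
import ipaddress
import re

# Constructed sample; every line uses a command form shown in this section.
SAMPLE_CONFIG = """\
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun except object-group MGMT-HOSTS
threat-detection scanning-threat shun duration 2000
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
"""

SCAN_RE = re.compile(
    r"^threat-detection scanning-threat(?: (shun)(?: except "
    r"(?:ip-address (\S+) (\S+)|object-group (\S+)))?)?$")
DUR_RE = re.compile(r"^threat-detection scanning-threat shun duration (\d+)$")
RATE_RE = re.compile(
    r"^threat-detection rate scanning-threat rate-interval (\d+) "
    r"average-rate (\d+) burst-rate (\d+)$")

def audit(config_text):
    """Summarize scanning-threat settings found in a configuration dump."""
    s = {"enabled": False, "shun": False, "shun_duration": None,
         "exempt_nets": [], "exempt_groups": [], "rates": [], "findings": []}
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := DUR_RE.match(line):
            s["shun_duration"] = int(m.group(1))
        elif m := SCAN_RE.match(line):
            s["enabled"] = True
            s["shun"] = s["shun"] or m.group(1) is not None
            if m.group(2):
                # The address/mask pair becomes a network object for lookups.
                net = f"{m.group(2)}/{m.group(3)}"
                s["exempt_nets"].append(ipaddress.ip_network(net, strict=False))
            elif m.group(4):
                s["exempt_groups"].append(m.group(4))
        elif m := RATE_RE.match(line):
            s["rates"].append(tuple(int(g) for g in m.groups()))
    if len(s["rates"]) > 3:  # the guide allows up to three rate intervals
        s["findings"].append("more than three rate intervals configured")
    for group in s["exempt_groups"]:
        s["findings"].append(f"object-group {group} must be resolved by hand")
    return s

def is_exempt(state, host):
    """True if host is inside an ip-address exemption (object groups not resolved)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in state["exempt_nets"])
```

Object-group exemptions are reported as findings rather than resolved, because the group members are defined elsewhere in the configuration.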