*Do not implement this directly in a production environment. If you can, test it in a lab environment first.
Basic threat detection is enabled by default on all ASAs running 8.0(2) and later.
Basic Threat Detection (BTD) monitors the rates at which the ASA as a whole drops packets, for many different reasons. Because it only applies to the whole appliance, it is NOT very specific: it does not tell you the source or the specific nature of the threat.
The ASA counts drops in the following categories:
ACL Drop (acl-drop) – Packets are denied by access lists
Bad Pkts (bad-packet-drop) – Invalid packet formats, which include L3 and L4 headers that do not conform to RFC standards
Conn Limit (conn-limit-drop) – Packets that exceed a configured or global connection limit
DoS Attack (dos-drop) – Denial of Service (DoS) attacks
Firewall (fw-drop) – Basic firewall security checks
ICMP Attack (icmp-drop) – Suspicious ICMP packets
Inspect (inspect-drop) – Denial by application inspection
Interface (interface-drop) – Packets dropped by interface checks
Scanning (scanning-threat) – Network/host scanning attacks
SYN Attack (syn-attack) – Incomplete session attacks, which include TCP SYN attacks and unidirectional UDP sessions that have no return data
Basic Threat – Trigger(s) / ASP Drop Reason(s):
acl-drop – acl-drop
bad-packet-drop – invalid-tcp-hdr-length, invalid-ip-header, inspect-dns-pak-too-long, inspect-dns-id-not-matched
conn-limit-drop – conn-limit
dos-drop – sp-security-failed
fw-drop – inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched, sp-security-failed, acl-drop
icmp-drop – inspect-icmp-seq-num-not-matched
inspect-drop – Frame drops triggered by an inspection engine
interface-drop – sp-security-failed, no-route
scanning-threat – tcp-3whs-failed, tcp-not-syn, sp-security-failed, acl-drop, inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched
syn-attack – %ASA-6-302014 syslog with teardown reason of “SYN Timeout”
#SCANNING THREAT DETECTION:
Since BTD only gives you a small picture of what is going on, you want to enable Scanning Threat Detection (STD), shown below. STD keeps track of suspected attackers that create connections to too many hosts in a subnet, or to too many ports on a host or subnet. By default, this is turned OFF.
#DIFFERENCES BETWEEN BTD AND STD
Basic Threat Detection – only indicates that the average or burst rate thresholds were crossed
Scanning Threat Detection – maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan
#THREAT DETECTION DEFAULT SETTINGS:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
#ENABLE STD:
threat-detection scanning-threat
#TO SHUN A DEVICE:
If a malicious device is up to no good, you can shun (block) that device and set how long it will be denied access.
threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 1000
#SHUN WHITELISTING:
If the flagged device is actually something you know about and not really malicious, such as a Nessus server, you can whitelist that host or a whole subnet.
threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255
threat-detection scanning-threat shun except object-group no-shun
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 36000
#TO CHANGE A RATE INTERVAL
If you need to fine-tune the intervals, here is how:
threat-detection rate scanning-threat rate-interval 60 average-rate 2 burst-rate 5
threat-detection rate scanning-threat rate-interval 360 average-rate 2 burst-rate 4
#ADVANCED THREAT DETECTION
Another feature you want to enable is Advanced Threat Detection (statistics). It keeps track of the number of packets, bytes, and drops sent and received by each tracked object (host, port, protocol, or access list) within a specific time period. By default this is only enabled for ACLs, but you can enable it for other objects like hosts and ports.
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
threat-detection rate dos-drop
Below are your options:
access-list Keyword to specify access-list statistics
host Keyword to specify IP statistics
port Keyword to specify port statistics
protocol Keyword to specify protocol statistics
tcp-intercept Trace tcp intercept statistics
#CUSTOM LOGGING LIST
Since threat detection generates logs, you will want to create a logging list to send them off to your SIEM. Below is an example using the logging buffer.
Below is an example of the logs being generated:
Aug 03 2018 12:15:22: %ASA-4-733100: [172.10.206.3] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:15:22: %ASA-4-733101: Host 172.10.206.3 is attacking. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:32:36: %ASA-4-733101: Host 172.10.201.79 is targeted. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1682
Below is an example of a logging list that includes the logs above:
logging buffered warnings
logging trap warnings
logging list THREAT-DETECTION-LOGGING message 733100
logging list THREAT-DETECTION-LOGGING message 733101
logging list THREAT-DETECTION-LOGGING message 733102
logging list THREAT-DETECTION-LOGGING message 733103
logging list THREAT-DETECTION-LOGGING message 733104
logging list THREAT-DETECTION-LOGGING message 733105
logging buffered THREAT-DETECTION-LOGGING
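Once these messages reach the SIEM they still need parsing. The following is an added example (not code from the original post) that turns 733100 and 733101 lines into structured events and groups the hosts the ASA reports as attacking or targeted; the regular expressions follow the message formats in the log excerpt above, and the sample input is a constructed copy of those lines plus one unrelated line to show it being ignored.

```python
"""Parse Cisco ASA threat-detection syslog messages (733100 and 733101) into
structured events. Added example, not code from the original post; the regexes
follow the message formats shown in the post's log excerpt."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the post's three lines plus one unrelated teardown line.
SAMPLE_LOGS = [
    "Aug 03 2018 12:15:22: %ASA-4-733100: [172.10.206.3] drop rate-1 exceeded. "
    "Current burst rate is 10 per second, max configured rate is 10; "
    "Current average rate is 0 per second, max configured rate is 5; "
    "Cumulative total count is 424",
    "Aug 03 2018 12:15:22: %ASA-4-733101: Host 172.10.206.3 is attacking. "
    "Current burst rate is 10 per second, max configured rate is 10; "
    "Current average rate is 0 per second, max configured rate is 5; "
    "Cumulative total count is 424",
    "Aug 03 2018 12:32:36: %ASA-4-733101: Host 172.10.201.79 is targeted. "
    "Current burst rate is 10 per second, max configured rate is 10; "
    "Current average rate is 1 per second, max configured rate is 5; "
    "Cumulative total count is 1682",
    "Aug 03 2018 12:33:00: %ASA-6-302014: Teardown TCP connection (constructed filler)",
]

# Timestamp and message-id prefix common to every line.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
# Rate and counter tail shared by 733100 and 733101.
TAIL = (
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)
BODY_733100 = re.compile(r"^\[(?P<subject>[^\]]+)\] drop (?P<rate_id>rate-\d+) exceeded\. " + TAIL)
BODY_733101 = re.compile(r"^Host (?P<subject>\S+) is (?P<role>attacking|targeted)\. " + TAIL)


@dataclass
class ThreatEvent:
    timestamp: datetime
    msg_id: int
    subject: str          # host or object named in the message
    role: str             # "attacking", "targeted", or "rate" for a 733100 message
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int

    @property
    def burst_hit(self) -> bool:
        # Records which configured limit the reported value reached.
        return self.burst >= self.burst_max

    @property
    def avg_hit(self) -> bool:
        return self.avg >= self.avg_max


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent for 733100/733101 lines, None for anything else."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    msg_id = int(head.group("msg_id"))
    if msg_id == 733100:
        body = BODY_733100.match(head.group("body"))
        role = "rate"
    elif msg_id == 733101:
        body = BODY_733101.match(head.group("body"))
        role = body.group("role") if body else ""
    else:
        return None
    if not body:
        return None
    return ThreatEvent(
        timestamp=datetime.strptime(head.group("ts"), "%b %d %Y %H:%M:%S"),
        msg_id=msg_id,
        subject=body.group("subject"),
        role=role,
        burst=int(body.group("burst")),
        burst_max=int(body.group("burst_max")),
        avg=int(body.group("avg")),
        avg_max=int(body.group("avg_max")),
        total=int(body.group("total")),
    )


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group hosts from 733101 messages by role, keeping first-seen order."""
    out: Dict[str, List[str]] = {"attacking": [], "targeted": []}
    for line in lines:
        ev = parse_line(line)
        if ev and ev.msg_id == 733101 and ev.subject not in out[ev.role]:
            out[ev.role].append(ev.subject)
    return out


if __name__ == "__main__":
    for ev in filter(None, map(parse_line, SAMPLE_LOGS)):
        print(f"{ev.timestamp:%H:%M:%S} {ev.msg_id} {ev.subject:15} {ev.role:9} "
              f"burst={ev.burst}/{ev.burst_max} avg={ev.avg}/{ev.avg_max} total={ev.total}")
    print(summarize(SAMPLE_LOGS))
```

The two host lists from summarize() are the ones worth alerting on: an "attacking" entry is the host the ASA will shun if shunning is enabled, so it is also the list to compare against your shun whitelist before the shun fires on something like a vulnerability scanner.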
#VIEW THREAT DETECTION IN ACTION
tpa-asa/pri/act# show threat-detection statistics top
Top  Name             Id  Average(eps)  Current(eps)  Trigger  Total events
20-min Sent attack:
01   172.20.201.60        1             1             0        1458
02   172.10.206.66        0             0             0        175
03   172.10.205.171       0             0             7        169
04   172.10.206.203       0             0             14       150
05   172.10.206.94        0             0             9        107
06   172.10.205.58        0             0             8        54
07   172.10.206.208       0             0             7        41
08   172.10.203.16        0             0             12       35
09   172.10.206.152       0             0             14       33
10   172.10.206.142       0             0             12       31
20-min Recv attack:
01   172.20.201.60        0             0             15       393
02   172.10.205.171       0             0             0        106
03   172.27.205.201       0             0             0        91
04   172.24.2.75          0             0             0        87
05   10.0.1.95            0             0             13       63
06   172.10.202.62        0             0             0        60
07   172.16.37.5          0             0             12       55
08   172.10.202.16        0             0             2        37
09   172.24.201.61        0             0             0        29
10   172.10.202.17        0             0             0        29
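Reading this table by eye is fine on one firewall; across many it is easier to script. The following is an added example (not code from the original post) that parses captured `show threat-detection statistics top` output into records per section and lists the hosts whose Trigger count is at or above a threshold. The sample text is a constructed copy of the output above, whitespace-separated; the Id column is blank in host statistics, and the parser also accepts rows that carry one (as port or protocol tables do).

```python
"""Parse `show threat-detection statistics top` output into records.
Added example, not code from the original post; SAMPLE_TOP is a constructed
copy of the post's output reflowed one row per line."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_TOP = """\
tpa-asa/pri/act# show threat-detection statistics top
Top Name Id Average(eps) Current(eps) Trigger Total events
20-min Sent attack:
01 172.20.201.60 1 1 0 1458
02 172.10.206.66 0 0 0 175
03 172.10.205.171 0 0 7 169
04 172.10.206.203 0 0 14 150
05 172.10.206.94 0 0 9 107
06 172.10.205.58 0 0 8 54
07 172.10.206.208 0 0 7 41
08 172.10.203.16 0 0 12 35
09 172.10.206.152 0 0 14 33
10 172.10.206.142 0 0 12 31
20-min Recv attack:
01 172.20.201.60 0 0 15 393
02 172.10.205.171 0 0 0 106
03 172.27.205.201 0 0 0 91
04 172.24.2.75 0 0 0 87
05 10.0.1.95 0 0 13 63
06 172.10.202.62 0 0 0 60
07 172.16.37.5 0 0 12 55
08 172.10.202.16 0 0 2 37
09 172.24.201.61 0 0 0 29
10 172.10.202.17 0 0 0 29
"""

# Section headers look like "20-min Sent attack:" or "20-min Recv attack:".
SECTION = re.compile(r"^(?P<window>\S+) (?P<direction>Sent|Recv) attack:$")


@dataclass
class TopEntry:
    section: str       # e.g. "20-min Sent attack"
    rank: int
    name: str          # host address in host statistics
    ident: str         # Id column when present, else ""
    average_eps: int
    current_eps: int
    trigger: int
    total: int


def parse_top(text: str) -> Dict[str, List[TopEntry]]:
    """Split the output into sections keyed by their header line."""
    sections: Dict[str, List[TopEntry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = f"{m['window']} {m['direction']} attack"
            sections[current] = []
            continue
        # Skip the prompt, the column header, and blank lines; data rows start with a rank.
        if current is None or not line or not line[0].isdigit():
            continue
        tok = line.split()
        if len(tok) == 6:        # no Id column (host statistics)
            rank, name, ident, rest = tok[0], tok[1], "", tok[2:]
        elif len(tok) == 7:      # Id column present
            rank, name, ident, rest = tok[0], tok[1], tok[2], tok[3:]
        else:
            raise ValueError(f"unexpected row: {line!r}")
        avg, cur, trig, total = (int(x) for x in rest)
        sections[current].append(TopEntry(current, int(rank), name, ident, avg, cur, trig, total))
    return sections


def hosts_with_triggers(text: str, min_trigger: int) -> List[Tuple[str, str, int]]:
    """Return (host, section, trigger) rows at or above min_trigger, highest trigger first."""
    rows = [(e.name, e.section, e.trigger)
            for entries in parse_top(text).values()
            for e in entries if e.trigger >= min_trigger]
    return sorted(rows, key=lambda r: (-r[2], r[1], r[0]))


if __name__ == "__main__":
    for host, section, trig in hosts_with_triggers(SAMPLE_TOP, 12):
        print(f"{host:15} {section:20} trigger={trig}")
```

A host that appears in both the Sent and Recv sections with triggers, as 172.20.201.60 does here, is the first one to look at: the Sent side says it tripped a drop rate as a source, the Recv side says it was also the target of one.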
#TROUBLESHOOTING COMMANDS
show threat-detection statistics host
show threat-detection statistics port
show threat-detection statistics protocol
show threat-detection statistics top