*Do not implement this directly in a production environment. If you can, test it in a test environment first.
Basic Threat Detection (BTD) is enabled by default on all ASAs running 8.0(2) and later.
BTD monitors the rates at which the ASA as a whole drops packets, for any of several reasons. BTD applies to the entire appliance as one unit, which means it’s NOT very specific in the information it provides, such as the source or the specific nature of the threat.
The ASA drops packets for the events below:
ACL Drop (acl-drop) – Packets are denied by access lists
Bad Pkts (bad-packet-drop) – Invalid packet formats, which includes L3 and L4 headers that do not conform to RFC standards
Conn Limit (conn-limit-drop) – Packets that exceed a configured or global connection limit
DoS Attack (dos-drop) – Denial of Service (DoS) attacks
Firewall (fw-drop) – Basic firewall security checks
ICMP Attack (icmp-drop) – Suspicious ICMP packets
Inspect (inspect-drop) – Denial by application inspection
Interface (interface-drop) – Packets dropped by interface checks
Scanning (scanning-threat) – Network/host scanning attacks
SYN Attack (syn-attack) – Incomplete session attacks, which includes TCP SYN attacks and unidirectional UDP sessions that have no return data
Basic Threat ----- Trigger(s) / ASP Drop Reason(s):
acl-drop ----- acl-drop
bad-packet-drop ----- invalid-tcp-hdr-length, invalid-ip-header, inspect-dns-pak-too-long, inspect-dns-id-not-matched
conn-limit-drop ----- conn-limit
dos-drop ----- sp-security-failed
fw-drop ----- inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched, sp-security-failed, acl-drop
icmp-drop ----- inspect-icmp-seq-num-not-matched
inspect-drop ----- Frame drops triggered by an inspection engine
interface-drop ----- sp-security-failed, no-route
scanning-threat ----- tcp-3whs-failed, tcp-not-syn, sp-security-failed, acl-drop, inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched
syn-attack ----- %ASA-6-302014 syslog with teardown reason of “SYN Timeout”
#SCANNING THREAT DETECTION:
Since BTD only gives you a small picture of what’s going on, you want to enable Scanning Threat Detection (see below). STD keeps track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet. By default, this is turned OFF.
#DIFFERENCES BETWEEN BTD AND STD
Basic Threat Detection – only indicates that the average or burst rate thresholds were crossed
Scanning Threat Detection – maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan
#ADVANCED THREAT DETECTION
Another thing you want to enable is Advanced Threat Detection. This keeps track of the number of packets, bytes, and drops sent and received by a given object within a specific time period. This is only enabled by default for ACLs, but you can enable it for other objects such as hosts and ports.
Below are your options:
access-list    Keyword to specify access-list statistics
host           Keyword to specify IP statistics
port           Keyword to specify port statistics
protocol       Keyword to specify protocol statistics
tcp-intercept  Trace tcp intercept statistics
#CUSTOM LOGGING LIST
Since there will be logs generated, you would want to create some sort of logging list to shoot off to your SIEM. Below is an example using the buffer.
Below is an example of the logs being generated:
Aug 03 2018 12:15:22: %ASA-4-733100: [22.214.171.124] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:15:22: %ASA-4-733101: Host 126.96.36.199 is attacking. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:32:36: %ASA-4-733101: Host 188.8.131.52 is targeted. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1682
Below is an example of a logging list that includes the logs above:
logging buffered warnings
logging trap warnings
logging list THREAT-DETECTION-LOGGING message 733100
logging list THREAT-DETECTION-LOGGING message 733101
logging list THREAT-DETECTION-LOGGING message 733102
logging list THREAT-DETECTION-LOGGING message 733103
logging list THREAT-DETECTION-LOGGING message 733104
logging list THREAT-DETECTION-LOGGING message 733105
logging buffered THREAT-DETECTION-LOGGING
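
On the SIEM side, the 733100 and 733101 messages shown earlier can be split into fields so attacker and target hosts can be tracked. The parser below is an added example, not part of the original post; the function names are hypothetical and the sample lines are constructed with documentation-range addresses.

```python
import re

# Constructed sample lines modelled on the 733100/733101 format shown above;
# the addresses are documentation-range placeholders, not real hosts.
SAMPLE = """\
Aug 03 2018 12:15:22: %ASA-4-733100: [192.0.2.10] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:15:22: %ASA-4-733101: Host 192.0.2.10 is attacking. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:32:36: %ASA-4-733101: Host 198.51.100.7 is targeted. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1682
Aug 03 2018 12:40:01: %ASA-6-302014: Teardown TCP connection (unrelated line, skipped)
"""

RATES = (r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
         r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
         r"Cumulative total count is (?P<total>\d+)")
PATTERNS = {
    "733100": re.compile(r"\[\s*(?P<subject>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. " + RATES),
    "733101": re.compile(r"Host (?P<subject>\S+) is (?P<role>attacking|targeted)\. " + RATES),
}
HEADER = re.compile(r"^(?P<ts>.+?): %ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")

def parse(line):
    """Return a dict of fields for a 733100/733101 line, or None for anything else."""
    head = HEADER.match(line.strip())
    if not head or head["msg_id"] not in PATTERNS:
        return None
    m = PATTERNS[head["msg_id"]].match(head["body"])
    if not m:
        return None
    event = {"timestamp": head["ts"], "msg_id": head["msg_id"], **m.groupdict()}
    for key in ("burst", "burst_max", "avg", "avg_max", "total"):
        event[key] = int(event[key])
    # In the sample logs the burst rate equals its configured maximum, so compare with >=.
    event["tripped"] = [n for n in ("burst", "avg") if event[n] >= event[n + "_max"]]
    return event

def summarize(text):
    """Collect attacker and target addresses with their highest cumulative count."""
    hosts = {"attacking": {}, "targeted": {}}
    for line in text.splitlines():
        ev = parse(line)
        if ev and ev["msg_id"] == "733101":
            seen = hosts[ev["role"]]
            seen[ev["subject"]] = max(seen.get(ev["subject"], 0), ev["total"])
    return hosts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse(line))
    print(summarize(SAMPLE))
```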