Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Threat Detection
Monitoring Threat Detection
Monitoring Shunned Hosts, Attackers, and Targets
To monitor and manage shunned hosts, attackers, and targets, use the following commands:
•
show threat-detection shun
Displays the hosts that are currently shunned. For example:
Table 18-3 show threat-detection statistics host (continued)

Field / Description

Average(eps)
  The average rate in events/sec over each time period. The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 40 seconds (1/30th of 1200 seconds). If the last burst interval was from 3:00:00 to 3:00:40, and you use the show command at 3:00:45, then the last 5 seconds are not included in the output.
  The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)
  The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. In the Average(eps) example, where the show command runs at 3:00:45, the current rate is the rate over the last completed burst interval, 3:00:00 to 3:00:40.

Trigger
  The number of times the dropped packet rate limits were exceeded. For valid traffic (the sent and received bytes and packets rows), this value is always 0, because no rate limit applies to valid traffic.

Total events
  The total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events, with the same exception as for Average(eps): if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30), the ASA calculates the total events as the last 29 complete intervals plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

20-min, 1-hour, 8-hour, and 24-hour
  Statistics for these fixed rate intervals. For each interval:
  • Sent byte—The number of bytes successfully sent from the host.
  • Sent pkts—The number of packets successfully sent from the host.
  • Sent drop—The number of packets sent from the host that were dropped because they were part of a scanning attack.
  • Recv byte—The number of bytes successfully received by the host.
  • Recv pkts—The number of packets successfully received by the host.
  • Recv drop—The number of packets received by the host that were dropped because they were part of a scanning attack.
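The Average(eps), Current(eps), Trigger and Total events rows share one piece of bookkeeping: a fixed rate interval split into 30 burst intervals, with the unfinished burst counted only when it already exceeds the oldest completed one. The following Python model is an added example written for this page, not Cisco's code or an ASA internal; the class and method names, the 0.05 eps drop limit, and the event counts in the scenario are assumptions chosen so that the model follows the rules stated in the table.

```python
"""Model of the 30-burst-interval bookkeeping behind the Average(eps),
Current(eps), Trigger and Total events rows of Table 18-3.

Added illustration for this page, not Cisco's implementation. The class,
its method names and the rate-limit handling are assumptions that follow
the rules stated in the table."""

from collections import deque
from typing import Optional

BURST_INTERVALS = 30   # completed burst intervals kept per rate interval
MIN_BURST_SECS = 10    # floor for the burst interval, per the table


class RateInterval:
    def __init__(self, average_secs: int,
                 drop_rate_limit_eps: Optional[float] = None):
        self.average_secs = average_secs
        # 1/30th of the average rate interval or 10 seconds, whichever is larger
        self.burst_secs = max(average_secs // BURST_INTERVALS, MIN_BURST_SECS)
        # Limit (events/sec) checked per completed burst for dropped-packet rows;
        # None for valid-traffic rows, which have no limit to trigger (assumed).
        self.drop_rate_limit_eps = drop_rate_limit_eps
        self.completed = deque(maxlen=BURST_INTERVALS)  # index 0 is #1 of 30, the oldest
        self.unfinished = 0                              # events in the burst presently occurring
        self.trigger = 0

    def record(self, events: int = 1) -> None:
        """Count events into the unfinished burst interval."""
        self.unfinished += events

    def end_burst(self) -> None:
        """Close the unfinished burst interval and store its count."""
        if (self.drop_rate_limit_eps is not None
                and self.unfinished / self.burst_secs > self.drop_rate_limit_eps):
            self.trigger += 1
        self.completed.append(self.unfinished)  # deque(maxlen) discards the oldest past 30
        self.unfinished = 0

    def total_events(self) -> int:
        """Completed intervals only, unless the unfinished interval already
        exceeds the oldest (#1 of 30): then the last 29 plus the unfinished."""
        if (len(self.completed) == BURST_INTERVALS
                and self.unfinished > self.completed[0]):
            return sum(list(self.completed)[1:]) + self.unfinished
        return sum(self.completed)

    def average_eps(self) -> float:
        """Average rate over the burst intervals counted by total_events()."""
        if not self.completed:
            return 0.0
        return self.total_events() / (len(self.completed) * self.burst_secs)

    def current_eps(self) -> float:
        """Rate over the last completed burst interval; the unfinished one is ignored."""
        if not self.completed:
            return 0.0
        return self.completed[-1] / self.burst_secs


def host_scenario() -> dict:
    """Constructed scenario for the 20-minute interval (40-second bursts) of one
    host: a 'Recv drop' row with an assumed limit of 0.05 eps (2 drops per
    40 s) and a 'Recv pkts' row with no limit. The event counts are made up."""
    recv_drop = RateInterval(average_secs=20 * 60, drop_rate_limit_eps=0.05)
    recv_pkts = RateInterval(average_secs=20 * 60)
    recv_drop.record(1)                # burst #1 (oldest): 1 drop, under the limit
    recv_drop.end_burst()
    for _ in range(29):                # bursts #2..#30: 4 drops each, over the limit
        recv_drop.record(4)
        recv_drop.end_burst()
    for _ in range(30):                # valid traffic: never triggers
        recv_pkts.record(50)
        recv_pkts.end_burst()
    completed_only = recv_drop.total_events()       # 1 + 29*4 = 117
    recv_drop.record(1)                             # unfinished: 1 drop, not > oldest (1)
    unfinished_ignored = recv_drop.total_events()   # still 117
    recv_drop.record(1)                             # unfinished: 2 drops, > oldest
    unfinished_counted = recv_drop.total_events()   # 29*4 + 2 = 118
    return {
        "burst_secs": recv_drop.burst_secs,         # 40
        "completed_only": completed_only,
        "unfinished_ignored": unfinished_ignored,
        "unfinished_counted": unfinished_counted,
        "current_eps": recv_drop.current_eps(),     # 4 / 40 = 0.1
        "drop_trigger": recv_drop.trigger,          # 29 bursts exceeded 0.05 eps
        "valid_trigger": recv_pkts.trigger,         # always 0 for valid traffic
    }


if __name__ == "__main__":
    for field, value in host_scenario().items():
        print(f"{field:>20}: {value}")
```

The scenario makes the exception rule visible: the first extra drop in the open burst changes nothing, because it does not exceed the oldest completed burst, while the second one does and the total jumps from 117 to 118 before the burst closes. Current(eps) stays at the last completed burst throughout, and the valid-traffic row never increments Trigger.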