Cisco ASA Threat Detection

*Do not just implement this in a production environment. If you can, test it in a lab or test environment first.

Basic threat detection (BTD) is enabled by default on all ASAs running 8.0(2) and later.

BTD monitors the rate at which the ASA drops packets for a set of reasons, counted for the appliance as a whole. Because it applies to the whole ASA, it is NOT specific: it tells you that a drop-rate threshold was crossed, but not the source of the traffic or the exact nature of the threat.

The ASA counts drops for these event categories:

ACL Drop (acl-drop) – Packets are denied by access lists
Bad Pkts (bad-packet-drop) – Invalid packet formats, which includes L3 and L4 headers that do not conform to RFC standards
Conn Limit (conn-limit-drop) – Packets that exceed a configured or global connection limit
DoS Attack (dos-drop) – Denial of Service (DoS) attacks
Firewall (fw-drop) – Basic firewall security checks
ICMP Attack (icmp-drop) – Suspicious ICMP packets
Inspect (inspect-drop) – Denial by application inspection
Interface (interface-drop) – Packets dropped by interface checks
Scanning (scanning-threat) – Network/host scanning attacks
SYN Attack (syn-attack) – Incomplete session attacks, which includes TCP SYN attacks and unidirectional UDP sessions that have no return data

Basic Threat -> Trigger(s) / ASP Drop Reason(s):
acl-drop -> acl-drop
bad-packet-drop -> invalid-tcp-hdr-length, invalid-ip-header, inspect-dns-pak-too-long, inspect-dns-id-not-matched
conn-limit-drop -> conn-limit
dos-drop -> sp-security-failed
fw-drop -> inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched, sp-security-failed, acl-drop
icmp-drop -> inspect-icmp-seq-num-not-matched
inspect-drop -> Frame drops triggered by an inspection engine
interface-drop -> sp-security-failed, no-route
scanning-threat -> tcp-3whs-failed, tcp-not-syn, sp-security-failed, acl-drop, inspect-icmp-seq-num-not-matched, inspect-dns-pak-too-long, inspect-dns-id-not-matched
syn-attack -> %ASA-6-302014 syslog with teardown reason of "SYN Timeout"

#SCANNING THREAT DETECTION:
Since BTD only gives you a small picture of what is going on, you also want to enable Scanning Threat Detection (STD). STD keeps track of suspected attackers that open connections to too many hosts in a subnet, or to too many ports on a host or subnet. By default, it is turned OFF.

#DIFFERENCES BETWEEN BTD AND STD
Basic Threat Detection – only indicates that the average or burst rate thresholds were crossed
Scanning Threat Detection – maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan

#THREAT DETECTION DEFAULT SETTINGS:

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
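To make the default settings above concrete, here is an added Python model (not ASA code, and not from the original page) of how one "threat-detection rate" line is evaluated. It assumes Cisco's documented behaviour: the average rate is measured over rate-interval seconds, and the burst rate over a burst interval of rate-interval/30 or 10 seconds, whichever is larger. The drop timestamps in the two scenarios are constructed sample data, chosen so that one scenario crosses only the burst threshold and the other only the average threshold.

```python
"""Model of how one Cisco ASA 'threat-detection rate ...' setting is evaluated.

Added illustration, not ASA code. Assumes the documented burst interval of
rate-interval/30 seconds (minimum 10 s). Drop timestamps below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class RateSetting:
    event: str          # drop category, e.g. "scanning-threat"
    rate_interval: int  # seconds over which the average rate is measured
    average_rate: int   # drops per second
    burst_rate: int     # drops per second

    @property
    def burst_interval(self) -> int:
        # Burst rate is measured over 1/30 of the rate interval, or 10 s,
        # whichever is larger (e.g. 600 s -> 20 s, 3600 s -> 120 s).
        return max(self.rate_interval // 30, 10)


def parse_rate_line(line: str) -> RateSetting:
    """Parse one 'threat-detection rate <event> rate-interval N average-rate N burst-rate N' line."""
    tokens = line.split()
    if tokens[:2] != ["threat-detection", "rate"] or len(tokens) != 9:
        raise ValueError(f"not a threat-detection rate line: {line!r}")
    kv = dict(zip(tokens[3::2], tokens[4::2]))  # keyword -> value pairs
    return RateSetting(tokens[2], int(kv["rate-interval"]),
                       int(kv["average-rate"]), int(kv["burst-rate"]))


def evaluate(setting: RateSetting, drop_times: Sequence[float], now: float) -> Dict[str, object]:
    """Measure both rates at time `now` over a list of drop timestamps (seconds).

    The ASA logs rounded integer rates, so a logged 'current rate' can equal the
    configured maximum; this model compares the unrounded rates instead.
    """
    n_avg = sum(1 for t in drop_times if now - setting.rate_interval < t <= now)
    n_burst = sum(1 for t in drop_times if now - setting.burst_interval < t <= now)
    avg = n_avg / setting.rate_interval
    burst = n_burst / setting.burst_interval
    return {"average_rate": avg, "burst_rate": burst,
            "average_exceeded": avg > setting.average_rate,
            "burst_exceeded": burst > setting.burst_rate}


# The page's default 600 s scanning-threat setting.
SCANNING_600 = parse_rate_line(
    "threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10")


def burst_scenario(now: float = 1000.0) -> Dict[str, object]:
    """Constructed: 250 drops within the last 12.5 s and nothing earlier.

    Crosses the burst threshold (250 / 20 s = 12.5 > 10) but not the average
    (250 / 600 s = 0.42 < 5).
    """
    drops = [now - i * 0.05 for i in range(250)]
    return evaluate(SCANNING_600, drops, now)


def steady_scenario(now: float = 1000.0) -> Dict[str, object]:
    """Constructed: 4000 drops spread evenly over the last 600 s.

    Crosses the average threshold (4000 / 600 s = 6.67 > 5) but not the burst
    (only ~134 drops fall in the 20 s burst window, 6.7 < 10).
    """
    drops = [now - i * 0.15 for i in range(4000)]
    return evaluate(SCANNING_600, drops, now)


if __name__ == "__main__":
    print("burst scenario: ", burst_scenario())
    print("steady scenario:", steady_scenario())
```

The point the two scenarios make is that the two numbers are independent: a short, sharp spike trips burst-rate while leaving average-rate untouched, and a slow, sustained drop rate trips average-rate without ever reaching burst-rate. Tune them separately.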

#ENABLE STD:

threat-detection scanning-threat

#TO SHUN A DEVICE:
If a device is flagged as attacking, you can shun it (block traffic from it) and set a duration, in seconds, for how long it stays blocked.

threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 1000

#SHUN WHITELISTING:
If the flagged device is something you know about and not actually malicious, such as a Nessus scanner, you can exempt that host, an object-group, or a whole subnet from the shun.

threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255
threat-detection scanning-threat shun except object-group no-shun
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 36000

#TO CHANGE A RATE INTERVAL
If you need to fine tune the intervals, here’s how:

threat-detection rate scanning-threat rate-interval 60 average-rate 2 burst-rate 5
threat-detection rate scanning-threat rate-interval 360 average-rate 2 burst-rate 4

#ADVANCED THREAT DETECTION
Another thing you want to enable is Advanced Threat Detection (threat-detection statistics). This keeps per-object statistics: the number of packets, bytes, and drops both sent and received by each tracked object (host, port, protocol, ACL) within a time period. Only access-list statistics are enabled by default; you can enable them for other objects such as hosts and ports.

threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
threat-detection rate dos-drop

Below are your options:
access-list Keyword to specify access-list statistics
host Keyword to specify IP statistics
port Keyword to specify port statistics
protocol Keyword to specify protocol statistics
tcp-intercept Trace tcp intercept statistics

#CUSTOM LOGGING LIST
Since these features generate logs, you will want a logging list that forwards them to your SIEM. Below is an example that sends the list to the local buffer.

Below is an example of the logs being generated:

Aug 03 2018 12:15:22: %ASA-4-733100: [172.10.206.3] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:15:22: %ASA-4-733101: Host 172.10.206.3 is attacking. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:32:36: %ASA-4-733101: Host 172.10.201.79 is targeted. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1682
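Before shipping these messages to a SIEM it helps to parse them into fields, so that "which threshold fired" and "would the shun apply" become searchable rather than buried in free text. The following Python parser is an added example, not code from the original page or from Cisco. It uses the three log lines above plus one constructed 733101 line for 10.1.1.1, and the shun-except networks are taken from the page's "shun except ip-address" lines (the object-group exception is not modelled).

```python
"""Parse ASA threat-detection syslog messages 733100/733101 for SIEM triage.

Added example, not ASA or Cisco code. Sample log is constructed: the first three
lines are the ones shown on the page, the fourth is made up to exercise the
shun exception list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Aug 03 2018 12:15:22: %ASA-4-733100: [172.10.206.3] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:15:22: %ASA-4-733101: Host 172.10.206.3 is attacking. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 424
Aug 03 2018 12:32:36: %ASA-4-733101: Host 172.10.201.79 is targeted. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1682
Aug 03 2018 12:40:01: %ASA-4-733101: Host 10.1.1.1 is attacking. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 900
"""

# Networks from the page's "threat-detection scanning-threat shun except ip-address" lines.
SHUN_EXCEPTIONS = [ipaddress.ip_network("10.1.1.1/32"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Matches both message formats; the rate/count tail is identical for 733100 and 733101.
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-(?P<msg_id>73310[01]): "
    r"(?:\[(?P<obj>[^\]]+)\] drop rate-(?P<rate_id>\d+) exceeded"
    r"|Host (?P<host>\S+) is (?P<role>attacking|targeted))\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)


@dataclass
class ThreatEvent:
    ts: str
    msg_id: str
    subject: str            # bracketed object (733100) or the host address (733101)
    role: Optional[str]     # "attacking" / "targeted" for 733101, None for 733100
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int


def parse_events(text: str) -> List[ThreatEvent]:
    """Return one ThreatEvent per 733100/733101 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(ThreatEvent(
            ts=d["ts"], msg_id=d["msg_id"],
            subject=d["obj"] if d["obj"] is not None else d["host"],
            role=d["role"],
            burst=int(d["burst"]), burst_max=int(d["burst_max"]),
            avg=int(d["avg"]), avg_max=int(d["avg_max"]), total=int(d["total"]),
        ))
    return events


def triggered_threshold(ev: ThreatEvent) -> str:
    """Which configured limit the logged (rounded) rate reached: burst, average, or none."""
    if ev.burst >= ev.burst_max:
        return "burst"
    if ev.avg >= ev.avg_max:
        return "average"
    return "none"


def shun_decision(ev: ThreatEvent, exceptions=SHUN_EXCEPTIONS) -> str:
    """What 'threat-detection scanning-threat shun' would do with this event."""
    if ev.msg_id != "733101" or ev.role != "attacking":
        return "not-an-attacker"   # 733100 summaries and targeted hosts are never shunned
    addr = ipaddress.ip_address(ev.subject)
    if any(addr in net for net in exceptions):
        return "excepted"
    return "shun"


def triage(text: str) -> List[Dict[str, object]]:
    """One flat record per event, ready to forward to a SIEM."""
    return [{"ts": ev.ts, "id": ev.msg_id, "subject": ev.subject, "role": ev.role,
             "threshold": triggered_threshold(ev), "action": shun_decision(ev),
             "total": ev.total} for ev in parse_events(text)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

The "action" field is the useful one for an analyst: a 733101 "attacking" host that is not in the exception list is exactly what the shun would block, while a "targeted" host is a victim and should be investigated, not blocked.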

Below is an example of a logging list that includes the logs above:

logging buffered warnings
logging trap warnings
logging list THREAT-DETECTION-LOGGING message 733100
logging list THREAT-DETECTION-LOGGING message 733101
logging list THREAT-DETECTION-LOGGING message 733102
logging list THREAT-DETECTION-LOGGING message 733103
logging list THREAT-DETECTION-LOGGING message 733104
logging list THREAT-DETECTION-LOGGING message 733105
logging buffered THREAT-DETECTION-LOGGING

#VIEW THREAT DETECTION IN ACTION

tpa-asa/pri/act# show threat-detection statistics top
Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events
  20-min Sent attack:
01    172.20.201.60                  1               1       0              1458
02    172.10.206.66                  0               0       0               175
03    172.10.205.171                 0               0       7               169
04    172.10.206.203                 0               0      14               150
05    172.10.206.94                  0               0       9               107
06    172.10.205.58                  0               0       8                54
07    172.10.206.208                 0               0       7                41
08    172.10.203.16                  0               0      12                35
09    172.10.206.152                 0               0      14                33
10    172.10.206.142                 0               0      12                31
  20-min Recv attack:
01    172.20.201.60                  0               0      15               393
02    172.10.205.171                 0               0       0               106
03    172.27.205.201                 0               0       0                91
04    172.24.2.75                    0               0       0                87
05    10.0.1.95                      0               0      13                63
06    172.10.202.62                  0               0       0                60
07    172.16.37.5                    0               0      12                55
08    172.10.202.16                  0               0       2                37
09    172.24.201.61                  0               0       0                29
10    172.10.202.17                  0               0       0                29

#TROUBLESHOOTING COMMANDS
show threat-detection statistics host
show threat-detection statistics port
show threat-detection statistics protocol
show threat-detection statistics top