Wednesday, July 28, 2010

Error #733100 - drop rate-1 exceeded

Getting the following 733100 events, and all are Scanning

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709

Why am I getting events from less than the manually configured rates?

Here are the configuration changes output by show run:

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 25 burst-rate 50
threat-detection rate syn-attack rate-interval 3600 average-rate 20 burst-rate 40

The configuration guide says: "You can configure up to three commands with different rate intervals."

Does this mean there are three different types of command, or can we only manually adjust three out of the various basic threat detection settings?

Tips:

The document says that we can have 3 versions of the command.

For example:

threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
threat-detection rate scanning-threat rate-interval 800 average-rate 200 burst-rate 400

Each time you exceed a limit, you will receive a log message indicating which limit was reached ("[ Scanning] drop rate-1 exceeded" or "[ Scanning] drop rate-2 exceeded").

You have configured 2 limits. If you are also running basic threat detection, the basic limits are matched as well, and the logs will reflect those too.

From Cisco's document on preventing network attacks:

"If you already configured this command as part of the basic threat detection configuration (see the "Configuring Basic Threat Detection" section), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for each feature."

If you are running 8.0.4, then this is defect "CSCsv42964: scanning-threat does not pick up the correct rate threshold in syslog".

It is a syslog generation bug, so there is no workaround. You can disable the scanning threat detection. The syn-attack is a different event.
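
A consistency check for the symptom described above, as an added example that is not from the original post or from Cisco: it parses the 733100 messages and the scanning-threat lines from show run, and flags messages that say "exceeded" while both printed current rates are below the printed maximums. The function names are hypothetical, and the regular expressions assume the message layout shown in the two log lines on this page.

```python
import re

# Sample input taken from the log lines and a subset of the show run
# lines quoted on this page.
SYSLOG = """\
ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709
"""
CONFIG = """\
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
"""

MSG = re.compile(
    r"733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")
CFG = re.compile(
    r"^threat-detection rate (?P<obj>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)\s*$", re.M)

def configured_rates(config, obj="scanning-threat"):
    """Map (average-rate, burst-rate) -> rate-interval; 'no ...' lines are skipped."""
    return {(int(m["avg"]), int(m["burst"])): int(m["interval"])
            for m in CFG.finditer(config) if m["obj"] == obj}

def audit(syslog, config):
    """Return one finding per 733100 line: do the printed numbers support 'exceeded'?"""
    rates = configured_rates(config)
    findings = []
    for m in MSG.finditer(syslog):
        r = {k: v if k == "obj" else int(v) for k, v in m.groupdict().items()}
        over = r["burst"] > r["burst_max"] or r["avg"] > r["avg_max"]
        findings.append({
            "rate_id": r["rate_id"],
            # Interval whose configured pair equals the printed maxima, else None
            "matches_interval": rates.get((r["avg_max"], r["burst_max"])),
            # True when the message says "exceeded" but neither printed rate is over
            "inconsistent": not over,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SYSLOG, CONFIG):
        print(finding)
```
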

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
