Lesson 13 Flashcards
___________ feature of the ASA appliance monitors the dropped packet rate and security events and, if it sees a threat, the appliance generates a log message.
Basic Threat Detection
measures the rate at which drops occur over a configured period of time.
Basic Threat Detection is enabled by default.
Use the following command to enable it:
fw1(config)# threat-detection basic-threat
These can be seen on the appliance with the __________ command.
show run all threat-detection
Basic Threat Detection measures the rate at which drops occur over a configured period of time. This period of time is called the ________ and can range from ___ seconds to __ days.
average rate interval (ARI)
600 seconds to 30 days
The burst rate is very similar but looks at smaller periods of snapshot data, called the __________.
burst rate interval (BRI)
show run all threat-detection [rate]
Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects.
fw1(config)# threat-detection statistics [{access-list | host | port | protocol}]
Without any options, all statistics are enabled.
show threat-detection statistics
show threat-detection statistics top
_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.
Scanning Threat Detection
threat-detection scanning-threat
Scanning Threat Detection can optionally react to an attack by ________ the attacker IP.
shunning
Once the set threshold for _________________ has been reached, the security appliance will intercept all TCP synchronizations and respond on behalf of the client.
TCP synchronizations (also known as SYN scan half-open connections, or embryonic connections)
You can limit the number of embryonic connections that can be built with the _______________ and its _____________ option, using the Modular Policy Framework.
set connection command
embryonic-conn-max
The ASA AIP-SSM IPS module, on the other hand, can detect over 1,500 attacks. However, if you don't have this card, you can supplement the security of your appliance with the IPS software feature, commonly called ___________
IP audit
The following signature classes are supported by Cisco Security Appliances:
Informational
Attack
To enable default IDS on a security appliance, use the commands:
fw1(config)# ip audit info action alarm
fw1(config)# ip audit attack action alarm
IDS attack trigger: 3 possible actions
Alarm, Drop, Reset