Cisco Email Security Appliance X1050 Troubleshooting Guide

Locate DHAP Alert Information on the ESA
Document ID: 118936
Contributed by John Yu and Robert Sherwin, Cisco TAC Engineers.
Apr 23, 2015
Contents
Introduction
Locate DHAP Occurrences from the ESA
View or Update DHAP Configuration from the GUI
View or Update DHAP Configuration from the CLI
Related Information
Introduction
This document describes how to locate information about Directory Harvest Attack Prevention
(DHAP) alerts on your Cisco Email Security Appliance (ESA).
Locate DHAP Occurrences from the ESA
The entries that describe a DHAP event reside in the mail logs. Here is an example mail log entry
written when DHAP occurs:
Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to potential Directory
 Harvest Attack from host=(192.168.10.1', None), dhap_limit=4, sender_group=SUSPECTLIST
Note: By default, the /24 netmask is looked for in the search.
Enter this command in the CLI in order to search the mail logs for DHAP entries:
myesa.local> grep "dhap_limit=" mail_logs
The DHAP counters include both Recipient Access Table (RAT) rejections and Lightweight Directory Access
Protocol (LDAP) acceptance query rejections. The DHAP settings are configured in the Mail Flow policy.
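For offline review of an exported copy of mail_logs, the following added example (not Cisco's code and not part of the original document) parses entries in the format shown above and counts drops per source network and sender group. The /24 grouping, the function names, and the sample lines are assumptions of this example; the opening quote before the address is treated as optional because the sample entry on this page lacks it.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Layout copied from the page's sample entry; one entry per line is assumed.
DHAP_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Warning: LDAP: "
    r"Dropping connection due to potential Directory\s+Harvest Attack "
    r"from host=\('?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'?,.*?"
    r"dhap_limit=(?P<limit>\d+), sender_group=(?P<group>\w+)"
)

def parse_dhap(lines):
    """Return one dict per DHAP warning; all other log lines are skipped."""
    events = []
    for line in lines:
        m = DHAP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev.pop("ts"), "%a %b %d %H:%M:%S %Y")
            ev["limit"] = int(ev["limit"])
            events.append(ev)
    return events

def summarize(events, prefix=24):
    """Count drops per (source network, sender group), busiest first."""
    counts = Counter()
    for e in events:
        try:
            net = ip_network(f"{e['ip']}/{prefix}", strict=False)
        except ValueError:  # octet above 255 in a damaged line
            continue
        counts[(str(net), e["group"])] += 1
    return counts.most_common()

# Constructed sample lines (not from a real appliance), documentation-range IPs.
_T = ("Tue Oct 18 00:{mm}:35 2005 Warning: LDAP: Dropping connection due to "
      "potential Directory Harvest Attack from host=('{ip}', None), "
      "dhap_limit={lim}, sender_group={sg}")
SAMPLE = [
    _T.format(mm="25", ip="192.0.2.10", lim=4, sg="SUSPECTLIST"),
    "Tue Oct 18 00:26:02 2005 Info: constructed filler line, not a DHAP event",
    _T.format(mm="27", ip="192.0.2.77", lim=4, sg="SUSPECTLIST"),
    _T.format(mm="31", ip="198.51.100.5", lim=25, sg="UNKNOWNLIST"),
]

if __name__ == "__main__":
    for (net, group), n in summarize(parse_dhap(SAMPLE)):
        print(f"{n:3d}  {net:18s} {group}")
```

Networks that recur at the top of the summary are candidates for a closer look at the sender group and mail flow policy that applied to them.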
View or Update DHAP Configuration from the GUI
Complete these steps in order to view or edit your DHAP configuration parameters from the GUI:
1. Navigate to Mail Policies > Mail Flow Policies.
2. Click the policy name in order to make edits, or click Default Policy Parameters in order to view the
current DHAP configuration.
3. Make changes to the Directory Harvest Attack Prevention (DHAP) section as needed: