9-21
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 9 Configuring Anomaly Detection
Configuring the Illegal Zone
sensor(config-ano-ill)#
Step 3 Enable the illegal zone.
sensor(config-ano-ill)# enabled true
Step 4 Configure the IP addresses to be included in the illegal zone.
sensor(config-ano-ill)# ip-address-range 192.0.2.72-192.0.2.108
Step 5 Configure the TCP protocol.
Step 6 Configure the UDP protocol.
Step 7 Configure the other protocols.
For More Information
• For the procedure for configuring the TCP protocol, see Configuring TCP Protocol for the Illegal Zone, page 9-21.
• For the procedure for configuring the UDP protocol, see Configuring UDP Protocol for the Illegal Zone, page 9-24.
• For the procedure for configuring other protocols, see Configuring Other Protocols for the Illegal Zone, page 9-26.
Configuring TCP Protocol for the Illegal Zone
Use the tcp {enabled | dst-port number | default-thresholds} command in service anomaly detection
illegal zone submode to enable and configure the TCP service.
The following options apply:
• enabled {false | true}—Enables/disables TCP protocol.
• default-thresholds—Defines thresholds to be used for all ports not specified in the destination port map:
    – threshold-histogram {low | medium | high} num-source-ips number—Sets values in the threshold histogram.
    – scanner-threshold—Sets the scanner threshold. The default is 200.
• dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.
    – enabled {true | false}—Enables/disables the service.
    – override-scanner-settings {yes | no}—Lets you override the scanner values:
        – threshold-histogram {low | medium | high} num-source-ips number—Sets values in the threshold histogram.
        – scanner-threshold—Sets the scanner threshold. The default is 200.
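The following session is an added walkthrough, not an example from the Cisco guide, that strings together the illegal-zone steps above (Steps 3 and 4) with the tcp options just listed. It assumes the earlier steps of the procedure that reach the illegal-zone submode (configure terminal, service anomaly-detection ad0, illegal-zone), which are not shown on this page, and it assumes that tcp, default-thresholds, dst-port and override-scanner-settings each open a nested submode whose prompt extends the config-ano-ill pattern (config-ano-ill-tcp, config-ano-ill-tcp-def, config-ano-ill-tcp-dst, config-ano-ill-tcp-dst-ove); those prompt names are not confirmed by this page. The destination port 22 and the histogram and scanner values are constructed for illustration.

```cisco
sensor# configure terminal
sensor(config)# service anomaly-detection ad0
sensor(config-ano)# illegal-zone
sensor(config-ano-ill)# enabled true
sensor(config-ano-ill)# ip-address-range 192.0.2.72-192.0.2.108
sensor(config-ano-ill)# tcp
sensor(config-ano-ill-tcp)# enabled true
sensor(config-ano-ill-tcp)# default-thresholds
sensor(config-ano-ill-tcp-def)# threshold-histogram high num-source-ips 1
sensor(config-ano-ill-tcp-def)# scanner-threshold 200
sensor(config-ano-ill-tcp-def)# exit
sensor(config-ano-ill-tcp)# dst-port 22
sensor(config-ano-ill-tcp-dst)# enabled true
sensor(config-ano-ill-tcp-dst)# override-scanner-settings yes
sensor(config-ano-ill-tcp-dst-ove)# threshold-histogram high num-source-ips 1
sensor(config-ano-ill-tcp-dst-ove)# scanner-threshold 100
sensor(config-ano-ill-tcp-dst-ove)# exit
sensor(config-ano-ill-tcp-dst)# exit
sensor(config-ano-ill-tcp)# exit
sensor(config-ano-ill)# exit
sensor(config-ano)# exit
```

The default-thresholds block applies to every TCP destination port that has no dst-port entry; the dst-port 22 entry, with override-scanner-settings yes, replaces the scanner threshold for that one port (100 instead of the default 200) while keeping the same histogram setting. Because the illegal zone is a range that no legitimate host should be talking to, tighter per-port values there are a reasonable way to get an earlier scanner alert without changing the thresholds used for the internal and external zones.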