Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Anomaly Detection Notes and Caveats
The following notes and caveats apply to configuring anomaly detection:
• Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it before you can configure or apply an anomaly detection policy. Enabling anomaly detection reduces sensor performance.
• Anomaly detection assumes that it sees traffic in both directions. If the sensor is deployed where it sees only one direction of each flow, turn anomaly detection off. Otherwise, when anomaly detection runs in an asymmetric environment, every connection appears incomplete, so it classifies every source as a scanner and sends alerts for all traffic flows. Running asymmetric mode protection with anomaly detection enabled causes excessive resource usage and possible false positives for the anomaly detection signatures.
Understanding Security Policies
You can create multiple security policies and apply them to individual virtual sensors. A security policy
is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy.
Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy
called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to
a virtual sensor or you can create new policies. The use of multiple security policies lets you create
security policies based on different requirements and then apply these customized policies per VLAN or
physical interface.
Understanding Anomaly Detection
The anomaly detection component of the sensor detects worm-infected hosts. This makes the sensor less dependent on signature updates for protection against worms and scanners such as Code Red and SQL Slammer. Anomaly detection lets the sensor learn what normal activity looks like and then send alerts or take dynamic response actions when behavior deviates from that learned baseline.
Note Anomaly detection does not detect email-based worms, such as Nimda.
Anomaly detection detects the following two situations:
• When the network starts on the path to becoming congested by worm traffic.
• When a single worm-infected source enters the network and starts scanning for other vulnerable hosts.
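The following Python model illustrates two points from this chapter: how a learn-then-detect scanner heuristic flags a single infected source that leaves many incomplete connections behind, and why the asymmetric-traffic caveat above matters. It is an added example, not Cisco IPS code, and it does not model the sensor's real zones, histograms or thresholds; the hosts, addresses, traffic volumes and the "S"/"SA" packet encoding are all constructed for the illustration.

```python
"""Toy model of the scanner-detection half of anomaly detection, and of what
goes wrong when the sensor sees only one direction of traffic.

Added illustration, not Cisco IPS code. Packets are constructed in-line as
(src, dst, flags) tuples with flags "S" (SYN) or "SA" (SYN-ACK).
"""
from collections import defaultdict


def syn(src, dst):
    return (src, dst, "S")


def synack(src, dst):
    return (src, dst, "SA")


def connect(initiator, responder, answered=True):
    """One TCP connection attempt; an unanswered one is an incomplete connection."""
    pkts = [syn(initiator, responder)]
    if answered:
        pkts.append(synack(responder, initiator))
    return pkts


def build_clean_traffic():
    """Constructed 'normal' traffic used for the learning period."""
    pkts = []
    # 10.0.0.5 is a busy proxy: 30 distinct servers, two of them down.
    for i in range(1, 31):
        pkts += connect("10.0.0.5", f"203.0.113.{i}", answered=i > 2)
    # 10.0.0.7 is a quiet workstation talking to three servers.
    for i in range(1, 4):
        pkts += connect("10.0.0.7", f"198.51.100.{i}")
    return pkts


def build_worm_traffic():
    """Constructed scan from one infected host: 40 targets, only 2 answer."""
    return [p for i in range(1, 41)
            for p in connect("10.0.0.99", f"192.0.2.{i}", answered=i <= 2)]


def incomplete_destinations(packets):
    """For each source, the set of destinations it tried to reach but never
    received a SYN-ACK from: the 'incomplete connection' count the scanner
    heuristic keys on."""
    attempted = defaultdict(set)
    answered = defaultdict(set)
    for src, dst, flags in packets:
        if flags == "S":
            attempted[src].add(dst)
        elif flags == "SA":
            # A SYN-ACK travels responder -> initiator, so it completes the
            # flow that the *destination* of this packet initiated.
            answered[dst].add(src)
    return {s: attempted[s] - answered[s] for s in attempted}


def learn_threshold(packets, slack=5):
    """Learning mode: baseline = worst legitimate incomplete count, plus slack."""
    counts = [len(d) for d in incomplete_destinations(packets).values()]
    return max(counts, default=0) + slack


def detect_scanners(packets, threshold):
    """Detect mode: any source at or above the learned threshold is a scanner."""
    return sorted(src for src, dests in incomplete_destinations(packets).items()
                  if len(dests) >= threshold)


def initiator_side_only(packets):
    """Simulate an asymmetric deployment: the sensor sees the SYNs, but the
    SYN-ACKs return over a path it does not monitor."""
    return [p for p in packets if p[2] == "S"]


def run():
    clean = build_clean_traffic()
    threshold = learn_threshold(clean)            # 2 unanswered + 5 slack = 7
    live = clean + build_worm_traffic()
    symmetric = detect_scanners(live, threshold)
    asymmetric = detect_scanners(initiator_side_only(live), threshold)
    return threshold, symmetric, asymmetric


if __name__ == "__main__":
    threshold, symmetric, asymmetric = run()
    print("learned threshold:", threshold)
    print("both directions seen ->", symmetric)   # only the infected host
    print("one direction seen   ->", asymmetric)  # the busy proxy is flagged too
```

With both directions visible, only 10.0.0.99 crosses the learned threshold. Strip the return path and the proxy's 30 legitimate connections all look incomplete, so a clean host is reported as a scanner: this is the false-positive pattern the caveat describes. Learning while asymmetric is no cure in this model either; the baseline would simply be inflated by the same one-sided view of the traffic, so the right fix is the one the guide gives, which is to disable anomaly detection on a sensor that cannot see both directions.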
Understanding Worms
Caution Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only
one direction of traffic, you should turn off anomaly detection. Otherwise, when anomaly detection is
running in an asymmetric environment, it identifies all traffic as having incomplete connections, that is,