Cisco Systems IPS 7.1 Home Security System User Manual

9-3
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Anomaly Detection Modes
as scanners, and sends alerts for all traffic flows. Using asymmetric mode protection with anomaly
detection enabled causes excessive resource usage and possible false positives for anomaly detection
signatures.
Worms are automated, self-propagating intrusion agents that make copies of themselves and then
facilitate their spread. Worms attack a vulnerable host, infect it, and then use it as a base to attack other
vulnerable hosts. They search for other hosts by using a form of network inspection, typically a scan,
and then propagate to the next target. A scanning worm locates vulnerable hosts by generating a list of
IP addresses to probe, and then contacts those hosts. The Code Red, Sasser, Blaster, and Slammer worms
are examples of worms that spread in this manner.
Anomaly detection identifies worm-infected hosts by their behavior as scanners. To spread, a worm must
find new hosts. It finds them by scanning the Internet or network using TCP, UDP, and other protocols
to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a
source IP address that generates events on the same destination port (in TCP and UDP) for too many
destination IP addresses.
The events that are important for the TCP protocol are nonestablished connections, such as a SYN packet
that does not receive its SYN-ACK response within a given amount of time. A worm-infected host that scans
using the TCP protocol generates nonestablished connections on the same destination port for an anomalous
number of destination IP addresses.
The events that are important for the UDP protocol are unidirectional connections, such as a UDP
connection in which all packets travel in only one direction. A worm-infected host that scans using the UDP
protocol sends UDP packets but does not receive UDP packets on the same quad within a timeout
period, on the same destination port, for multiple destination IP addresses.
The events that are important for other protocols, such as ICMP, are from a source IP address to many
different destination IP addresses, that is, packets that are received in only one direction.
Caution If a worm has a list of IP addresses it should infect and does not have to use scanning to spread itself (for
example, it uses passive mapping—listening to the network as opposed to active scanning), it is not
detected by the anomaly detection worm policies. Worms that receive a mailing list from probing files
within the infected host and email this list are also not detected, because no Layer 3/Layer 4 anomaly is
generated.
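The scanner definition above, and the reason the hit-list worm in the caution is not caught, can be made concrete with a small added example. This is constructed Python written for this page, not Cisco's code or the sensor's actual algorithm; the packet records, the 5-second timeout and the threshold of three destinations are assumptions.

```python
from collections import defaultdict

TIMEOUT = 5.0          # assumed: seconds to wait for a reply before a flow counts as one-way
SCANNER_THRESHOLD = 3  # assumed: distinct destination IPs on one port before a source is a scanner

# Constructed packet records, not sensor output: (time, proto, src, sport, dst, dport, flags).
# ICMP has no ports, so both are 0; flags matter only for TCP.
PACKETS = (
    # TCP scanner 10.0.0.5: SYNs to port 445 on 192.168.1.1-3, no SYN-ACK ever returns
    [(i, "tcp", "10.0.0.5", 51000 + i, f"192.168.1.{i}", 445, "SYN") for i in range(1, 4)]
    # Hit-list worm 10.0.0.21: already knows its targets, so every handshake completes
    + [(10 + i, "tcp", "10.0.0.21", 54000 + i, f"192.168.2.{i}", 80, "SYN") for i in range(1, 4)]
    + [(10.1 + i, "tcp", f"192.168.2.{i}", 80, "10.0.0.21", 54000 + i, "SYN-ACK") for i in range(1, 4)]
    # UDP scanner 10.0.0.9: one-way datagrams to port 1434 on three hosts
    + [(20 + i, "udp", "10.0.0.9", 53000, f"192.168.1.{10 + i}", 1434, "") for i in range(3)]
    # Legitimate DNS lookup from 10.0.0.7: the reply arrives on the reversed quad
    + [(30.0, "udp", "10.0.0.7", 40000, "192.168.1.53", 53, ""),
       (30.1, "udp", "192.168.1.53", 53, "10.0.0.7", 40000, "")]
    # ICMP scanner 10.0.0.33: echo requests to three hosts, no echo replies
    + [(40 + i, "icmp", "10.0.0.33", 0, f"192.168.3.{i}", 0, "") for i in range(1, 4)]
)

def find_scanners(packets, timeout=TIMEOUT, threshold=SCANNER_THRESHOLD):
    """Return {(proto, src, dport): [dst, ...]} for sources whose unanswered flows on one
    destination port reach `threshold` distinct destination IPs."""
    first_seen = {}   # flow quad -> time of its first packet
    answered = set()  # flows that received a reply within the timeout
    for t, proto, src, sport, dst, dport, flags in sorted(packets):
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if rev in first_seen:
            # Packet runs against a flow we already saw: it is the reply if it is in time and,
            # for TCP, carries SYN-ACK (a SYN without its SYN-ACK stays nonestablished)
            if t <= first_seen[rev] + timeout and (proto != "tcp" or flags == "SYN-ACK"):
                answered.add(rev)
        elif proto != "tcp" or flags == "SYN":   # only a SYN opens a new TCP flow
            first_seen.setdefault(fwd, t)
    # A scanner is one source hitting the same destination port on too many destination IPs
    victims = defaultdict(set)
    for proto, src, sport, dst, dport in first_seen:
        if (proto, src, sport, dst, dport) not in answered:
            victims[(proto, src, dport)].add(dst)
    return {key: sorted(dsts) for key, dsts in victims.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for (proto, src, dport), dsts in find_scanners(PACKETS).items():
        print(f"{src} scanning {proto}/{dport}: {len(dsts)} unanswered destinations")
```

Shrinking the timeout below the handshake delay turns the hit-list worm into a "scanner" too, which shows how much the verdict depends on the reply window rather than on the sender's intent.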
For More Information
For the procedure for turning off anomaly detection, see Disabling Anomaly Detection, page 9-49.
Anomaly Detection Modes
If you have anomaly detection enabled, it initially conducts a “peacetime” learning process when the
most normal state of the network is reflected. Anomaly detection then derives a set of policy thresholds
that best fit the normal network.